Anti-virus software has long been the standard for endpoint protection. However, today, it’s no longer enough. As cyberattacks grow more sophisticated, MSPs need to protect clients with tools that can detect and respond to threats in real time. That’s why they must offer EDR, or endpoint detection and response.
While anti-virus software dates back to 1987, its reactive nature leaves gaps in modern cybersecurity. So, MSPs need more to safeguard their clients. “Anti-virus isn’t cutting it anymore,” said Michael Cocanower, CEO of itSynergy, a Phoenix-based MSP that supports clients with 10 seats to 1,200. “EDR first hit the [channel’s] radar screens five years ago. AV is all about what we know about. EDR does that and tracks what we don’t know.”
The Cost of Skipping EDR: A Painful Lesson
Cocanower installs EDR software on desktops, laptops, and servers, but it comes with a big price tag.
Michael Cocanower
Cocanower recalled one large customer who initially resisted the $1,500-per-month cost to deploy EDR across their environment. To prove its value, itSynergy offered a one-month trial using its own servers. The alerts flew hard and fast, showing constant malware and ransomware activity, he shared. Still, the client declined.
Soon after, the client suffered a ransomware hit. “They paid a mid-six-figure ransom,” Cocanower said. “Right then, we made EDR mandatory for all our customers.”
EDR Is A Critical Tool for Post-breach Recovery
Cocanower isn’t alone in seeing EDR as essential. Other MSPs specializing in breach response say it can make the difference between damage control and disaster.
Take Oli Thordarson, CEO of Irvine, CA-based Alvaka, whose firm provides “right of boom” — or post-breach recovery — support to help companies recover from ransomware attacks. Thordason’s clients typically get ransom demands ranging from $1 million to $27 million dollars, he said.
When threat actors break into a network, the first step Thordason takes is to install EDR to thwart any further activity as he locks the system down against outsiders. “EDR must be in the company toolkit,” noted Thordarson. “We deploy it on every PC and server.”
Why Visibility Still Matters
While EDR is critical for visibility and response, Thordarson said some organizations may benefit from upgrading to managed detection and response (MDR), which adds a layer of expert analysis and 24/7 monitoring on top of EDR’s capabilities.
Oli Thordarson
One of the biggest challenges Thordarson encounters is a lack of visibility. “They have no current inventory,” he said of many ransomware victims. Without knowing what devices are on the network, it’s nearly impossible to fully secure them. To address this, Alvaka uses automation to detect and protect as many endpoints as possible during onboarding.
Time Equals Money During Ransomware Attacks
Both Cocanower and Thordarson rely on automation to speed response times. Cocanower sets EDR tools to quarantine known threats automatically, then escalates to a technician for review.
“You only have 61 minutes to catch, define, and deal with a cyber threat,” he warned. Beyond that, data may already be encrypted or exfiltrated.
He also plants decoys, known as honeypot files, to test for compromise and watches for behavioral anomalies. “You can’t trigger alerts every time someone uses PowerShell,” he explained. “You have to look for a harmful sequence of commands.”
Logging is another critical EDR function, added Thordarson. A complete record of activity can help techs trace the cause of a breach, demonstrate due diligence, and support recovery efforts.
Find the Right Fit and Stay Current
Not all EDR solutions are created equal. MSPs must evaluate vendors carefully to find tools that suit SMB clients. “What’s good today may not be as good in three years,” Thordarson cautioned. “You have to stay on top of your EDR vendor to make sure they stay relevant.”
Bottom line: MSPs that treat EDR as optional risk leaving clients exposed. Choosing the right EDR solution and staying vigilant can mean the difference between a minor incident and a multimillion-dollar breach.
Featured image: DALL-E
