EDR Vendors Face ‘an Existential Crisis’ as Businesses Increasingly Use the Cloud
CrowdStrike, Microsoft and Trend Micro sit atop the Forrester Wave report for endpoint detection and response providers as vendors grapple with business data increasingly moving to the cloud.
Forrester Wave author Allie Mellen says Extended Detection and Response vendors face “an existential crisis” as the endpoint becomes less important now that businesses are typically storing their data in the cloud rather than on the endpoint. This has forced EDR providers to build out full-fledged EDR platforms that incorporate different telemetry sources and provide robust protection for cloud data (see: Forrester Report: Key Questions to Ask XDR Vendors).
“When looking at how EDR strategies have changed and how implementations have changed, it’s really all driven by getting to XDR and trying to provide XDR to clients,” Mellen tells Information Security Media Group. “This was a really regular thing that I saw not just in road maps, but also in the product vision for the next five years.”
Forrester heaped praise on CrowdStrike for having the best current EDR offering and best strategy among the 15 vendors evaluated, while Microsoft took the silver in both categories. Trend Micro was awarded bronze for its current EDR offering and recognized as a leader overall, while Elastic took the bronze for EDR strategy and was recognized as a strong performer overall.
“CrowdStrike has dominated in EDR for a long time, and the quality of the offering is really quite high,” Mellen says. “One of the things that’s really beneficial for CrowdStrike is they’ve had their MDR service for a long time, and that feeds a lot of how they think about what workflows should be integrated into the product and how they should be enhancing the product to actually improve it for practitioners.”
Forrester’s take on the EDR market was quite similar to two years earlier, when the technology research firm also named CrowdStrike, Microsoft and Trend Micro as its overall leaders. But the subcategory rankings were more muddled in early 2020, with CrowdStrike and SentinelOne tied for the lead in EDR strategy while Cybereason, Microsoft and CrowdStrike took the top three slots in current EDR offering.
Outside of the leaders, six vendors were named as strong EDR performers in 2022: Bitdefender, Elastic, Palo Alto Networks, SentinelOne, Sophos and VMware Carbon Black. Cybereason, FireEye and McAfee were named EDR contenders, and the latter two merged in January to form Trellix. BlackBerry Cylance and network security vendors Check Point and Fortinet rounded out the Forrester Wave as EDR challengers.
“It’s all about thinking about practitioner problems and then implementing unique and differentiated features to solve them,” Mellen says. “If we reach the point of, ‘Hey our competitor has this so we need to have it,’ that is not going to end you up in the leader category because we need to see something that is actually unique and differentiated across multiple different categories.”
Trend Micro’s Hunt for Threats
Trend Micro has spent the past year adding automated response actions and building threat hunting capabilities into its Vision One EDR platform, Director of Product Marketing Lori Smith says. The threat hunting investments have allowed Trend Micro to evolve from reactively taking action on detections to proactively searching for early indicators of compromise even if a formal detection hasn’t surfaced yet.
“The earlier that you can see something, the less impact it’s going to be on the organization,” Smith tells ISMG. “It’s really about being proactive and minimizing threats in your environment.”
On the response side of the equation, Smith says Trend Micro has added custom script enhancements so users can automate their response and preemptively dictate what action they want to take in certain situations. Trend Micro offers broad coverage across Windows, Linux and Apple operating systems and delivers XDR tooling as part of the Vision One license without customers having to buy another product.
Forrester criticized Trend Micro for limitations around compliance reporting and not providing orchestration of response across multiple endpoints. Smith says Trend Micro plans to address both of these areas in the coming months, and the company will be rolling out security playbooks and pursuing integrations with security orchestration tools to respond more effectively across multiple endpoints.
A compliance reporting dashboard is in public preview that offers new views into threat activity as well as the state of security risks within a customer’s environment. Reporting is needed for both compliance and cyber insurance purposes, and Smith says the new dashboard will help customers visualize their attack surface, current level of exposure, threat activity in the ecosystem, and mitigation and response options.
“Much of our development in the past year has been about providing the views and tools to fulfill the stages of attack life cycle management,” Smith says.
What Sets CrowdStrike and Microsoft Apart
The Forrester Wave report lauds CrowdStrike for prioritizing feature enhancements in EDR and prevention capabilities, and expanding into additional XDR capabilities around identity, data and third-party ingestion. The Falcon Insight product is praised for allowing threat hunters to create real-time detection rules and scheduled queries and for contextualizing search results with threat intelligence.
Forrester criticized Falcon Insight for lagging behind competitors with only seven days of data retention by default, which has forced customers to export their telemetry to another source for longer retention needs. CrowdStrike leaders weren’t immediately available for additional comment to ISMG.
“Because of our foundational work in having the best EDR solution, we are well-positioned to lead the XDR market as we continue driving innovation and moving the industry forward together,” CrowdStrike Chief Technology Officer Michael Sentonas said in a statement.
Microsoft was complimented by Forrester for its threat investigation features, such as autogenerated human-readable detection names and being able to replay the attack story so customers can see exactly what happened in what order. The Defender for Endpoint product was also praised by Forrester for its native sandbox feature, response recommendations, remote shell capabilities and custom scripting.
Forrester critiqued Microsoft for not allowing threat hunters to create custom detection rules based on a hunt, and said Defender for Endpoint is best suited for those with a large Windows deployment or those moving to an E5 license. Microsoft leaders weren’t immediately available for additional comment to ISMG.
“Microsoft gives security operations teams full visibility of not just endpoint information but also signals from identity, cloud applications and email in Microsoft Defender 365 to help security teams more rapidly detect and evict threats,” Rob Lefferts, corporate vice president of Microsoft 365 Security, says in a blog post.