When it comes to the footprint of an endpoint detection and response (EDR) product, size matters. That’s some of the advice Forrester analyst Rick Holland offered during a recent webinar hosted by the research firm and Cybereason.
“With many security vendors offering next-generation endpoint products, businesses are unsure about what to look for when reviewing their options,” he said. “A good place to start is by looking at the size of the agent’s footprint.”
Challenge the small footprint promise
Holland discourages companies from simply accepting vendor claims that their product has a small footprint. “When was the last time you heard any vendor say they have a large, intrusive footprint?” Holland said, adding that all vendors describe their products’ footprints as small.
He recommends companies quiz vendors on how the agent operates, asking questions like what percentage of the CPU does the agent use, what’s the size of the agent and does the agent run in the kernel or user space.
Consider the implications on other agents
“Context matters when defining what constitutes a small footprint,” Holland said. An endpoint product may have a small footprint, but it could expand substantially when considering the other agents already running on a machine, such as IT other security agents. One should also consider what will happen in the future, as other software will be installed on the endpoint.
“Because of this, organizations are looking to stack functionality to minimize the number of agents running on a machine,” he said.
The kernel vs user space debate
Companies looking to deploy agents in the kernel should proceed with caution.
“There are challenges [with] operating in the kernel,” Holland said, adding that he sets customer expectations about what can happen when you work in the kernel.
Some of the risks associated with kernel-level deployments include slow computers or more serious issues that could greatly hinder business productivity, like blue screens, he said.
Businesses need to look beyond successfully implementing kernel-level agents and think about how an agent works with other applications currently running in the kernel, such as antivirus software, as well as applications that could be added to a machine in the future.
Endpoint products that work in the user space and collect relevant security data exist, but companies are under the illusion that agents can only run in the kernel to be successful.
“Companies that are considering an endpoint product that runs in the user space but doubt its detection abilities should test the system,” Holland said.
Put it to the test
Seeing how the product works across all builds in a company’s IT environment gives more insight than either an analyst or vendor can offer, he said.
A demonstration will show if the product can provide the detection levels an enterprise requires and prevent a company from spending substantial sums of money on a system that fails to meet its needs, Holland added.
This is the second blog post in a series looking at the five points an enterprise should consider when evaluating next-generation endpoint security products. The first blog post gave an overview of each point and subsequent blogs will delve further into the individual topics.