Endpoint Detection and Response (EDR) Implementation and Tuning
Design and Pilot
We begin by defining the technical integration points and architecture considerations for your EDR toolset. We then design, plan and lead a pilot, installing the solution in a limited environment to verify functionality, compatibility and integration with the IT environment, and to confirm agent stability before a wider rollout.
Integration and Tuning
Following a successful pilot, we coordinate rollout, including grouping of assets and change control for installing EDR agents on your endpoints and servers. We configure EDR alerts to match your detection use cases, bringing our own extensive library of use cases and configurations and combining them with your specific needs. If appropriate, we configure EDR to send alerts to your SIEM for streamlined endpoint event monitoring. We assist you in creating SIEM correlation rules associated with EDR alerts and critical asset groups. We integrate your external threat intelligence feeds as appropriate and conduct testing to ensure intel is being correctly matched against alerts.
Incident Response Workflow and Documentation
We document processes for EDR alert analysis, communication and resolution steps, based on industry-leading practices (NIST, SANS) and a recognized ‘kill chain’ model. We document an EDR runbook including process flows, roles and responsibilities. We work with you to incorporate EDR into your Incident Response Workflow (IRW) to improve your process effectiveness.
We document the solution environment, including the technical requirements and dependencies needed for smooth operation, and we train your staff and transition the solution to them.