Explain IT: Season 2, Episode 12 - Endpoint Detection and Response

Running time: 34:17

In this episode we look at EDR, or Endpoint Detection and Response. We dig into its past and look at its evolution to what we see today, as well as exploring how it can work for different organisations. Host Michael Bird is joined by Adam Louca, Softcat's chief technologist for security, and Russel Humphries, VP of product management for the endpoint security group at Sophos, to discuss the pros and cons that come with the newest generation of endpoint protection software.

From L to R: Adam Louca, Michael Bird, Russel Humphries
Host: Michael Bird, Digital Marketing Manager, Softcat
Guests: Adam Louca, Chief Security Technologist, Softcat; Russel Humphries, Vice President of Product, Sophos
Key takeaways
  • EDR solutions have been through an evolution: from signature-based antivirus, through AI and machine learning, to what we see today, solutions that give real context to an attack and an ability to proactively search for attacks.
  • No two attacks look the same, but this next generation of EDR allows organisations to work out very quickly exactly what has happened, the status of every endpoint and whether it is secure.
  • EDR should be seen as an addition to advanced endpoint protection. Organisations need protection, a next-gen endpoint protection platform, as an essential before working out whether EDR is appropriate for them.
  • EDR improves your security by increasing visibility and reducing both time to detect and time to respond. It gives you data in a quicker and more consumable way.
  • EDR needs people to get the most out of it. An EDR solution requires someone who can understand the data it produces and work with it effectively.
  • The future of security looks to be in integration across vendors and technologies, sharing data more effectively to create a more secure ecosystem.
Adam Louca: It is on us as an industry to work out a way that we can work better together so that our tools can share data more effectively. We need to have this data sharing so that we can trigger and we can triage at the speed of machines rather than trying to always put human glue in between.

Michael Bird: Hello and welcome to Explain IT, brought to you by Softcat, the show for IT professionals, by IT professionals, that aims to simplify the complex and often overcomplicated bits of enterprise IT without compromising on detail. I'm host Michael Bird and over the next 30 or so minutes I'll be challenging our panel of experts to take a different area of the IT ecosystem and, of course, explain it. In this episode we're going to be talking about endpoint detection and response, or EDR: what it is, why an organisation should care about it and what the future is. And with me to help is Adam Louca, who is Softcat's chief technologist for security. Welcome back to the show, Adam.

Adam Louca: Hi Michael how are you?

Michael Bird: I'm good thanks! This is your third time? Fourth time?

Adam Louca: I think it's the third time this season.

Michael Bird: So as you have been here for your third time you need to bring your third interesting fact. This one has got to top all other interesting facts.

Adam Louca: So I had a band at school called Test of Nerves.

Michael Bird: Test of Nerves!

Adam Louca: Very emo phase, I was still trying to grow my long hair out, and we mainly did pop punk covers.

Michael Bird: What was the favourite song that you did?

Adam Louca: Very much liked Blink 182, Adam's Song.

Michael Bird: Yes!

Adam Louca: Fully fulfilled my ego as the lead singer.

Michael Bird: And we also have Russel Humphries who is VP of product management for the Endpoint security group at Sophos. Russel thank you so much for joining us here at Explain IT. Russel did you bring an interesting fact with you? I think we prepped you, didn’t we?

Russel Humphries: I brought a semi-interesting fact: my family doctor is the brother of the late actor Robert Shaw and is the absolute spit of him. Whenever I used to go in there, I don't know, maybe the thousandth time he heard the joke "it looks like we need a bigger surgery," he was always kind and polite and laughed appropriately, but it was always a bit of a double-take going to see someone for your sniffles when the last time you saw them they looked like they were chasing down sharks.

Michael Bird: That's really cool. So Russel as the VP of product management for the Endpoint security group at Sophos, what does your job actually entail?

Russel Humphries: Well, at the end of the day a product manager owns the business, if you will, so you are defining what the product looks like, understanding what the competitive marketplace is like, helping design and develop the product in its evolution, not just the needs and the wants for today, but trying to predict where the bad guys are going, where our competition and the market space are going, what customer and user needs are going to be, market trends, if you will, and combining all that with a technological discipline to be able to translate that into terms that developers, data scientists, labs and so forth can help to turn into product for us.

Michael Bird: Good answer, thank you very much.

Ok so first question, EDR then, what is it, can we just quickly define it?

Adam Louca: So I think we have to speak about EDR as an evolution, and probably in three different stages. Stage one was our signature-based antivirus technologies, something that most of us would be very familiar with: the idea that we had a list of bad things and we detected anything that was on that bad list. Then attackers got clever and they started making different types of attacks and they started reforming their attacks so they looked different, so all of a sudden this list got really, really big and we either had to keep giving bigger and bigger lists, or we had to find some new techniques. So this started the revolution, or the evolution, to next generation endpoint. This was endpoint agents that contained additional detective techniques, so it would have things like machine learning or AI-based algorithms to identify malware that was similar to another piece that we'd seen before but wasn't exactly the same. Alongside that we started using things like sandboxes to actually explode the malware, not literally, but to run the code and actually look to see whether it did anything malicious. So a sandbox is, if you think about the word, what is a sandbox? It's a place where the kids play, it's a place where the malware plays, it's a safe space where the malware plays and does its thing and we look to see whether it's good or bad. Alongside that we then started considering things like exploit prevention.
What happened in version 2.1 is that threat actors started realising, "Hey, if we don't use files, these guys are blind," so what they started to do was use this script-based malware that would only run in memory to try and bypass all these mechanisms that we'd picked up to actually pick up their malware. So what then happened was the market responded by looking for the techniques they used to run that malicious code, so these exploits they were using. They would typically take advantage of memory corruption techniques, whether these are ROP attacks or buffer overflows in a very classic style, and what we did is we started to look for these different types of exploits, so this is exploit prevention. And then we combined that, typically, with the network information, so we looked at IP addresses, known bad C2 servers, or looking for randomised DNS lookups, all these different techniques that would give us the signal that maybe this thing was bad. So you can see how much of a big jump that is from version 1 to version 2, or level 1 to level 2. So we did all this and this was great, and we started to get a rate of false positives. Actually these tools were better at detecting a larger range of attacks but they started kicking up a number of false positives, so what we've now done is we've now gone to the third generation of EDR, and for me this brings in three fundamental additional capabilities. Number one, it increases the amount of context we have about an incident, so you see not just the malicious file but also the chain of events that happened before and after that file, and that gives you full visibility of the attack chain. Secondly, we can start to be proactive, so if you have the right skills, and/or you subscribe to a service whereby you get those skills, we can proactively look for these malicious attacks, techniques and targets and start to then take action on that.
And then finally it gives us the ability to proactively respond across a mass set of devices, so should something bad happen. WannaCry is often used as the example, and one of the questions customers were asking me after WannaCry, years ago now, was how do I know if I've been breached? Well, with EDR we have the ability, very quickly and at scale, to work out exactly what's happened and the status of every endpoint and whether or not it's secured.

Russel Humphries: I think I'd like to add on perhaps a little bit more context, and there's the magic word, context. You see, no two attacks can look the same, from a payload perspective, from an initial entry point perspective, even the patterns of behaviour of the bad guys, threat actors are modifying those. So without having an enormous false positive rate, even next-generation solutions are tuned more towards detection than FP, for fairly obvious reasons. I said FP, what is an FP? Well, it's a false positive, where a solution incorrectly convicts a process, an application, a set of behaviours as being bad, when in actuality it was not.

Adam Louca: If you talk about where the security market is going, for me, if you look at it very broadly on a macro scale, it's getting out of the way of the users, and every time we have a false positive we've failed as security people, because we've stopped someone doing something that potentially they were meant to be doing. If we go and capture a Word document that you were trying to work on because we thought it was malware, actually we've prevented someone being effective at their job.

Russel Humphries: I would agree with that right up to the point that the organisation gets hit by the Word macro and all of their servers are encrypted, and then, surprisingly enough, they become more false-positive accepting. Like a lot of things in this industry it tends to pendulum-swing a tad. But in principle, I agree. I think the point I mentioned earlier about context is also important. When one thinks about EDR the premise is that you catch all of the likely actors that fall into the grey space, the unknown space where EDR lives: if we knew it was bad, we'd stop it; if we knew it was good, we'd let it go by; if we're not too sure, well, that's where EDR lives. And one of the key reasons that we have to understand that "not too sure" is just a reality is because vendors have a global context whereas companies have a local context. Let me explain that. I, as a piece of software or a trained machine learning algorithm, could look at a PowerShell script, for example, that could be built in memory, that might be completely legitimate. I have to say, from a threat indication perspective any threat hunter would look at that and go, "That looks fairly smelly," but I have found in the real world that we have customers that have, believe it or not, Word documents and Excel spreadsheets that build PowerShell script in a macro and then execute it as a legitimate, in their mind, code path, as a legitimate part of the solution. It would not be terribly unreasonable to look at that set of behaviours and mark it as malicious in a global context. The local context is, "I know I am the admin and I've written this Excel macro that generates these PowerShell scripts," so if we were to set the adjustment down too low, we would let through too many. If we set it too high we would start convicting innocent behaviours.
As soon as you start munching down the detection barrier even a little bit, whatever the observed behaviour or behaviours are going to the EDR fold, that is where local context comes up, that is where I, as the administrator, can bless, exonerate or convict a set of behaviours, begin to gather that information and contextualise it. That's really where EDR is living.

Adam Louca: So Russel, you mentioned the term "operator", the security analyst, the person using the tool. I guess that's one of the things we see a lot, from our perspective: customers looking to embark on EDR journeys are seeing these very much as requiring investment in people as well as tooling. I'm interested to hear your view on that balance between the need for expertise versus investing in tooling that almost provides that as a third analyst in a box, or "SOC in a box" as it was called previously. I'd be interested in your view because obviously you can't replace that local knowledge, you talked about how important that local context is, but actually how much of this can be automated so that it isn't a burden on SOC or security teams in businesses?

Russel Humphries: It's a cracking question, or I might up-level it if I say that most customers do not have a SOC or security team, so how can we add value for customers that just don't have one? And the answer to that is yes, you're correct, this is where machine learning and artificial intelligence and data science, combined with labs-like curated data services and reputation, can all come together to be able to exhibit, and I'm going to pick a number here just for illustrative purposes, let's say the top 80%. Here we can believe that we can leverage data science, we can leverage the scale of machine learning to look at patterns of behaviour to identify, and again it's illustrative, but it's of this order, 80% of suspicious activities, where an IT admin who has the local context could look at that auto-curated list, if you will, and then be able to add that local context that the machine brain in a box doesn't have. The machine brain in a box, like any ML, can be taught against tens, hundreds, thousands, in our case and in many cases in the malware space tens of millions of examples, but they're examples of stuff we've seen, and it's very good at looking at something it's never seen before and mapping it against those examples. The same thing can be true for behaviours. Let me give you an example: an unknown or low reputation, so there's your curated labs, what's the reputation of something, its prevalence, its provenance, is it signed? Did it come through a trusted installer? These are signals. If it doesn't have any of those signals it might just be a shadow IT app, that doesn't necessarily mean it's bad, but then that application reaches out to an unknown IP address on the internet. OK, these are very suspicious behaviours, again it may not be bad, it could be shadow IT. We can absolutely, in our industry, have machine learning models that could look at those signals and exhibit a warning to an IT admin that asks, in simple terms, do you recognise this?
Is this your shadow IT app? Well, then we can make it easier for someone to press all the metaphorical buttons that ask more: how did it get here? What did it do? What's your judgement, Mr Brain-in-a-box, as to what this thing does?

Michael Bird: So let's talk about organisations then. Why would they consider EDR over advanced endpoint protection?

Russel Humphries: Well, they shouldn't. It should be an "and", not an "or". You should always have a protection-first approach, because the better you are at protecting, the less hunting you've got to do. Pick the strongest protection that you can and layer EDR on top of that; don't go towards EDR first and then think about your protection profile. I would posit, personally, that the better the protection, the more likely you are to catch something earlier in the attack chain, and the likelier you are to catch something in the first place, but I'll come back to this: nothing's 100%, nothing is, so you want EDR on top of it.

Michael Bird: So you're saying EDR needs to be in conjunction with an endpoint detection platform?

Russel Humphries: A next-gen endpoint detection platform.

Michael Bird: A next-gen endpoint detection platform. So you've got an advanced next-gen endpoint detection platform. Why would you then consider EDR? What's the advantage to an organisation, or what would they be missing out on if they didn't have it?

Adam Louca: So I kind of think of three main key things for improvement: increased visibility, reduced time to respond, and reduced time to detect. Fundamentally they are the three things that you're looking for as a security person if you are measuring the effectiveness of a SOC or any sort of security function. MTTD (mean time to detect) and MTTR (mean time to respond) are the two key metrics we're looking for to measure whether or not you are improving and/or you're doing a better job than you were doing 12 months ago. So any technology that increases your ability to do that and gives you more data in a quicker and more consumable way is, to me, an improvement to your ability to perform security operations. I would also say that the second reason you would do it is if you are looking to formalise and actually start to deliver security operations, rather than just having people who look after security management platforms: you need to give these people the tools. They need a totally different dataset to somebody who's performing security engineering, who's maybe managing the management console of your favourite endpoint security vendor. Because that fundamentally is giving you information about install state and health and when the database was updated and how much coverage you've got, which are all very valid metrics, but they're not security-focused metrics and they're not the insight that somebody in that security operations role needs to actually tell you whether or not you are seeing abnormal behaviours on your network, and also to give the relevant information to incident response teams and other interested parties should, as Russel said, an incident happen.

Russel Humphries: I agree. I think as you're doing your shopping, those three capabilities need on top of them three honest answers to three questions. Do I have a SOC? Do I have anyone who has the appropriate capabilities? If the answer is no, and for most people it will be, that does not mean you're not in the market for EDR, it just means you need to pick the right EDR solution, because there are EDR solutions that frankly, if you were to look at them, look like the console of the Starship Enterprise, just in Klingon; there are other solutions that are designed for ease of use and are more consumable; and there are solutions that are designed to be able to address both. Be honest about your own internal capabilities. You may well have an IT individual, you may well have a few IT individuals, they may be able to do tier 1 and tier 2 type incident response, but have a tool that allows a security partner, and find a security partner who can do that tier 3 for you, who can come in if you need to do a more detailed forensic deep dive, perhaps. Make sure you've picked the type of tooling and the type of partnership that allows you to do that if you don't have the SOC. Point two: if you do have the SOC, you're probably paying a six-figure per year price for your top-end security threat hunters, and if I'm not far off it, if not that, what's the value of their time? The second question is, is your solution making the best use of their time? Is the signal-to-noise ratio appropriate? Is it a tiered solution, is what I come back to: can the top 80% be given to your technical support team, who are frankly a whole lot cheaper? And can you free up your SOC person, if you do have that SOC person? And finally, with none of those three things, the other acronym we haven't mentioned is MDR, managed detection and response. What is that?
Well, as the name would suggest, that's an EDR solution with the management of that solution outsourced, and I believe that for some companies will be an attractive model. I think security as a service is definitely growing, it's a trend that I think we'll see continue, and I think EDR products should be designed such that they can be of utility to the customer internally and of utility to the MDR provider.

Adam Louca: I totally agree. I think the MDR space is massively and rapidly growing. I think customers have to be careful, as with a lot of things: buying more stuff just makes more noise, and if you don't have the people who can understand the noise you're just standing in a room that's a cacophony of alerts. If you don't have the time and potentially the expertise to understand what that means, you've just made it worse for yourself, because actually you've now got even more noise to sift through than you had before, so you're even more confused and you've got even less certainty of what's going on. So before you embark on this journey of creating and plugging more stuff in, and EDR is only one part of this, you can look at SIEM, anything that is really a detective control that isn't preventative by nature. Every time you add a detective control all you're doing is shaking the tree more and more, and unless you know whether what is falling out is a leaf or an apple, you've just got more stuff falling on the ground.

Russel Humphries: A wide selection of a few tools that can deliver the right level of signal-to-noise ratio is very important. This is where the context piece comes in and this is definitely where data science can help expand out dramatically. I mean, think about, for example, and I'll give you a real-world example, we were doing some initial tests in customer estates of how often PowerShell gets run. A fairly small estate had 10,000 PowerShell executions in a week.

Adam Louca: If you had to filter and investigate each one of those…

Russel Humphries: You wouldn't be able to do much. Now imagine if you can add the context that machine learning and data science and labs can. PowerShell running in memory, spawned from…

Adam Louca: WinWord

Russel Humphries: …a document with a Mark of the Web, or a script that can be scored because it's encoded. I mean, that's a heck of a tell, to start with right there. So by adding more context, by adding more layers that can come from curation. You can't beat people, you've said it before: having human beings in labs around the world who are keeping track of what's happening is very important. Machine learning scales the people, that's what machine learning does; think about the way your car is driven, it's doing image recognition all the time, radar image recognition and all that good stuff, scaling up. Then combine that together with a sensible data model and presentation layer, and now those 10,000 signals can drop down to a couple of hundred, maybe, and now that's consumable, now that's something that someone can look at.

Adam Louca: So I've got an interesting question for you, Russel, one I got asked very recently for my opinion on. If you had to choose between endpoint and network as your source of detection to provide this, which one would you choose and why?

Russel Humphries: Endpoint, every time.

Adam Louca: Why is that?

Russel Humphries: Can you guarantee that your laptop's going to be on the corporate network?

Adam Louca: I think that's fair.

Russel Humphries: I don't know about you, but I spend entirely too much time working in Starbucks, that's my caffeine addiction probably, once a developer always a developer! I think about a decentralised world now. I'm sure many of the people listening to this will be in their car now, they may even be in an aeroplane, lots of us travel, lots of us work in the T5 lounge, at home, all over the place.

Adam Louca: The T5 lounge at home? Your house must be lovely!

Russel Humphries: The T5 lounge, comma, at home, comma. Sophos, you're in head office, lovely office, we couldn't host everyone if everyone turned up on the same day. I'm sure it's true for many offices now: if every employee who's meant to have a desk turned up, they wouldn't fit in the car park. That is the nature of modern work, so I'd pick the endpoint. The other reason I'd pick the endpoint is, it's an opinion, but you asked, most of the detections that are application or behavioural based via the network require a lot more intelligence to connect to try and contextualise, whereas the endpoint, the thing that generated the traffic, that sensor definitely has the most context of what is occurring on it. So I think it's probably the highest resolution.

Adam Louca: Interesting. I think the other question I would ask you is, a customer is looking to buy EDR, or some type of EDR, or SIEM. Where do you put your money?

Russel Humphries: That's going to depend on the customer, and that's such a political answer, isn't it?

Adam Louca: Just interested. I think it's interesting, we speak to a lot of customers who are maybe looking at the next SIEM project and they're going, "Should I buy SIEM?"

Russel Humphries: Depends, are they shareholders in Splunk? If you're a shareholder in Splunk, say yes! Kidding aside, there's a reason they charge by the gig. SIEM is not cheap.

Adam Louca: None of this technology is cheap.

Russel Humphries: That's true. I would posit this: if you're in an organisation or industry where you have to deal with malicious insiders, very significant legislative audit requirements, you're probably going to need the SIEM. I would posit you are going to need the EDR solution because your SIEM is almost a backdrop, your insurance policy.

Adam Louca: I’d agree.

Russel Humphries: But the EDR solution is your day-to-day threat hunting and incident response tool, so sadly I'd say both. Here's the good news: if you can afford the SIEM, the EDR solution is a relatively small percentage on top. For most customers, even with the relatively new announcement by key cloud vendors, by the way, who are trying to make their cloud stickier by sticking loads of data on it, that SIEM is more attainable, even if that were true, and I posit it isn't, EDR is more day-to-day usable by IT and threat hunters.

Adam Louca: It's interesting how we've come to this the wrong way round, to some extent. Obviously SIEM is a more historic technology and more customers are looking at it as if it's SIEM first, then EDR, and you would probably say that actually, in the real world, EDR then SIEM is probably better for most customers on their maturity journey, would you say?

Russel Humphries: I would definitely say so. To be blunt, SIEM is actually relatively easy: record everything, throw it in a bloody great big data lake and then provide tools that experts, and there's the magic word, tools that provide experts the ability to join the dots and do the peer velling. Intelligent filtering, getting the signal-to-noise ratio right, adding context and colour to the detections that you've got, so that a SOC analyst in the real world of day-to-day can actually respond and find something, that's where EDR lives. I believe if you were to look at SIEM, it's probably the great post case, super detailed type of set of technologies. It was easier to do, which is why it came first. SIEMs have been around quite a long time, and I think machine learning definitely has the set of technologies that have evolved so you can put them on the endpoint now, and that's definitely something; there's more than one type of ML technology. Deep learning as a technology allows you to do significant data science work on an endpoint with a 10 MB footprint, which wasn't possible before. It's the technologies, again, that are enabling EDR to actually deliver on some of the promise of SIEM, but there are still going to be industries where someone's going to say, "but what if…". It's a fraction of the overall market, it tends to be the Fortune 5000s, the bigger guys of course, but for those guys, yeah sure, I'll take both.

Michael Bird: Why would an organisation not want EDR? What are the disadvantages of EDR?

Adam Louca: So we've kind of covered a couple of them as we've gone through. Fundamentally this is going to create more alert noise. It's just the truth: you will see more, therefore you will have to make decisions on the status of those alerts. So if you're already an organisation that is maxed out, if you already don't have time to look at the potentially basic tools you've got today, I would argue that throwing EDR into the mix, while it may provide you with more relevant, contextual and maybe more accurate alerts, is probably not going to help if you already don't look at the alerts you've got today, because fundamentally your issue is bandwidth and resource. So my view on a lot of these things is that we do have to still be very careful that we are not just throwing more tools at the wall and hoping that they will fix our security problems. Good governance, good architecture, good processes and good people are fundamentally much more important than going in and buying another bit of technology that you already can't leverage effectively.

Russel Humphries: I agree, no security tool on the planet is going to help you if your username and password are still admin/admin, which, by the way, I still see.

Michael Bird: And so is there an argument for organisations not to get an EDR solution?

Adam Louca: Yeah, I think if I was sitting with somebody in the IT leadership team at a customer and they said to me, "Adam, we have X thousand pounds over the next five years and we can either buy your snazzy EDR solution you showed us, or I can get a security professional in to add an extra body to my already overworked team," I would tell them to get the extra body, because I know fundamentally that will make that customer better at performing these security roles. The middle ground for that is organisations like ourselves and Sophos who are providing managed security wraps around the technology, so I think as an industry we are adapting to the fact that resourcing is incredibly difficult to obtain, it's incredibly expensive and it's incredibly limited. So fundamentally I no longer think it's about the product, it's about the outcome that it delivers and it's about the delivery, whether that's you delivering it or somebody else delivering it. Make sure you are really exploiting your security tools, because otherwise they are just boxes running in flashy-light mode.

Michael Bird: Let's look to the future then. For EDR, what does the future look like? Is there going to be a fourth generation of endpoint protection?

Adam Louca: For me, I genuinely believe that the next wave in security is integration, whether that's integration between different technologies within a vendor's own stack, or integration between different vendors across a stack. That for me is fundamentally how we're going to solve this resource problem, and I think it is on us as an industry to work out a way that we can work better together so that our tools can share data more effectively across what I like to think of as frenemies. Fundamentally everyone is a frenemy these days: we all share data, we all share threat intel, yet we all go and pitch for business against each other, but that's kind of how the industry has to work, and we need to have this data sharing so that we can trigger and we can triage at the speed of machines rather than always trying to put human glue in between. I think for me that amazing next generation of EDR is not about the technology somehow magically getting any better, because I do believe we're not slowing down, but I do think we've gone through a serious rate of change in terms of the improvement of the technologies and techniques we've got to detect malicious code. Personally, and from my experience, I can't see us going through another immediate step change of that again; I think that will probably start to curve off in terms of technique, but I think where we will start to see those improvements is the integration piece, and sharing that data to trigger multiple events across the security ecosystem without the human having to do anything.

Russel Humphries: I can only amplify that actually. I think organisations are going to want to expand the scope beyond Windows, because frankly when you think about EDR today it is, to the vast majority, Windows Endpoints and that's just not the reality of a heterogeneous environment these days. I think the statement will be, “I want you to secure my workforce,” not, “I want you to secure my Windows device,” that's just a reflection of a hardware and software and operating system selection that the information worker may have chosen or may have been forced upon them. When you start thinking about as a service which I believe the industry will evolve to over the next five to seven years, then it will be protect my people, because that's protecting my business. Let’s just face some facts for a moment, other than us on the call, for most people security’s kind of a tax, to keep the business running, and to protect the reputation so they don't get sued or GDPR’d or whatever it may be and people think about their business as an entity and their people as an investment in that to protect my people that means that the solutions required need to be able to cover the Windows machine, their Mac machines, their mobile devices and their online presences.

Adam Louca: And the SaaS apps and everything else.

Russel Humphries: Exactly, and their online presences. As I go into Office 365 from my mobile device, because I do and I'm sure many listening to this do as well. I have a Mac, I have a Chromebook and a Windows machine – I’m a geek but lots of people do.

Adam Louca: The Chromebook EDR agent is not there, is it?

Russel Humphries: Well actually, funnily enough it's coming. But yes as a general rule there really isn't much coverage other than Windows, there's a little bit of Mac and some people talking about Linux, I think it's important. I do believe that the data science investment will continue to pay dividends. I think we've only just seen the tip of the iceberg for what data science can give us, it's not the magic bullet, any organisation will require expertise and skills, you can't rely on ML to do all of it for you, but I am a great believer that it will democratise, at the moment, a series of specialised skills down to the level of an IT administrator, that should be our goal in the industry. There's always going to be the top 10% at the top, we could argue what it is – 10, 5, 20 – there’ll always be the cream on the top of the coffee where you need greater expertise. It should get thinner and the vast majority of the difficulty should be automated and democratised through data science, through labs, through software.

Adam Louca: So we spoke about the fourth generation of Endpoint security being all about integrating things together, what role do you think EDR has to play in that integration?

Russel Humphries: Ok so that's a great question, I think it's very important people can get their information out just as easily as it's gone into any platform. APIs everywhere is a pretty darn good way to distil that down. We were talking earlier about EDR and SIEM and the customer may evolve from, I would posit, an EDR solution to perhaps requiring a larger data lake that’s a single source of truth. Having an API set and methods to be able to easily export information into that data lake would seem like a fairly obvious starting point. But above and beyond that I would expect a platform to allow a customer to do ad hoc questioning. I'm not going to be conceited enough to think that I could design a user interface that could cover every scenario that a customer may want to envisage to be able to ask questions about their estate. If however we lay our interface on top of an API set and expose it then customers or partners can customise on top of that API set to their heart’s content.

Michael Bird: So Adam, to summarise?

Adam Louca: To summarise, EDR is the next generation evolution of Endpoint protection software, it gives us lots more signals, gives us lots more context, gives us lots more information, but that comes with downsides of needing to interpret and/or have people who are able to interpret and take the value from that data to perform the right actions at the right time. Good EDR solutions for most organisations will look to include techniques that help us filter and sift from the signal to the noise that gets you to the right information straight away and that offers support to ask for help from external parties, whether that's programmatically, up to sandboxes, or alternatively human beings on the end of a telephone, and it provides organisations with a way to react and understand incidents from the beginning to the end, should the worst happen and you need to understand the repercussions of that incident.

Michael Bird: Fantastic. Well Adam and Russel thank you so much for your time. Listeners if there's anything in the show that has piqued your interest or if you'd like to speak to someone at Softcat about anything we've talked about in this episode do make sure that you check out the show notes where we’re going to put some information about some of the stuff we’ve talked about in this episode, as well as some contact details. So do also make sure you click subscribe wherever you get your podcast and we will deliver the next episode to your device as soon as it lands. So thank you for listening to Explain IT from Softcat.