1. Tasks to be performed when utilizing EDR

Companies that implement EDR aim to raise their security level by strengthening detection and response. However, to achieve its effectiveness, it is essential that operators make continuous improvements, rather than just "implementing" it as a goal.

The tasks that should be performed to utilize EDR include, for example:

• Analyzing the impact of detection alerts and formulating response policies
• Plans for recovery and prevention of recurrence in the event of an incident
• Researching the latest threat trends and reviewing countermeasures
• Improved accuracy of reports
• Preparation and submission of regular security reports

2. What are the actual challenges faced in the field?

However, in reality, many challenges exist. Dependence on the skills and knowledge of personnel and the increasing burden of daily operations often mean that the tasks that should be focused on are put off. The following are some of the most common challenges.

• troubleshooting
  Dealing with problems that affect business operations, such as false positives and communication blocks in business applications, is difficult, and it takes time to identify the cause and set up exclusions. This tends to depend on knowledgeable personnel, and in many cases, recovery times are long.
• Sensor version selection and upgrade
  EDR recommends periodic sensor updates, but because behavior differs depending on the version, decisions must be made that involve verifying compatible operating systems and compatibility. Without experience or knowledge, it is difficult to make appropriate decisions, which poses a risk.
• Impact investigation when an attack is detected
  When an alert occurs, a deep understanding of EDR logs and process trees is essential to immediately understand "what happened" and "which devices were affected." Because it is highly dependent on skill, there are differences in response speed and accuracy depending on the person in charge.
• Skill gaps due to personnel changes
  When new staff members take up the position, a significant amount of time is required for education and training. Until they become accustomed to the operation, quality may not be stable, and security risks may increase.

As such, the daily work of EDR operations is heavily dependent on the skills of the person in charge, and if knowledge is insufficient, there is a risk that the "improvement of security levels" will not be fully achieved.

3. The solution: Introducing Assist Pass

To solve these issues, it is effective to utilize external resources with specialized knowledge and experience to complement in-house operations.

In particular, AssistPass, an operational support service specialized for CrowdStrike, uses a ticket-based model that allows you to receive professional support when you need it. This is an effective solution because you can receive pinpoint support that is tailored to your company's resources and skills.

Purpose of this service

Assist Pass addresses the following issues that are frequently encountered in actual operations:

Task	Assist details	Ticket consumption
Sensor upgrade decision support	Advice on selecting the latest version and verification points	4 sheets/times
Investigating whether or not attack methods can be defended against	Reports on whether CrowdStrike products are compatible with specific attack methods	8 pieces/time
Training for new employees and those in charge	Beginner to advanced training (hands-on format)	8 or more
Automation compatible	Support for automated notification and isolation using Falcon Fusion, etc.	4 sheets/times

By combining these, you can significantly reduce the burden of daily operations and create a system that allows personnel to focus on their primary focus: security strategies and improvement work.

Menu usage examples

Menu usage example