Typical EDR Reports Created For Management

egrizzly

Hi all,

What are some typical EDR reports you normally send to Management on a weekly basis so they're satisfied?  A plus if you're using CrowdStrike Falcon

UnixGuy

Metrics around number of incidents detected, investigated, false positives vs true positives, coverage, vendor updates/context if they're useful.

The reports will provide more value if they have some context.  For eg. Firewall stopped 54944 attacks.   Vs. Firewalls helped reduced phishing attacks by 40% this month due to some new configs.

I find it challenging sometimes to make the reports useful, as tools are only a small piece of the puzzle.

JDMurray

SOC analyst metrics such as Mean Time to Action (MTTA), Mean Time To Contain (MTTC), and Mean Time To Remediate (MTTR). Incident metrics such as Mean Dwell, Severity (impact), and Root Cause Analysis (RCA).

egrizzly

UnixGuy said:

Metrics around number of incidents detected, investigated, false positives vs true positives, coverage, vendor updates/context if they're useful.

The reports will provide more value if they have some context.  For eg. Firewall stopped 54944 attacks.   Vs. Firewalls helped reduced phishing attacks by 40% this month due to some new configs.

I find it challenging sometimes to make the reports useful, as tools are only a small piece of the puzzle.

Thanks dude. I think this is something I can action right away!!!

JDMurray

Isn't your management asking for what they want in your reports? Are they interested in metrics on threats, vulnerabilities, security operations performance, or how budget is being spent?

chrisone

All great answers to keep you busy.

I have a few ideas but not sure if CrowdStrike Falcon has such telemetry & reporting.

• Identify the types of alerts based on MITRE Framework. I see CrowdStrike supports this.
• Behavior analytics if supported by CrowdStrike. 
• Country of Origin for blocked attacks or blocked suspicious connections the EDR took action on.
• DASHBOARDS - build out dashboards on CrowdStrike, these are quick wins. 
• EDR coverage metrics. Hosts or Servers missing EDR protection?
• Baselines (critical for anomalous behavior)

Not sure what other products you manage for endpoints. But do you work with Vulnerability Assessment/Scanning?

• Pull reports for top 15 critical and high vulnerabilities/missing patches.
• Pull reports for the high profiled emergency vulnerabilities this year such as Log4j, PrintNightmare, Follina, VMware, etc. 
• Pull reports for strange and random installed third-party software. (unsupported software)

Endpoint Hardening (If you have a say in hardening the OS)

• Disable powershell for standard users
• Enabling powershell auditing/logging
• Disable powershell 2.0
• LAPS: Microsoft Local Admin Password Solution
• Browser hardening or browser standardization. 
• UAC & local Firewall enabled (believe me a lot of places disables these)
• Microsoft Credential Guard
• Microsoft Application Guard
• Standardized HelpDesk Remoting tools (I feel any domain is in trouble if all remote assitant tools are allowed on the network, need to standardize those)

Look up Windows OS hardening for other ideas you can work on. CrowdStrike may have articles on this as well. Always reach out to your customer rep. Also auditing, logging, hardening for SERVERS will be another journey with their own set of challenges. 

Hope this helps!