
Why Endpoint Detection and Response (EDR) Matters

Kandji Team

As director of security and compliance at Neural Payments, David Patrick knows he can’t be complacent about the Apple endpoints in his care. “Previously, we could just say, ‘It's an Apple device, there is no malware.’ That just isn't sufficient anymore.”

As the number of Apple devices in the enterprise has increased, so have efforts by bad actors to compromise them. Fortunately, Apple’s operating systems and a number of business-ready third-party tools have both evolved to address such security threats. So while those Apple endpoints aren’t impervious, they aren't defenseless, either.

We recently sat down with three Kandji customers—David Patrick as well as Mario La Porte (IT manager at TensorIoT) and Ryan Donnon (director of IT at First Round Capital)—and Apple security expert Patrick Wardle, founder of the Objective-See Foundation. We talked about the evolution of threats to Apple endpoints and how EDR solutions can help address them.

Mac Threat Landscape

Patrick Wardle has witnessed the changes in the security landscape in real time: “I've been involved in Mac security space for almost ten years now,” he said. “When I started, Mac malware was really not that common, and the threats that were out there were very basic, very amateurish.”

“In the last few years, though, we've seen an uptick both in the prevalence and sophistication of these threats.”

Just this year, for example, we had the 3CX supply-chain attack. What was interesting about that attack, said Wardle, was that it had a specific macOS payload.


“Previously, a lot of supply-chain attacks have been focused on Windows,” Wardle told us. “But now attackers realize that Macs are common in the enterprise and are adding Mac capabilities to their attacks.”

The same applies to other types of attacks, he said, citing the LockBit ransomware group.

Another change in the threat landscape: as SaaS products and open-source software become more popular with end users, the attack surface that security teams have to defend has expanded.

“In the world we live in, where SaaS products are so prevalent, or where there are a million packages on GitHub that you can download,” said Ryan Donnon, “you need a product on everyone's computer that will ensure them that you have their back, even if they don't know it.”

Mac Security and Stakeholders

Fortunately, awareness of the threats among users, customers, and other stakeholders has been expanding, too.

“In the past, [customers] would ask broad questions like, ‘Do you use antivirus?’” said David Patrick. “We relied on XProtect in macOS, so we just answered yes. And that was usually sufficient.”

But it didn’t last. “Our customers—primarily because of recent security events—are asking very direct questions. They don't want us just to check the box. They want to know specifics: What are we doing? How are we doing it?”


Industry requirements were also a factor in forcing companies to step up their security game.

“The industry I'm in—financial technology—has significant compliance requirements,” Patrick told us. “But they're very vague. They just say that you need some kind of antivirus—that's pretty broad.”

Even users began to demand tighter security for their Apple endpoints.

“Historically, at other companies, I’d had a lot of pushback from end users,” said Mario La Porte. “There was a lot of: Why do we need to have this?”

“But when I came to the company I'm with now, it was, ‘Why don't we have an antivirus? When are we going to implement one?’ They want to stay safe because they realize that downloading packages and libraries from Git isn’t.”

Mac Security and User Experience

But safety isn’t the only concern users have. If they are forced to choose between their own productivity and the organization’s security, security is the one that gets pushback. As Ryan Donnon put it, “You don't want to slow them down because, ultimately, your job is to enable people to get their work done.”

Privacy is their other big concern. With his previous EDR solution, Mario La Porte said, his tech-savvy users had questions: “‘Why does it need an SSL certificate to sniff traffic? What is it tracking? What does that mean when I'm browsing on my laptop?’”


Clear communication can address both concerns. Explaining exactly what your security solution is doing (and not doing) goes a long way toward maintaining the goodwill and collaborative culture you need as an admin. Making things easy for users also helps security directly.

“If you stop people from doing what they want or need to do,” said Donnon, “they will very quickly find ways to work around you.”

Ideally, if you didn’t tell them you were implementing a new security solution, your users wouldn’t notice. When he first started testing Kandji EDR, David Patrick told us, “The general feelings of our users were neutral—which is exactly what I want. They haven't been impacted at all.”


The point is that productivity and security have to go hand in hand: you can’t have one without the other. Degrading endpoint performance hurts both. Providing a great user experience is essential to providing great security. In our next post, we’ll talk about how these IT leaders use MDM to make that happen.

To see the entire discussion, head over to our MDM + EDR event page.

About Kandji

Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to how IT, InfoSec, and Apple device users work today and tomorrow.