Skip to content
Get A Demo
Sign Up Free
    July 10, 2023

    The Benefits of Pairing Blumira With EDR

    “I already use an EDR. Why do I need another agent when you integrate with my EDR?

    Since an endpoint detection and response (EDR) platform is already designed to thwart cyberattacks, why layer another platform on top of it? 

    These questions have become common after we released Blumira Agent, which sends Windows logs directly to the Blumira cloud over any internet connection to add support for work-from-home environments.

    A common concern is that the Blumira Agent could interfere with the NGAV/EDR/MDR that you may already have in place, or that they’re a total duplication of effort. Let’s discuss why this isn’t the case. 

    But First: What is EDR?

    Endpoint detection and response (EDR) is a product category that refers to security solutions that continuously monitor end user devices (such as workstations or servers) to detect and respond to threats. 

    Some EDR vendors include antivirus or next-generation antivirus (NGAV) features bundled into their EDR solutions. NGAV may use machine learning/artificial intelligence to detect and prevent malware/fileless malware attacks. Traditional antivirus (AV) focuses on file-based malware signatures (known threats). AV can catch malware, but it can’t tell you where it came from.

    An EDR should identify attacker behaviors, rather than focus on signatures like traditional AV. But to get the full benefits of EDR, you need to have security experts writing detections for your EDR and monitoring and investigating the unusual behaviors that it identifies.

    While most cyber insurance providers mandate the use of EDR, most end users don’t really utilize the capabilities of their EDR. If your EDR isn’t managed and monitored by security experts, in-house or third party, you’re likely mainly using the NGAV functionality and using “EDR” in name only.

    How Does Blumira Agent Work?

    While Blumira has supported Windows logs for years using NXlog and Sysmon, collecting them was a function of the Blumira Sensor, an Ubuntu VM that sits behind the firewall. So having visibility behind the firewall was a prerequisite for collecting them. This wasn’t ideal in a remote-first world. 

    To solve this, we partnered with LimaCharlie, integrating their Windows “sensor” to ship all Windows data we need securely and directly over the internet.. This allows us to seamlessly send customer Windows logs directly to the Blumira cloud for analysis and automated detection of security threats, sending you prioritized findings and playbooks for guided response.  

    The Blumira Agent doesn’t have a tray icon. It doesn’t show up in Add/Remove programs. Users won’t even know it’s there. We’ve seen about a 5x performance increase vs the NXlog+Sysmon approach. Afterall, you’re consolidating from two ‘agents’ down to one. Another huge benefit is that the Blumira Agent updates itself. So no more nastygrams from your vulnerability scanner telling you that Sysmon is out of date. 

    Learn More About How Blumira Agent Works 

    Blumira Agent vs. EDR

    Since the Blumira Agent’ focus is log shipping, it doesn’t replace your NGAV, and your NGAV won’t block it either. Blumira Agent runs very lightweight next to any existing NGAV solutions to provide you with in-depth telemetry and targeted system log collection. This allows for enhanced threat detection, hunting, and compliance satiation. It enables roaming and critical machines to have log collection that doesn’t depend on a sensor behind the firewall.  

    Blumira’s real-time detection capabilities and analytical detections gather more detailed information than Sysmon or many other NGAVs can by combining curated EDR and system log collection into one package. And since all of Blumira’s detections and guided responses are delivered after the logs are received in the cloud, there won’t be any fighting between our agent and your current endpoint protection of choice.  

    Most EDRs keep logs between 30-90 days. Some offer expanded storage for a fee. The logs captured by the Blumira Agent are kept for 1 year.

    The Benefits of Blumira + Your EDR

    Increased security value. Defense in depth is predicated on the idea that any single solution shouldn’t be the sole source of protection. Security in layers combines multiple tools and strategies to provide a more comprehensive approach. Having layers that overlap isn’t wasted effort; conversely, it strengthens your security posture and minimizes the likelihood of a breach. 

    If you’re already using an EDR or managed detection and response (MDR) platform, using Blumira’s XDR or SIEM+ will increase security value when pairing them together. 

    Meets Compliance and Cyber Insurance Requirements. Combining Blumira with an EDR or MDR will help you check multiple cyber insurance checkboxes for EDR, SIEM, data retention and 24/7 SOC. 

    Most EDR/MDRs do not retain logs for a long period of time; if optional, it’s often at a significant added cost. When logs are needed for incident response (IR) purposes, one year is the desired requirement that will ensure a quicker and more successful engagement. The Blumira Agent ships logs to the Blumira cloud where we collect and keep all of the data sent to it for 1 year in our XDR and SIEM+ editions (SIEM+, formerly known as Advanced+ to Blumira MSP Partners). 

    Faster detections. There are some significant strengths that Blumira has in Windows detection that may allow detection of attacker behavior sooner than an MDR offering that you may already have in place. Again, security in layers provides significant protection. For example, our Lead Incident Detection Engineer, Amanda Berlin literally wrote the handbook on Blue Team Defense. The experience of the people who write the detections and response playbooks matter, and we’ve got the best of the best.

    The agent also includes automated host isolation. Though many EDRs also include host isolation, using ours will allow for continuous log collection which enables real-time investigations on an isolated host and no gap in data retained if needed later for incident response. The Agent consumes Microsoft Defender data and Windows network traffic as well, giving Blumira more security visibility than we had previously into the host devices.

    Learn More

    To learn more, check out our Blumira Agent documentation:

    See our pricing and contact us to get a demo or learn more about how you can get Blumira Agent.

    More from the blog

    View All Posts