
The Ultimate Guide to Endpoint Security for the Midmarket

Pondurance, Michael DeNapoli
February 23, 2026

An organization’s endpoints—devices such as laptops, smartphones, tablets, and IoT devices used in daily work—are easy entry points for attackers. According to Unit 42 data, endpoints are a primary attack surface in 61% of cyberattacks.


Thus, endpoint security is a crucial component of any organization’s defense against cyberattacks and breach risks. Many midsized organizations, however, find it challenging both to evaluate the managed endpoint detection and response (EDR) solutions available and to implement the chosen tool properly.


This article is the second in our series on how midmarket organizations can get the best benefit from their security investments—including the tools they already have. As with our first article on Microsoft security, we sat down with Michael DeNapoli, a senior solutions architect at Pondurance. His insights include how to:

  • Improve endpoint security across your organization

  • Implement managed EDR for maximum effectiveness 

  • Determine the best managed EDR solution to meet your security needs


Q: What are the risks and consequences of not fully implementing managed EDR?

Michael: EDR platforms are not “set and forget.” They require continuous updates from the vendor and ongoing maintenance from the organization. If updates aren’t deployed, the tool can’t adapt to new threat intelligence or detection techniques.


But technology drift is only part of the problem. Organizations themselves are constantly changing. They add applications, modify business processes, hire and terminate employees, and—without strong device management—users install their own software. All of these changes affect what a managed EDR tool sees and how it responds.


Without regular maintenance and tuning, organizations face two types of risk:


1. Good-to-bad:

An application that was previously benign becomes risky or malicious. If the organization created an exclusion years earlier to allow that application, the exception must be reviewed and removed quickly. 

Stale exclusions are dangerous because teams often forget they exist. When a new advisory is released—for example from CISA or another intelligence source—teams may struggle to identify and remediate outdated exceptions.


2. Bad-to-good:

The managed EDR tool blocks something that is actually legitimate—sometimes even business-critical—because it appears suspicious. This often happens after an application update or new software rollout. 

IT or security teams must tune the platform, create an appropriate exclusion, and deploy it across endpoints. Without tuning, organizations risk business disruption when critical tools are suddenly unavailable.
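As an added illustration of the exclusion review Michael describes (not Pondurance's tooling or any vendor's API), the following Python check runs over a constructed exclusion register and a constructed advisory feed, flagging "good-to-bad" entries whose hash or path now appears in an advisory and "stale" entries that have no owner or are past their review interval; the record fields, the hash values and the 180-day interval are assumptions.

```python
from datetime import date, timedelta

# Assumed policy: every exclusion must be re-justified at least twice a year.
REVIEW_INTERVAL = timedelta(days=180)

# Constructed exclusion register. The fields are an assumed record format that
# captures what a team needs to re-evaluate an exception later, not a vendor schema.
# Hash values are constructed placeholders, not real file digests.
EXCLUSIONS = [
    {"id": "EX-1", "path": r"C:\Apps\LegacyERP\erp.exe", "sha256": "hash-erp-2021",
     "owner": "it-ops", "created": date(2021, 3, 1), "last_reviewed": date(2021, 3, 1)},
    {"id": "EX-2", "path": r"C:\Apps\Payroll\payroll.exe", "sha256": "hash-payroll-2025",
     "owner": "finance-it", "created": date(2025, 11, 10), "last_reviewed": date(2025, 11, 10)},
    {"id": "EX-3", "path": r"C:\Tools\sync\sync.exe", "sha256": "hash-sync-2024",
     "owner": None, "created": date(2024, 6, 5), "last_reviewed": date(2025, 12, 1)},
]

# Constructed advisory feed: indicators an intelligence source has newly flagged.
ADVISORY_INDICATORS = {"hashes": {"hash-erp-2021"}, "paths": set()}


def review_exclusions(exclusions, advisory, today):
    """Return (exclusion id, finding) pairs that need action.

    'good-to-bad': the excluded path or hash now appears in an advisory, so the
    exception must be removed. 'stale': nobody owns the exclusion, or it has not
    been re-justified within REVIEW_INTERVAL, so it is likely forgotten.
    """
    findings = []
    for ex in exclusions:
        if ex["sha256"] in advisory["hashes"] or ex["path"] in advisory["paths"]:
            findings.append((ex["id"], "good-to-bad: remove exclusion, now listed in advisory"))
        if ex["owner"] is None:
            findings.append((ex["id"], "stale: no owner to re-justify the exclusion"))
        if today - ex["last_reviewed"] > REVIEW_INTERVAL:
            findings.append((ex["id"], "stale: review interval exceeded"))
    return findings


if __name__ == "__main__":
    for ex_id, finding in review_exclusions(EXCLUSIONS, ADVISORY_INDICATORS, date(2026, 2, 23)):
        print(ex_id, finding)
```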


To mitigate these two types of risk, every device owned by the organization—or accessing organizational data—should have managed EDR software installed unless there is a clearly documented, defensible reason it cannot. Excluding even a small group creates an easy attack path. From an attacker’s perspective, one unprotected endpoint is enough.


If managed EDR software truly cannot be installed due to compatibility issues with a critical system, the organization must implement compensating controls. 


Q: There are numerous managed EDR solutions available. How can an organization determine which one will best mitigate these types of risks?

Michael: The simplest way to cut through the noise is to ignore the labels and focus on how the technology works.

At its core, endpoint security relies on two types of detection: static analysis and behavioral (dynamic) analysis.


When a file is written to disk, the EDR tool compares it to known malware signatures. If it matches, the EDR tool blocks it. Static detection quickly stops known threats before they execute.


However, attackers routinely modify, encrypt, or obfuscate malware so it won’t match known signatures. That’s where behavioral detection comes in.


Behavioral—or dynamic—analysis focuses on what a file or process does, not just what it looks like. If a process begins encrypting large numbers of files, escalating privileges, or injecting code into another process, managed EDR can detect that suspicious behavior, stop execution, quarantine artifacts, and initiate remediation.


Most modern endpoint platforms combine both approaches:

  • Static detection to block known threats immediately

  • Behavioral detection to catch novel or modified attacks during execution
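To make the static-versus-behavioral distinction concrete, here is an added Python example (not code from Pondurance or from any EDR vendor): a SHA-256 lookup stands in for signature matching, and a small rule set flags the three behaviours named above (mass file encryption, privilege escalation, process injection) over a constructed event stream. The signature list, the thresholds and the event format are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed signature database: SHA-256 of a made-up "known bad" file's contents.
KNOWN_BAD_HASHES = {hashlib.sha256(b"dropper-v1 payload").hexdigest()}

# Behavioral thresholds (assumptions for this example, not any vendor's defaults).
ENCRYPT_THRESHOLD = 20   # ransomware-style file writes by one process within the window
WINDOW_SECONDS = 60


def static_verdict(file_bytes: bytes) -> str:
    """Static analysis: match the on-disk file against known signatures."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return "block" if digest in KNOWN_BAD_HASHES else "allow"


def behavioral_verdict(events):
    """Behavioral analysis over a stream of (timestamp_seconds, pid, action, detail).

    A process is flagged if it writes ENCRYPT_THRESHOLD encrypted-looking files inside a
    sliding WINDOW_SECONDS window, escalates privileges, or injects into another process.
    """
    verdicts = {}
    recent_writes = defaultdict(list)
    for ts, pid, action, detail in events:
        if action == "file_write" and detail.endswith(".locked"):
            recent = [t for t in recent_writes[pid] if ts - t <= WINDOW_SECONDS]
            recent_writes[pid] = recent + [ts]
            if len(recent_writes[pid]) >= ENCRYPT_THRESHOLD:
                verdicts[pid] = "terminate: mass encryption"
        elif action in ("privilege_escalation", "process_injection"):
            verdicts[pid] = f"terminate: {action}"
    return verdicts


def demo():
    """Same behaviour, different bytes: the variant evades the signature but not the rules."""
    original = b"dropper-v1 payload"
    variant = original + b"\x00padding"          # constructed "modified" sample
    events = [(i, 4242, "file_write", f"/home/user/doc{i}.docx.locked") for i in range(25)]
    events.append((30, 4243, "file_write", "/home/user/notes.txt"))   # benign process
    return {
        "original_static": static_verdict(original),
        "variant_static": static_verdict(variant),
        "behavioral": behavioral_verdict(events),
    }
```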


Managed extended detection and response (XDR) builds on this capability by correlating activity across endpoints—and often across identity systems, cloud environments, and networks—to identify coordinated attacks rather than isolated events. In practice, many leading platforms provide managed XDR capabilities regardless of branding.


Because vendors market their EDR solutions differently, organizations should evaluate capabilities, not terminology. Look for:

  • Strong static and behavioral detection

  • Cross-endpoint visibility and event correlation

  • Clear response and remediation capabilities

  • Integration with identity and cloud systems


Finally, remember that technology alone isn’t enough. Whether managed internally or through a managed detection and response (MDR) provider such as Pondurance, someone must continuously monitor alerts, investigate suspicious activity, and take action beyond the endpoint. 


Q: How should an organization implement managed EDR to ensure the most effective endpoint security?

Michael: If possible, partner with an MDR provider that provides managed EDR. Alert volume can be overwhelming, especially during initial rollout. An MDR team helps interpret alerts, reduce noise, and ensure threats are handled properly. If MDR isn’t an option, plan carefully and roll out in stages to avoid disruption.

A practical implementation typically includes three phases:


Phase 0: Pilot.

Deploy the managed EDR agent to a small group of IT users in a non-enforcement state. The software runs but does not block activity. This confirms compatibility with operating systems and business applications before wider deployment.


Phase 1: Visibility mode.

Roll out broadly in “alert-only” mode for about two weeks. The managed EDR reports what it would have blocked or terminated but does not take action. This phase identifies false positives, highlights business-critical applications that require exclusions, and gives the security team visibility into normal behavior patterns.


Skipping this step is risky. Without alert-only mode, managed EDR could terminate or delete files tied to critical applications across the organization. Recovery can be painful—especially if files are destroyed rather than quarantined.


Phase 2: Enforcement mode.

Once tuning and exclusions are in place, move users into active protection profiles. Malicious activity is now automatically blocked or terminated. From here, regular monitoring and policy refinement continue indefinitely.


When configuring policies, start with vendor-recommended default profiles—typically low, medium, or high protection levels—rather than locking everything down immediately. Over time, tune policies to align with business needs and accommodate legitimate one-off software or legacy tools.

Bottom line: Effective endpoint security comes from phased deployment, careful tuning, and sustained operational oversight.


Q: What role does Pondurance play in ensuring managed EDR security is effective?

Michael: Pondurance strengthens managed EDR security in three ways:

  1. Providing managed detection and response: Pondurance MDR monitors EDR/XDR activity, investigates suspicious patterns, and takes action (for example, locking accounts or isolating machines).

  2. Identifying gaps in coverage: Using services like the Pondurance Exposure & Vulnerability Service to identify devices on the network that are missing the EDR agent.

  3. Advising and helping with tuning: This includes recommending settings, helping create exclusions for critical applications, and notifying customers of “good-to-bad” situations via advisories and outreach when there’s a known threat.


Pondurance integrates with top-tier managed EDR providers, including CrowdStrike, SentinelOne, and Microsoft Defender XDR.
