The original post: /r/cybersecurity by /u/m0wax on 2024-11-12 21:06:40.

The organisation I work for has about 1600 staff and ~600 servers. Client devices are typically Windows 10, and the server estate is a mix of Windows Server and Linux. The C-Suite have decided that we should have CrowdStrike on our client estate and Microsoft Defender for Endpoint on our server estate, the reasoning being that, out of the box, if one EDR doesn't pick up the bad guy, then the other one will. However, several Red Team exercises over the last 18 months have shown that they will quite easily use the same techniques and manage to bypass both of them. This means that we are having to write custom detections in KQL and then again in FQL, which defeats the purpose of having two EDRs and doubles the amount of work our engineers need to do.

What do you do at your organisation: do you have one or two EDRs? Do you think it's sensible to have two?