I started a security questionnaire for new SaaS vendors last year to assess their security measures. One of the questions I ask is whether all the production servers that run or interact directly with their SaaS platform use some kind of Endpoint Detection and Response (EDR) software. Surprisingly, I've found that around 80% of the vendors have replied 'no'. They often mention using tools like GuardDuty instead, but I think that's not really comparable to EDR. These vendors are compliant with SOC 2 and ISO 27001 standards and aren't just small-time operations. I've never worked at a SaaS company, so is this situation typical?
5 Answers
Yes, it's normal. The 'E' in EDR stands for Endpoint, which typically includes devices like laptops and phones, not servers. Servers don’t face those same threats since they usually have minimal software and aren't exposed to the same risks as endpoints. Plus, running EDR on servers can waste resources when there are other protections in place.
A lot of SaaS today run on PaaS platforms, which makes installing EDR impractical. Running your own infrastructure isn't really the norm anymore; they usually rely on well-packaged solutions from cloud providers to ensure efficiency and cost-effectiveness.
It's pretty common for SaaS vendors not to use EDR because they often rely on PaaS solutions instead of traditional servers. If they aren't managing Windows or Linux servers, EDR might not even be applicable for them. So don’t be too surprised by that response!
Exactly! The EDR question typically comes up only if they're using EC2 instances or virtual machines.
You have to consider that SaaS providers might not want to disclose their security software for good reasons. Revealing the specifics could expose them to security risks, especially if their software has known vulnerabilities. It's more about discussing capabilities rather than specifics to get customer contracts.
True, they don't need to disclose brand names to prove they have measures in place.
Or they could just not have any EDR at all!
Most importantly, a lot of EDR tools can cause significant outages when integrated into a SaaS environment unless there’s a solid team to manage it. For example, I know a vendor whose EDR scanning processes caused major performance issues on their database.
Exactly! And if you have to run EDR on a database server for compliance, just make sure it doesn’t scan the DB folder; otherwise, it can mess things up.