What is endpoint detection and response (EDR)?
Endpoint detection and response (EDR) platforms are a category of endpoint security tools built to give security teams visibility into endpoint activity, so that they can detect and respond to cyber threats and exploits.
Gartner analyst Anton Chuvakin coined the term in 2013, describing these tools as primarily focused on detecting and investigating suspicious activities (and traces of such) on hosts/endpoints.
Endpoint data has a clear advantage when it comes to protecting against advanced threats. The endpoint is where attacker activity ultimately executes, so it provides an accurate, first-hand view of an intrusion as it unfolds.
Endpoints provide critical forensic information, including process activity, file access, network connections and endpoint configuration changes.
Endpoint detection and response platforms were built to provide comprehensive visibility into endpoints and servers, monitor their behavior, and flag anomalous activity that indicates an attack. By continuously recording and analyzing endpoint activity, EDR tools make it possible to detect and respond to attacks that have bypassed other protective controls.
Here's a list of the seven essential elements of advanced endpoint security programs:
They enable detection
They cross-correlate data across the whole environment
They combine whitelisting and blacklisting with behavioral analysis
They are able to observe endpoint activity without interfering
They empower IR and forensics investigation
They enable effective cleanup and remediation
They work with your antivirus
Antivirus was once the main way to protect endpoints. This software was designed to detect malicious programs, block them from running and offer security professionals a way to remove them.
But threats have grown more advanced and malware is no longer the only vector adversaries use, which has significantly reduced AV's effectiveness at protecting companies. Today attackers use fileless techniques, zero-day exploits and long-running advanced persistent threat campaigns. These leave no known file signature to match, so traditional antivirus programs can't detect and stop them.
With AV losing its edge, security vendors have named next-generation antivirus (NGAV) as the legacy product’s successor. But what exactly constitutes NGAV is unclear since there’s no accepted definition for this term. At a minimum, next-generation products need to go beyond just performing signature-based detection and incorporate some type of advanced technology.
Both AV and NGAV handle detection by looking for specific characteristics of files and don't account for human ingenuity or attacker behavior. Adversaries adapt, change their tactics and eventually figure out how to get around next-generation antivirus. Neither the legacy product nor its successor offers true behavioral detection.
Next-generation antivirus products still look for certain file attributes that are associated with malicious activity
Many NGAV products look at one machine at a time: they lack the ability to cross-correlate data from multiple endpoints and only know what's happening on a single host.
NGAVs focus only on preventing attacks. For the attacks that NGAV can’t prevent, these solutions offer little or no visibility into what actually happened.
EDR platforms give you the visibility to recognize when a threat has slipped past NGAV and grown beyond a simple malware infection. EDR solutions pull together all the related attack activity and show its scope and impact for forensic investigation. When organizations combine EDR and NGAV, they are investing in a true next-generation endpoint security platform.
Many vendors offer endpoint detection and response tools as part of their product lines. Gartner maintains a list of endpoint detection and response solutions that includes rankings and further information.
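To make the difference between attribute-based detection and behavioral, cross-correlated detection concrete (the list of essential elements above, and the NGAV limitations just discussed), here is a small added Python example. It is not code from the original article or from any EDR vendor; the hostnames, hashes, IP addresses (from documentation ranges), process trees and detection rules are all constructed for illustration. It runs a hash blocklist (the AV-style check), then a behavioral rule that walks each host's process tree to find an Office application whose descendant opens an outbound connection, suppresses hits on allowlisted binaries, and finally correlates the per-host alerts across hosts by destination.

```python
from collections import defaultdict

# Constructed sample telemetry from three hosts (invented for this example, not
# captured from any real system). Each dict is one endpoint event: process
# creation or an outbound network connection attributed to a pid.
EVENTS = [
    {"host": "ws-01", "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "sha256": "h-expl"},
    {"host": "ws-01", "type": "process", "pid": 200, "ppid": 100, "image": "winword.exe", "sha256": "h-word"},
    {"host": "ws-01", "type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe", "sha256": "h-ps"},
    {"host": "ws-01", "type": "network", "pid": 300, "dst": "203.0.113.7", "dport": 443},
    {"host": "ws-02", "type": "process", "pid": 40, "ppid": 1, "image": "outlook.exe", "sha256": "h-olk"},
    {"host": "ws-02", "type": "process", "pid": 41, "ppid": 40, "image": "cmd.exe", "sha256": "h-cmd"},
    {"host": "ws-02", "type": "network", "pid": 41, "dst": "203.0.113.7", "dport": 443},
    {"host": "ws-03", "type": "process", "pid": 9, "ppid": 1, "image": "outlook.exe", "sha256": "h-olk"},
    {"host": "ws-03", "type": "process", "pid": 10, "ppid": 9, "image": "teams.exe", "sha256": "h-teams"},
    {"host": "ws-03", "type": "network", "pid": 10, "dst": "198.51.100.20", "dport": 443},
    {"host": "ws-03", "type": "process", "pid": 11, "ppid": 1, "image": "evil.exe", "sha256": "h-evil"},
]

# Toy reference data (assumptions for the example, not real indicators).
BLOCKLIST = {"h-evil"}       # hashes known to be malicious (blacklist)
ALLOWLIST = {"h-teams"}      # hashes of approved software (whitelist)
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def build_process_index(events):
    """Map (host, pid) -> process event so ancestry can be walked per host."""
    return {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}


def ancestors(index, host, pid):
    """Yield the process for (host, pid) and then each parent up the tree.

    Stops at a pid with no recorded process event (e.g. the root) and guards
    against cycles, which can appear when pids are reused on a long-lived host.
    """
    seen = set()
    while pid not in seen:
        seen.add(pid)
        proc = index.get((host, pid))
        if proc is None:
            return
        yield proc
        pid = proc["ppid"]


def signature_alerts(events):
    """Blocklist lookup: the file-attribute style of check AV and NGAV perform."""
    return [(e["host"], "blocklisted hash", e["image"])
            for e in events if e["type"] == "process" and e["sha256"] in BLOCKLIST]


def behavioral_alerts(events):
    """Flag outbound connections whose process descends from an Office app.

    The rule never looks at the hash of the connecting process except to honor
    the allowlist, so a never-seen-before binary or a fileless PowerShell
    payload is caught by what it does, not by what it is.
    """
    index = build_process_index(events)
    alerts = []
    for e in events:
        if e["type"] != "network":
            continue
        chain = list(ancestors(index, e["host"], e["pid"]))
        if not chain or chain[0]["sha256"] in ALLOWLIST:
            continue
        if not any(p["image"] in OFFICE_APPS for p in chain[1:]):
            continue
        severity = "high" if chain[0]["image"] in SHELLS else "medium"
        alerts.append((e["host"], severity, "office->child->network", e["dst"]))
    return alerts


def cross_host_alerts(alerts, min_hosts=2):
    """Correlate per-host behavioral alerts: the same destination contacted
    from several hosts is a campaign, not an isolated infection."""
    by_dst = defaultdict(set)
    for host, _severity, _rule, dst in alerts:
        by_dst[dst].add(host)
    return sorted((dst, sorted(hosts)) for dst, hosts in by_dst.items()
                  if len(hosts) >= min_hosts)


if __name__ == "__main__":
    print("signature:", signature_alerts(EVENTS))
    per_host = behavioral_alerts(EVENTS)
    print("behavioral:", per_host)
    print("cross-host:", cross_host_alerts(per_host))
```

Only ws-03's evil.exe is visible to the hash check; the PowerShell and cmd.exe launches on ws-01 and ws-02 use ordinary, unblocked binaries and are caught purely by their parent chain and network activity, while the allowlisted Teams process spawned from Outlook on ws-03 is suppressed. The final step is what a single-machine NGAV cannot do: it notices that two different hosts reached the same destination through the same behavior.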