What is Endpoint Detection and Response and why is EDR important?
10th July 2019
Endpoint Detection and Response (EDR) 101
Gartner’s Anton Chuvakin first coined the term Endpoint Threat Detection and Response (ETDR) in July 2013 to define “the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.” Commonly referred to as Endpoint Detection and Response (EDR), it is a relatively new category of solutions that is sometimes compared to Advanced Threat Protection (ATP) in terms of overall security capabilities.
Endpoint Detection and Response is a newer technology that augments traditional anti-virus with continuous monitoring and response capabilities. Endpoint Detection and Response is a form of advanced threat protection.
How does Endpoint Detection and Response work?
The core feature of EDR technologies is that they monitor all endpoint and network events, looking for suspicious or anomalous behaviour from internal and external sources that does not conform to the normal patterns of behaviour of devices or users.
By taking into account the context surrounding device and user behaviour, EDR tools can greatly reduce the scourge of false positives, so that remediation action can be taken more efficiently.
Threat intelligence is key to EDR, helping 81% of organisations to improve their prevention, detection and response capabilities, according to the SANS Institute. Threat intelligence can be gathered from within the network and endpoints, as well as from feeds that analyse vast swathes of samples collected in the wild or submitted by organisations that have encountered them. To make sense of the huge number of intelligence events, machine learning is used to analyse large data sets and spot hidden patterns, such as indicators of compromise, that point to a threat even where no alert has been raised. Threat and malware variants that are uncovered are stored in a knowledge base so that remediation can be automated when the same or a similar threat is detected again. The value of machine learning increases over time as the knowledge base grows. When combined with behavioural analysis, organisations can even uncover events that evade the machine learning capabilities.
The use of threat intelligence and automated detection is key to enabling threat hunting, whereby security analysts proactively search for advanced threats that evade existing security solutions. This reduces exposure to threats and improves the accuracy of the response to them, lowering the likelihood of a security breach.
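The two checks described above, a lookup against a knowledge base of known indicators and a comparison of behaviour against a per-user baseline (the context that suppresses false positives), shown as an added Python example that is not from the original article. All events, hashes, user names and baseline entries are constructed placeholders.

```python
"""Toy EDR-style triage over constructed endpoint process events (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str   # parent process image name
    image: str    # spawned process image name
    sha256: str   # hash of the spawned image (constructed placeholder values)


# Knowledge base of previously seen malicious samples (constructed placeholder hash).
KNOWN_BAD_HASHES = {"deadbeef" * 8: "dropper-family-A"}

# Parent -> child pairs considered normal for each user. In a real deployment this
# baseline is learned from telemetry over time; here it is constructed by hand.
BASELINE = {
    "admin01": {("explorer.exe", "powershell.exe"), ("cmd.exe", "powershell.exe")},
    "finance02": {("explorer.exe", "excel.exe"), ("explorer.exe", "outlook.exe")},
}

# Constructed telemetry: the same parent/child pair is benign for one user and
# anomalous for another, which is the false-positive reduction the text describes.
SAMPLE_EVENTS = [
    ProcessEvent("HOST-A", "admin01", "explorer.exe", "powershell.exe", "aa" * 32),
    ProcessEvent("HOST-B", "finance02", "explorer.exe", "powershell.exe", "aa" * 32),
    ProcessEvent("HOST-B", "finance02", "excel.exe", "update.exe", "deadbeef" * 8),
]


def classify(event: ProcessEvent) -> tuple[str, str]:
    """Return (verdict, reason); verdicts are 'known_threat', 'anomaly' or 'normal'."""
    family = KNOWN_BAD_HASHES.get(event.sha256)
    if family:  # knowledge-base hit: automated remediation can be driven from here
        return "known_threat", f"hash matches knowledge base entry {family}"
    pair = (event.parent, event.image)
    if pair not in BASELINE.get(event.user, set()):  # behaviour outside this user's norm
        return "anomaly", f"{event.parent} -> {event.image} is unusual for {event.user}"
    return "normal", "matches baseline for this user"


def triage(events: list[ProcessEvent]) -> list[tuple[str, str, str]]:
    """Classify every event, returning (host, verdict, reason) for analyst review."""
    return [(e.host, *classify(e)) for e in events]


if __name__ == "__main__":
    for host, verdict, reason in triage(SAMPLE_EVENTS):
        print(f"{host}: {verdict} ({reason})")
```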
Why is EDR Important?
Zero-day attacks and advanced persistent threats are among the most serious security issues any organization faces these days. In cybersecurity, what you don’t know can hurt you. EDR is a valuable tool in dealing with these threats.
Every device that connects to a network is a potential attack vector for cyber threats, and each of those connections is a potential entry point to your data. With the rise of BYOD (bring your own device), mobile attacks and sophisticated hacking techniques have only increased your risk of data breaches.
EDR monitors endpoints to detect suspicious activities and capture data for forensic and security investigations, focusing on each stage of an attack — often referred to as the “kill chain.”
EDR solutions can help monitor and protect against Advanced Persistent Threats (APT), which often use malware-free hacking techniques and security vulnerabilities to gain access to a network. Older anti-virus software can detect malware only when there is a matching signature, and cannot tell that an attacker has access to a computer from that attacker's activity alone.
The EDR console can show you specific details about an attack: where it started, what kind of attack it is, where it went, how it is behaving and when it began.