Endpoint Detection and Response (EDR), also known as Endpoint Threat Detection and Response (ETDR), is an umbrella term for a software solution that continuously monitors endpoint devices, including end-user computers and laptops, servers, mobile devices and Internet of Things (IoT) devices, to gather and analyze threat data, and alert security teams to breaches in real time.
Because EDR is a very broad term, the specific features and capabilities of individual EDR solutions vary greatly between vendors and even implementations. In general, endpoint detection and response tools fall into one of the following three categories:
EDR solutions work by aggregating telemetry from endpoint devices, including logs, file details, running processes, performance monitors, and configuration data, and analyzing it to detect potential threat patterns.
The simplest EDR systems are pure alerting tools. They collect, analyze and display data for human personnel to view and act on. The data is saved in a central database and can usually be fed into a SIEM solution.
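To make the aggregate-then-analyze pipeline above concrete, here is an added illustration (not code from the page or any vendor's product) that parses constructed process-start telemetry from several endpoints, applies a signature check, a behavioural rule and a cross-endpoint correlation, and returns alerts a SIEM could ingest. The field names, rule names, hashes and thresholds are all assumptions made for the example.

```python
import json

# Constructed sample telemetry: one JSON process-start event per line, as an
# EDR agent on each endpoint might report it to the central collector.
SAMPLE_TELEMETRY = """
{"host":"ws-01","ts":100,"parent":"explorer.exe","image":"notepad.exe","sha256":"aaa1"}
{"host":"ws-02","ts":105,"parent":"winword.exe","image":"powershell.exe","sha256":"bbb2"}
{"host":"ws-03","ts":110,"parent":"svchost.exe","image":"updater.exe","sha256":"bad9"}
not-json-garbage-from-a-flaky-agent
{"host":"ws-04","ts":130,"parent":"explorer.exe","image":"tool.exe","sha256":"new7"}
{"host":"ws-05","ts":131,"parent":"explorer.exe","image":"tool.exe","sha256":"new7"}
{"host":"ws-06","ts":133,"parent":"explorer.exe","image":"tool.exe","sha256":"new7"}
"""

# Hypothetical antivirus-style database: only hashes already catalogued.
KNOWN_BAD_HASHES = {"bad9"}
# Hypothetical behavioural rule: document handlers should not spawn script hosts.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}

def parse_telemetry(raw):
    """Parse newline-delimited JSON; skip blank or malformed lines so one
    bad record from a flaky agent does not stop the whole collection run."""
    events = []
    for line in raw.splitlines():
        try:
            if line.strip():
                events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def detect(events, spread_threshold=3, window=60):
    """Signature match (what antivirus alone catches), a per-event behavioural
    rule, and a correlation only a central store allows (uncatalogued spread)."""
    alerts = []
    for e in events:
        if e["sha256"] in KNOWN_BAD_HASHES:
            alerts.append({"rule": "known_malware", "host": e["host"], "image": e["image"]})
        if e["parent"] in DOCUMENT_APPS and e["image"] in SCRIPT_HOSTS:
            alerts.append({"rule": "doc_spawns_script", "host": e["host"], "image": e["image"]})
    sightings = {}  # sha256 -> [(ts, host), ...] in time order, unknown hashes only
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["sha256"] not in KNOWN_BAD_HASHES:
            sightings.setdefault(e["sha256"], []).append((e["ts"], e["host"]))
    for sha, seen in sightings.items():
        hosts = {h for t, h in seen if t - seen[0][0] <= window}
        if len(hosts) >= spread_threshold:
            alerts.append({"rule": "uncatalogued_spread", "sha256": sha, "hosts": sorted(hosts)})
    return alerts
```

The third rule is the one an endpoint-local antivirus cannot express: it only fires once events from several hosts sit in the same central store.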
More advanced EDR systems include features such as:
EDR systems are growing in popularity due to the explosion in endpoint devices connected to organisational networks, including computers and laptops, as well as phones and IoT devices. Threat actors see these devices as “soft targets” through which they can breach networks, and they’re using increasingly sophisticated attack methods and malware against them.
Endpoint detection and response tools are sometimes confused with antivirus solutions. Many EDR systems are either bundled with antivirus software or leverage data from an antivirus solution’s database.
However, antivirus software protects endpoint devices only against known malware types that are listed in the product’s database. Conversely, EDR uses smart analytics to detect new and emerging threats, including threats that antivirus software can’t detect, such as fileless malware, attacks that leverage stolen credentials, Advanced Persistent Threats (APTs) and malware that is so new it is not yet cataloged in any antivirus database.
Antivirus solutions provide users with only basic information, namely how many threats the software blocked, and what kind, in a given period of time. EDR systems record additional, highly valuable contextual data about attacks, such as information about the threat actor, and uncover historical trends that organisations can use to inform their security strategy.
In addition to detecting threats that would otherwise get past antivirus solutions and other security tools, EDR systems accelerate incident response, assist with mitigation efforts, provide security teams with complete visibility into endpoint behavior across the data environment and enable proactive threat hunting.
Having security personnel play an active role in endpoint security is key to a successful EDR deployment. In addition to following up with EDR alerts, organisations must have a robust patch management strategy to keep endpoint devices up to date. Software updates frequently include important security patches, and neglecting to apply them in a timely fashion can severely compromise endpoint security.
Cloud misconfigurations are another common problem that can degrade endpoint security. The visibility that EDR solutions provide into endpoint configurations helps IT and security teams prevent misconfigured cloud settings, and, likewise, a properly maintained cloud environment enhances endpoint security.