What is an endpoint detection and response?
- IAM Glossary
- What is an endpoint detection and response?
Endpoint Detection and Response (EDR), also known as Endpoint Threat Detection and Response (ETDR), is an umbrella term for a software solution that continuously monitors endpoint devices, including end-user computers and laptops, servers, mobile devices and Internet of Things (IoT) devices, to gather and analyze threat data, and alert security teams to breaches in real time.
How does Endpoint Detection and Response (EDR) work?
Because EDR is a very broad term, the specific features and capabilities of individual EDR solutions vary greatly between vendors and even implementations. In general, endpoint detection and response tools fall into one of the following three categories:
- A dedicated EDR platform
- A collection of smaller tools that, used together, perform endpoint detection and response
- An EDR feature that’s built into another security product, such as next-generation antivirus software. Some Security Information and Event Management (SIEM) vendors offer EDR as part of their packages
EDR solutions work by aggregating telemetry from endpoint devices, including logs, file details, running processes, performance monitors, and configuration data, and analyzing it to detect potential threat patterns.
The simplest EDR systems are pure alerting tools. They collect, analyze and display data for human personnel to view and act on. The data is saved in a central database and can usually be fed into a SIEM solution.
More advanced EDR systems include features such as:
- Automated response mechanisms that can take certain corrective actions if a threat is detected, such as logging off an end user, stopping compromised processes or disabling the endpoint device altogether.
- Threat response tools that help human security personnel understand what’s happening, which devices and systems are being affected, how to stop the attack and how to prevent future attacks.
- Machine learning and AI-powered analytics features that use behavioral analysis to put device activity in context and identify new and emerging threats, including threats that don’t fit the EDR’s preconfigured rules. This may include mapping anomalous behavior to the free MITRE ATT&CK framework to help detect patterns.
- Forensic tools that help security personnel establish timelines, identify affected systems and gather evidence during incident response and post-breach analysis. Security personnel may also use EDR forensics tools to proactively search for other, undetected threats in the data environment.
The importance of EDR
EDR systems are growing in popularity due to the explosion in endpoint devices connected to organizational networks, including computers and laptops, as well as phones and IoT devices. Threat actors see these devices as “soft targets” by which they can breach networks, and they’re using increasingly sophisticated attack methods and malware to attack them.
Endpoint detection and response tools are sometimes confused with antivirus solutions. Many EDR systems are either bundled with antivirus software or leverage data from an antivirus solution’s database.
However, antivirus software protects endpoint devices only against known malware types that are listed in the product’s database. Conversely, EDR uses smart analytics to detect new and emerging threats, including threats that antivirus software can’t detect, such as fileless malware, attacks that leverage stolen credentials, Advanced Persistent Threats (APTs) and malware that is so new, it’s not yet cataloged in any antivirus database.
Antivirus solutions provide users with only basic information, namely how many threats the software blocked, and what kind, in a given period of time. EDR systems record additional, highly valuable contextual data about attacks, such as information about the threat actor, and uncover historical trends that organizations can use to inform their security strategy.
How companies use EDR
In addition to detecting threats that would otherwise get past antivirus solutions and other security tools, EDR systems accelerate incident response, assist with mitigation efforts, provide security teams with complete visibility into endpoint behavior across the data environment and enable proactive threat hunting.
Having security personnel play an active role in endpoint security is key to a successful EDR deployment. In addition to following up with EDR alerts, organizations must have a robust patch management strategy to keep endpoint devices up to date. Software updates frequently include important security patches, and neglecting to apply them in a timely fashion can severely compromise endpoint security.
Cloud misconfigurations are another common problem that can degrade endpoint security. The visibility that EDR solutions provide into endpoint configurations help IT and security teams prevent misconfigured cloud settings, and likewise, a properly maintained cloud environment enhances endpoint security.