Cybereason Blog | Cybersecurity News and Analysis

Endpoint Detection and Response (EDR) 101

Written by Lital Asher-Dotan | Dec 21, 2017 6:38:20 PM

What is endpoint detection and response (EDR)?

Endpoint detection and response (EDR) platforms are a category of endpoint security tools built to provide endpoint visibility and used to detect and respond to cyber threats and exploits.

Gartner senior analyst Anton Chuvakin defined the term in 2013 as tools that are primarily focused on detecting and investigating suspicious activities (and traces of such) on hosts/endpoints.

Why do organizations need an EDR Solution?

Endpoint data has a clear advantage when it comes to protecting against advanced threats. Endpoints are where hacker activity takes place, so they provide an accurate, first-hand view of a hacking operation as it unfolds.

Endpoints provide critical forensics information including process actions, file access information, network events and endpoint configuration changes.

Endpoint detection and response platforms were built to provide comprehensive visibility into endpoints and servers, monitor behaviors and spot abnormal behaviors that are indicative of malicious activity. By continuously monitoring and analyzing activity on the endpoint, EDR tools enable detection of and response to cyber attacks that managed to get past other security protection tools.

What are the Essential Elements of EDR solutions?

Here's a list of the seven essential elements of advanced endpoint security programs:

  1. They enable detection

  2. They cross-correlate data across the whole environment

  3. They combine whitelisting and blacklisting with behavioral analysis

  4. They are able to observe endpoint activity without interfering

  5. They empower IR and forensics investigation

  6. They enable effective cleanup and remediation

  7. They work with your antivirus

If you are considering buying an EDR or endpoint security solution, use the criteria discussed in our blog post.

What is the difference between EDR, antivirus and next-generation antivirus (NGAV)?

Antivirus was once the main way to protect endpoints. This software was designed to detect malicious programs, block them from running and offer security professionals a way to remove them.

But threats have grown more advanced, and malware is no longer the only threat vector adversaries use, which significantly decreases AV’s effectiveness at protecting companies. Today attackers can use fileless malware, zero-day exploits and advanced persistent threats in an attack campaign. These threats have no known signatures, so traditional antivirus programs can’t detect and stop them.

With AV losing its edge, security vendors have named next-generation antivirus (NGAV) as the legacy product’s successor. But what exactly constitutes NGAV is unclear since there’s no accepted definition for this term. At a minimum, next-generation products need to go beyond just performing signature-based detection and incorporate some type of advanced technology.

Both AV and NGAV handle detection by looking for specific characteristics and don’t account for human ingenuity or attacker behavior. Adversaries will adapt, change their tactics and eventually figure out how to get around next-generation antivirus. Neither the legacy product nor its successor offers true behavioral detection:

  1. Next-generation antivirus products still look for certain file attributes that are associated with malicious activity.

  2. Many NGAV products look at one machine at a time: they lack the ability to cross-correlate data from multiple endpoints and only know what’s happening on one machine.

  3. NGAVs focus only on preventing attacks. For the attacks that NGAV can’t prevent, these solutions offer little or no visibility into what actually happened.

EDR platforms give you the visibility to understand when NGAV has missed a threat and that threat has evolved beyond a simple malware infection. EDR solutions pull together all the related attack activities and show you their scope and impact for forensic investigation. When organizations combine EDR and NGAV, they are investing in a true next-generation endpoint security platform.
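To make the distinction above concrete, here is an added illustration (not code from this post or from Cybereason's platform) that runs three checks over a handful of endpoint telemetry events: a per-file hash lookup of the kind attributed to AV/NGAV, a per-host behavioral rule, and a cross-endpoint correlation. Every hostname, hash, process image and address in it is constructed sample data.

```python
"""Toy EDR-style detection over constructed endpoint telemetry: a per-file
hash check beside a behavioral rule and a cross-endpoint correlation.
All hashes, hostnames, image names and addresses below are constructed."""
from collections import defaultdict

# Constructed blacklist, as a signature-style check would consume it.
KNOWN_BAD_HASHES = {"deadbeef00"}

# Constructed telemetry: (timestamp, host, event_type, details).
EVENTS = [
    (1, "host-a", "process", {"pid": 10, "image": "winword.exe", "parent": "explorer.exe", "sha256": "aaaa01"}),
    (2, "host-a", "process", {"pid": 11, "image": "powershell.exe", "parent": "winword.exe", "sha256": "bbbb02"}),
    (3, "host-a", "network", {"pid": 11, "dst": "203.0.113.5", "port": 443}),
    (5, "host-b", "process", {"pid": 20, "image": "powershell.exe", "parent": "explorer.exe", "sha256": "bbbb02"}),
    (6, "host-b", "network", {"pid": 20, "dst": "203.0.113.5", "port": 443}),
    (7, "host-c", "process", {"pid": 30, "image": "update.exe", "parent": "svchost.exe", "sha256": "deadbeef00"}),
]

def signature_hits(events, bad_hashes=KNOWN_BAD_HASHES):
    """Per-file check: flags only processes whose hash is already known bad."""
    return [(host, d["image"]) for _, host, kind, d in events
            if kind == "process" and d["sha256"] in bad_hashes]

def behavioral_hits(events, doc_handlers=frozenset({"winword.exe"}), window=60):
    """Per-host behavior, no hash needed: a child of a document handler that
    opens an outbound connection within `window` seconds of being spawned."""
    spawned = {}  # (host, pid) -> (spawn time, image)
    hits = []
    for t, host, kind, d in sorted(events, key=lambda e: e[0]):
        if kind == "process" and d["parent"] in doc_handlers:
            spawned[(host, d["pid"])] = (t, d["image"])
        elif kind == "network" and (host, d["pid"]) in spawned:
            t0, image = spawned[(host, d["pid"])]
            if t - t0 <= window:
                hits.append((host, image, d["dst"]))
    return hits

def cross_host_hits(events, min_hosts=2):
    """Cross-endpoint correlation: destinations contacted from several hosts,
    which a one-machine-at-a-time view cannot see."""
    hosts_by_dst = defaultdict(set)
    for _, host, kind, d in events:
        if kind == "network":
            hosts_by_dst[d["dst"]].add(host)
    return {dst: sorted(h) for dst, h in hosts_by_dst.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    print("signature :", signature_hits(EVENTS))   # only host-c's known-bad file
    print("behavioral:", behavioral_hits(EVENTS))  # host-a's chain, unknown hash
    print("cross-host:", cross_host_hits(EVENTS))  # host-a and host-b share a destination
```

The hash check sees only host-c, while the behavioral rule and the cross-host correlation surface the host-a/host-b activity whose files are not on any blacklist.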

Endpoint Detection and Response Vendors

Many companies offer endpoint detection and response tools as part of their offerings. Gartner provides a list of endpoint detection and response solutions here, with rankings and further information.