
What Are Endpoint Detection and Response (EDR) Tools? Definition, Features & Top 6 Tools [2022]

Today, Endpoint Detection and Response (EDR) is approached as an essential part of EPP. Central to EDR is the detection of attackers that evaded the prevention layer of an EPP solution and are active in the target environment. In this article, we’ll provide an overview of the endpoint security market and offer insight into EDR security capabilities. We’ll also address 6 top EDR tools, covering their solution scope, delivery, and EDR features.

This is part of an extensive series of guides about data security.

What Is Endpoint Detection and Response (EDR)?

Anton Chuvakin of Gartner coined the term EDR to refer to a solution that records behavior on endpoints, detects suspicious behavioral patterns using data analytics and context-based information, blocks threats, and helps security analysts remediate and restore compromised systems.

EDR encompasses several tools that can detect endpoint threats and help analysts investigate them. An EDR solution typically provides threat hunting, detection, analysis, and response functions. 

Endpoint detection and response tools are a central component of a modern endpoint security strategy because they are the most effective means of detecting intrusions. They monitor the target environment to identify attacks and collect telemetry data to support rapid triage and investigative processes.

What are EDR Tools?

EDR tools are technology platforms that can alert security teams of malicious activity, and enable fast investigation and containment of attacks on endpoints. An endpoint can be an employee workstation or laptop, a server, a cloud system, a mobile or IoT device.

EDR solutions typically aggregate data on endpoints including process execution, endpoint communication, and user logins; analyse data to discover anomalies and malicious activity; and record data about malicious activity, enabling security teams to investigate and respond to incidents. In addition, they enable automated and manual actions to contain threats on the endpoint, such as isolating it from the network or wiping and reimaging the device.


EDR Security Capabilities

EDR capabilities often vary between vendors. However, the following features are typically provided by most vendors:

  1. Integration – EDR solutions extend visibility into endpoints by collecting and aggregating data. Since endpoint security does not cover all possible threats, it should be integrated with additional security tools. Organizations should ensure that the EDR tool they choose can smoothly integrate with their existing stack.
  2. Insights – basic EDR tools provide only data collection and aggregation. Analysts can use the tool to view the aggregated data, locate trends, and manually derive insights. Advanced EDR solutions employ artificial intelligence (AI) algorithms and machine learning to automate threat identification and alerting processes. Some tools can detect patterns by mapping suspicious behavior to the MITRE ATT&CK framework.
  3. Response – EDR tools provide response features to help operators remediate and investigate issues. Advanced tools can also help investigate live system memory, gather artifacts from suspected endpoints, and combine historical and current situational data to create a comprehensive picture during an incident.
  4. Forensics – EDR tools offer forensics capabilities to help track threats and surface similar activities that may otherwise be missed. These capabilities help establish timelines and identify affected systems before a breach occurs.
  5. Automation – advanced EDR solutions can automatically remediate activities. For example, automatically stop or disconnect compromised processes and alert relevant parties, and isolate or disable suspected endpoints and accounts.

How EDR Works

EDR solutions continuously ingest data from endpoints, including event logs, running applications, and authentication attempts. Here is how the process usually works:

Ingesting telemetry from endpoints 

The solution collects telemetry data from endpoints, either by installing software agents on each endpoint or through other, indirect means.

Sending the ingested telemetry to the EDR platform 

The solution sends data from all endpoint agents to a central location, usually a cloud-based EDR platform. It can also work on-premises or as a hybrid cloud to help meet compliance requirements.

Correlating and analyzing data 

The solution employs machine learning to correlate and analyze the data. Typically, the solution uses this technology to establish a baseline of normal endpoint operations and user behavior and then looks for anomalies. 

Some EDR solutions include threat intelligence feeds to introduce context in the form of real-world examples of cyberattacks. The technology compares network and endpoint activity with these examples to detect attacks.

Flagging and responding to suspicious activity

The solution flags suspicious activity and pushes alerts to notify security analysts and relevant personnel. It also initiates automated responses according to predetermined triggers, for example temporarily isolating an endpoint to stop malware from spreading across the network.

Retaining data for future use 

EDR solutions retain data to enable future investigations and proactive threat hunting. Analysts and tools can use this data to consolidate events into one incident, to investigate prolonged attacks that are still in progress, or to uncover attacks that previously went undetected. It also provides the context for threat hunting, helping security experts and tools actively look for malicious activity.
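The stages above (ingest, baseline, detect, respond, retain) and the capability list earlier on this page (ATT&CK mapping, automated remediation, forensics) are easier to reason about as code. The following is an added example written for this article, not code from Cynet or any of the vendors reviewed here: a toy EDR pipeline in Python over constructed telemetry. Hosts, users, hashes and IP addresses are constructed sample values, the "threat intelligence feed" holds placeholder indicators, and the response policy, the office-application-spawns-shell rule and the ATT&CK technique assignment are assumptions chosen for illustration.

```python
"""Toy EDR pipeline over constructed endpoint telemetry (added example).

Stages mirror the process described in the article: ingest events, baseline
normal parent->child process behaviour per host, flag deviations and threat
intelligence matches, decide an automated response from a policy, and retain
events so a later hunt can search them for newly published indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed "threat intelligence feed": placeholder indicators, not real IOCs.
IOC_FEED = {
    "sha256": {"00" * 32},           # placeholder hash
    "dest_ip": {"203.0.113.77"},     # TEST-NET-3 documentation address
}

# Constructed baseline window: what these endpoints normally do.
BASELINE_EVENTS = [
    {"host": "ws-01", "user": "alice", "parent": "explorer.exe", "process": "winword.exe", "dest_ip": None, "sha256": "aa" * 32},
    {"host": "ws-01", "user": "alice", "parent": "explorer.exe", "process": "outlook.exe", "dest_ip": "198.51.100.10", "sha256": "bb" * 32},
    {"host": "ws-02", "user": "bob", "parent": "explorer.exe", "process": "chrome.exe", "dest_ip": "198.51.100.20", "sha256": "cc" * 32},
    {"host": "srv-01", "user": "svc", "parent": "services.exe", "process": "sqlservr.exe", "dest_ip": None, "sha256": "dd" * 32},
]

# Constructed live telemetry: two benign events and two that should alert.
LIVE_EVENTS = [
    {"ts": 1, "host": "ws-01", "user": "alice", "parent": "explorer.exe", "process": "winword.exe", "dest_ip": None, "sha256": "aa" * 32},
    {"ts": 2, "host": "ws-01", "user": "alice", "parent": "winword.exe", "process": "powershell.exe", "dest_ip": None, "sha256": "ee" * 32},
    {"ts": 3, "host": "ws-01", "user": "alice", "parent": "powershell.exe", "process": "powershell.exe", "dest_ip": "203.0.113.77", "sha256": "ee" * 32},
    {"ts": 4, "host": "srv-01", "user": "svc", "parent": "services.exe", "process": "sqlservr.exe", "dest_ip": None, "sha256": "dd" * 32},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Assumed response policy: severity -> automated action.
RESPONSE_POLICY = {"high": "isolate_host", "medium": "notify_analyst", "low": "record_only"}


@dataclass
class Alert:
    host: str
    ts: int
    reason: str
    severity: str                      # "low" | "medium" | "high"
    technique: Optional[str] = None    # MITRE ATT&CK technique ID when a rule maps one


def build_baseline(events):
    """Learn the parent->child process pairs normally seen on each host."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["host"]].add((e["parent"], e["process"]))
    return baseline


def analyze(events, baseline, ioc_feed):
    """Flag threat-intel matches and deviations from the per-host baseline."""
    alerts = []
    for e in events:
        pair = (e["parent"], e["process"])
        # A known-bad hash or destination is the strongest signal: alert regardless of baseline.
        if e["sha256"] in ioc_feed["sha256"] or e["dest_ip"] in ioc_feed["dest_ip"]:
            alerts.append(Alert(e["host"], e["ts"], f"IOC match on {pair[1]} -> {e['dest_ip']}", "high"))
            continue
        if pair in baseline.get(e["host"], set()):
            continue  # behaviour seen during the baseline window: nothing to flag
        # Assumed rule: an office application spawning a shell maps to ATT&CK T1059.
        if e["parent"] in OFFICE_APPS and e["process"] in SHELLS:
            alerts.append(Alert(e["host"], e["ts"], f"{e['parent']} spawned {e['process']}", "medium", "T1059"))
        else:
            alerts.append(Alert(e["host"], e["ts"], f"unseen process chain {pair}", "low"))
    return alerts


def respond(alerts, policy=RESPONSE_POLICY):
    """Apply the policy to each alert; a host is isolated at most once."""
    actions, isolated = [], set()
    for a in alerts:
        action = policy[a.severity]
        if action == "isolate_host":
            if a.host in isolated:
                continue
            isolated.add(a.host)
        actions.append((a.host, action))
    return actions


def correlate(alerts):
    """Fold all alerts for one host into a single incident for triage."""
    incidents = defaultdict(list)
    for a in alerts:
        incidents[a.host].append(a)
    return dict(incidents)


def hunt(retained_events, sha256=None, dest_ip=None):
    """Retroactive hunt: which hosts have retained events matching a new indicator?"""
    return {e["host"] for e in retained_events
            if (sha256 and e["sha256"] == sha256) or (dest_ip and e["dest_ip"] == dest_ip)}


def run_pipeline(live=LIVE_EVENTS, baseline_events=BASELINE_EVENTS, ioc_feed=IOC_FEED):
    baseline = build_baseline(baseline_events)
    alerts = analyze(live, baseline, ioc_feed)
    return {"alerts": alerts, "actions": respond(alerts), "incidents": correlate(alerts)}


if __name__ == "__main__":
    result = run_pipeline()
    for a in result["alerts"]:
        print(f"[{a.severity}] {a.host} t={a.ts} {a.reason} technique={a.technique}")
    print("actions:", result["actions"])
    # Retained telemetry lets a later-published hash be hunted across the fleet.
    print("hosts with hash ee..:", hunt(LIVE_EVENTS, sha256="ee" * 32))
```

Event 2 is absent from the baseline and matches the office-to-shell rule, so it becomes a medium alert tagged T1059; event 3 hits the constructed IOC feed and triggers host isolation; events 1 and 4 match the baseline and are ignored. The `hunt` call at the end shows why retention matters: a hash that was unknown when the events arrived can still be searched for afterwards.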

Top 6 EDR Tools

Below is a quick review of our top 6 endpoint protection tools that include an EDR component: FireEye, Symantec, RSA, CrowdStrike, Cybereason, and our own Cynet Security Platform. For each vendor we explain the context of the EDR module within the broader security solution, and list EDR features as described by the vendors.

Cynet 360 Autonomous Breach Protection Platform

Solution scope:
The 360 Security Platform is an integrated security solution that goes beyond endpoint protection, offering NGAV, EDR, UEBA, deception, network monitoring and protection.

Delivery model:
On prem, Cloud or hybrid

Cynet EDR Features:

  • Correlation—leverages the integrated security platform, provides visibility into network traffic and user activity, together with endpoint-specific activity
  • Validation—correlation of all activity signals enables strict validation of any suspicious behavior, reducing false positives
  • Alert—provides full context for rapid and efficient triage, prioritization and onward steps on a single screen
  • Deep investigation—instant access to data from all endpoints, with granular search filters to go beyond the local detected event and view all related malicious activity
  • Remediation—enables control at the host, file and process level—from complete host isolation to surgical actions like scheduled task deletion
  • Automation—enables custom remediation workflows that are applied automatically when a similar incident recurs
  • Threat hunting—provides validated IOCs and remediation actions, enabling analysts to hunt for threats across the environment and uncover hidden attack instances

Symantec Endpoint Protection

Solution scope:
Symantec’s endpoint solution includes legacy antivirus, NGAV with emulator for detecting hidden packages, memory exploit prevention, deception technology, device network firewall and intrusion prevention, and EDR.

Delivery model:
Virtual or physical appliance

Product page:
https://www.symantec.com/products/endpoint-protection

RSA NetWitness Endpoint

Solution scope:
RSA NetWitness Endpoint is a solution focused on EDR capabilities. Malware protection, network monitoring, log analysis and other capabilities are offered as part of the broader NetWitness Platform.

Delivery model:
Physical or virtual appliance

Product page:
https://www.rsa.com/en-us/products/threat-detection-response/endpoint-security-endpoint-detection-response

EDR Features:

  • Continuous Endpoint Monitoring—visibility into processes, executables, events and user behavior
  • Rapid Data Collection—creates endpoint inventories and profiles in minutes, using a lightweight agent
  • Scalable and Efficient—scales easily to hundreds of thousands of endpoints, storing data in a central database
  • Behavioral Detection with UEBA—baselines “normal” endpoint behavior, detects deviations, and prioritizes incidents based on potential threat level
  • Analyzes root cause and full attack scope

CrowdStrike Falcon Insight

Solution scope:
Falcon Insight is an EDR module as part of the Falcon Endpoint Protection Enterprise solution, which also includes NGAV, threat intelligence, USB device protection, and threat hunting.

Delivery model:
Cloud

Product page:
https://www.crowdstrike.com/endpoint-security-products/falcon-endpoint-protection-enterprise/

EDR Features:

  • Automatically uncovers stealthy attackers—applies behavioral analytics to detect traces of suspicious behavior.
  • Integrates with threat intelligence—faster detection of the activities, tactics, techniques and procedures identified as malicious
  • Real-time and historical visibility—hundreds of security-related events such as process creation, drivers loading, registry modifications, disk access, memory access, network
  • Fast remediation and real-time response—isolates an endpoint under attack from the network; provides built-in remote execution commands including deleting a file, killing a process, running a script, restart/shutdown
  • Information collectors—enable analysts to explore the file system, list running processes, retrieve Windows event logs, extract process memory, collect environment variables, etc.
  • Remediation actions enable teams to take action to contain or remediate a threat with speed and decisiveness.

Cybereason Endpoint Detection and Response

Solution scope:
A module within the Cybereason Defense Platform, which also includes NGAV and Managed Detection and Response (MDR).

EDR Features:

  • Threat examination—shows entire process tree, timeline, and all malicious activity across machines for each process
  • Third party alerts—combines EDR data with alerts from firewall and SIEM tools
  • Attack full scope—see all related attack elements, including root cause, affected machines and users, incoming and outgoing communications, attack timeline
  • Customization—custom rules and behavioral whitelisting
  • Guided remediation—execute commands from a complete remediation toolbox on the endpoint, enables access to remote shell
  • Enterprise-wide remediation—responds to threats affecting many machines, by executing remediation actions on all affected machines in one step

FireEye Endpoint Security

Solution scope:
Endpoint solution including an agent with four detection engines, NGAV capabilities, and EDR.

Delivery model:
Appliance or cloud

EDR Features:

  • Triage Viewer and Audit Viewer—enables analysis of threat indicators
  • Enterprise Security Search—helps analysts find and contain threats
  • Data Acquisition—in-depth endpoint inspection and analysis
  • Exploit Guard—detects and alerts on endpoint exploit processes

Learn More About EDR Tools

Endpoint Detection and Response: The Ultimate RFP Template

Endpoint Detection and Response (EDR) is a key part of your endpoint protection strategy, and can help your analysts investigate and respond to attacks as they happen. If you’re evaluating EDR security solutions, it can be valuable to have a well organized list of capabilities, and ask each vendor what exactly their solution provides.

Use our Request for Proposal to check exactly what each vendor provides in monitoring, prevention, response capabilities, and more.

Read more: Endpoint Detection and Response: The Ultimate RFP Template

What Does EDR Stand For? Endpoint Detection & Response 101

Endpoint Detection and Response (EDR) is a new security category defined by Gartner in 2013. It fills an important gap in protection of endpoints, helping security teams gain visibility into malicious activity on an endpoint, and remotely control endpoints to contain and mitigate attacks.

This article will help you understand the core capabilities of EDR, how it is different from Endpoint Protection Platforms (EPP) and antivirus, and how it can help you secure your organization from the growing threat of endpoint-targeted attacks.

Read more: What Does EDR Stand For? Endpoint Detection & Response 101

EDR Cybersecurity: Unlocking the Black Box of Endpoint Protection

On modern networks there is an explosion in the number of endpoints, including physical and virtual workstations, servers, and cloud machine instances. Each endpoint is potentially vulnerable to attack, but security teams have limited access to endpoints, limited visibility into malicious activity taking place on an endpoint, and limited ability to reach out to an endpoint to investigate and contain an attack.

Learn what Endpoint Detection and Response (EDR) is, which threats EDR can protect against, and how the EDR process works.

Read more: EDR Cybersecurity: Unlocking the Black Box of Endpoint Protection

EDR: Everything You Need to Know to Protect the Network From Endpoint Threats

EDR is a subset of cyber security that enables security teams to investigate and mitigate security threats on endpoints. EDR security solutions are a last line of defense against attackers who have already breached endpoints. They can help defend against severe threats like multi stage attacks, fileless malware, and malicious insiders.

Learn what EDR security is, what types of threats EDR software detects, and how to leverage EDR solutions to protect your network from endpoint threats.

Read more: EDR: Everything You Need to Know to Protect the Network From Endpoint Threats

EPP vs. EDR: What Matters More, Prevention or Response?

Endpoint Protection Platforms (EPP) help prevent security threats, including known and unknown malware, on your endpoint devices. Endpoint Detection and Response (EDR) solutions help you detect and respond to incidents that managed to bypass your EPP or other security measures. Which is more important? Can you do without one or the other?

Learn the differences between EPP and EDR, and why both are critical to endpoint security. Discover how Cynet 360 can help ensure your endpoints are protected.

Read more: EPP vs. EDR: What Matters More, Prevention or Response?

EDR vs Antivirus: Understanding Endpoint Protection Options

Endpoint detection and response (EDR) collects data from endpoints and provides advanced measures for detecting threats, with the ability to identify where an attack originated and how it is spreading. It is often a component of an endpoint protection platform (EPP).

Learn about the difference between EDR, antivirus, and endpoint protection platforms (EPP) – and how each of these can help you protect your organization.

Read more: EDR vs Antivirus: Understanding Endpoint Protection Options

EDR vs SIEM: How to Choose?

Gartner defines endpoint detection and response (EDR) as a solution for recording endpoint-system-level behaviors, detecting suspicious behavior in a system, and providing information in context about incidents. Security information and event management (SIEM) offers enterprises detection, analysis, and alerting for security events.

Discover the differences between EDR and SIEM, and the relation to a new security solution that is the evolution of both – eXtended Detection and Response.

Read more: EDR vs SIEM: How to Choose?

10 Reasons Your Business Needs Endpoint Protection Software

Cyberattacks are a threat to every business, small and large. Learn why endpoint protection software is a critical component in your IT security toolbox.

Read more: 10 Reasons Your Business Needs Endpoint Protection Software

See Our Additional Guides on Key Data Security Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of data security.

Endpoint Security

Endpoint protection

Incident Response

EDR Tools Questions and Answers 

What Does EDR Mean?

Endpoint Detection and Response (EDR) is a security category defined by Gartner in 2013. It is intended to fill security gaps on endpoint devices like employee workstations, servers, and mobile devices. EDR helps security teams investigate and immediately respond to malicious activities at remote endpoints to contain and mitigate attacks.

Why is EDR Important?

Compared with traditional endpoint security solutions, EDR provides real time information about malicious activity on endpoint devices, automatically responds to some attack scenarios, and shortens response time by security teams. EDR is an essential tool for responding to advanced persistent threats, and any attack that manages to bypass preventative defenses on an endpoint device.

How Does an EDR Work?

EDR systems deploy agents on end-user devices, which are used to continuously monitor activity and network traffic to and from the device. These events are recorded in a central database. EDR tools analyze the data to identify incidents, investigate them, and use the data to find similar threats on other endpoints across the organization. 

Most importantly, EDR allows security teams to immediately see what is happening on the endpoint and take action to contain and eradicate threats.

What is the Difference Between EDR and Antivirus?

Antivirus software can stop threats based on malware, but is not effective against other types of threats. It also cannot protect against malware that evades detection. EDR is able to detect and respond to threats that evade antivirus and other traditional defenses on the endpoint device.

Can EDR Replace Antivirus?

EDR solutions, on their own, do not replace antivirus. EDR is typically part of an endpoint protection platform (EPP), which includes advanced antivirus and anti-malware protection. EDR works together with antivirus – it relies on antivirus to stop some threats, but is able to detect and respond to threats that were not captured by antivirus software.
