Today, Endpoint Detection and Response (EDR) is approached as an essential part of EPP. Central to EDR is the detection of attackers that evaded the prevention layer of an EPP solution and are active in the target environment. In this article, we’ll provide an overview of the endpoint security market and offer insight into EDR security capabilities. We’ll also address 6 top EDR tools, covering their solution scope, delivery, and EDR features.
EDR tools are technology platforms that can alert security teams of malicious activity, and enable fast investigation and containment of attacks on endpoints. An endpoint can be an employee workstation or laptop, a server, a cloud system, a mobile or IoT device.
EDR solutions typically aggregate data on endpoints including process execution, endpoint communication, and user logins; analyse data to discover anomalies and malicious activity; and record data about malicious activity, enabling security teams to investigate and respond to incidents. In addition, they enable automated and manual actions to contain threats on the endpoint, such as isolating it from the network or wiping and reimaging the device.
According to Gartner: “An Endpoint Protection Platform (EPP) is a solution deployed on endpoint devices to prevent file-based malware, to detect and block malicious activity from trusted and untrusted applications, and to provide the investigation and remediation capabilities needed to dynamically respond to security incidents and alerts.”
In 2018, the endpoint security market was valued at $11.18 billion, and it is predicted to reach a value of $19.69 billion by 2024. The market is characterized by:
Enterprise adoption of SaaS-based or cloud-delivered endpoint security solutions is growing—the benefits attracting companies include computing scalability, reduced costs, and low maintenance demands.
More endpoints with more sensitive data—the number of enterprise endpoints is growing, and with increased connectivity, collaboration and data sharing, there is a much higher chance that an endpoint will contain sensitive organizational data.
Endpoints are a gateway for attackers—in the past two decades, organizations have invested major resources in safeguarding the network perimeter. Attackers have found it is much easier to penetrate organizations by sidestepping network defenses and compromising endpoints directly.
Endpoint agent consolidation—while in the past, multiple security tools were installed on endpoints, today the trend is towards consolidation, where one platform with a single software footprint is installed on an endpoint, providing multiple security solutions, and enabling central management of security functions.
Consolidation of EPP and EDR—Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR) tools are no longer considered two separate systems, but are now offered together. The term Endpoint Protection Platform has been expanded to include EDR as well.
Top 6 EDR Tools
Below is a quick review of our top 6 endpoint protection tools that include an EDR component: FireEye, Symantec, RSA, CrowdStrike, Cybereason, and our own Cynet Security Platform. For each vendor we explain the context of the EDR module within the broader security solution, and list EDR features as described by the vendors.
Cynet 360 Autonomous Breach Protection Platform
Solution scope: The 360 Security Platform is an integrated security solution that goes beyond endpoint protection, offering NGAV, EDR, UEBA, deception, network monitoring and protection.
Correlation—leverages the integrated security platform to provide visibility into network traffic and user activity, together with endpoint-specific activity
Validation—correlation of all activity signals enables strict validation of any suspicious behavior, reducing false positives
Alert—provides full context for rapid and efficient triage, prioritization and onward steps on a single screen
Deep investigation—instant access to data from all endpoints, with granular search filters to go beyond the local detected event and view all related malicious activity
Remediation—enables control at the host, file and process level—from complete host isolation to surgical actions like scheduled task deletion
Automation—enables custom remediation workflows that are applied automatically when a similar incident recurs
Threat hunting—provides validated IOCs and remediation actions, enabling analysts to hunt for threats across the environment and uncover hidden attack instances
RSA NetWitness Endpoint
Solution scope: RSA NetWitness Endpoint is a solution focused on EDR capabilities. Malware protection, network monitoring, log analysis and other capabilities are offered as part of the broader NetWitness Platform.
Automatically uncovers stealthy attackers—applies behavioral analytics to detect traces of suspicious behavior.
Integrates with threat intelligence—faster detection of the activities, tactics, techniques and procedures identified as malicious
Real-time and historical visibility—hundreds of security-related events such as process creation, drivers loading, registry modifications, disk access, memory access, network
Fast remediation and real-time response—isolates an endpoint under attack from the network; provides built-in remote execution commands including deleting a file, killing a process, running a script, restart/shutdown
Information collectors—enable analysts to explore the file system, list running processes, retrieve Windows event logs, extract process memory, collect environment variables, etc.
Remediation actions enable teams to take action to contain or remediate a threat with speed and decisiveness.
Cybereason Endpoint Detection and Response
Solution scope: A module within the Cybereason Defense Platform, which also includes NGAV and Managed Detection and Response (MDR).
Threat examination—shows entire process tree, timeline, and all malicious activity across machines for each process
Third party alerts—combines EDR data with alerts from firewall and SIEM tools
Attack full scope—see all related attack elements, including root cause, affected machines and users, incoming and outgoing communications, attack timeline
Customization—custom rules and behavioral whitelisting
Guided remediation—execute commands from a complete remediation toolbox on the endpoint, and gain access to a remote shell
Enterprise-wide remediation—responds to threats affecting many machines, by executing remediation actions on all affected machines in one step
FireEye Endpoint Security
Solution scope: Endpoint solution including an agent with four detection engines, NGAV capabilities, and EDR.
Delivery model: Appliance or cloud
Triage Viewer and Audit Viewer—enables analysis of threat indicators
Enterprise Security Search—helps analysts find and contain threats
Data Acquisition—in-depth endpoint inspection and analysis
Exploit Guard—detects and alerts on endpoint exploit processes
Endpoint Detection and Response (EDR) is a security category defined by Gartner in 2013. It is intended to fill security gaps on endpoint devices like employee workstations, servers, and mobile devices. EDR helps security teams investigate and immediately respond to malicious activities at remote endpoints to contain and mitigate attacks.
Why is EDR Important?
Compared with traditional endpoint security solutions, EDR provides real time information about malicious activity on endpoint devices, automatically responds to some attack scenarios, and shortens response time by security teams. EDR is an essential tool for responding to advanced persistent threats, and any attack that manages to bypass preventative defenses on an endpoint device.
How Does an EDR Work?
EDR systems deploy agents on end-user devices, which are used to continuously monitor activity and network traffic to and from the device. These events are recorded in a central database. EDR tools analyze the data to identify incidents, investigate them, and use the data to find similar threats on other endpoints across the organization.
Most importantly, EDR allows security teams to immediately see what is happening on the endpoint and take action to contain and eradicate threats.
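The telemetry pipeline described here and earlier in the overview (collect process, network and logon events from agents, reconstruct what happened on each host, and attach containment actions to a validated finding) can be illustrated with a small correlation routine. This is an added example, not code from any of the products above; the event format, the application lists and the sample events are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry from two hosts (not captured from a real EDR agent).
EVENTS = [
    {"type": "logon",   "host": "ws-01", "user": "alice", "ts": 100},
    {"type": "process", "host": "ws-01", "pid": 10, "ppid": 1,  "image": "explorer.exe",   "user": "alice", "ts": 101},
    {"type": "process", "host": "ws-01", "pid": 20, "ppid": 10, "image": "winword.exe",    "user": "alice", "ts": 102},
    {"type": "process", "host": "ws-01", "pid": 30, "ppid": 20, "image": "powershell.exe", "user": "alice", "ts": 103},
    {"type": "netconn", "host": "ws-01", "pid": 30, "dst": "203.0.113.7:443", "ts": 104},
    {"type": "logon",   "host": "srv-02", "user": "bob", "ts": 200},
    {"type": "process", "host": "srv-02", "pid": 40, "ppid": 1,  "image": "services.exe",   "user": "SYSTEM", "ts": 201},
    {"type": "process", "host": "srv-02", "pid": 50, "ppid": 40, "image": "powershell.exe", "user": "SYSTEM", "ts": 202},
    {"type": "netconn", "host": "srv-02", "pid": 50, "dst": "10.0.0.5:445", "ts": 203},
]

# Hypothetical application lists; a real deployment would tune these per environment.
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def ancestry(procs, host, pid):
    """Walk ppid links back toward the root; returns [process, parent, grandparent, ...]."""
    chain, seen = [], set()
    while pid in procs[host] and pid not in seen:
        seen.add(pid)
        chain.append(procs[host][pid])
        pid = procs[host][pid]["ppid"]
    return chain

def correlate(events):
    """Rebuild per-host process trees and flag an office app spawning an interpreter.

    Each alert carries the full context an analyst needs for triage: host, user,
    the root-cause chain, outbound destinations, and the suggested containment steps.
    """
    procs = defaultdict(dict)   # host -> pid -> process event
    conns = defaultdict(list)   # (host, pid) -> destinations
    for e in events:
        if e["type"] == "process":
            procs[e["host"]][e["pid"]] = e
        elif e["type"] == "netconn":
            conns[(e["host"], e["pid"])].append(e["dst"])
    alerts = []
    for host, table in procs.items():
        for pid, p in table.items():
            chain = ancestry(procs, host, pid)
            if p["image"] in INTERPRETERS and any(a["image"] in OFFICE for a in chain[1:]):
                dsts = conns.get((host, pid), [])
                alerts.append({"host": host, "user": p["user"],
                               "root_cause": [a["image"] for a in reversed(chain)],
                               "dst": dsts,
                               "actions": ["kill_process"] + (["isolate_host"] if dsts else [])})
    return alerts
```

Running `correlate(EVENTS)` yields one alert for ws-01 (explorer.exe -> winword.exe -> powershell.exe with an outbound connection) and none for srv-02, where the interpreter was started by a service rather than an office application.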
What is the Difference Between EDR and Antivirus?
Antivirus software can stop threats based on malware, but is not effective against other types of threats. It also cannot protect against malware that evades detection. EDR is able to detect and respond to threats that evade antivirus and other traditional defenses on the endpoint device.
Can EDR Replace Antivirus?
EDR solutions, on their own, do not replace antivirus. EDR is typically part of an endpoint protection platform (EPP), which includes advanced antivirus and anti-malware protection. EDR works together with antivirus – it relies on antivirus to stop some threats, but is able to detect and respond to threats that were not captured by antivirus software.