Endpoint Detection and Response (EDR) is a security category first defined by Gartner in 2013. It fills an important gap in endpoint protection: it gives security teams visibility into malicious activity on an endpoint, and lets them remotely control that endpoint to contain and remediate an attack.
This article will help you understand the core capabilities of EDR, how it is different from Endpoint Protection Platforms (EPP) and antivirus, and how it can help you secure your organization from the growing threat of endpoint-targeted attacks.
Extended Detection and Response (XDR), the next stage in the evolution of EDR, is covered in a separate article.
EDR is a security practice and technology defined by Gartner in 2013. EDR stands for Endpoint Detection and Response.
The primary function of EDR solutions is to alert security teams to malicious activity on endpoints and to enable real-time investigation of the root cause and scope of an attack. EDR has three key mechanisms:
There are several components to a comprehensive endpoint security solution, and the various associated terms are often confused or conflated. Let’s clear up this misunderstanding with precise definitions of the related concepts of EDR, EPP, AV/NGAV, and SIEM.
According to Gartner, an Endpoint Protection Platform (EPP) is a security solution designed to detect malicious activity on endpoints, prevent malware attacks, and enable investigation and remediation of dynamic security incidents. This definition includes EDR as an integral part of EPP solutions.
EPP functionality can be divided into two broad categories:
Many people confuse the capabilities of EDR and antivirus (AV), assuming they need only one of them. In fact the two complement each other. Traditional antivirus is a preventive control that relies mainly on signature-based detection (matching files on disk against known-bad hashes and byte patterns). It blocks or quarantines known malware, but it provides no visibility into how an attack unfolds: AV can catch the malicious file, but it cannot tell you where it came from or how it spread through your network.
EDR, on the other hand, records endpoint telemetry (process creation, command lines, file, registry and network activity) so that analysts can reconstruct how an attacker gained access and what they did once inside. Because it judges behavior rather than file contents, EDR can detect activity from zero-day exploits, advanced persistent threats, and fileless or malware-free attacks. Those attacks abuse legitimate, signed tools already present on the host, so there is no malicious file for a signature to match, and they can evade legacy AV and, in some cases, NGAV.
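The contrast above, as an added example that is not part of the original article or Cynet's product: a hash-based signature check and a behavioral rule run over the same constructed process telemetry. A dropped executable with a known-bad hash is caught by the signature; a fileless launch of PowerShell from Word with an encoded command has no malicious file to match, but the parent/child relationship and command line give it away. The hashes, host names and command lines are all constructed for the example.

```python
"""Added example: signature matching versus behavioral detection on process telemetry.

Not Cynet's code. All events, hashes and host names below are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent: str        # image name of the parent process
    image: str         # image name of the new process
    cmdline: str
    file_bytes: bytes  # content of the executable on disk (constructed)


# Constructed "signature database": SHA-256 of one known malware body.
KNOWN_BAD_HASHES = {hashlib.sha256(b"MZ...constructed-malware-body").hexdigest()}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def av_signature_match(ev: ProcessEvent) -> bool:
    """Signature-based AV check: is the executed file on the blocklist?"""
    return hashlib.sha256(ev.file_bytes).hexdigest() in KNOWN_BAD_HASHES


def edr_behaviour_match(ev: ProcessEvent) -> list:
    """EDR-style behavioral check: suspicious parent/child pairs and command-line traits.
    Returns the list of reasons that fired (empty means nothing suspicious)."""
    reasons = []
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        reasons.append("office app spawned script host")
    cl = ev.cmdline.lower()
    if ev.image.lower() in {"powershell.exe", "pwsh.exe"} and ("-enc" in cl or "-encodedcommand" in cl):
        reasons.append("encoded PowerShell command line")
    if "downloadstring(" in cl or "iex " in cl or "invoke-expression" in cl:
        reasons.append("download-and-execute pattern")
    return reasons


def triage(events):
    """For each event, report what the signature check and the behavioral rules would do."""
    return [{"host": ev.host, "image": ev.image,
             "av_blocked": av_signature_match(ev),
             "edr_reasons": edr_behaviour_match(ev)} for ev in events]


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Known malware dropped to disk: the signature catches it.
    ProcessEvent("ws01", "explorer.exe", "invoice.exe",
                 "invoice.exe", b"MZ...constructed-malware-body"),
    # Fileless: the legitimate powershell.exe, launched by Word with an encoded
    # payload. There is no malicious file for a signature to match.
    ProcessEvent("ws02", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo...",
                 b"MZ...legitimate-powershell-image"),
    # Benign activity: neither control fires.
    ProcessEvent("ws03", "explorer.exe", "notepad.exe",
                 "notepad.exe C:\\notes.txt", b"MZ...legitimate-notepad-image"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The behavioral rules are deliberately simple; a production EDR evaluates hundreds of such rules against a full process tree, but the principle is the same: the fileless event is invisible to the hash check and obvious to the parent/child and command-line rules.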
Security Information and Event Management (SIEM) collects log and event data from across your network to help identify behavior patterns, detect threats, and investigate security incidents. It is broader than EDR, which addresses endpoint activity specifically.
In a large organization, EDR will likely be one of the data inputs of a SIEM. The SIEM can combine information on endpoint security incidents coming from the EDR system, with information from other parts of the security environment, such as network monitoring and alerts from other security tools.
A SIEM is also responsible for long-term retention of historical data, for example endpoint events going back months or years, so analysts can check whether the same type of attack has occurred before. EDR products typically retain raw telemetry for a much shorter window.
Some common EDR features include:
EDR solutions deal only with process behavior on the endpoint, the activity that raises their alerts. Organizations can use EDR tools to cover the parts of common attacker Tactics, Techniques, and Procedures (TTPs) that manifest as anomalous process activity. An EDR product is blind, however, to attacks that show up only in network traffic or user activity.
Take credential theft as an example. The usual method is to dump password hashes from the memory of the LSASS process using a custom or open-source tool. That involves anomalous process behavior (an unusual process reading LSASS memory), so an EDR tool should identify it. But an attacker can obtain credential material for the same accounts by capturing the authentication traffic between two hosts (for example NTLM challenge/response exchanges, which can be cracked offline or relayed). That produces no anomalous process activity on either host for the EDR to see.
A second example is lateral movement. Here the attacker has compromised the credentials of several user accounts and uses them to log on to many hosts across the network. The anomaly is in the user activity (one account authenticating to an unusual number of hosts in a short time), not in the process behavior on any single host, where each session looks like ordinary administration. The EDR will therefore either miss the attack entirely or see fragments of it without enough context to separate them from legitimate activity, producing noisy alerts and false positives. Process data is important, but an organization cannot rely on it as its only source of security data.
A further limitation is that EDR tools act only on endpoints: on their own they cannot contain an attack or restore operations at the user (identity) or network level, for example by disabling a compromised account or blocking attacker-controlled traffic.
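The two examples above, and the cross-source correlation described in the SIEM section, as an added example that is not part of the original article or Cynet's product. The same intrusion is run through process telemetry alone and then through process, user and network telemetry together: the LSASS dump on the first workstation is a process anomaly and is caught either way, while the lateral movement that follows looks like routine admin sessions on each host and only stands out when logon records and SMB flows are examined per account and per source host. Every event, host, account and process name below is constructed, and the allow-list of processes permitted to read LSASS is an assumption about a site's configuration.

```python
"""Added example: the same intrusion seen by process-only rules and by
process + user + network rules. Not Cynet's code; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:                  # process plane (EDR telemetry)
    ts: int
    host: str
    image: str
    target_process: str = ""      # process whose memory was opened, if any


@dataclass
class LogonEvent:                 # user plane (e.g. domain controller logon records)
    ts: int
    account: str
    src_host: str
    dst_host: str


@dataclass
class FlowEvent:                  # network plane (e.g. flow records)
    ts: int
    src_host: str
    dst_host: str
    dst_port: int


# Assumption for the example: processes this site allows to read LSASS memory.
TRUSTED_LSASS_READERS = {"lsass.exe", "csrss.exe", "msmpeng.exe"}


def process_rules(events):
    """EDR-style rule: a process outside the allow-list opened lsass.exe memory."""
    return [f"{e.host}: {e.image} opened lsass.exe" for e in events
            if e.target_process == "lsass.exe" and e.image.lower() not in TRUSTED_LSASS_READERS]


def _fanout(events, key, label, window, threshold):
    """Generic fan-out rule: one key (account or source host) reaches at least
    `threshold` distinct destination hosts within `window` seconds."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key(e)].append(e)
    alerts = []
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):          # sliding window over sorted events
            hosts = {e.dst_host for e in evs[i:] if e.ts - start.ts <= window}
            if len(hosts) >= threshold:
                alerts.append(f"{k}: {label} to {len(hosts)} hosts within {window}s")
                break
    return alerts


def logon_fanout_rule(events, window=600, threshold=5):
    """User-plane rule: one account logs on to many distinct hosts in a short time."""
    return _fanout(events, lambda e: e.account, "logon", window, threshold)


def smb_fanout_rule(events, window=600, threshold=5):
    """Network-plane rule: one source host opens SMB (445) to many distinct hosts."""
    return _fanout([e for e in events if e.dst_port == 445],
                   lambda e: e.src_host, "SMB", window, threshold)


def detect(proc, logons, flows, planes=("process", "user", "network")):
    """Run the rules for the planes an organization actually monitors."""
    alerts = []
    if "process" in planes:
        alerts += process_rules(proc)
    if "user" in planes:
        alerts += logon_fanout_rule(logons)
    if "network" in planes:
        alerts += smb_fanout_rule(flows)
    return alerts


# Constructed intrusion: credential dump on ws01, then lateral movement with a
# stolen account to six servers over SMB within five minutes.
SAMPLE_PROC = [
    ProcEvent(100, "ws01", "procdump.exe", "lsass.exe"),   # credential dump: process anomaly
    ProcEvent(101, "ws01", "MsMpEng.exe", "lsass.exe"),    # AV engine, allow-listed
    *[ProcEvent(500 + 60 * i, f"srv{i:02d}", "cmd.exe") for i in range(1, 7)],  # looks like any admin session
]
SAMPLE_LOGONS = [LogonEvent(500 + 60 * i, "svc_backup", "ws01", f"srv{i:02d}") for i in range(1, 7)]
SAMPLE_FLOWS = [FlowEvent(500 + 60 * i, "ws01", f"srv{i:02d}", 445) for i in range(1, 7)]

if __name__ == "__main__":
    print("process plane only:", detect(SAMPLE_PROC, SAMPLE_LOGONS, SAMPLE_FLOWS, planes=("process",)))
    print("all three planes:  ", detect(SAMPLE_PROC, SAMPLE_LOGONS, SAMPLE_FLOWS))
```

With only the process plane, the output contains a single alert for the LSASS read on ws01; the six `cmd.exe` sessions on the servers are indistinguishable from administration. With all three planes, the account fan-out and the SMB fan-out from ws01 are reported as well, which is the context an analyst needs to recognize the sessions as lateral movement rather than treat each one as a false positive.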
The Cynet 360 platform is designed to run across an organization's entire environment, not only its endpoints. To do this, Cynet 360 protects all attack surfaces by monitoring three planes: network traffic, process behavior, and user activity. Attackers typically manifest on one or more of these three planes.
Continuous monitoring across this triad provides greater threat visibility. Organizations can observe more stages of the attack lifecycle, and so identify and block threats with greater success.
As a subset of these capabilities, Cynet employs EDR technology with the following capabilities:
Cynet 360 threat protection goes beyond attack detection and prevention. Organizations can use Cynet to proactively monitor their internal environment (endpoints, hosts, files, and network), which helps reduce the attack surface and the opportunity for follow-on attacks. During an active attack, an organization must contain the attacker's capabilities in order to eradicate their presence entirely. This includes disabling compromised user accounts, terminating malicious processes and deleting their files, isolating infected hosts, and blocking traffic to attacker-controlled infrastructure.