What Does EDR Stand For? Endpoint Detection & Response 101
Endpoint Detection and Response (EDR) is a new security category defined by Gartner in 2013. It fills an important gap in protection of endpoints, helping security teams gain visibility into malicious activity on an endpoint, and remotely control endpoints to contain and mitigate attacks.
This article will help you understand the core capabilities of EDR, how it is different from Endpoint Protection Platforms (EPP) and antivirus, and how it can help you secure your organization from the growing threat of endpoint-targeted attacks.
EDR is a security practice and technology defined by Gartner in 2013. EDR stands for:
Endpoint—an endpoint is a device such as a user workstation or server
Detection—EDR technology helps detect attacks on endpoint devices and provides security teams with fast access to information that can help investigate the attack
Response—EDR solutions can automatically respond to attacks by performing actions at the device level, such as quarantining the endpoint or blocking malicious processes
The primary function of EDR solutions is to alert security teams to malicious activity on endpoints, and enable real-time investigation of the root cause and scope of an attack. EDR has three key mechanisms:
Endpoint data collection—aggregates data on events such as process execution, communication, and user logins.
Detection engine—performs behavioral analysis to establish a baseline of typical endpoint activity, discover anomalies, and determine which anomalies represent malicious activity on the endpoint.
Data recording—provides security teams with real-time data about security incidents on endpoints, which they can use to investigate an incident as it happens and to contain and mitigate it.
Endpoint Security—Understanding the Terminology
There are several components to a comprehensive endpoint security solution, and the various associated terms are often confused or conflated. Let’s clear up this misunderstanding with precise definitions of the related concepts of EDR, EPP, AV/NGAV, and SIEM.
What is the Difference Between EDR and EPP?
According to Gartner, an Endpoint Protection Platform (EPP) is a security solution designed to detect malicious activity on endpoints, prevent malware attacks, and enable investigation and remediation of dynamic security incidents. This definition includes EDR as an integral part of EPP solutions.
EPP platform functionality can be divided into two broad categories:
Prevention – an EPP goes beyond legacy antivirus (AV). It provides Next-Generation Antivirus (NGAV) technology that can detect malware and exploits even if they don’t match a known file signature. This aspect of EPP focuses on detecting a high percentage of attacks on endpoints and blocking them.
Detection and Response – this part is provided by EDR technology. It focuses on detecting attacks that manage to bypass the endpoint’s defensive measures, taking measures to prevent the attack from spreading, and notifying security analysts.
What is the Difference between EDR and Antivirus?
Many people confuse the capabilities of EDR and antivirus (AV), assuming they only need to use one of them. However, these two technologies complement each other. Antivirus is a preventative tool that relies on signature-based detection, and it doesn’t provide visibility into how attacks play out. AV can catch the malware, but it doesn’t tell you where it came from or how it spread in your network.
EDR, on the other hand, provides a full picture of how an attacker gained access to your system and what they did once inside. EDR can detect malicious activity on an endpoint as a result of zero-day exploits, advanced persistent threats, fileless or malware-free attacks, which don’t leave signatures and can therefore evade legacy AV and even NGAV.
What is the Difference Between EDR and SIEM?
Security Information and Event Management (SIEM) collects log and event data from across your network to help identify behavior patterns, detect threats, and investigate security incidents. It is broader than EDR, which addresses endpoint activity specifically.
In a large organization, EDR will likely be one of the data inputs of a SIEM. The SIEM can combine information on endpoint security incidents coming from the EDR system, with information from other parts of the security environment, such as network monitoring and alerts from other security tools.
SIEM is also responsible for collecting historical data, for example recording endpoint data over several years, allowing analysts to see if this type of attack has happened before.
Some common EDR features include:
Endpoint visibility— allowing security teams to monitor activity at all endpoints, including applications, processes, and communications, from one central interface.
Data collection— build a repository of recorded events for analytics, which can help you understand attacker behaviors and prevent future breaches.
Threat intelligence— understand how incidents occur and how you can avoid or remediate them. EDR can identify Indicators of Compromise (IoCs) and correlate them with threat intelligence to provide information about attacks and threat actors.
Automated alerts and forensics— real-time alerts about endpoint security incidents, with access to additional context and data to allow analysts to investigate the incident in depth.
Trace back to original breach point— compiles data on the potential entry points for an attack, providing more context for analysts beyond the currently-affected endpoint.
Automated response measures on the endpoint— blocking network access on a device, disabling certain processes, or performing other actions to prevent an attack from spreading to other endpoints.
Cynet: EDR and More
EDR solutions only deal with the process behavior that prompts alerts. Organizations can use EDR tools to attend to specific parts of common Tactics, Techniques, and Procedures (TTP) attackers use. However, EDR products are blind to other attack types.
Let’s turn our attention to the example of credential theft. The default process used by attackers involves dumping password hashes from memory using a customized tool or an open source tool. In this example, the attack method includes anomalous behavior, thus an EDR tool should identify these types of attacks. However, an attacker can acquire the same hashes by scraping the network traffic between two hosts, a process that doesn’t include anomalous activity.
A second example involves the attack technique of lateral movement. In this scenario, the attacker may be able to compromise many user account credentials and log in to many hosts in the network. Here, the anomaly is the user activity and not the process behavior. The EDR would thus either not identify the attack at all, or would see the attack without sufficient context, which would trigger false positives. Therefore, process data is important, but organizations cannot rely on it as the only source of their security data.
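The lateral movement case above, as an added example (not from the original article or from any vendor's product): a per-user baseline of login destinations, in the spirit of the behavioral baseline described for the detection engine, flags an account that suddenly reaches several hosts it has never used, even though no single process on any host looks unusual. The event tuples, host names, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, user, destination host).
# Field layout and names are assumptions for this example.
EVENTS = [
    ("2024-03-01T09:02:00", "alice", "ws-alice"),
    ("2024-03-01T09:05:00", "alice", "fileserver"),
    ("2024-03-02T09:01:00", "alice", "ws-alice"),
    ("2024-03-02T10:15:00", "bob", "ws-bob"),
    ("2024-03-02T10:20:00", "bob", "fileserver"),
    ("2024-03-03T09:03:00", "alice", "ws-alice"),
    # Detection day: bob's account reaches four never-used hosts within minutes.
    ("2024-03-04T02:10:00", "bob", "ws-carol"),
    ("2024-03-04T02:12:00", "bob", "ws-dave"),
    ("2024-03-04T02:13:00", "bob", "db-01"),
    ("2024-03-04T02:15:00", "bob", "dc-01"),
    ("2024-03-04T09:00:00", "alice", "ws-alice"),
    ("2024-03-04T09:30:00", "alice", "printserver"),
]

def build_baseline(events, cutoff):
    """Return the set of hosts each user logged in to before `cutoff`."""
    seen = defaultdict(set)
    for ts, user, host in events:
        if datetime.fromisoformat(ts) < cutoff:
            seen[user].add(host)
    return seen

def detect_fanout(events, cutoff, window=timedelta(hours=1), max_new_hosts=2):
    """Flag users who reach more than `max_new_hosts` first-time hosts within `window`."""
    baseline = build_baseline(events, cutoff)
    recent = defaultdict(list)  # user -> [(login time, first-time host)]
    alerts = {}
    for ts, user, host in sorted(events):
        t = datetime.fromisoformat(ts)
        if t < cutoff or host in baseline[user]:
            continue  # baseline period, or a host this user normally uses
        # Keep only first-time logins that are still inside the sliding window.
        recent[user] = [(t0, h) for t0, h in recent[user] if t - t0 <= window]
        recent[user].append((t, host))
        new_hosts = {h for _, h in recent[user]}
        if len(new_hosts) > max_new_hosts:
            alerts[user] = sorted(new_hosts)
    return alerts

if __name__ == "__main__":
    print(detect_fanout(EVENTS, datetime(2024, 3, 4)))
```

A single first-time login (alice and the print server) stays below the threshold, which is the context that separates routine user behavior from a fan-out across hosts.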
Another limitation of EDR tools is that they are restricted to endpoints and cannot help mitigate attacks or restore operations at the user or network level.
Cynet 360 holistic cybersecurity solution
The Cynet 360 platform is a comprehensive cyber solution developed to run across an organization's entire environment, not only its endpoints. To achieve this, Cynet 360 protects all attack surfaces by tracking three planes: network traffic, process behavior, and user activity. Attackers typically manifest themselves on one or several of these three planes.
Continuous monitoring to detect and stop threats over this triad provides increased threat visibility. Organizations thus have the chance to monitor more stages in the attack’s lifecycle so they can identify and block threats with greater success.
As a subset of these capabilities, Cynet employs EDR technology with the following capabilities:
Advanced endpoint threat detection —provides complete visibility and predicts how an attacker could operate, based on continuous endpoint monitoring and behavioral analysis.
Investigation and validation —search and analyze historic or current incident data on endpoints, validate alerts, and investigate threats. This lets you confirm the threat prior to responding, which reduces dwell time and helps perform faster remediation.
Rapid deployment and response —deploy across thousands of endpoints in just two hours. You can then use it to perform manual or automatic remediation of threats on the endpoints, minimize damage caused by attacks, and disrupt malicious activity.
Cynet 360 threat protection goes beyond attack detection and prevention. Using Cynet, organizations can proactively monitor their internal environments, such as endpoints, hosts, files, and network. This can help organizations reduce their attack surface and the potential for multiple attacks. When it comes to active attacks, an organization must contain the attacker's capabilities in order to eradicate the attacker's presence entirely. This includes disabling compromised users, deleting malicious processes and files, isolating infected hosts, and blocking traffic controlled by the attacker.