Endpoint detection and response (EDR) is a category of security tools that monitor end-user hardware devices across a network for a range of suspicious activities and behavior, reacting automatically to block perceived threats and saving forensics data for further investigation.
An EDR platform combines deep visibility into everything that’s happening on an endpoint device — processes, changes to DLLs and registry settings, file and network activity — with data aggregation and analytics capabilities that allow threats to be recognized and countered by either automated processes or human intervention. Endpoint here generally means any end-user device, from a laptop to a smartphone, and can encompass IoT gadgets as well.
The first recognition of the category of endpoint detection and response is widely accepted to be in a 2013 blog post by Gartner analyst Anton Chuvakin who was trying to come up with a “generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.” He used the phrase endpoint threat detection and response, but the more succinct endpoint detection and response is what caught on.
A good way to understand a category like EDR is to explore what differentiates it from similar offerings. EDR is often contrasted with antivirus programs, or with endpoint protection platforms (EPPs), which are umbrella offerings that integrate antivirus/antimalware capabilities with other familiar security tools — data encryption, firewalls, intrusion prevention systems, and so on. The tools that make up EPPs tend to be preventative in nature and signature based, meaning they match potential threats against a database of known malicious code in order to stop attacks before they begin execution.
But as threats grow more nimble, this sort of defense, which depends on a static library of known threats and firm perimeter defense, grows less effective — and that’s where EDR comes in. All the action happening on endpoints — from configuration changes to processes launched or killed to files being accessed, copied, or exfiltrated — is the meat of a hacking operation, and EDR platforms aim to provide a front-row seat for security staff along with a certain degree of automated response.
How does this work in practice? EDR platforms generally consist of agents installed on end user devices; these agents monitor activity and send information back to a centralized server, which may be on-prem or in the cloud. The server can automatically detect problems and attempt to correct them or alert a security staffer; it also surfaces information via dashboards monitored by infosec teams.
In what sort of scenarios would EDR really shine? The archetypical EDR use case would be a scenario when an active threat plays out in multiple forms across an endpoint, looking at patterns of action rather than simpler signals like a specific virus or the breaching of a firewall. For example, an attacker who steals valid credentials through a phishing attack can log into a system normally without triggering any alarms or using any malware. They would initially have free reign of the endpoint, but their activities after that, like trying to elevate privileges or move horizontally to other systems, will likely get flagged by a good EDR system, or will at least leave traces in the data that a human infosec pro can spot.
In a 2016 blog post, Gartner’s Chuvakin lays out the top-level use cases for EDR:
There’s a lot of specific capabilities that EDR platforms need to deliver within that framework, but as is true for many broad product categories, there’s no single canonical list of EDR features. But after taking a look at the offerings from various vendors, including Digital Guardian, Cybereason, and Carbon Black, along with the Gartner post that started it all, we’ve put together a list of some of the most commonly offered EDR capabilities.
There are a number of endpoint detection and response vendors offering platforms on the market. For a deep dive into three of them, which can give you a sense of the variations across product offerings, take a look at these reviews from CSO and IDG:
Other prominent offerings include:
The EDR market is already big—and it’s growing. Statista estimates that the market for EDR tools will be worth $1.5 billion by 2020. Gartner thinks an EDR platform will become a must-have for big companies: they project that by 2025, 70% of organizations with more than 5,000 endpoints will have EDR software deployed.
But one thing to keep in mind is that the whole EDR market is in some ways an attempt to put an umbrella label on a somewhat heterogenous category, and is thus always evolving. With many vendors offering both EDR and EPP platforms—and allowing the different tools on each platforms to work together—they’re helping drive the rise of a more general unified endpoint protection market that could account for more than $7 billion in sales.
This story, “How EDR stops hackers in their tracks” was originally published by