The alphabet soup of cybersecurity can be daunting to navigate at times. There is no shortage of tools or gaps to cover in a security stack, nor lack of acronyms to learn.
In an effort to help you make sense of these tools, we’ve started an ongoing blog series to define the common security terms and acronyms you should understand. And today, we’re going to explore an important one: EDR.
EDR, or endpoint detection and response, is one of the most frequently talked about tools on the market—but it can also be one of the more confusing. Realistically, this isn’t because of the overarching goal of EDR. Detecting and alerting on endpoint threats is a fairly straightforward mission that most understand, but the confusion lies more with how these tools achieve the desired outcome.
So, let’s dive in!
What Is EDR?
Endpoint detection and response (EDR) is an integrated endpoint security solution designed to detect, investigate and respond to cyber threats.
EDR solutions offer greater visibility into what’s happening on endpoints by recording granular endpoint activity and monitoring for signs of malicious behavior. If the EDR technology detects any of these malicious signs, it will provide security analysts with the necessary information to conduct both reactive and proactive threat investigations and minimize the impact of an attack.
Primary Functions of EDR
In general, endpoint detection and response solutions serve five primary functions.
Monitor and Collect Endpoint Data: First and foremost, EDR solutions should actively monitor endpoints and collect data from activities that may indicate a threat. A few examples of this data are running processes, network telemetry and registry modification; however, realistically it can be any data that the agent is designed to collect from the host.
Assemble Collected Data for Analysis: All of that data needs to be assembled for analysis, and this can be done in many ways. Some solutions handle this on the agent, which can result in a heavier process load on the individual system, others merely collect this data and then push it to a cloud repository where the heavy lifting is accomplished without bogging down the endpoint. And some solutions use a combination of both styles.
Analyze the Data: Once data is assembled, analysis takes place. This is really the key to any EDR solution, but the process can differ significantly from product to product. Some may rely solely on artificial intelligence or machine learning to scan for known threat patterns. Others may push data up to a cloud where a team of humans handle the threat hunting. And again, some are a combination of these two processes. But in any case, EDR tools are analyzing and interpreting all of this data to learn from it and be able to detect traces of suspicious behavior.
Alert on Findings: EDR technology will notify security personnel that a threat has been detected. This generally happens within the product interface or via integration with a ticketing system. Alerts can also vary in complexity. Some may show a comprehensive timeline of an event, while others may be more succinct.
Remediation Assistance: This is another area where things can vary widely. Some EDR products only offer alerting, leaving the response decision to the IT department or security personnel. Other products can support response efforts where the agent assists in removing the threat that has been found to alleviate more of the workload. This incident response can also be automated, manual, or a combination of the two.
A Brief History of EDR
The first mention of endpoint detection and response was back in 2013 when Anton Chuvakin from Gartner classified these emerging tools on the market as “endpoint threat detection and response.” Then in 2015, it was shortened to the EDR we know today.
But before we had a name for EDR, endpoints had become one of the largest attack surfaces. Windows, in particular, had grown so complex over the years and was ripe with vulnerabilities that attackers could exploit. Attackers also knew that many organizations were putting their IT budget on purely protective measures at the expense of other important categories like detection and response. This meant that once hackers found a way around those outer barriers (and boy did they), there was nothing else in their way.
As attacker tactics became more sophisticated, the world realized we needed more than just another antivirus or preventive product. We needed something that had greater visibility into systems, could collect and process significant amounts of data and could raise a red flag when something didn’t look right—and that’s how EDR was born.
EDR technology was designed to be a window into the day-to-day functions of an endpoint. As EDR has evolved over time, we’ve collected more and more data about the endpoint and all of its processes, registry settings and even network traffic. Today, EDR excels at collecting and analyzing data to surface potential attacks. If an attacker finds their way into an environment with EDR tools in place, any action they take will become an opportunity for detection. And the more data EDR collects, the better visibility we have into those actions.
What To Look For in an EDR Solution
Now that we have an understanding of why EDR is table stakes for today’s security stacks, the question now becomes: how do you find the right EDR solution for your organization?
Well, my advice would be to look internally first. If you have security-savvy team members who have been trained and are dedicated to doing actual threat hunting, then it’s possible that a good fit could be a software-only EDR solution that provides mainly alerting.
Alternatively, if you don’t have dedicated security personnel on-site, one of the drawbacks to software-only EDR solutions is the volume of alerts produced and a higher likelihood of false positives. This can be the more cumbersome side to EDR, but it’s also why we’ve seen EDR vendors offer a managed detection and response component. In this case, the vendor has a team of specialists who can do the heavy lifting and handle the threat hunting much more efficiently. If you lack the expertise and time to parse through alerts, then you absolutely should consider a vendor that offers managed EDR.
Another topic that is important to understand is the EDR vendor’s philosophy on threat hunting. What is their methodology? Are they AI and software-based only, or do they utilize human threat hunters, for instance? Developing an understanding of how their product works will inform you about potential gaps.
There is no one product out there that will be a silver-bullet solution. There will be gaps, so what’s crucial to understand is where those gaps are and how you can layer complementary products to fill in any holes and achieve a more secure posture. While detection and response remain a challenge for many businesses, EDR solutions can help fill those holes and enable teams to quickly identify and respond to today’s most determined threats.