Close
Free Trial

Endpoint Detection and Response (EDR)

Learn about what endpoint detection and response (EDR) is, including how it works, why it's important and how EDR fits into a security stack.

This article is from The Defender's Handbook: a knowledge base for cybersecurity enthusiasts to level up their cyber knowledge—one article at a time.

Introduction

The endpoint is the scene of the crime, and today's threat actors are notorious for attempting to circumvent traditional antivirus software.

As attackers try to disguise their malicious activity, endpoint detection and response (EDR) makes it a whole lot harder for them to evade. 

Read on to learn:

  • What is endpoint detection and response (EDR)?
  • How does endpoint detection and response work?
  • What are the primary functions of endpoint detection and response?
  • Why is endpoint detection and response important?
  • How does endpoint detection and response fit into a security stack?

Common Questions

What is endpoint detection and response (EDR)?

EDR is an integrated endpoint security solution designed to continuously monitor, detect and enable investigations and responses to cyber threats. Read more

How does endpoint detection and response work? Endpoint detection and response offers visibility into what’s happening on endpoints by recording granular endpoint activity and raising the alarm when malicious behavior is observed. Read more
Why is endpoint detection and response important? Preventing a threat actor from entering a network is only half the battle; having tools to combat threat actors once they make it past the preventive tools is key to neutralizing an attack. Read more
Is endpoint detection and response a firewall? Both are needed in a security stack. Firewalls are devoted to monitoring network traffic in and out, so malicious traffic from the Internet meet a hard brick wall before attacking an endpoint. EDR can take network traffic into account but goes many steps further than firewalls by observing processes and changes on the computer itself. Read more
Can endpoint detection and response replace antivirus?

The two are not mutually exclusive. Often, the technologies can overlap and complement each other. However, it should be recognized that antivirus lacks the modularity and functionality that EDR technologies offer to protect against a wide range of threats. Many security vendors have guidance on how an antivirus solution can be configured and choreographed with EDR to provide layered defense in depth. Read more

Where does endpoint detection and response fit into a security stack?

The key to understanding where EDR fits into a security stack is first understanding the gaps that need to be addressed and how you can layer complementary products, like EDR, to fill in any holes and achieve a more secure posture. Read more

Key Terms

Antivirus: Antivirus (AV) is software designed to prevent, search for, detect and remove viruses and other malware from a computer.

Endpoint: A remote computing device (like a user’s workstation or company server) that communicates back and forth with a network. Endpoints provide hackers an entry point to critical assets and applications, creating a potential cybersecurity vulnerability. 

Endpoint Detection and Response (EDR): EDR is a set of cybersecurity tools that proactively monitor, detect and remediate threats on endpoint devices as they happen.

Firewall: A type of network security system that monitors traffic to or from a network.

Security stack: Layers of security solutions that work together to minimize the risk of cyber threats.

What Is Endpoint Detection and Response (EDR)?

EDR was initially known as Endpoint Threat Detection and Response, a term coined in 2013 by Anton Chuvakin of Gartner. Chuvakin described it as tools that work together to allow organizations to investigate security incidents and detect malicious activity quickly. 

EDR is an evolution from traditional antivirus tools by continuously collecting and analyzing data from all endpoints. EDR can identify and respond to cyber threats before they occur or while they are in progress.

How Does Endpoint Detection and Response Work?

EDR solutions offer greater visibility into what’s happening on endpoints by recording granular endpoint activity and monitoring for signs of malicious behavior and advanced threats in real-time. 

Once an attacker finds their way into an environment, any EDR tools in place will turn the actions they take into an opportunity for detection. The more data EDR collects, the better visibility into those actions.

Five Functions of EDR

Data Collection and Analytics

EDR solutions actively monitor endpoints and collect data from activities that may indicate a threat.

Examples include:

  • Process creation
  • Drivers loading
  • Registry changes
  • Disk accesses
  • Network connections

From the data collected, EDR will then perform a behavioral analysis to uncover any potential threats and malicious activity that may already be in progress.

Detection

As the name suggests, EDR will detect advanced threats or traces of suspicious behavior.

Visibility

EDR technology notifies when a threat has been detected, allowing visibility into the attack. 

Response

EDR will begin to take actions to eliminate or contain the attack. 

Reporting and Alerts

Create immediate dashboards and alerts for action once a threat is detected.

Why Is Endpoint Detection and Response Important?

As cyber criminals developed evasive techniques for antivirus, there was a clear need for something more than just another antivirus or preventive product. 

EDR not only plays a role in protecting and preventing attacks but offers a solution for what to do once an attack is in place. EDR will proactively monitor, detect and enable threats to be contained and remediated on endpoint devices as they happen. 

EDR is incredibly valuable because it responds to threats in real-time.

Is Endpoint Detection and Response a Firewall?

Firewalls help control network traffic by acting as barriers for incoming traffic, whereas antivirus tools, like EDR, protect systems against internal attacks by observing and detecting malicious patterns of behavior taking place on the computer.

Can Endpoint Detection and Response Replace Antivirus?

An antivirus tool relies on a signature-centric approach, which searches for pre-identified malicious patterns and behaviors exhibited by a program, script or a command. AV works well when identifying and stopping known malware and viruses. The problem with AV, however, is that if something new shows up on AV that has yet to be identified, it has no way of determining if it is malicious. 

Antivirus and Endpoint Detection and Response similarities are notable. A great EDR solution can incorporate AV and other endpoint security tools, creating a comprehensive, fully-featured solution.

How Does Endpoint Detection and Response Fit Into a Security Stack?

EDR is a minimum requirement for today’s security stacks, but the question now is where and how do you find and fit the right EDR solution for your organization? This tends to depend on what your organization is able to do. The key here is to look inward and know what is needed. 

Suppose you have a security-savvy team equipped to do the heavy lifting when it comes to threat hunting. In that case, it’s possible that an unmanaged EDR solution may fit nicely into your stack. It’s worth noting, however, that one of the drawbacks to unmanaged EDR solutions is the volume of alerts produced and the higher likelihood of false positives.

This is the more cumbersome side of EDR, but it’s also why EDR vendors offer a Managed Detection and Response (MDR) component. 

In this case, the vendor has a team of specialists who can do the heavy lifting and handle threat hunting much more efficiently. If you lack the in-house expertise and time to parse through alerts, you should consider a vendor that offers MDR.

Want to see what EDR looks like in action?

See how Huntress' managed EDR solution was put to the test when VMware Horizon servers were hit with Cobalt Strike.
See Managed EDR in Action

Want to learn more about managed EDR?

Advanced cyberattacks are designed to evade traditional prevention and detection techniques. The Huntress Managed Security Platform shows you what's happening inside your protected endpoints, providing unparalleled visibility and detection of organizational threats. 

If you’d like to see The Huntress Managed Security Platform in action, sign up for a free 21-day trial.

Start Your Trial