What is EDR?
Endpoint detection and response (EDR) solutions provide real-time continuous visibility into endpoint activity alongside automated response capabilities. Anton Chuvakin of Gartner initially introduced this security product category. He recognized the need for tools to protect increasingly complex networks from endpoint threats.
Here are key capabilities of EDR:
- Continuous monitoring—EDR solutions continuously collect activity data from endpoints connected to the network and monitor for indicators of threats.
- Analysis capabilities—EDR tools can analyze collected endpoint data and identify threat patterns.
- Automated response—after identifying a threat, EDR tools can initiate automated actions that contain or remove a threat while notifying security personnel.
- Forensics tools—EDR solutions provide forensics tools to help investigate identified threats and look for suspicious activities.
Why is EDR Important?
In the past, endpoints were known and expected components like routers and company-owned PCs connected to the network. IT teams had control over these endpoints and could establish a perimeter that protected corporate networks from external intrusion. Today’s networks are complex and highly dynamic distributed environments that constantly allow or restrict connectivity with numerous endpoints.
Today’s endpoints include not only networking components and company devices but also personally-owned laptops, mobile devices, tablets, Internet of Things (IoT) technologies, cloud computing resources, VPNs that enable remote access, third-party integrations, and more. EDR solutions help achieve visibility into this volatile endpoint activity and enable organizations to protect their networks without compromising flexibility and scalability.
EDR solutions can catch threats that traditional antivirus solutions cannot detect, including advanced persistent threats (APT) that deploy hacking techniques that bypass malware detection. Traditional antivirus software detects malware by comparing detected patterns to known signatures. EDR solutions proactively hunt for unknown threats, trying to detect sophisticated APT attacks. EDR can also promote data security by protecting endpoints that have access to sensitive data in the organization.
Top Capabilities of EDR Solutions
Here are the main capabilities offered by EDR solutions.
1. Threat Detection
EDR regularly scans endpoints to identify threats. Typically, an endpoint will also have advanced antivirus and other preventative security measures. The objective of an EDR solution is to identify threats that were not captured by these defenses and have managed to penetrate the device. For example, EDR can flag suspicious files or processes on the device which may be related to malicious activity.
2. Behavioral Blocking and Containment
EDR performs behavioral analysis to identify unusual behavior on the endpoint, even if it does not match any known threat pattern. When it identifies suspected malicious behavior, it can block the affected processes or files, quarantine them, and if necessary, contain the entire network by isolating it from the network. EDR can do all this even after the threat has been executed on the device.
3. Monitoring and Alerting
EDR continuously monitors endpoint devices and alerts security teams when it discovers malicious activity. It provides in-depth forensic information from the endpoint to help security analysts investigate an alert. If analysts confirm a security incident, EDR gives them direct access to the endpoint to complete their investigation and take immediate action to contain the threat.
4. Application and Browser Whitelists
EDR can be configured to block known bad applications or websites, and prevent the endpoint from using them. Conversely, administrators can whitelist safe applications, if they see these applications result in a large number of false-positive alerts.
5. Automated Threat Response
An important capability of EDR is to automatically respond to threats on an endpoint. This is significant because attacks do not always occur during business hours, and even if they do, it takes time for security teams to identify and investigate an alert. During this time, EDR can act to immediately contain a threat. This works even better when EDR integrates with SIEM or zero trust identity management systems.
Endpoint Detection and Response Best Practices
The following best practices can help you use EDR more effectively in your organization.
Integrate with Other Tools
EDR is most effective when it integrates with other security systems. EDR only protects endpoints, yet threats can operate across multiple parts of the IT environment. For maximum protection, integrate EDR with solutions like patch management, DNS protection, firewalls, and encryption.
It is also critical to ensure data from the EDR is fed into your organization’s security information and event management (SIEM) system. This will allow security teams to view EDR alerts holistically, together with alerts from network and application security tools. This will make it easier to identify and respond to threats that operate across the IT environment and are not confined to endpoints.
Use Network Segmentation
EDR solutions are typically able to isolate an endpoint from the network to prevent threats from spreading. However, this capability should be treated as the last line of defense. Use segmentation to ensure that endpoints can only access the services and data they need to operate, and to isolate sensitive endpoints from other systems. This can reduce the damage done by a successful attack, and applies defense-in-depth approach.
Recruit or Outsource Security Talent to Manage EDR
An EDR solution cannot operate unattended. It requires expert security staff who can monitor endpoint alerts and respond to threats. To benefit from an EDR solution, an organization must have security staff who can manage and operate it. Due to the global security skills shortage, many security teams are short-staffed, and a common solution is to outsource EDR operations to managed detection and response (MDR) providers. These are third-party security providers who offer EDR software as well as the human resources to operate it.
In this article, I explained the basics of EDR and the key capabilities offered by EDR solutions:
- Threat detection—the ability to identify threats on the device which managed to penetrate existing defenses.
- Behavioral blocking—machine learning analysis of behavior on the device to identify and block malicious activity.
- Monitoring and alerting—continuously monitoring the endpoint, generating alerts, and providing data that can help analysts investigate them.
- Application and browser whitelists—defining specific applications that should always be allowed on the endpoint, or should be blocked by default.
- Automated threat response—automatically executing security actions to contain a threat on endpoints, before human analysts can respond.
I hope this will be useful and you improve the security posture of your organization’s sensitive endpoints.
ABOUT THE AUTHOR:
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.