Back in 2013, Gartner’s Anton Chuvakin set out to name a new set of security solutions to detect suspicious activity on endpoints.
After what he called “a long agonising process that involved plenty of conversations with vendors, enterprises, and other analysts” Chuvakin came up with this phrase: endpoint threat detection and response.
Since then, this moniker has been shortened to endpoint detection and response or EDR. But as the name got smaller, the market got bigger. Not only has the market exploded and advanced, but new variations such as extended detection and response (XDR) and managed endpoint detection and response (MDR or Managed EDR) have grown and almost taken over what was once the leading detection and response solution.
Even EDR is evolving beyond the endpoint itself, with a recent study by Gartner® claiming, “By 2025, 60% of EDR solutions will include data from multiple security control sources, such as identity, cloud access security brokers (CASBs) and data loss prevention (DLP).”
With that in mind, let’s take a step back and assess EDR’s place in your overall cybersecurity strategy, as well as the gaps it simply can’t fill.
What Is EDR Security?
EDR security, also known as endpoint detection and response security, is a branch of cybersecurity focused on visibility and investigation of endpoint activity and potential threats.
Gartner® themselves defines the security solution as one that “records and stores endpoint-system-level behaviours, uses various data analytics techniques to detect suspicious system behaviour, provides contextual information, blocks malicious activity, and provides remediation suggestions to restore affected systems.”
It’s important not to confuse EDR with endpoint protection platform (EPP) solutions. The two are closely related, but not interchangeable. EPP refers to multiple technologies (like antivirus software) meant to protect a network’s endpoint from cyber threats like malware. EDR, however, monitors the endpoints and offers threat detection, investigation, and response. They are two pieces that work together to better protect the endpoint.
How Does EDR Security Work?
EDR is focused on visibility and threat response, and offers up the most important data points organisations need to know about the various endpoints in their network. An effective EDR tool allows security teams to focus on detecting and investigating suspicious activities on endpoints, allowing for faster, more effective responses.
EDR works by installing a lightweight agent, called an endpoint agent, on endpoints within the organisation. The agent monitors 24×7, looking for any activity that is potentially malicious or matches a known attack indicator. EDR then sends telemetry to a central management system, which automatically performs analysis and correlation before sending an alert.
From there, an analyst investigates the alert to determine if the attack is false or actionable. If real, they can gather details about the attack and, based on this information, develop an appropriate response. Having this response capability is what differentiates EDR from other endpoint-focused security solutions.
All attacks land on an endpoint eventually, which is what makes this kind of solution a necessary component of any cybersecurity strategy.
While EDR features vary, most include the ability to isolate the host system from the rest of the network to prevent the attack from spreading to other endpoints in the environment.
In addition to isolation capabilities, some EDR vendors offer advanced responses, such as terminating processes.
What is the Value of an EDR Solution?
EDR security has a few components that make it unique from other detection solutions, including:
- Automatically detecting endpoint threats
- Utilising advanced technology to constantly monitor endpoints
- Working proactively to prevent major breaches
Additional benefits of EDR solutions include:
- Visibility. Visibility is critical not only for being able to understand vulnerabilities or threats within a security environment, but for assessment and action. Real-time visibility helps an organisation act against malicious threats before major damage occurs.
- Behavioural Protection. Unlike tools that only monitor for known threats, EDR can identify new, suspicious activity and flag it as a possible threat for the IT or security team. Many EDR solutions now employ machine learning (ML) or artificial intelligence (AI) to better understand user and system behaviour patterns to make threat identification more precise.
- Insight and context. Insight is as critical as visibility. To further the security journey, an organisation needs to understand where threats are coming from and why they need to harden their endpoints and overall environment. Insight and context also help in the moment, allowing an organisation to tailor their response to a threat’s specific characteristics.
- Remediation Speed. If an organisation can quickly identify a threat and respond accordingly, that speeds up remediation — accelerating the investigation and limiting breach damage.
What Are the Drawbacks of EDR Security
EDR detects abnormal activity on endpoints — assuming those devices are running EDR agents — which gives you a better chance of detecting unknown malware strains in zero-day attacks or more advanced attacks. However, this detail can add complexity to the solution — a facet particularly problematic for small and medium-sized enterprises (SMEs), which often lack the in-house security expertise to manage EDR. Before SMEs can correctly wield EDR, they need security engineers who know how to tap into its full potential.
In-house engineers, or an IT team that can handle setting up and maintaining an EDR solution, are hard to come by for several reasons:
- Budget restraints, especially for SME’s
- Resource constraints — a small IT team that is already stretched thin
- Complex solutions can create alert fatigue, causing threats to be ignored or missed entirely
In addition, EDR solutions are limited to the endpoint. While all attacks land on the endpoint, wouldn’t it be better to detect them before they escalate to that point?
EDR is completely blind to certain indicators of network compromise. For example, let’s say a password to a database has been stolen, allowing a hacker to log in and start exfiltrating personal information remotely. At this point, there is nothing EDR can do. This is worrisome, considering the application layer accounts for an increasing number of attacks, with hackers getting in through SQL injections, zero-day vulnerabilities, and other forms of web-based attack that are beyond the scope of EDR. Additionally, the use of cloud applications is increasing every year, and there is no endpoint with the cloud. This could leave an organization’s cloud infrastructure or valuable data open to attack.
Because of this outsized emphasis on endpoint detection of threats, rather than proactive prevention, EDR alone will not guarantee that a threat is mitigated and can often put an organisation into a cycle of reacting to endpoint alerts instead of hardening their overall environment.
While endpoint detection and response solutions are still a cornerstone of cybersecurity, EDR alone is no longer enough to protect either endpoints or a network at large. Today, the industry has largely moved on to MDR and XDR solutions.
EDR vs. MDR
Managed Detection and Response (MDR) and EDR are not an “either/or” choice for organisations. Rather, EDR is a part of MDR, which utilises the same features (threat hunting and detection) and expands it beyond endpoints to the broader security architecture.
A managed detection and response (MDR) solution goes beyond endpoints to offer multi-dimensional monitoring of endpoint, network, identity, and cloud workloads. With this holistic oversight, organisations are better able to effectively identify and respond to threats no matter where they originate.
MDR also has a crucial “managed” component, which alleviates the burden on organisations of responding to alerts and escalated threats. By having an external team that can monitor 24×7, investigate alerts, and help provide critical context, organisations save time and budget, and increase effective, rapid responses.
EDR Alternatives and Security Operations
As the cyber threat landscape advances and sophisticates, the fact is that EDR alone won’t solve an organisation’s security problems. It can’t monitor everything you need and can’t provide the expertise required to direct a response once a breach has been detected. If your organisation has specific regulatory or compliance requirements as well, EDR will need to be supplemented by security that can tackle network, identity, and the cloud, and can handle log retention, which EDR can’t achieve.
What you need is 360-degree visibility across endpoints, as well as across your network and cloud environment, along with the necessary security expertise to help direct your response — you need security operations.
Security operation solutions such as those offered by Arctic Wolf provide:
- 24×7 monitoring of endpoints, network, cloud, and identities
- The ability to process trillions of events and filter through them, alerting organisations to only the most important
- Personal protection through continuous adaption of both technology and human support
- Broad visibility that works with existing technology stacks
Explore the Arctic Wolf Security Operations Cloud.
Learn more about MDR with “A Security Leader’s Guide to Leveraging MDR for Security Maturity and Development.”