Back in 2013, Gartner’s Anton Chuvakin set out to name a new set of security solutions that sniff out suspicious activity on endpoints. After what he called “a long agonizing process that involved plenty of conversations with vendors, enterprises and other analysts,” Chuvakin came up with this phrase: endpoint threat detection and response.
Since then, this moniker has been shortened to “endpoint detection and response” or EDR. But as the name got smaller, the market got bigger. In fact, Gartner now predicts that the global EDR space will grow at a compound annual rate of 45.3 percent through 2020, by which time it will be worth a whopping $1.5 billion.
With that hype in mind, it’s important to take a step back and assess EDR’s place in your overall cybersecurity strategy, as well as the gaps that it cannot fill.
EDR is not as simple as you think
Unlike traditional endpoint protection (EPP) – which can only identify and block known threats – EDR can detect abnormal activity on endpoints, assuming those devices are running EDR agents. Thus, it has a better chance of detecting unknown malware strains in zero-day attacks.
But Gartner analyst Avivah Litan sees one setback to its adoption: its complexity.
“EDR functionality will have to become more mainstream, proactive, and simple to use and operate before product adoption reaches its full potential,” Litan wrote.
This is particularly problematic for small and medium-sized businesses, which often lack the in-house security expertise to manage EDR. Before SMBs can correctly wield EDR, they need security engineers who know how to extract value from it.
Not the only player on your team
EDR is like one important player on a sports team. It serves a role, and that role is to detect anomalous activity on an endpoint. However, it is completely blind to indicators of a network compromise. For instance, suppose a password to a database has been stolen, allowing a hacker to log in and start exfiltrating personal information remotely. At this point, there is nothing EDR can do.
This is worrisome considering that the application layer accounts for an increasing number of attacks. According to CSO contributor John Maddison, hackers are getting in through SQL injections, zero-day vulnerabilities and other forms of web-based attack. These are beyond the scope of EDR.
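One way to see the gap described above in practice, as an added example that is not from the original post or from Arctic Wolf: a small Python detector over constructed database audit log lines that flags a known account logging in from an unfamiliar source and then pulling large row counts, telemetry that an endpoint agent on the victim's host never sees. The log format, account name, IP addresses and row threshold are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample database audit log (not real data). Fields: timestamp,
# event type, user, source IP, rows returned. The last three lines model a
# stolen credential used from an outside address to pull bulk data.
SAMPLE_LOG = """\
2024-05-01T09:02:11 LOGIN user=app_svc src=10.0.5.20 rows=0
2024-05-01T09:02:12 QUERY user=app_svc src=10.0.5.20 rows=42
2024-05-01T09:40:03 QUERY user=app_svc src=10.0.5.20 rows=17
2024-05-01T23:15:44 LOGIN user=app_svc src=203.0.113.77 rows=0
2024-05-01T23:16:01 QUERY user=app_svc src=203.0.113.77 rows=250000
2024-05-01T23:17:30 QUERY user=app_svc src=203.0.113.77 rows=180000
"""


def parse_line(line):
    """Parse one audit line into a dict (assumed format, see SAMPLE_LOG)."""
    ts, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": fields["user"], "src": fields["src"],
            "rows": int(fields["rows"])}


def find_credential_abuse(log_text, known_sources, row_threshold=100000):
    """Return alert strings for (a) a login by a user from a source not in
    that user's known set and (b) bulk reads issued from such a new source.
    known_sources maps user -> set of expected source IPs (a baseline the
    defender maintains; assumed here)."""
    alerts = []
    new_sources = defaultdict(set)  # user -> unfamiliar sources seen so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, src = ev["user"], ev["src"]
        if ev["event"] == "LOGIN" and src not in known_sources.get(user, set()):
            new_sources[user].add(src)
            alerts.append(f"{ev['ts']} unfamiliar login for {user} from {src}")
        elif (ev["event"] == "QUERY" and src in new_sources[user]
              and ev["rows"] >= row_threshold):
            alerts.append(f"{ev['ts']} bulk read ({ev['rows']} rows) by "
                          f"{user} from unfamiliar source {src}")
    return alerts


if __name__ == "__main__":
    for alert in find_credential_abuse(SAMPLE_LOG, {"app_svc": {"10.0.5.20"}}):
        print(alert)
```

The baseline of expected sources per account is the piece of context that lives in the database or network layer, which is why this signal belongs to the application and data security tools rather than to an endpoint agent.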
In other words, EDR can’t do it alone. You need 360-degree visibility across endpoint, application and data security tools. In a recent webinar titled “Endpoint Detection and Response is Not Enough,” Narayan Makaram, senior director of product marketing at Arctic Wolf Networks, highlighted those solutions and explained how they all fit together in a security operations center to create a complete security strategy.
To further familiarize yourself with managed detection and response (MDR), check out our white paper.