What is endpoint detection and response (EDR)?

EDR collects data continuously from all endpoints on the network - desktop and laptop computers, servers, mobile devices, IoT (Internet of Things) devices and more. It analyzes this data in real time for evidence of known or suspected cyberthreats, and can respond automatically to prevent or minimize damage from threats it identifies.

First recognized by Gartner in 2013, EDR enjoys wide enterprise adoption today, with good reason.

Studies estimate that as many as 90% of successful cyberattacks and 70% of successful data breaches originate at endpoint devices. While antivirus, anti-malware, firewalls, and other traditional endpoint security solutions have evolved over time, they're still limited to detecting known, file-based, or signature-based endpoint threats. They're much less effective, for example, at stopping social engineering attacks, such as phishing messages that lure victims into divulging sensitive data or visiting fake websites containing malicious code. (Phishing is the most common delivery method for ransomware.) And they're powerless against a growing number of 'fileless' cyberattacks that operate exclusively in computer memory to avoid file or signature scanning altogether.

Most important, traditional endpoint security tools can't detect or neutralize advanced threats that sneak past them. This allows those threats to lurk and roam the network for months, gathering data and identifying vulnerabilities in preparation for launching a ransomware attack, zero-day exploit or other large-scale cyberattack.

EDR picks up where these traditional endpoint security solutions leave off. Its threat detection analytics and automated response capabilities can - often without human intervention - identify and contain potential threats that penetrate the network perimeter before they can do serious damage. EDR also provides tools that security teams can use to discover, investigate, and, prevent suspected and emerging threats on their own.

While there are differences among vendors, EDR solutions typically combine five core capabilities: Continuous endpoint data collection, real-time analysis and threat detection, automated threat response, threat isolation and remediation, and support for threat hunting.

EDR continuously collects data - data on processes, performance, configuration changes, network connections, file and data downloads or transfers, end-user, or device behaviors - from every endpoint device on the network. The data is stored in a central database or data lake, typically hosted in the cloud.

Most EDR security solutions collect this data by installing a lightweight data collection tool, or agent, on every endpoint device; some may rely instead on capabilities in the endpoint operating system.

EDR uses advanced analytics and machine learning algorithms to identify patterns indicating known threats or suspicious activity in real time, as they unfold.

In general, EDR looks for two types of indicators: indicators of compromise (IOCs), which are actions or events consistent with a potential attack or breach; and indicators of attack (IOAs), which are actions or events that are associated with known cyberthreats or cybercriminals.

To identify these indicators, EDR correlates its own endpoint data in real time with data from threat intelligence services, which deliver continuously updated information on new and recent cyberthreats - the tactics they use, the endpoint or IT infrastructure vulnerabilities they exploit, and more. Threat intelligence services can be proprietary (operated by the EDR provider), third-party, or community-based. In addition, many EDR solutions also map data to Mitre ATT&CK, a freely accessible global knowledge base of hackers' cyberthreat tactics and techniques to which the U.S. government contributes.

EDR analytics and algorithms can also do their own sleuthing, comparing real time data to historical data and established baselines to identify suspicious activity, aberrant end-user activity, and anything that might indicate a cybersecurity incident or threat. They also can separate the 'signals,' or legitimate threats, from the 'noise' of false positives, so that security analysts can focus on the incidents that matter.

Many companies integrate EDR with a SIEM (security information and event management) solution, which gathers security-related across all layers of the IT infrastructure - not only endpoints but applications, databases, web browsers, network hardware and more. SIEM data can enrich EDR analytics with additional context for identifying, prioritizing, investigating and remediating threats.

EDR summarizes important data and analytic results in a central management console that also serves as the solution's user interface (UI). From the console, security team members get full visibility into every endpoint and endpoint security issue, enterprise-wide, and launch investigations, threat responses and remediations involving any and all endpoints.

Automation is what puts the 'response' - really the rapid response - in EDR. Based on predefined rules set by the security team - or 'learned' over time by machine learning algorithms - EDR solutions can automatically

• Alert security analysts to specific threats or suspicious activities
• Triage or prioritize alerts according to severity
• Generate a 'track back' report that traces an incident or threat's every stop on the network, all the way back to its root cause
• Disconnect a endpoint device, or log an end-user off the network
• Halt system or endpoint processes
• Prevent an endpoint from executing (detonating) a malicious or suspicious file or email attachment
• Trigger antivirus or anti-malware software to scan other endpoints on the network for the same threat

EDR can automate threat investigation and remediation activities (see below). And it can be integrated with SOAR (security orchestration, automation and response) systems to automate security response playbooks (incident response sequences) that involve other security tools.

All this automation helps security teams respond to incidents and threats faster, to prevent minimize the damage they can do to the network. And it helps security teams work as efficiently as possible with the staff they have on hand.

Once a threat is isolated, EDR provides capabilities that security analysts can use to further investigate the threat. For example, forensic analytics help security analysts pinpoint the root cause of a threat, identify the various files it impacted, and identify the vulnerability or vulnerabilities the attacker exploited enter and move around the network, gain access to authentication credentials, or perform other malicious activities.

Armed with this information, analysts can use remediation tools to eliminate the threat. Remediation might involve

• Destroying malicious files and wiping them off endpoints
  
• Restoring damaged configurations, registry settings, data and application files
• Applying updates or patches to eliminate vulnerabilities
• Updating detection rules to prevent a recurrence

Threat hunting (also called cyberthreat hunting) is a proactive security exercise in which a security analyst searches the network for as-yet unknown threats, or known threats yet to be detected or remediated by the organizations automated cybersecurity tools. Remember, advanced threats can lurk for months before they're detected, gathering system information and user credentials in preparation for a large-scale breach. Effective and timely threat hunting can reduce the time it takes to detect and remediate these threats, and limit or prevent damage from the attack.

Threat hunters use a variety of tactics and techniques, most of which rely on the same data sources, analytics and automation capabilities EDR uses for threat detection, response and remediation. For example, a threat-hunting analyst might want to search for a particular file, configuration change or other artifact based on forensic analytics, or MITRE ATT&CK data describing a particular attacker's methods.

To support threat hunting, EDR makes these capabilities available to security analysts via UI-driven or programmatic means, so they can perform ad-hoc searches data queries, correlations to threat intelligence, and other investigations. EDR tools intended specifically for threat hunting include everything from simple scripting languages (for automating common tasks) to natural language querying tools.

An EPP, or endpoint protection platform, is an integrated security platform that combines next-generation antivirus (NGAV) and anti-malware software with web control/web filter software, firewalls, email gateways and other traditional endpoint security technologies.

Again, EPP technologies are focused primarily on preventing known threats, or threats that behave in known ways, at the endpoints. EDR has the capability to identify and contain unknown or potential threats that get past traditional endpoint security technologies. Nevertheless, many EPPs have evolved to include EDR capabilities such as advanced threat detection analytics and user behavior analysis.

Like EDR, XDR (extended detection and response) and MDR (managed detection and response) are analytics- and AI-driven enterprise threat detection solutions. They differ from EDR in the scope of protection they provide, and the way they're delivered.

XDR integrates security tools across an organization’s entire hybrid infrastructure – not only endpoints, but networks, email, applications, cloud workloads and more – so these tools can interoperate and coordinate on cyberthreat prevention, detection and response. Like EDR, XDR integrates SIEM, SOAR and other enterprise cybersecurity technologies. A still-emerging but rapidly evolving technology, XDR has the potential to make overwhelmed security operations centers (SOCs) much more efficient and effective by unifying security control points, telemetry, analytics and operations into a single, central enterprise system.

MDR is an outsourced cybersecurity service that protects an organization against threats that get past its own cybersecurity operations. MDR providers typically offer 24 x 7 threat monitoring, detection and remediation services from a team highly skilled security analysts working remotely with cloud-based EDR or XDR technologies. MDR can be an attractive solution for an organization that needs security expertise beyond what it has on staff, or security technology beyond its budget.