What is endpoint detection and response?

Endpoint detection and response (EDR) is a security solution that collects detailed data from endpoints to establish a baseline of normal usage patterns. This helps security teams monitor for any signs of compromise. EDR aims to provide actionable intelligence on intruder behavior, enabling effective containment and remediation.

Why is EDR important now?

Traditional endpoint defense methods such as endpoint protection platforms (EPPs) defend against known threat behaviors—but may be helpless in the face of new, evolving, and complex threats. EPPs also do nothing to repel social engineering attack methods such as phishing, which are currently the most common and successful types of cyberattacks.

Today, the most damaging endpoint attacks can come from intruders who get into systems quietly (with stolen credentials, for example). Once they’re in, attackers will make the most of their “sleeper” status, spending days or weeks stealthily searching resources and laying the groundwork to launch ransomware attacks or exfiltrate data. Often, the business may not even know about the lurkers until they receive their demands.

EDR is intended to detect this activity during its latent phase, the period before it turns into a damaging incident. And with the ability to see how an intruder entered, where they have been, and what operations they’ve performed, EDR enables targeted remediations, sometimes automating them itself. Done right, EDR might even help security teams feel like they have the upper hand.

Endpoint detection and response vs. managed detection and response

Managed detection and response (MDR) is essentially EDR outsourced to a third-party provider that also provides skilled personnel to manage it. This way, an organization can benefit from the provider’s experience, expertise, and economies of scale.

EDR is focused only on the endpoint. MDR solutions, however, focus across all technology that a client has within its environment, including the endpoint as well as cloud, Kubernetes, SaaS, network, and more. This approach provides a more holistic and complete view of threat detection and response.

How does EDR work?

In-depth visibility

EDR systems use small data-collection agents at endpoints and other sensitive locations throughout a network, generating data streams that provide both continuous, real-time visibility and a valuable historical record. These data points may include:

  • User account logins and logouts
  • Administrative tool usage
  • Network activity such as DNS requests, connections, and port status
  • File creation
  • Removable media usage
  • Database interactions

For organizations that already use a security information and event management (SIEM) tool, an EDR can integrate SIEM data, or even take over the SIEM’s data collection and processing functions.

Analysis at scale

To make use of all this data, EDR software automates analysis in real time to identify:

  • Indicators of compromise (IOCs): Unusual behaviors that may indicate a possible security breach, judged against a model of normal activity that the software has built or trained over time. This is where EDRs can catch identity-based attacks.
  • Indicators of attack (IOAs): Behavior that signals a potential attack because it matches known previous attacks, as defined by the EDR’s own threat intelligence or by third-party data.
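A minimal illustration of the two detection modes above, added here as an example and not taken from the original page or any EDR product: a per-user baseline of hosts and processes is built from constructed telemetry, then new events are checked for IOC-style deviations from that baseline and for IOA-style matches against an assumed parent/child process rule table.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry (not real data): one record per process start.
BASELINE_EVENTS = [
    {"ts": "2024-05-01T09:02", "user": "alice", "host": "HR-01", "parent": "explorer.exe", "process": "outlook.exe"},
    {"ts": "2024-05-01T09:10", "user": "alice", "host": "HR-01", "parent": "explorer.exe", "process": "winword.exe"},
    {"ts": "2024-05-01T09:15", "user": "bob", "host": "FIN-02", "parent": "explorer.exe", "process": "excel.exe"},
]
NEW_EVENTS = [
    {"ts": "2024-05-08T09:05", "user": "alice", "host": "HR-01", "parent": "explorer.exe", "process": "outlook.exe"},
    {"ts": "2024-05-08T02:40", "user": "alice", "host": "FIN-02", "parent": "explorer.exe", "process": "outlook.exe"},
    {"ts": "2024-05-08T02:41", "user": "alice", "host": "FIN-02", "parent": "winword.exe", "process": "powershell.exe"},
]

# Assumed IOA rule table: parent -> child process pairs a threat-intel feed would supply.
IOA_RULES = {("winword.exe", "powershell.exe"): "office app spawning shell"}


def build_baseline(events):
    """Model of normal activity: the hosts and processes each user was seen with."""
    hosts, procs = defaultdict(set), defaultdict(set)
    for e in events:
        hosts[e["user"]].add(e["host"])
        procs[e["user"]].add(e["process"])
    return {"hosts": hosts, "procs": procs}


def find_iocs(events, baseline):
    """IOC-style detection: flag first-seen host or process for a user.
    An account absent from the baseline has empty sets, so all its activity is flagged."""
    findings = []
    for e in events:
        if e["host"] not in baseline["hosts"][e["user"]]:
            findings.append((e["ts"], e["user"], f"first login to {e['host']}"))
        if e["process"] not in baseline["procs"][e["user"]]:
            findings.append((e["ts"], e["user"], f"first use of {e['process']}"))
    return findings


def find_ioas(events):
    """IOA-style detection: match known attack patterns regardless of baseline."""
    return [(e["ts"], e["user"], IOA_RULES[(e["parent"], e["process"])])
            for e in events if (e["parent"], e["process"]) in IOA_RULES]


if __name__ == "__main__":
    model = build_baseline(BASELINE_EVENTS)
    for kind, hits in (("IOC", find_iocs(NEW_EVENTS, model)), ("IOA", find_ioas(NEW_EVENTS))):
        for ts, user, reason in hits:
            print(f"{kind} {ts} {user}: {reason}")
```

The second event is invisible to the IOA rules but surfaces as an IOC because alice had never logged into FIN-02; the third event is caught by both paths.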

Keep in mind that an EDR’s effectiveness depends on the quality of its threat intelligence. Threat intelligence can come from EDR providers themselves, other managed security providers, community-based crowdsourcing, or open platforms such as the MITRE ATT&CK platform, a free database of cyberattack data from the federal government.

Detection

Once suspicious activity has been identified, an EDR solution can observe the behavior behind it and trace its history. Ideally, threats can be detected while they’re still in a latent state.

Response and remediation

Using automation or direction from a security team, the response from EDR can:

  • Triage and prioritize events and alert analysts to suspicious activity or specific threats
  • Log off an end user
  • Prevent an endpoint from executing commands, like opening a suspicious file or email
  • Isolate an endpoint or disconnect it altogether
  • Defend against malware programs

Investigation and threat hunting

Without an EDR solution, many organizations hit by a cyberattack struggle to understand the full scope and extent of the damage. Even after mitigation efforts, zombie malware or infected files might persist, unnoticed as business returns to normal. However, with an EDR’s data and analysis, security teams gain detailed insights into intruder behavior—a comprehensive historical record that equips them with the knowledge needed to fully mitigate and repair the damage.

Feedback and refinement

How did an intruder first gain access? What can their behavior tell us about system vulnerabilities and weaknesses? The digital trails that EDR creates can also be used to inform improvements and changes to security posture.

Challenges of EDR

The biggest technical challenge facing organizations building their own EDR systems is the vast amount of data that the systems produce. EDR systems may also produce tidal waves of alerts, especially at first. Machine-learning-powered software that automates EDR processes is essential.

A more significant challenge might be the costs and shortage of skilled personnel. EDR is advanced technology that requires highly skilled operators in a specialized field. Recruiting, onboarding, and retaining these experts is notoriously difficult. Additionally, implementing an in-house EDR solution can be time-consuming, both to develop and deploy.