Endpoint detection and response (EDR) security tools monitor end-user hardware devices across a network for a range of suspicious activities and behavior, reacting automatically to block perceived threats and saving forensics data for further investigation. Endpoint here generally means any end-user device, from a laptop to a smartphone to IoT gadgets.
An EDR platform combines deep visibility into everything that’s happening on an endpoint device — processes, changes to DLLs and registry settings, file and network activity — with data aggregation and analytics capabilities that allow threats to be recognized and countered by either automated processes or human intervention.
The first recognition of the category of EDR is widely accepted to be in a 2013 blog post by Gartner analyst Anton Chuvakin, who was trying to come up with a “generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.” He used the phrase “endpoint threat detection and response,” but the more succinct (though somewhat less accurate) endpoint detection and response caught on.
How EDR works and why it’s important
EDR systems work by recording and analyzing activity taking place on endpoints of all types. Many EDR offerings do so by installing agent programs on the endpoints they protect, which send telemetry back to the central EDR tool for analysis. There is also a class of agentless EDR systems that gather data from built-in OS tools on endpoints as well as relevant network data; these systems are easier to roll out across an organization but often can’t provide the same under-the-cover insights into what’s happening on endpoints that agented EDR can.
Whichever way EDR gets information about endpoint behavior, it then uses data analytics and AI/ML to determine whether that activity is unusual or a sign of a potential breach. The EDR systems can raise an alarm over such behavior for security teams and record information for later forensic analysis.
That’s the “detect” part of EDR. The “response” part consists of automated steps that can be taken to block attacks in progress, including shutting down suspicious processes, deleting files that look like malware, and isolating endpoints that seem to have been compromised from the rest of the network. While human intervention is usually necessary to truly stomp out compromises, these sorts of quick responses can make the difference between a minor incident and a disaster.
It was the focus on endpoint behavior that made EDR important and innovative when it first arrived on the scene. That’s the major distinction between EDR and its evolutionary predecessor: the venerable antivirus program.
EDR vs. antivirus: What’s the difference?
Antivirus software has similar goals to EDR, in that it aims to block malware from installing on and infecting endpoints (usually user PCs). The difference is that antivirus spots malicious activity by trying to match it to signatures — known patterns of code execution or behavior that the security community has recorded and correlated to specific types of attacks.
Most EDR solutions also include signature-based detection capabilities. But the limitations are obvious: It’s a somewhat rigid way of looking for breaches that fails when confronted with novel or unusual attacks.
EDR uses more sophisticated analysis to detect unusual user or process behavior or data access, and then flags or possibly blocks it. More importantly, EDR systems have extensive capabilities to detect and fight attacks and malware infections after they’ve happened, whereas antivirus systems are often ineffective if they fail to catch malware as it arrives.
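A toy version of the detect-and-respond loop described above, contrasting a signature check (what antivirus does) with a behavioural rule and an automated response (what EDR adds). This is an added example, not code from the article or from any EDR product; the blocklist hash, hostnames, process names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Placeholder blocklist hash (constructed, not a real indicator).
KNOWN_BAD_HASHES = {"0000deadbeef0000"}

@dataclass(frozen=True)
class Event:
    host: str
    ts: int      # seconds since start of capture
    kind: str    # "process" (detail = executable hash) or "file_write" (detail = path)
    proc: str    # process name on the endpoint
    detail: str

def signature_alerts(events):
    """Antivirus-style detection: match process hashes against a known-bad list."""
    return [{"host": e.host, "proc": e.proc, "rule": "signature", "action": "kill_process"}
            for e in events if e.kind == "process" and e.detail in KNOWN_BAD_HASHES]

def behavioral_alerts(events, window=10, threshold=20):
    """Behavioural detection: one process writing >= threshold files within `window`
    seconds is flagged and its host isolated, whether or not the binary is known."""
    writes = defaultdict(list)
    for e in events:
        if e.kind == "file_write":
            writes[(e.host, e.proc)].append(e.ts)
    alerts = []
    for (host, proc), stamps in writes.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "proc": proc, "rule": "file_burst", "action": "isolate_host"})
                break
    return alerts

def detect_and_respond(events):
    """Run both detectors; each alert carries the automated response an agent would take."""
    return signature_alerts(events) + behavioral_alerts(events)

# Constructed telemetry: a known-bad binary launches on hostA; an unknown process on hostB
# writes 25 files in about 5 seconds; a normal editor on hostB writes a single file.
SAMPLE = (
    [Event("hostA", 1, "process", "dropper.exe", "0000deadbeef0000")]
    + [Event("hostB", 100 + i // 5, "file_write", "unknown.exe", f"/home/u/doc{i}.txt") for i in range(25)]
    + [Event("hostB", 120, "file_write", "editor", "/home/u/notes.txt")]
)
```

The signature rule only catches the binary whose hash is already known, while the burst rule catches the unknown process purely from its behaviour, which is the distinction the text draws.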
EDR vs. extended detection and response (XDR)
EDR isn’t the only detection and response security software on the market. Just as EDR focuses on endpoints, there’s also network detection and response (NDR), which works similarly but focuses on network traffic. And then there’s extended detection and response (XDR), which bundles together detection and response capabilities that focus on multiple infrastructure components, including endpoints and networks, as well as email, cloud environments, and beyond.
When we say “bundle,” we mean it: XDR offerings tend to be a managed collection of individual tools focused on different infrastructural layers, and the array of services billed as XDR can be a bit bewildering. In fact, many XDR offerings began life as EDR tools that accrued new layers and features. Intrusion detection and prevention systems (IDSes/IPSes), which like antivirus are signature-based, are among the traditional security tools being swallowed up into NDR and XDR solutions.
Key features and capabilities of EDR solutions
EDR solutions implement the following capabilities:
- Detection. The “D” in EDR lays the foundation for everything EDR solutions do. Your EDR tool will implement continuous file analysis, checking out every file that interacts with your endpoint to make sure it doesn’t produce threatening behavior. EDR also makes use of aggregated threat intelligence to spot patterns of behavior suggestive of emerging attack patterns.
- Containment. After detecting suspicious activity, EDR tools should immediately try to cauterize the wound, either by containing a suspicious file in a sandboxed area on the endpoint or cutting off the infected endpoint or endpoints from the rest of the network.
- Investigation. Once the immediate danger has passed, EDR should help you figure out how it arose in the first place. EDR can gather and analyze data to determine how intruders gained access to your endpoint, and they can sandbox malicious files for testing and monitoring.
- Elimination. Knowledge gained in the previous steps will lead you to a point where the problem can be eliminated, either automatically or by security staff working with the data EDR has provided. This elimination is only possible thanks to the visibility into the endpoint systems and the attackers that EDR offers — visibility that should be available both in real-time and in the form of detailed archives that security teams can analyze to understand what happened and prevent it from happening again.
Benefits of implementing EDR
At this point, the benefits of implementing EDR should be clear: Its capability to detect and block attacks in progress and to spot attackers moving laterally and contain them helps harden corporate security.
Beyond that, EDR’s intelligence-gathering capabilities can help your security team understand how attackers enter your infrastructure and how those attacks unfold. The visibility and forensic evidence they offer can help you batten down the hatches for the future.
Challenges in adopting EDR
EDR is not a simple product you can just buy, install, and turn on: It’s a complex solution that must be customized for your environment. EDR also operates in a world where you probably already have significant investments in a security stack, and integrating it with, say, your security information and event management (SIEM) tools can prove challenging or impossible.
That complexity comes with a cost — both upfront in paying for a solution (or recurring if you’re going the managed EDR route) and in the staff resources required to take advantage of EDR’s capabilities. Although EDR tools are rife with automation, the reality is that much of the information they generate needs to be chased down by infosec staff, and small or midsize companies might not have that capacity. Also, EDR generates a lot of information in the form of telemetry data and alerts, and properly configuring the resources to ingest and maintain all that data can be a challenge.
Also, EDR isn’t a panacea for all your security needs — attackers can and routinely do evade EDR system defenses, a task made easier with systems that are not properly configured or up to date.
What to look for in an EDR solution
If you’re beginning your search for an EDR tool suite, here’s what you should be looking for.
- Detection capabilities. Remember, there’s no EDR without “D.” You want EDR that can observe events, report and respond to them in near real-time, and scale up with your network.
- Support for in-depth analysis and investigation. Take a look at potential solutions’ data collection and processing capabilities that will allow your security teams to understand potential security threats and quickly take steps to remediate them.
- Integration capabilities. Firewalls, SIEM, SOAR, incident response tools — a good EDR solution will use APIs or other hooks to integrate with them all and share data.
- Centralized management and data dashboards. These shouldn’t require extensive training and should show the current status of all endpoints across the enterprise.
- Feature parity across multiple endpoint OSes. An EDR solution should deploy across all your endpoints, but some offerings lack support for all of the big five (Windows, macOS, Linux, Android, and iOS). If you need to support legacy versions of one or more OSes, you’ll want to investigate that, too.
For more details on your search, including a list of the major vendors, read CSO’s EDR buyer’s guide.
The original article, “What is EDR? An analytical approach to endpoint security,” was published by CSO Online.