Learn about what endpoint detection and response (EDR) is, including how it works, why it's important and how EDR fits into a security stack.
This article is from The Defender's Handbook:
A knowledge base for cybersecurity enthusiasts to level up their
cyber knowledge - one article at a time.
The endpoint is the scene of the crime, and today's threat actors are notorious for attempting to circumvent traditional antivirus software.
As attackers try to disguise their malicious activity, endpoint detection and response (EDR) makes it a whole lot harder for them to evade.
Read on to learn:
EDR was initially known as Endpoint Threat Detection and Response, a term coined in 2013 by Anton Chuvakin of Gartner. Chuvakin described it as tools that work together to allow organizations to investigate security incidents and detect malicious activity quickly.
EDR evolved from a recognized trend of attackers bypassing traditional antivirus tools. EDR can identify and respond to cyber threats before they occur or while they are in progress.
As cyber criminals developed evasive techniques for antivirus, there was a clear need for something more than just another antivirus or preventive product.
EDR not only plays a role in protecting and preventing attacks but offers a solution for what to do once an attack is in place. EDR will proactively monitor, detect and enable threats to be contained and remediated on endpoint devices as they happen.
EDR is incredibly valuable because it responds to threats in real-time.
Firewalls help control network traffic by acting as barriers for incoming traffic, whereas antivirus tools protect systems against internal attacks by observing and detecting malicious patterns of behavior taking place on the computer.
An antivirus tool relies on a signature-centric approach, which searches for pre-identified malicious patterns and behaviors exhibited by a program, script or a command. AV works well when identifying and stopping known malware and viruses. The problem with AV, however, is that if something new shows up on AV that has yet to be identified, it has no way of determining if it is malicious.
Antivirus and Endpoint Detection and Response similarities are notable. A great EDR solution can incorporate AV and other endpoint security tools, creating a comprehensive, fully-featured solution.
EDR is a minimum requirement for today’s security stacks, but the question now is where and how do you find and fit the right EDR solution for your organization? This tends to depend on what your organization is able to do. The key here is to look inward and know what is needed.
Suppose you have a security-savvy team equipped to do the heavy lifting when it comes to threat hunting. In that case, it’s possible that an unmanaged EDR solution may fit nicely into your stack. It’s worth noting, however, that one of the drawbacks to unmanaged EDR solutions is the volume of alerts produced and the higher likelihood of false positives.
This is the more cumbersome side of EDR, but it’s also why EDR vendors offer a Managed Detection and Response (MDR) component.
In this case, the vendor has a team of specialists who can do the heavy lifting and handle threat hunting much more efficiently. If you lack the in-house expertise and time to parse through alerts, you should consider a vendor that offers MDR.
EDR was initially known as Endpoint Threat Detection and Response, a term coined in 2013 by Anton Chuvakin of Gartner. Chuvakin described it as tools that work together to allow organizations to investigate security incidents and detect malicious activity quickly. EDR empowers security teams to visualize, detect and respond.
EDR solutions offer greater visibility into what’s happening on endpoints by recording granular endpoint activity and monitoring for signs of malicious behavior and advanced threats in real-time. Once an attacker finds their way into an environment, any EDR tools in place will turn the actions they take into an opportunity for detection. The more data EDR collects, the better visibility into those actions.
EDR solutions actively monitor endpoints and collect data from activities that may indicate a threat.
Examples include:
From the data collected, EDR will then perform a behavioral analysis to uncover any potential threats and malicious activity that may already be in progress.
As the name suggests, EDR will detect advanced threats or traces of suspicious behavior.
EDR technology notifies when a threat has been detected, allowing visibility into the attack.
EDR will begin to take actions to eliminate or contain the attack.
Create immediate dashboards and alerts for action once a threat is detected.
EDR is an endpoint security solution designed to continuously monitor, detect and enable investigations and responses to cyber threats.
Endpoint detection and response offers visibility into what’s happening on endpoints by recording granular endpoint activity and raising the alarm when malicious behavior is observed.
Preventing a threat actor from entering a network is only half the battle; having tools to combat threat actors once they make it past the preventive tools is key to neutralizing an attack.
Both are needed in a security stack. Firewalls are devoted to monitoring network traffic in and out, so malicious traffic from the Internet meet a hard brick wall before attacking an endpoint. Many attackers, however, have discovered ways to masquerade as legitimate network traffic as a means to bypass typical firewalls. EDR can take network traffic into account but goes many steps further than firewalls by observing processes and changes on the computer itself.
The two are not mutually exclusive. Often, the technologies can overlap and complement each other. However, it should be recognized that antivirus lacks the modularity and functionality that EDR technologies offer to protect against a wide range of threats. Many security vendors have guidance on how an antivirus solution can be configured and choreographed with EDR to provide layered defense in depth.
The key to understanding where EDR fits into a security stack is first understanding the gaps that need to be addressed and how you can layer complementary products, like EDR, to fill in any holes and achieve a more secure posture.
Antivirus (AV) is software designed to prevent, search for, detect and remove viruses and other malware from a computer.
A remote computing device (like a user’s workstation or company server) that communicates back and forth with a network. Endpoints provide hackers an entry point to critical assets and applications, creating a potential cybersecurity vulnerability.
EDR is a set of cybersecurity tools that proactively monitor, detect, and remediate threats on endpoint devices as they happen.
A type of network security system that monitors traffic to or from a network.
Layers of security solutions that work together to minimize the risk of cyber threats.
See how the global Huntress SOC can augment your team with 24/7 coverage and unmatched human expertise. Start your free trial today.
Try Huntress for Free