What is endpoint detection and response (EDR)?
Endpoint detection and response (EDR) is a system to gather and analyze security threat-related information from computer workstations and other endpoints, with the goal of finding security breaches as they happen and facilitating a quick response to discovered or potential threats. The term “endpoint detection and response” only describes the overall capabilities of a tool set. Therefore, the details and capabilities of an EDR system can vary greatly depending on the implementation.
An EDR implementation may be:
- a specific purpose-built tool;
- a small portion of a larger security monitoring tool; or
- a loose collection of tools used together to accomplish the task.
As attackers continuously update their methods and capabilities, traditional protection systems may fall short. EDR combines data and behavioral analysis, which makes them effective against emerging threats and active attacks, such as:
- novel malware;
- emerging exploit chains;
- ransomware; and
- advanced persistent threats (APT).
The historical data collected by endpoint detection and response tools can provide peace of mind and remediation for actively exploited zero-day attacks, even when a mitigation isn’t available. The IT security industry considers EDR a form of advanced threat protection.
Endpoint detection and response use and capabilities
EDR is primarily concerned with endpoints, which can be any computer system in a network, such as end-user workstations or servers. They can protect most operating systems (i.e., Windows, macOS, Linux, BSD, etc.) but do not include network monitoring.
A system that gathers information from many sources, such as endpoints, firewalls, network scans and internets logs, is considered security information and event management (SIEM). Security vendors may offer EDR as part of a SIEM package, however, for use by a security operations center (SOC) to investigate and respond to threats.
EDR is an integral part of a complete information security posture. It is not antivirus software, but it may have antivirus capabilities or use data from another antivirus product. Antivirus software is primarily responsible for protecting against known malicious software, while a well-executed endpoint protection and response program finds new exploits as they are running and detect malicious activity by an attacker during an active incident. This allows EDR to detect fileless malware attacks and attackers using stolen credentials, which traditional antivirus alone will not stop. Many EDR systems are part of next-generation antivirus products, however.
The role of an EDR system falls broadly into two categories:
- information collection and analysis; and
- threat response.
Because EDR capabilities can vary greatly from vendor to vendor, an organization researching EDR systems should carefully investigate the capabilities of any proposed system. They should also take into consideration how well it can integrate with their current overall security capabilities.
The information collection and analysis capabilities of EDR gathers and organizes data from endpoints, and then uses that information to identify irregularities or trends. It uses many data sources from an endpoint, which can include:
- logs;
- performance monitoring;
- file details;
- running processes; and
- configuration data or other information.
A dedicated agent installed on the endpoint can collect this data, or the system may use built-in OS capabilities and other helper programs.
EDR systems organize and analyze the collected data. A client device may perform portions of this, but, generally, a central system — hardware device, a virtual server or a cloud service — performs these functions.
Simple EDR systems may only collect and display this data or aggregate it and show trends. Operators may find following and making decisions based on this type of data difficult.
Advanced EDR systems can include machine learning or AI to automatically identify and alert on new and emerging threats. They may also use aggregate information from the product vendor to better flag threats. Some systems allow mapping of observed suspicious behavior to the MITRE ATT&CK framework to help detect patterns.
Threat response capabilities of EDR help the operator take corrective action, diagnose further issues and perform forensic analysis, which may allow for issue tracking and can help surface similar activity or otherwise aid an investigation. Forensic capabilities help establish timelines, identify affected systems post breach and may be able to gather artifacts or investigate live system memory in suspect endpoints. Combining historical and current situational data help to provide a fuller picture during an incident.
Some endpoint detection and response systems can perform automated remediation activities, such as disconnecting or stopping compromised processes or alerting the user or information security group. They also may be able to actively isolate or disable suspect endpoints or accounts. A good incident response system will also help coordinate teams during an active incident, helping to reduce its impact.
[embedded content]
Endpoint detection and response tools
Several popular vendors offer EDR capabilities either as standalone products or as part of a service package:
- McAfee MVision EDR is a cloud-native EDR tool with AI-guided investigation capabilities.
- CrowdStrike Falcon Insight offers high visibility and endpoint-security-posture analysis with crowdsourced information gathering to help detect and mitigate attacks.
- VMware Carbon Black Cloud Endpoint is a cloud next-generation antivirus product with cloud EDR behavioral analytics.
- Broadcom EDR can be used with the Symantec Endpoint Protection (SEP) suite or as a dissolvable agent.
- FireEye Endpoint Security tool offers EDR capabilities and can perform automated response and management using behavioral analysis and indicators of compromise.
- Several open source tools exist, but they may require extensive configuration or extra systems to be full featured. These tools include:
- OSSEC
- Wazuh
- TheHive Cortex
- Open EDR
Endpoint detection and response tools enable organizations to continually monitor endpoints and servers to spot potentially malicious behaviors. Effective EDR tools can detect and respond to these events to mitigate damage to the endpoint and the wider network.