A Guide to Endpoint Detection and Response (EDR)

Threat Intelligence • August 2, 2021

In an enterprise network, an endpoint is any device that occupies one end of a communication channel. This may include:


  • Desktop computers
  • Laptops
  • Printers
  • Servers
  • Mobile phones
  • IoT devices
  • WiFi access points


Simply put, if a device is connected to a network, it is an endpoint.


Endpoint security is concerned with protecting these endpoints from malware, ransomware, phishing attacks, zero-day attacks, and other threats. Over the years, it has evolved from traditional antivirus software to now include firewall services, web filtering, and email filtering. Yet even with all of these important components, one of the most vital components of endpoint security today is Endpoint Detection and Response (EDR).

What Is Endpoint Detection and Response?

In 2013, Gartner’s Anton Chuvakin suggested the term Endpoint Threat Detection & Response (ETDR) to describe the “tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.”


ETDR eventually became EDR.

What are the Benefits of Endpoint Detection and Response?

Endpoint Detection and Response is one of the two critical pieces of the endpoint security puzzle – the other being an Endpoint Protection Platform or EPP. Often, EPP and EDR are combined to create an integrated, multi-layered approach to endpoint security.



An EPP solution goes beyond the limited capabilities of antivirus tools to offer better protection, even against advanced threats. However, while it can identify vulnerabilities and prevent attacks, it cannot take action if active threats have already moved past endpoints. This is where an EDR solution can be a valuable addition to an endpoint security program.


EDR expands EPP support by collecting and analyzing data from network endpoints to actively neutralize attacks. Rather than relying on reactive, signature-based detection alone, EDR identifies and removes threats early and limits the damage they can cause. It also remediates affected endpoints to a pre-infection state. Once an attack is stopped, the EDR can be used to trace its source and prevent similar attacks from recurring.


With real-time continuous monitoring, endpoint data analytics, and rule-based automated response, an EDR can stop an attack at the earliest signs of detection, and often before the human security personnel even realize the threat exists.

EDR Use and Capabilities

Endpoint Detection and Response tools:


  • Monitor and collect activity data from endpoints
  • Analyze this data to identify vulnerabilities and threats
  • Automatically respond to threats to remove or contain them
  • Notify security personnel about the threat and its removal
  • Trace threat source to prevent recurrence


As EDR tools monitor endpoints and network events, they record this information in a central database, where the data is then analyzed, investigated and reported on. They also identify internal threats and external attacks, and respond to them automatically to minimize their damaging impact.


Endpoint Data Collection Agents


A software agent installed on host systems enables Endpoint Detection and Response tools to monitor endpoints and collect data about them, such as running processes, data transfers, logs, configurations, files, activity volumes and connections. It then places this data into a centralized threat database. This information can be contextually enriched to help security teams identify irregularities or anomalous trends that may indicate signs of an attack.


Data Analytics and Threat Hunting


An EDR tool may provide both real-time analytics and forensics tools. The analytics engine searches for patterns, and enables fast analysis of threats that may not fit the software’s pre-configured rules. Forensics tools are ideal for establishing timelines and analyzing the source of an attack that has already happened. They provide a combination of current situational data and historical data to guide the actions of security teams, and help prevent recurrence. They also enable security personnel to hunt for threats (e.g. malware) that may be lurking undetected on endpoints.


Real-time Visibility


Endpoint Detection and Response tools provide real-time, full-spectrum endpoint visibility so security teams can view the activities of bad actors as they attempt to breach the endpoint, and take action to stop them immediately.


Behavioral Protection


Effective EDR tools (such as Evolve’s SIEM and EDR tools) adopt a behavioural approach: they baseline typical user and process activity and search it for Indicators of Attack (IOAs). Anomalous activity is then flagged before a compromise or breach occurs.


Automated Incident Response and Remediation


EDR provides rule-based automated response to any detected threat. These pre-configured rules recognize when incoming data indicates a threat, and trigger an automatic response to mitigate or deflect it. The response could be to send an automatic alert to a security administrator or to log the suspect user off the network.


Incident Triage


An EDR solution can automatically triage and validate potentially suspicious events. This enables security teams to prioritize investigations and focus their efforts on the incidents or threats that truly matter, saving the time and resources otherwise spent chasing false positives. It also reduces “alert fatigue,” which helps both the morale and the longevity of your employees!
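The three stages described in the Behavioral Protection, Automated Incident Response and Incident Triage sections above (telemetry in, rule-based detections out, detections collapsed into ranked incidents, incidents mapped to a pre-configured response) fit together as a small pipeline. The script below is an added example written for this article; it is not code from the article or from Evolve’s product. The event schema, rule names, severities, the 20-files-in-60-seconds threshold and the score-to-action cut-offs are all constructed for illustration, and the telemetry is a hand-built sample rather than a real capture.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed telemetry in the shape an endpoint agent might forward to the
# central store: process starts, a network connection and a burst of file writes.
TELEMETRY = [
    {"host": "ws-01", "ts": 100, "type": "process", "pid": 4101, "image": "winword.exe", "parent": "explorer.exe"},
    {"host": "ws-01", "ts": 102, "type": "process", "pid": 4133, "image": "powershell.exe", "parent": "winword.exe"},
    {"host": "ws-01", "ts": 103, "type": "network", "pid": 4133, "dst_port": 4444},
    {"host": "ws-02", "ts": 200, "type": "process", "pid": 5001, "image": "powershell.exe", "parent": "explorer.exe"},
    {"host": "srv-01", "ts": 300, "type": "process", "pid": 700, "image": "unknown.exe", "parent": "explorer.exe"},
] + [
    {"host": "srv-01", "ts": 300 + i, "type": "file", "pid": 700, "path": f"C:\\share\\doc{i}.docx.locked"}
    for i in range(30)
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass
class Detection:
    host: str
    rule: str
    severity: int  # 1 (informational) .. 10 (critical); values here are illustrative
    ts: int
    evidence: dict


def rule_script_host_launched(events):
    """Low-severity context rule: any scripting host started. Noisy on its own."""
    for e in events:
        if e["type"] == "process" and e["image"] in SCRIPT_HOSTS:
            yield Detection(e["host"], "script_host_launched", 2, e["ts"], e)


def rule_office_spawns_script_host(events):
    """IOA: an Office process is the parent of a scripting host."""
    for e in events:
        if e["type"] == "process" and e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
            yield Detection(e["host"], "office_spawns_script_host", 6, e["ts"], e)


def rule_script_host_unusual_outbound(events):
    """IOA: a scripting host opens an outbound connection on a non-web port.
    Network events are joined to process events on (host, pid)."""
    script_pids = {(e["host"], e["pid"]) for e in events
                   if e["type"] == "process" and e["image"] in SCRIPT_HOSTS}
    for e in events:
        if (e["type"] == "network" and (e["host"], e["pid"]) in script_pids
                and e["dst_port"] not in (80, 443)):
            yield Detection(e["host"], "script_host_unusual_outbound", 7, e["ts"], e)


def rule_mass_file_rename(events, threshold=20, window=60):
    """Behavioural rule: one process writes >= threshold files carrying a new
    extension inside a sliding time window (ransomware-like activity)."""
    per_proc = defaultdict(list)
    for e in events:
        if e["type"] == "file" and e["path"].endswith(".locked"):
            per_proc[(e["host"], e["pid"])].append(e["ts"])
    for (host, pid), stamps in per_proc.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                yield Detection(host, "mass_file_rename", 9, t, {"pid": pid, "count": hi - lo + 1})
                break  # one detection per process; do not re-alert on every further write


RULES = [rule_script_host_launched, rule_office_spawns_script_host,
         rule_script_host_unusual_outbound, rule_mass_file_rename]


def run_rules(events):
    """Detection stage: apply every rule to the telemetry stream."""
    return [d for rule in RULES for d in rule(events)]


def triage(detections):
    """Triage stage: collapse detections per host into one ranked incident.
    Score = highest severity, +1 for each additional distinct rule that fired on
    the same host (capped at 10). A host with only the context rule ranks low."""
    by_host = defaultdict(list)
    for d in detections:
        by_host[d.host].append(d)
    incidents = []
    for host, dets in by_host.items():
        rules = sorted({d.rule for d in dets})
        score = min(10, max(d.severity for d in dets) + len(rules) - 1)
        incidents.append({"host": host, "score": score, "rules": rules})
    return sorted(incidents, key=lambda i: (-i["score"], i["host"]))


def respond(incidents):
    """Response stage: map each incident's triage score to a pre-configured action."""
    actions = {}
    for inc in incidents:
        if inc["score"] >= 8:
            actions[inc["host"]] = "isolate_host"
        elif inc["score"] >= 5:
            actions[inc["host"]] = "alert_analyst"
        else:
            actions[inc["host"]] = "log_only"
    return actions


if __name__ == "__main__":
    incidents = triage(run_rules(TELEMETRY))
    actions = respond(incidents)
    for inc in incidents:
        print(f"{inc['host']:7} score={inc['score']:2} action={actions[inc['host']]:14} rules={inc['rules']}")
```

Two points are worth noticing when running it. The interactive PowerShell launch on ws-02 fires only the low-severity context rule, so triage scores it 2 and it is logged rather than raised to an analyst, which is the alert-fatigue reduction the article describes. On ws-01 the same context rule corroborates two IOA rules (Office spawning a shell, then that shell connecting out on an unusual port), so the combined score crosses the isolation threshold even though no single rule did.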


Threat Intelligence


Integrated threat intelligence capabilities provide additional context and details about current threats and adversaries, and their characteristics. This strengthens the EDR’s ability to identify, respond to, and neutralize attacks.

Evolve’s On-demand SIEM and EDR Capabilities with Unlimited Agents

Evolve’s on-demand SIEM and EDR capabilities provide comprehensive visibility across all endpoints. Unlimited and easy-to-deploy EDR agents work in tandem with the SIEM to provide immediate information and alerts about security breaches and malicious activities.


The EDR applies powerful behavioural analytics to automatically detect suspicious behaviours and stealthy attackers. It can easily be scaled to meet changing business requirements. For more information, download our Evolve On-demand SIEM and EDR Capabilities brochure.

Conclusion

Endpoints have increasingly become common entry points for malicious actors. That’s why it’s important to continuously monitor them and catch threats and attacks before they spread. Endpoint Detection and Response provides the means to do so, with improved endpoint visibility, contextualized threat hunting, rapid threat investigations, and automated remediation. All in all, EDR is one of the best investments modern organizations can make.
