The Language of Cybersecurity

What is EDR? Your guide to endpoint detection and response

Endpoint detection and response (EDR) solutions detect and investigate suspicious activities and other problems on network hosts and endpoints. Offering an additional layer of protection above that of traditional anti-virus software, EDR is meant to counter hackers seeking to install malware used to steal passwords, record keystrokes, encrypt files and hold them for ransom, or perform other malicious activity. EDR gathers and analyzes information on possible security threats from computer workstations and other endpoints, and alerts IT staff to potential and active attacks.

Breaking It Down: Endpoint, Detection and Response

Endpoint. An endpoint is any device that people or software use to connect to a network. An endpoint’s operating system and applications may allow users to connect to the internet, send and receive email, process financial transactions or perform many other activities. Some common endpoints include:

  • Desktop and laptop computers
  • Smartphones and tablets
  • Servers
  • Workstations
  • Internet-of-things (IoT) devices

Detection. EDR software agents collect information from endpoints, including activity rates, data and process logs, performance monitoring, file details, and data transfers. Sophisticated analytics then identify patterns and flag anomalies, such as rare processes or events, strange or unrecognized connections, or other activities that diverge from baseline comparisons.

Response. Network operators use EDR threat response capabilities to diagnose and track issues, take action against threats, and perform forensic analysis. Preconfigured rules identify incoming data mapping to known security breaches and trigger protective responses such as disconnecting users or sending alerts to security staff. Forensic tools can establish timelines, identify systems affected by a breach, and even gather artifacts or investigate live system memory in suspect endpoints. Combining historical and real-time situational data gives security staff a fuller picture of any incident and supports targeted response.

70% of organizations are facing new pandemic-related security challenges1

Collecting all endpoint activity

How EDR Works

EDR solutions use a software agent on the host system to give IT staff continuous, comprehensive real-time visibility into all endpoint activity on a network. This information is saved in a central database for further analysis, detection, investigation, reporting, and alerts. A real-time analytics engine uses behavioral analysis algorithms to evaluate and correlate large volumes of data, searching for patterns and generating rules delineating common and acceptable network activity. The analytics engine also assesses any potential threats, flagging those that don’t adhere to the rules. Forensics tools actively search for known threats; after an attempted or successful breach, they provide IT security professionals with post-mortem findings, which also support ongoing protection. IT teams also use these tools to hunt for threats, such as malware, that may be lurking on a network endpoint.

Common Threats Detected by EDR

EDR solutions analyze both data and behavior, making them effective against emerging threats and active attacks such as:

  • Malware, including viruses, keyloggers, worms, trojans, logic bombs, and adware
  • Exploit chains
  • Ransomware
  • Advanced persistent threats (APTs)
EDR Must-Haves

Make sure any EDR solution you choose has these important features:

  • Continuous endpoint monitoring provides visibility into processes, executables, events and user behavior.
  • Fusing data from other solutions, such as network detection and response systems, provides even greater visibility and detection.
  • Intelligent filtering reduces false positives, alert fatigue – and the likelihood of real threats breaching the barriers.
  • Advanced threat blocking stops threats both on detection and throughout the life of an attack.
  • Rapid data collection uses a lightweight agent to quickly inventory and profile endpoints in even the most complex networks.
  • Scalability makes it possible to store data on hundreds of thousands of endpoints in one central database or download files in bulk from any endpoints.
  • Behavioral detection with UEBA (user and entity behavior analytics) sets a baseline for expected endpoint behavior, detects deviations, and prioritizes incidents by potential threat level.
  • Root cause analysis exposes the scope and effects of each attempted attack or breach.
  • Automated risk scoring for files and hosts helps prioritize threats.
Benefits of EDR
  • Lower mean time for detection, investigation and response
  • Improved response times
  • Reduced breach impact
  • Faster incident response and reduced dwell time
  • Greater visibility into endpoint behavior anomalies, for early threat detection
  • Ability to pinpoint suspicious users and compromised accounts with threat-aware authentication
  • Faster root cause analysis
  • Ability to assess the full scope of an attack across endpoints and network

Related resources

[1] Michael Hill, “70% of Orgs Facing New Security Challenges Due to #COVID19 Pandemic,” Infosecurity Magazine, March 1, 2021.