Endpoint Detection and Response (EDR), also referred to as Endpoint Threat Detection and Response (ETDR), is an integrated endpoint security solution that combines continuous, real-time monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. The term was proposed by Anton Chuvakin at Gartner to describe new security systems that detect and investigate suspicious activity on hosts and endpoints and employ a high level of automation to enable security teams to quickly identify and respond to threats.
The functions of an EDR security system are:
- Monitor and collect activity data from endpoints that could indicate a threat.
- Analyze this data to identify threat patterns.
- Automatically respond to identified threats to remove or contain them and notify security personnel.
- Provide forensics and analytics tools to investigate identified threats and search for suspicious activity.
Implementation of EDR solutions
EDR adoption is expected to grow significantly over the next few years. According to Stratistics MRC's Endpoint Detection and Response: Global Market Outlook (2017-2026), revenue from EDR solutions, both on-premises and cloud-based, is expected to reach $7.27 billion by 2026, with a compound annual growth rate of nearly 26%.
One of the factors driving the rise in EDR adoption is the increase in the number of endpoints connected to networks. Another key driver is the increasing sophistication of cyberattacks, which often focus on endpoints as easier targets for infiltrating a network.
New types of endpoints and endpoint attacks
The average IT department manages thousands of endpoints on its network. These include not only desktops and servers but also laptops, tablets, smartphones, Internet of Things (IoT) devices, and even smartwatches and digital assistants. The SANS Endpoint Protection and Response Survey reports that 44% of IT teams manage between 5,000 and 500,000 endpoints. Any one of these endpoints can become an open door for cyberattacks; therefore, endpoint visibility is critical.
While today’s antivirus solutions can find and block many new types of malware, hackers are constantly creating more. Many types of malware are hard to detect using standard methods. For example, fileless malware, a newer development, runs in the computer’s memory and never touches disk, so it evades signature-based malware scanners.
To strengthen security, an IT department can implement a variety of endpoint security solutions over time, as well as other security applications. However, having too many standalone security tools can complicate the threat detection and prevention process, especially if they overlap and generate similar security alerts. It’s much better to have an integrated endpoint security solution.
Key components of EDR Security
EDR Security provides an integrated hub for collecting, correlating, and analyzing endpoint data and coordinating alerts and responses to immediate threats. EDR tools have three basic components:
Endpoint data collection agents: Software agents perform endpoint monitoring and collect data such as processes, connections, activity volumes, and data transfers into a central database.
Automated response: Preconfigured rules in an EDR solution can detect when incoming data indicates a known type of security breach and trigger an automated response, such as logging off the end user or sending an alert to an employee.
Analysis and forensics: An endpoint detection and response system can include real-time analytics to quickly diagnose threats that don’t quite match preconfigured rules, as well as forensic tools to search for threats or perform post-mortem analysis of an attack.
- A real-time analysis engine uses algorithms to evaluate and correlate large amounts of data and look for patterns.
- Forensics tools allow IT security professionals to examine previous breaches to better understand how an exploit works and how it penetrated security. IT security professionals also use forensics tools to hunt for threats in the system, such as malware or other exploits that may be lurking undetected on an endpoint.
New EDR capabilities improve threat intelligence
New features and services enhance EDR solutions’ ability to detect and investigate threats.
For instance, third-party threat intelligence services such as McAfee Global Threat Intelligence increase the effectiveness of endpoint security solutions. Threat intelligence services equip an organization with a global pool of information on current threats and their characteristics. This collective intelligence helps increase an EDR’s ability to identify exploits, especially multi-layered and zero-day attacks. Many EDR security vendors can provide threat intelligence subscriptions as part of their endpoint security solution.
In addition, new investigation capabilities in some EDR solutions can leverage AI and machine learning to automate steps in an investigation process. These new capabilities can quickly learn an organization’s baseline behavior and use that information, along with a variety of other sources of threat intelligence, to interpret results.
Another type of threat intelligence is the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) project being conducted at MITRE, a nonprofit research group working with the U.S. government. ATT&CK is a knowledge base and framework based on the study of millions of real-world cyberattacks.
ATT&CK categorizes cyber threats based on a variety of factors, including the tactics used to infiltrate an IT system, the types of system vulnerabilities exploited, the malware tools used, and the criminal groups associated with the attack. The work focuses on identifying patterns and characteristics that remain unchanged regardless of minor changes to an exploit. Details like IP addresses, registry keys, and domain names can change frequently, but an attacker’s methods, or “modus operandi”, generally stay the same. An EDR can use these behaviors to find threats that may have changed in other ways.
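As an added example (not code from the original article or from any EDR vendor), the following Python sketches the rule-based analysis and automated-response step described under "Key components of EDR Security" together with the point made here that behavior outlives indicators: a hash-based rule runs beside a behavioral rule over constructed process telemetry, and the response is chosen per rule. The hosts, hashes, command lines, rule names and response actions are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """One process-creation record as an endpoint agent would collect it."""
    host: str
    parent: str
    image: str
    cmdline: str
    sha256: str

# Constructed telemetry (not real data): the same behavior on two hosts
# delivered by different binaries, plus one benign administrative use.
EVENTS = [
    ProcessEvent("ws-01", "winword.exe", "powershell.exe",
                 "powershell -enc <base64 placeholder>", "hash-aaaa"),
    ProcessEvent("ws-02", "winword.exe", "pwsh.exe",
                 "pwsh -EncodedCommand <base64 placeholder>", "hash-bbbb"),
    ProcessEvent("ws-03", "explorer.exe", "powershell.exe",
                 "powershell Get-ChildItem C:\\Users", "hash-cccc"),
]
KNOWN_BAD_HASHES = {"hash-aaaa"}  # constructed indicator feed: one sample seen
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Preconfigured automated response per rule (constructed action names).
RESPONSES = {"known-bad-hash": "alert", "office-spawns-encoded-shell": "isolate+alert"}

def indicator_rule(ev):
    """Brittle rule: fires only on a hash the feed has already catalogued."""
    return "known-bad-hash" if ev.sha256 in KNOWN_BAD_HASHES else None

def behaviour_rule(ev):
    """Office app spawning an encoded shell; survives the payload being rebuilt."""
    encoded = "-enc" in ev.cmdline.lower()  # also matches -EncodedCommand
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SHELLS and encoded:
        return "office-spawns-encoded-shell"
    return None

def analyze(events, rules=(indicator_rule, behaviour_rule)):
    """Run every rule over every event; return (host, rule_name) findings."""
    return [(ev.host, name) for ev in events for rule in rules if (name := rule(ev))]

def respond(findings):
    """Map each finding to the automated action configured for its rule."""
    return [(host, RESPONSES[name]) for host, name in findings]

def missed_by_indicators_only(events):
    """Hosts the behavioral rule flags that a hash-only feed would not see."""
    flagged = {h for h, _ in analyze(events, rules=(behaviour_rule,))}
    seen = {h for h, _ in analyze(events, rules=(indicator_rule,))}
    return sorted(flagged - seen)
```

Running `missed_by_indicators_only(EVENTS)` shows the second host, whose binary and hash differ, is caught only by the behavioral rule.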
As IT security professionals face increasingly complex cyber threats and a greater variety of endpoints and types accessing the network, they need more help from the automated analysis and response that endpoint detection and response solutions provide.