A DEFINITION OF ENDPOINT DETECTION AND RESPONSE
Gartner’s Anton Chuvakin first coined the term Endpoint Threat Detection and Response (ETDR) in July 2013 to define “the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.” Commonly referred to as Endpoint Detection and Response (EDR), it is a relatively new category of solutions that is sometimes compared to Advanced Threat Protection (ATP) in terms of overall security capabilities.
Endpoint detection and response is an emerging technology that addresses the need for continuous monitoring and response to advanced threats. One could even make the argument that endpoint detection and response is a form of advanced threat protection.
HOW ENDPOINT DETECTION AND RESPONSE WORKS
Endpoint detection and response tools work by monitoring endpoint and network events and recording the information in a central database where further analysis, detection, investigation, reporting, and alerting take place. A software agent installed on the host system provides the foundation for event monitoring and reporting.
Ongoing monitoring and detection rely on analytic tools. By identifying, responding to, and deflecting internal threats and external attacks, these tools improve a company’s overall security posture.
Not all endpoint detection and response tools work the same way or offer the same spectrum of capabilities. Some endpoint detection and response tools perform more analysis on the agent, while others focus on the backend via a management console. Some vary in collection timing and scope or in their ability to integrate with threat intelligence providers.
However, all endpoint detection and response tools perform the same essential functions with the same purpose: to provide a means for continuous monitoring and analysis to more readily identify, detect, and prevent advanced threats.
ENDPOINT DETECTION AND RESPONSE: NOT JUST TOOLS, BUT CAPABILITIES
While Anton Chuvakin coined the term “endpoint detection and response” to classify an emerging set of tools, the term may also be used to describe a much broader set of security capabilities. For instance, a tool may offer endpoint detection and response in addition to application control, data encryption, device control and encryption, privileged user control, or network access control.
Both endpoint detection and response tools and those offering EDR as part of a broader set of capabilities are suitable for a multitude of endpoint visibility use cases. Anton Chuvakin groups these cases within three broader categories of endpoint visibility (which do not account for the “response” portion of EDR):
- Data search and investigations
- Suspicious activity detection
- Data exploration
Most endpoint detection and response tools address the “response” portion through sophisticated analytics that identify patterns and detect anomalies, such as rare processes, strange or unrecognized connections, or other risky activities flagged on the basis of comparison against a baseline. This process can be automated so that anomalies trigger alerts for immediate action or further investigation. Many endpoint detection and response tools also allow for manual or user-led analysis of the data.
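As an added illustration of the baseline comparison described above (this is example code written for this page, not a product's detection logic), the following Python builds a baseline from a quiet learning window of agent telemetry, then flags new processes, rare processes, and connections to destinations the process has never used before. The event format, host names, process names, destinations, and the allowlist are all constructed assumptions; the allowlist stands in for the analyst-tuned filtering that keeps known-good but noisy software from generating false positives.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed telemetry, shaped like what an EDR agent might forward to the
# central store. Two event types: "process" (a process started) and
# "network" (a process opened an outbound connection). Hosts, process names
# and destinations are made up for this example.
BASELINE_EVENTS = [
    {"host": "ws01", "type": "process", "process": "explorer.exe"},
    {"host": "ws02", "type": "process", "process": "explorer.exe"},
    {"host": "ws03", "type": "process", "process": "explorer.exe"},
    {"host": "ws01", "type": "process", "process": "outlook.exe"},
    {"host": "ws02", "type": "process", "process": "outlook.exe"},
    {"host": "ws03", "type": "process", "process": "outlook.exe"},
    {"host": "ws01", "type": "process", "process": "chrome.exe"},
    {"host": "ws02", "type": "process", "process": "chrome.exe"},
    {"host": "ws01", "type": "process", "process": "legacy_report.exe"},
    {"host": "ws01", "type": "process", "process": "updater.exe"},
    {"host": "ws01", "type": "network", "process": "outlook.exe", "dest": "mail.corp.example:443"},
    {"host": "ws02", "type": "network", "process": "outlook.exe", "dest": "mail.corp.example:443"},
    {"host": "ws03", "type": "network", "process": "outlook.exe", "dest": "mail.corp.example:443"},
    {"host": "ws01", "type": "network", "process": "chrome.exe", "dest": "www.example.com:443"},
    {"host": "ws01", "type": "network", "process": "updater.exe", "dest": "updates.vendor.example:443"},
]

# Constructed events from a later detection window.
NEW_EVENTS = [
    {"host": "ws02", "type": "process", "process": "explorer.exe"},
    {"host": "ws03", "type": "process", "process": "chrome.exe"},
    {"host": "ws03", "type": "process", "process": "unknown_tool.exe"},
    {"host": "ws02", "type": "process", "process": "legacy_report.exe"},
    {"host": "ws02", "type": "process", "process": "updater.exe"},
    {"host": "ws01", "type": "network", "process": "outlook.exe", "dest": "mail.corp.example:443"},
    {"host": "ws02", "type": "network", "process": "outlook.exe", "dest": "203.0.113.7:8443"},
    {"host": "ws03", "type": "network", "process": "updater.exe", "dest": "cdn2.vendor.example:443"},
]

# Known-good but noisy software whose alerts analysts have chosen to suppress.
# This is the "filtering" step; the entry is a constructed assumption.
ALLOWLIST = frozenset({"updater.exe"})


@dataclass
class Baseline:
    # process name -> set of hosts on which it was observed (prevalence)
    process_hosts: dict = field(default_factory=lambda: defaultdict(set))
    # process name -> set of destinations it has legitimately connected to
    known_dests: dict = field(default_factory=lambda: defaultdict(set))


def build_baseline(events):
    """Summarise a learning window into per-process prevalence and destinations."""
    baseline = Baseline()
    for ev in events:
        baseline.process_hosts[ev["process"]].add(ev["host"])
        if ev["type"] == "network":
            baseline.known_dests[ev["process"]].add(ev["dest"])
    return baseline


def detect(events, baseline, min_hosts=2, allowlist=frozenset()):
    """Compare new events against the baseline.

    Returns (alerts, suppressed_count). A process seen on fewer than
    `min_hosts` baseline hosts is "rare"; one never seen is "new"; a
    connection to a destination the process never used is "unrecognized".
    Allowlisted processes are counted but not alerted on.
    """
    alerts, suppressed = [], 0
    for ev in events:
        reason = None
        if ev["type"] == "process":
            hosts = baseline.process_hosts.get(ev["process"])
            if not hosts:
                reason = "new-process"
            elif len(hosts) < min_hosts:
                reason = "rare-process"
        elif ev["type"] == "network":
            if ev["dest"] not in baseline.known_dests.get(ev["process"], set()):
                reason = "unrecognized-connection"
        if reason is None:
            continue
        if ev["process"] in allowlist:
            suppressed += 1
            continue
        alerts.append({"host": ev["host"], "process": ev["process"],
                       "reason": reason, "detail": ev.get("dest", "")})
    return alerts, suppressed


def run_example():
    baseline = build_baseline(BASELINE_EVENTS)
    return detect(NEW_EVENTS, baseline, min_hosts=2, allowlist=ALLOWLIST)


if __name__ == "__main__":
    found, dropped = run_example()
    for a in found:
        print(f"{a['host']}: {a['reason']} {a['process']} {a['detail']}".rstrip())
    print(f"{dropped} alert(s) suppressed by allowlist")
```

On the constructed data this raises three alerts (a never-seen process on ws03, a process previously confined to one host appearing on ws02, and outlook.exe reaching a destination outside its baseline) and suppresses two updater.exe findings. In a real deployment the baseline would be rebuilt periodically and the allowlist reviewed, since an overly broad allowlist is exactly how real threats slip past the filter.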
THE NEED FOR ENDPOINT SECURITY
Endpoint detection and response is still an emerging field, but EDR capabilities are quickly becoming an essential element of enterprise security solutions. Organizations that are looking for the most advanced security system available should pay attention to EDR capabilities when evaluating vendors.
Here are several key EDR features to look for when considering an endpoint security solution:
- Filtering: Lower-quality solutions tend to struggle with filtering out false positives. Alerts are triggered for events that are not threats, creating alert fatigue and increasing the possibility that real threats slip through unnoticed.
- Advanced Threat Blocking: A good solution will prevent threats the moment they are detected and throughout the life of the attack. Persistent attacks could eventually overcome security measures on products with weaker offerings.
- Incident Response Capabilities: Threat hunting and incident response can help prevent full-blown data breaches. Having a solution that aids security personnel in these efforts is critical for data loss prevention (DLP).
- Multiple Threat Protection: Advanced attacks, or several different attacks at once, can overwhelm an endpoint unless the installed security solution is prepared to handle multiple types of threats at the same time (e.g., ransomware, malware, suspicious data movements).