Endpoint detection and response (EDR) is a type of software solution that enables IT and security teams to identify endpoint threats such as malware, viruses, fileless attacks and the misuse of legitimate applications—be that malicious or mistaken. But not only do EDR solutions help organizations to detect these threats; they also help them to remediate security incidents and analyze them, to help prevent the same thing from happening in the future.
The overall cost of a successful endpoint attack has increased dramatically in recent years, now reaching an average of $8.94 million—with the largest contributors to this cost being loss of IT and end-user productivity as well as data theft. Many organizations can’t afford to dedicate their already-limited IT resources to resolving a security incident, let alone afford to lose almost $9 million as the result of an attack.
And while the cost of system downtime due to endpoint attacks has decreased in recent years, the average company affected by ransomware—one of the most prevalent endpoint threats businesses are facing today—experiences 21 days of downtime, resulting in a huge loss of productivity that can ultimately drive customers to find alternative, more reliable services.
So, while taking steps to prevent an attack from occurring in the first place is important, it’s also crucial that organizations are able to detect and remediate successful endpoint attacks as quickly as possible.
That’s where endpoint detection and response solutions come in.
But what exactly is EDR and, with so many available options on the market, what features should you look for to make sure you’re choosing the right EDR solution for your business?
What Is EDR And Why Is It Important?
81% of businesses have experienced an attack involving some sort of malware, and 53% of organizations were hit by a successful ransomware attack in the last year alone. It’s clear that organizations need to protect their endpoints against threats such as these, and implementing an EDR solution is one of the ways in which they can do that.
Endpoint detection and response solutions enable IT and security teams to more efficiently identify malicious activity across their organizations’ endpoints, and then quickly and effectively remediate that activity.
EDR solutions monitor each endpoint—be it a desktop, laptop, mobile device, cloud system or server—in real-time for suspicious or unusual behavior that could indicate the system has been compromised. When a threat is detected, the solution can either initiate a response automatically to contain and remediate the threat, or provide suggestions to the security team to help inform their manual threat response processes. The level of automated remediation available varies from solution to solution, and is usually configurable so that system admins can integrate the platform’s remediation actions with the security team’s existing workflows.
As well as helping organizations to identify and respond to threats, many EDR solutions also offer threat intelligence functionality, which helps security teams work out exactly how each threat entered their system and what actions allowed it to spread. This enables them to fix the root cause of the problem and prevent repeat attacks.
How Is EDR Different To Endpoint Protection And Antivirus?
While the names sound similar, endpoint detection and response solutions are very different from endpoint protection and antivirus solutions.
Endpoint protection platforms (EPP), also called endpoint security solutions, use behavioral analysis powered by machine learning to identify known and unknown malware and viruses across an organization’s endpoints. They also scan for vulnerabilities that could be exploited by a cybercriminal if not patched.
Antivirus software solutions scan individual endpoints for malware, combining signature-based detection to identify known threats, heuristic analysis to compare suspicious application behaviors to a database of known security issues, and integrity checking to inspect an endpoint’s files for corruption.
Antivirus differs from endpoint protection because, while modern cloud-hosted antivirus solutions offer threat detection based on machine learning, many legacy solutions do not. On top of that, antivirus software is managed on a per-machine basis, while endpoint protection solutions allow admins to manage all devices centrally. This makes endpoint protection much better suited to an enterprise use case, while antivirus is a strong solution for consumers and small- to mid-sized businesses (SMBs).
EDR solutions contain the core functionality of EPP and antivirus software, but extend that functionality by enabling security teams to analyze threats in more detail, as well as automatically contain and remove threats. While endpoint protection and antivirus software passively scan for threats, EDR solutions take a more proactive stance on helping businesses mitigate threats before they spread, and prevent repeat attacks.
How Is EDR Different From MDR?
Managed detection and response (MDR) solutions are very similar to EDR; they provide similar threat monitoring and detection capabilities, as well as threat intelligence and analytics surrounding each incident. However, MDR solutions also offer the expertise of a dedicated team of security experts, who are available to help lead an organization’s response to a security incident—from detection, through the investigative process, to the guided remediation of the threat.
The cybersecurity industry is facing an increasing talent gap, and security incident response is one of the most commonly cited areas of skills shortage. MDR solutions directly address this challenge: organizations that don’t have a full in-house security team with the time and resources to dedicate to incident response can benefit from the expertise of a security operations center (SOC) without having to find, train and retain a SOC team themselves.
But when it comes to EDR and MDR, the choice isn’t “either-or”—some EDR providers offer managed threat response as an add-on to their core EDR functionality.
What Should I Look For In An EDR Solution?
Endpoint Threat Detection
Threat detection is a core EDR capability that’s critical to how well the solution functions. Once the solution is deployed, it collects data on each endpoint and on user activity on that endpoint—including user logins, process execution and network communications—and uses machine learning-based behavioral analytics to map out the “normal” behavior of each endpoint. From this baseline, the EDR solution can identify suspicious or potentially malicious activities, as well as known system vulnerabilities.
Another important feature to look out for in an EDR solution is its threat intelligence capabilities. This is one of the key differentiators between EDR and endpoint protection or antivirus software, giving your security team contextual information on each threat, such as the techniques and processes that an attacker is using to access your company’s endpoint data.
The strongest EDR solutions create a map of all the security-related events surrounding a detected security incident, using the behavioral data they’ve aggregated to create a trail of the attacker’s activities from the moment they entered the network and then as they moved around between machines.
This enables IT and security teams to patch any vulnerabilities—human or technical—that enabled the attacker to enter the network, so they can prevent repeat attacks. It also reduces the amount of time they have to spend on post-breach analysis, as the EDR solution maps out the attack and the attacker’s strategy automatically.
Alert Triaging To Reduce False Positives
According to recent research, 45% of all security alerts are false positives—and false positives cause the same amount of downtime as actual attacks. But they don’t have to.
The best EDR solutions carry out deep investigations into any suspicious activities detected across end-user devices, so that they can identify whether the activity is genuinely malicious. If it is, the security team is alerted to the incident. Some EDR tools also triage security alerts so that IT teams know which incidents to prioritize. This enables them to respond more quickly and efficiently to genuine attacks, reducing their response time, and thus, the overall damage caused by—and cost of—the breach.
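To make the baseline-then-deviation detection described under Endpoint Threat Detection and the alert triage described here concrete, the following added example (not code from the original article or from any EDR product) builds a per-host baseline of process-start telemetry, flags only events that deviate from it, and escalates alerts whose parent process was itself flagged earlier, which is the “trail” of chained activity an analyst would want surfaced first. Hostnames, users and process names are constructed sample data.

```python
from collections import defaultdict

# Constructed telemetry, one tuple per process start: (host, user, parent, child).
BASELINE_EVENTS = [
    ("ws-01", "alice", "explorer.exe", "outlook.exe"),
    ("ws-01", "alice", "explorer.exe", "winword.exe"),
    ("ws-01", "alice", "outlook.exe", "winword.exe"),
    ("ws-01", "alice", "explorer.exe", "chrome.exe"),
    ("srv-01", "svc_backup", "services.exe", "backup.exe"),
]

# Constructed events from a later window, in the order they occurred.
NEW_EVENTS = [
    ("ws-01", "alice", "explorer.exe", "chrome.exe"),
    ("ws-01", "alice", "winword.exe", "powershell.exe"),
    ("ws-01", "alice", "powershell.exe", "rundll32.exe"),
    ("srv-01", "alice", "services.exe", "backup.exe"),
]


def build_baseline(events):
    """Per-host sets of observed (parent, child) pairs and users."""
    pairs, users = defaultdict(set), defaultdict(set)
    for host, user, parent, child in events:
        pairs[host].add((parent, child))
        users[host].add(user)
    return pairs, users


def triage(new_events, baseline):
    """Return (severity, event, reasons) for events that deviate from baseline.
    Events whose parent was flagged earlier on the same host are escalated."""
    pairs, users = baseline
    flagged = defaultdict(set)  # host -> child processes already flagged
    alerts = []
    for event in new_events:
        host, user, parent, child = event
        reasons = []
        if (parent, child) not in pairs[host]:
            reasons.append("parent/child pair never seen on host")
        if user not in users[host]:
            reasons.append("user never seen on host")
        if parent in flagged[host]:
            reasons.append("parent was flagged earlier (chained)")
        if not reasons:
            continue  # matches baseline: no alert, no analyst time spent
        flagged[host].add(child)
        severity = "high" if len(reasons) > 1 else "medium"
        alerts.append((severity, event, reasons))
    return alerts
```

Running `triage(NEW_EVENTS, build_baseline(BASELINE_EVENTS))` yields no alert for the routine browser launch, a medium alert for the Office-spawned shell, a high alert for the process that shell spawned, and a medium alert for the unfamiliar user on the server.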
Automated Incident Response Capabilities
Another key feature to look for in an EDR solution sits right in the platform’s name: response. But before you can start comparing incident response features, you need to decide which level of response support your business needs:
- Some solutions offer “guided remediation”, which means that the EDR solution offers suggestions on how your security team should respond to a threat, but doesn’t actually take steps to implement that response.
- Other solutions offer “automated incident response”, which means that security admins can integrate the EDR solution with their other security tools and configure the automation of their incident response workflows. While this won’t be suitable for every kind of attack, it can help security teams to quickly and effectively contain certain threats, such as malware or viruses, and prevent them from spreading across the network. This is often the most popular remediation option.
- Finally, some solutions offer “managed threat response”—usually at an extra cost. This means that your organization will also benefit from the expertise of a SOC team provided by the EDR vendor. This team of experts will guide your own security team through the entire remediation process, making this the highest level of remediation available. It’s most popular among organizations that don’t have the in-house resources to effectively deal with security incidents.
Central Dashboard For Endpoint Visibility
Even the most technologically advanced protection features in the world won’t protect your organization if they aren’t easy to use. Because of this, our final recommendation is that you look for a solution with a user-friendly, intuitive admin console for general management. A good central dashboard should give admins at-a-glance information on the security of their endpoints at that moment in time, as well as enable them to create reports to delve deeper into their state of security. These could include reports on individual security incidents, and reports that show how threat levels have changed over time at an organization-wide or individual endpoint level.
Finally, the admin console should be centralized and easily accessible, so that security staff can access threat data and take remediation steps from anywhere, at any time; hackers don’t tend to work from 9-5, after all.
Endpoint attacks are some of the most prevalent threats that organizations are currently facing. But while attack methods are becoming increasingly sophisticated, so is the technology available to help your organization prevent those attacks and minimize the damage they might cause.
To help you find the right protection for your business, we’ve put together guides to the best EDR and MDR solutions on the market, including a breakdown of each solution’s key features and which organizations they’re best suited to. You can find these guides via the links below: