What is Endpoint Detection and Response?

Barbara Ericson
26 Apr

What is Endpoint Detection and Response (EDR)?

Endpoint detection and response (EDR) is an integrated security solution that uses real-time monitoring and endpoint data analysis in order to detect malicious behaviors and formulate responses to these instances.

What all of that means is that an EDR solution is installed on designated endpoint devices and monitors behaviors to detect and prevent harmful activities.

The term was coined by Anton Chuvakin at Gartner as a way to describe systems made to detect and investigate suspicious happenings involving endpoints of a network. However, before we dive into that…

What Exactly Is an Endpoint?

“Endpoint” is a networking term that describes any device that communicates data to, from, and throughout a network. Endpoints include, but are not limited to:

  • Laptops
  • Tablets
  • Smartphones
  • Desktop computers
  • Servers
  • Smartwatches
  • And a whole host of IoT (internet of things) devices

Now that you understand what an endpoint is, it’ll be easier to understand the importance of EDR solutions.

What is the Importance of Endpoint Detection and Response solutions?

Cybersecurity is making major waves in international headlines, with regular stories of major breaches and data leaks. Notable among these, Federal Reserve chairman Jerome Powell recently stated that cyber threats were the top concern of the financial sector going forward:

“The world evolves. And the risks change as well,” Powell said during an interview aired Sunday on CBS’s “60 Minutes,” noting he is far more concerned about a cyber incident than he is about encountering a collapse akin to the global financial crisis of 2008. “And I would say that the risk that we keep our eyes on the most now is cyber risk.”

That being said, these increasing threats are not just limited to the financial sector. No one is safe from the threat of breaches and leaks so long as businesses have valuable proprietary data waiting to be exposed.

In most cases, people are the weakest link when it comes to cybersecurity and we are all interacting with network endpoints on a daily basis, which is why vulnerability management is very important.

Networks are complex webs of technology that combine a whole host of endpoints through the use of layers, switches, and firewalls.

Despite this complexity, it’s up to IT security teams to maintain control and awareness of all suspicious behavior on those networks.

EDR solutions shoulder some of that burden by providing in-depth analysis of traffic going to and coming from endpoints on a network and even automating many of these security processes. Automation will allow web application security analysts to focus on identifying and responding to these threats.

5 Key Components of EDR Solutions

Now that you know what an EDR solution is and why it is so critical to your security infrastructure, we’ve put together a list of the five most important elements of an EDR solution.

You can use this list to determine if your EDR platform (or prospective vendor) is up to the task of protecting your most valuable assets and network components.

1. Activity Detection

The base functionality of an EDR solution must include activity detection capabilities, specifically the detection of malicious activities.

Using contextual analysis of behaviors, EDR solutions must be able to parse through countless instances and interactions to determine which ones are harmless and which ones pose a threat to systems and/or data.

This functionality works hand-in-hand with the next in order to create a symbiotic relationship for endpoint security.

2. Activity Investigation

Once the EDR system detects potential malicious activity, it begins an investigation of this behavior to determine whether or not the end-user is actually acting against the security systems put in place by the administrator.

The most advanced endpoint detection and response solutions use algorithms to recognize patterns of malicious behavior in order to give EPPs (endpoint protection platforms) the ability to develop appropriate responses before an actor is able to carry out their goal.

An EDR will take note of specific behavior patterns regarding:

  • Data being copied
  • Data manipulation
  • Process launching
  • Data deletion
  • Security systems killed
  • And many others

These types of actions are major red flags in hacking operations and an EDR will take note of these patterns in order to help aid the next component of these solutions.

3. Automated Response

Some EDR solutions allow administrators to set up pre-programmed responses to specific behaviors so that the malicious process is stopped before any further damage is done.

These types of responses range from logging out users and killing processes to restricting user access to other systems and assets.

These pre-programmed responses give security analysts and administrators the time they need to perform further investigations into the behavior without relying on their potentially delayed response to the activity.

4. Activity Alerts

Once the EDR system has detected malicious behavior, analyzed it, and taken initial action against the user, it will then notify the security team of the instance and allow them to further address the issue.

While all of this sounds like a long and arduous process, an EDR solution moves through this cycle very quickly.

5. Post-Threat Analysis

Once the threat is dealt with, the security team has revoked access from the user, and they’ve removed whatever processes they attempted to put in place, an EDR will log the data of the attack for analysis purposes.

The best EDR platforms will later use the data to detect future attacks and learn to recognize other patterns over time.
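
The five components above, run as one loop over endpoint events. This is an added Python example, not code from the article or from any EDR product. The event fields, weights, thresholds, time window and response names are assumptions, and the sample telemetry is constructed.

```python
from collections import defaultdict, deque

# Weights per behavior category from the list above (values are assumptions).
WEIGHTS = {"process_launch": 1, "data_copy": 2, "data_manipulation": 2,
           "data_deletion": 3, "security_tool_killed": 5}
# Pre-programmed responses, highest score threshold first (assumed policy).
RESPONSES = [(8, "restrict_access"), (5, "kill_process")]
WINDOW = 60  # seconds of activity correlated per (host, user)

def run_edr(events):
    """Return (alerts, incident_log) for a time-ordered event stream."""
    recent = defaultdict(deque)   # (host, user) -> events inside the window
    alerts, incident_log = [], []
    for ev in events:
        key = (ev["host"], ev["user"])
        window = recent[key]
        window.append(ev)         # detection: record the observed behavior
        # Investigation: drop events older than WINDOW, score what remains.
        while ev["ts"] - window[0]["ts"] > WINDOW:
            window.popleft()
        score = sum(WEIGHTS.get(e["action"], 0) for e in window)
        # Automated response: the highest threshold the score reaches.
        action = next((r for t, r in RESPONSES if score >= t), None)
        if action:
            alert = {"ts": ev["ts"], "host": key[0], "user": key[1],
                     "score": score, "response": action}
            alerts.append(alert)  # activity alert for the security team
            # Post-threat analysis: keep the evidence behind the decision.
            incident_log.append({**alert, "evidence": list(window)})
            if action == "restrict_access":
                window.clear()    # contained: start a fresh window
    return alerts, incident_log

# Constructed sample telemetry (not real logs).
SAMPLE = [
    {"ts": 0,   "host": "lt-01", "user": "alice", "action": "process_launch"},
    {"ts": 5,   "host": "lt-01", "user": "alice", "action": "data_copy"},
    {"ts": 10,  "host": "ws-07", "user": "bob",   "action": "process_launch"},
    {"ts": 12,  "host": "ws-07", "user": "bob",   "action": "security_tool_killed"},
    {"ts": 20,  "host": "ws-07", "user": "bob",   "action": "data_copy"},
    {"ts": 25,  "host": "ws-07", "user": "bob",   "action": "data_deletion"},
    {"ts": 300, "host": "lt-01", "user": "alice", "action": "data_deletion"},
]

if __name__ == "__main__":
    for a in run_edr(SAMPLE)[0]:
        print(a)
```

Alice's scattered, low-weight activity never crosses a threshold, while Bob's burst on ws-07 escalates from killing the process to restricting access; raising or lowering the assumed thresholds trades false positives against false negatives.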

Endpoint Detection and Response (EDR) vs. Anti-Virus vs. Endpoint Protection Platform (EPP)

While the concepts behind these three types of software are similar, their purposes are distinctly different and, as such, their names should not be used interchangeably.

1. Endpoint Detection and Response (EDR)

As we discussed earlier, EDR deals in detecting malicious endpoint behaviors. These solutions are installed on endpoints and are meant to recognize behavior patterns, initiate pre-programmed responses, alert security teams, and catalog the malicious instances for future detection.

2. Anti-Virus

While anti-virus can fall under the capability umbrellas of some EDR systems, traditionally an anti-virus program deals solely with detecting, preventing, and removing viruses from systems and endpoints.

Anti-virus software won’t detect certain behaviors related to phishing, manual privilege escalation, or manual data copying/deleting.

3. Endpoint Protection Platform (EPP)

We mentioned EPP earlier in this piece and it works hand-in-hand with EDR in order to prevent malicious activities from occurring. Modern EPPs use machine learning to develop sophisticated responses to the malicious behaviors detected by an EDR solution.

The best way to think about this is that an EDR is mostly built for recognition and detection, while an EPP is more about prevention and action against malicious processes.

In order to best protect your data and network infrastructures, it is recommended that you build a security structure that uses all three of these tools.

Recently, the single-platform approach has been gaining more and more traction: while EPP and EDR solutions work wonders in their respective fields, a single delivery platform works wonders for cybersecurity as well.

EDR Security Tips and Best Practices

When looking for an EDR solution, make sure you test out the platform and take note of the false positives and false negatives the solution throws up.

1. Accuracy is king

While false negatives indicate that certain security parameters need to be tightened, false positives are exceptionally dangerous because a system that keeps raising them will lead users to find ways to opt out.

Users only care about a fluid user experience and they will do whatever it takes to get that positive experience, even finding ways to deactivate your security controls. Just look at corporate VPNs and how many company breaches occur because a user deactivated their VPN on a public network.

Your EDR can’t hinder the work of your users just because it sees every action as malicious activity. Choose a system with near-zero false positives and always work on tuning your system to prevent as many as possible.

2. Don’t just rely on your EDR without human input

Just as humans are imperfect, so are the machines and software we create. Your EDR solution won’t pick up every single threat to your organization and with the accelerating pace of cyberattacks, it’s up to you to add that human element you’ll need to keep everything in line.

Invest in your security team as well as your EDR by training them on the ins and outs of the system, and they’ll work on improving its detection capabilities.

3. Use EDR to enhance, not replace your existing security infrastructure

In the last section, we ran through the differences between EDR, EPP, and anti-virus and that was to drive home the point that EDR is not a replacement solution for the other two. Don’t look to EDR to be your one-stop shop for endpoint-based security.

You’ll still need the action-based capabilities of an EPP to root out and stop the detected activities and there are plenty of EDR vendors that incorporate anti-virus into their platforms (or work adjacently with your existing anti-virus).

Cybersecurity is a multi-layered effort run by many different tools and EDR is just one component of that effort.

Barbara Ericson
A longtime open source contributor, with extensive experience in DevOps principles and practices. Barbara is especially interested in helping IT businesses and organizations implement DevOps, cloud-native technologies, and open source.