What Is EDR?

 


Endpoint detection and response, or EDR, refers to a category of tools used to detect and investigate threats on endpoint devices. EDR tools typically provide detection, analysis, investigation and response capabilities.

EDR tools monitor events generated by endpoint agents to look for suspicious activity, and the alerts they create help security operations analysts identify, investigate and remediate issues. EDR tools also collect telemetry data on suspicious activity and may enrich that data with other contextual information from correlated events. Through these functions, EDR is instrumental in shortening response times for incident response teams.

EDR has become a critical component of the endpoint security toolkit as endpoints have become more vulnerable targets for cyberattackers. Trends such as the internet of things and the increase in mobile and remote workers have made endpoints popular entry points for cybercriminals to launch sophisticated attacks on individuals or organizations.

The key capabilities of EDR include:

  • Aggregation of endpoint data.
  • Malware analysis.
  • Behavioral analysis – the ability to connect a chain of seemingly benign events to uncover suspicious behavior.
  • Data correlation/enrichment.
  • Correlation of related alerts into incidents.
  • Prioritization based on the confidence and severity of incidents.
  • Investigation tools that provide an alert management workflow, integrated with ticketing systems to enable incidents to be assigned, transferred, annotated and resolved.
  • Click-down attack chain visualization tools to allow investigators to pivot.
  • Querying activity across multiple cybersecurity tools, including messaging, web, endpoint and network.
  • Automated, integrated analysis with a sandbox.
  • Remediation, including network isolation, file quarantine, file removal, reimaging, process killing and behavior blocking.
  • Automated response/remediation workflows based on policies or predefined playbooks.
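
The behavioral analysis, correlation and prioritization capabilities listed above can be illustrated with a small added example, which is not code from this page or from any EDR product. The event fields, process lists, host names and severity thresholds are assumptions chosen for illustration, and the telemetry is constructed.

```python
from collections import defaultdict

# Constructed sample telemetry (hypothetical schema): one dict per endpoint agent event.
EVENTS = [
    {"host": "ws-01", "pid": 100, "ppid": 1,   "type": "process_start", "image": "winword.exe"},
    {"host": "ws-01", "pid": 200, "ppid": 100, "type": "process_start", "image": "powershell.exe"},
    {"host": "ws-01", "pid": 200, "ppid": 100, "type": "net_connect",   "dest": "203.0.113.10:443"},
    {"host": "ws-01", "pid": 200, "ppid": 100, "type": "file_write",    "path": "C:\\Users\\a\\AppData\\x.exe"},
    {"host": "ws-02", "pid": 300, "ppid": 1,   "type": "process_start", "image": "powershell.exe"},
    {"host": "ws-02", "pid": 300, "ppid": 1,   "type": "net_connect",   "dest": "198.51.100.7:443"},
]

# Assumed lists for this example only.
DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}

def correlate(events):
    """Link events per (host, pid) and raise an incident only when several
    individually benign behaviours occur in the same process chain."""
    image, parent = {}, {}           # (host, pid) -> image name / parent pid
    seen = defaultdict(set)          # (host, pid) -> behaviour labels observed
    for e in events:
        key = (e["host"], e["pid"])
        if e["type"] == "process_start":
            image[key], parent[key] = e["image"], e["ppid"]
        elif e["type"] == "net_connect":
            seen[key].add("outbound_connection")
        elif e["type"] == "file_write" and e["path"].lower().endswith(".exe"):
            seen[key].add("wrote_executable")
    incidents = []
    for key, img in image.items():
        if img not in SCRIPT_HOSTS:
            continue
        signals = set(seen[key])
        # Enrichment: look up the parent process on the same host.
        if image.get((key[0], parent[key])) in DOC_APPS:
            signals.add("spawned_by_document_app")
        if len(signals) >= 2:        # a single signal is treated as benign
            severity = "high" if len(signals) >= 3 else "medium"
            incidents.append({"host": key[0], "pid": key[1],
                              "signals": sorted(signals), "severity": severity})
    return incidents

if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
```

The script interpreter on ws-02 makes an outbound connection but shows no other signal, so it produces no incident, while the same interpreter on ws-01 is escalated because of its parent process and the executable it wrote.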

The Evolution of EDR Is XDR

Traditional EDR tools focus only on endpoint data, providing limited visibility into suspected threats. This can result in missed detections, increased false positives and longer investigation times. These shortcomings compound the challenges many security teams already face, including event overload, skills shortages, narrowly focused tools, a lack of integration and too little time.

XDR is a new approach to threat detection and response. The “X” stands for any data source, such as network, cloud and endpoint sensors. XDR systems use heuristics, analytics, modeling and automation to stitch together and derive insight from these sources, increasing security visibility and productivity compared to siloed security tools. The result is simplified investigations across security operations, reducing the time it takes to discover, hunt, investigate and respond to any form of threat.
