Enterprise Detection and Response
Gartner senior analyst Anton Chuvakin defined the term in 2013 as tools that are primarily focused on detecting and investigating suspicious activities (and traces of such) on end-user devices (hosts/endpoints). The origin of EDR software can be traced back to a specialisation of forensic endpoint software that started providing response capabilities.
Because of this forensic origin, EDR software focuses on detecting and recording activities, storing those records centrally, and providing a centralised information security operations centre (SOC) or other centralised security monitoring infrastructure or department with the capability to search, correlate and locate specific events.
The purpose of this information collection is threefold and depends on the kind of organisation using the EDR solution and its purposes.
- The first is to automatically collect forensic information from the computers on which the agent is installed, in order to support post-event analysis and response after a malware outbreak, malicious activity or policy violation, as part of the incident management process.
- The second is to answer security questions quickly and at scale, thanks to big data platforms that store the events and information from all the endpoints. This allows for threat hunting, that is, actively searching for ongoing malicious activities or policy violations before a security incident is realised, with the purpose of preventing it. For this purpose, the use of artificial intelligence and/or machine learning is becoming common among EDR software providers.
- The third is to mitigate a possible malware outbreak (such as the spread of ransomware), an advanced persistent threat or another security event.
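The fleet-wide questions described above (which binaries are rare across the estate, which endpoints executed a given hash, and where it first appeared) reduce to simple aggregations over the centrally stored events. The following Python is an added illustration, not code from the article or from any EDR product; the event schema (timestamp, host, executable path, SHA-256), the hostnames and the hash values are constructed for the example.

```python
"""Fleet-wide threat-hunting queries over centrally stored endpoint telemetry.
Added illustration; the event schema is an assumption, not any vendor's format."""
from collections import defaultdict
from datetime import datetime

# Constructed process-start events as an EDR back end might store them:
# (timestamp, host, executable path, sha256). Hash values are placeholders.
EVENTS = [
    ("2024-03-01T08:00:00", "ws-01", r"C:\Windows\explorer.exe", "e1" * 32),
    ("2024-03-01T08:00:05", "ws-02", r"C:\Windows\explorer.exe", "e1" * 32),
    ("2024-03-01T08:00:07", "ws-03", r"C:\Windows\explorer.exe", "e1" * 32),
    ("2024-03-01T08:00:09", "ws-04", r"C:\Windows\explorer.exe", "e1" * 32),
    ("2024-03-01T08:01:00", "ws-01", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "c1" * 32),
    ("2024-03-01T08:02:00", "ws-03", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "c1" * 32),
    # A binary seen on a single endpoint, running from a user-writable path.
    ("2024-03-01T09:15:00", "ws-04", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "ab" * 32),
    # A binary that appeared on ws-02 first and on ws-03 half an hour later.
    ("2024-03-01T10:00:00", "ws-02", r"C:\Users\Public\tool.exe", "cd" * 32),
    ("2024-03-01T10:30:00", "ws-03", r"C:\Users\Public\tool.exe", "cd" * 32),
]


def prevalence(events):
    """Map each sha256 to the set of hosts on which it executed."""
    hosts_by_hash = defaultdict(set)
    for _, host, _, sha in events:
        hosts_by_hash[sha].add(host)
    return hosts_by_hash


def hunt_rare_executables(events, max_hosts=1):
    """Hunting heuristic: executables seen on at most max_hosts endpoints.
    Rarity is not proof of malice, but it is where a hunter looks first."""
    image_of = {}
    for _, _, image, sha in events:
        image_of.setdefault(sha, image)
    return sorted(
        (sha, image_of[sha], sorted(hosts))
        for sha, hosts in prevalence(events).items()
        if len(hosts) <= max_hosts
    )


def hosts_with_ioc(events, sha256):
    """Incident scoping: every endpoint on which a given hash executed."""
    return sorted(prevalence(events).get(sha256, set()))


def first_seen(events, sha256):
    """Earliest execution of a hash across the fleet as (host, timestamp), or None."""
    hits = [(datetime.fromisoformat(ts), host) for ts, host, _, sha in events if sha == sha256]
    if not hits:
        return None
    ts, host = min(hits)
    return host, ts.isoformat()


if __name__ == "__main__":
    print("rare:", hunt_rare_executables(EVENTS))
    print("scope of cd..:", hosts_with_ioc(EVENTS, "cd" * 32))
    print("first seen:", first_seen(EVENTS, "cd" * 32))
```

Run on the constructed events, the rarity query surfaces only the single-host `svchost.exe` under a user's Temp directory, the scoping query lists both hosts that ran `tool.exe`, and `first_seen` points at ws-02 as the earliest execution, which is the starting point for a timeline.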
EDR software is generally deployed in an enterprise as an agent on users' client computers (endpoints) and is considered part of an endpoint security strategy. Agents can be installed on servers as well, but this depends on the operating systems supported, which tend to be restricted to those most common on endpoints. However, several traditional anti-virus producers that introduced EDR functionality on top of their existing engines also make EDR functionality available for server computers.
Endpoint Security Management
The main characteristic of EDR software is that it allows EDR managers (usually SOC operators) to perform tasks such as:
- remote forensic data collection: interact with endpoints to retrieve advanced sets of forensic data and capture information related to suspicious events or security incidents;
- endpoint information visibility and remote remediation: access endpoint information and interact with endpoints, for instance by locking down (quarantining) a device to isolate it from the rest of the network and prevent malware from spreading from it, as well as initiating remediation activities, executing scripts and applications, or deploying software on them;
- management of policy exceptions on clients from a central location.
The advantage of having a separate, dedicated security tool that allows security operations centre operators to handle incidents is that endpoint operation is usually performed by a separate, non-security IT team, which operates under different service-level agreements and is not focused on security. Using EDR software, a security team can initiate immediate remediation, for example before a malware infection spreads in the network, without waiting days or weeks for IT to apply a patch. This allows for rapid, automated incident response.
EDR malware protection mechanisms
Since EDR software is well positioned on the computer to detect and identify the behaviour of malicious software, most EDR software now includes anti-malware capabilities; conversely, so-called "next-gen" antiviruses are starting to provide EDR functionality, as evidenced by several antivirus companies purchasing forensic and EDR vendors to integrate their functionality. For these reasons, according to Gartner, a future convergence of EDR and antivirus software can be predicted, with some vendors already doing so since 2016.
The main characteristic of EDR malware protection is its focus on prevention: rather than relying on a known signature for a specific piece of malware, EDR tries to detect zero-day attacks by identifying so-called "IOCs" (indicators of compromise). Therefore, EDR does not generally employ the traditional signature-based detection methods typical of antivirus software. Instead it analyses processes, files, scripts, browser activity, credential usage, endpoint configuration and registry changes, documents, applications and command-line executables, trying to identify behaviour that matches a malicious intent, that is out of the ordinary for the business processes usually executed on the computer on which the agent is installed, or that has been flagged by the EDR operators.
EDR may also be able to detect so-called "fileless threats" or "malware-free hacking", that is, scripts and commands that produce malicious behaviour or policy violations without requiring a file to be written to disk, and that are therefore often not detected by traditional antivirus. Such attacks are also called advanced persistent threats (APTs). An EDR is also expected to be able not just to quarantine a file, like a traditional antivirus, but also to kill running malicious processes in order to return the endpoint to a safe state.
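To make the contrast between signature-based and behaviour-based detection concrete, including the fileless case where nothing is written to disk and the response step of killing a process, here is an added Python illustration; it is not code from the article or from any EDR vendor. The process-event schema, the rule names, the "known-bad" hash, the hostnames and the sample command lines are all constructed, and the encoded command carries a harmless `Write-Output` string.

```python
"""Signature matching versus behaviour-based detection over constructed
process telemetry. Added illustration; not any EDR product's logic."""
import base64
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    pid: int
    image: str          # path of the executable that started
    parent_image: str   # path of the process that launched it
    cmdline: str
    sha256: str


# Constructed "signature": the hash of one known sample (placeholder value).
KNOWN_BAD_SHA256 = {"deadbeef" * 8}

# Behaviour rules: an Office application launching a script host, and an
# encoded PowerShell command line. Neither needs a file on disk to fire.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAGS = {"-enc", "-encodedcommand"}

# Harmless encoded payload so the rule and the decoder have something to act on.
_BENIGN_ENC = base64.b64encode("Write-Output sample".encode("utf-16-le")).decode()

OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
EVENTS = [  # constructed sample telemetry
    ProcessEvent("ws-01", 4100, r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", "notepad.exe report.txt", "aa" * 32),
    # Fileless: Word spawns PowerShell with an encoded command; nothing is written to disk.
    ProcessEvent("ws-02", 5200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 OFFICE16 + r"\WINWORD.EXE", "powershell.exe -enc " + _BENIGN_ENC, "bb" * 32),
    # Known sample: the hash is on the signature list.
    ProcessEvent("ws-03", 6300, r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 r"C:\Windows\explorer.exe", "update.exe", "deadbeef" * 8),
    # Same behaviour as on ws-02 but a different binary and hash: a signature cannot see it.
    ProcessEvent("ws-04", 7400, r"C:\Windows\System32\cmd.exe",
                 OFFICE16 + r"\EXCEL.EXE", "cmd.exe /c powershell -EncodedCommand " + _BENIGN_ENC, "cc" * 32),
]


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def signature_match(ev):
    """Traditional antivirus-style check: is this exact file hash known bad?"""
    return ev.sha256 in KNOWN_BAD_SHA256


def behaviour_match(ev):
    """Behaviour-based check: names of the rules that fire on this event."""
    hits = []
    if _basename(ev.parent_image) in OFFICE_APPS and _basename(ev.image) in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if any(tok.lower() in ENCODED_FLAGS for tok in ev.cmdline.split()):
        hits.append("encoded_powershell_command")
    return hits


def decode_encoded_command(cmdline):
    """Recover the plaintext behind -enc/-EncodedCommand (base64 of UTF-16LE) for the analyst, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def plan_response(ev):
    """Beyond file quarantine: kill the offending process, and isolate the
    host when the signature confirms a known sample."""
    actions = []
    if signature_match(ev) or behaviour_match(ev):
        actions.append(("kill_process", ev.host, ev.pid))
    if signature_match(ev):
        actions.append(("isolate_host", ev.host))
    return actions


def triage(events):
    """Per-host verdicts showing what each detection approach sees."""
    return {ev.host: {"signature": signature_match(ev), "behaviours": behaviour_match(ev),
                      "decoded": decode_encoded_command(ev.cmdline), "response": plan_response(ev)}
            for ev in events}


if __name__ == "__main__":
    for host, verdict in triage(EVENTS).items():
        print(host, verdict)
```

The ws-03 event is the only one a hash signature catches; the ws-02 and ws-04 events have nothing on disk to hash and different executables, yet the same parent-child and command-line rules fire on both, which is the point of the behavioural approach. Recording the decoded command alongside the event is what turns an alert into something an operator can triage.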
One of the key characteristics of EDR software is that it should perform its monitoring without interfering with users' activity. Since it needs to observe behaviour, correlate it with known good and bad activity and "learn" from the observation, a "detonation first" approach is often employed: executables and files are opened in a controlled way while their behaviour is observed. This is the opposite of a typical antivirus, which blocks the file and does not make it available to users until the scan is completed. The EDR approach is therefore less obtrusive to users. According to Gartner, one of the most important features of EDR is to work with, and not interfere with, antivirus software.
While in theory the EDR malware detection mechanism is useful for detecting zero-day attacks, and some vendors claim that this approach may replace antivirus completely, it has sometimes been observed to be prone to false positives. Conversely, where false positives are not an issue, the malware detection rate may not be excellent. Finally, where functionality is impeccable, the price tends to soar compared to traditional anti-virus.
For those and other reasons, some analysts such as Gartner observe that EDR solutions "remain very complex to operate", "typical organizations that face normal budget and staffing challenges are ill prepared to leverage and maximize the benefits of EDR solutions by themselves", and "organizations with low maturity endpoint maintenance and management programs experience higher EDR workloads".
Currently, for small to medium organisations, it seems that the greatest benefits from EDR are reaped when it is deployed and managed by managed security service providers (MSSPs), which are also the ones pushing their clients to adopt the technology.
Another typical critique of EDR is that the automated remediation features promoted by some vendors are generally considered unreliable, and therefore paying for automated remediation capabilities may not be worth the spend.
- Antivirus and rise of next-gen
- Internet security
- Quarantine (computing)
- Timeline of computer viruses and worms
- "Named: Endpoint Threat Detection & Response". Gartner Blog Network.
- "What's endpoint detection and response (EDR) and when should you care?". Expel.
- "Endpoint Detection and Response (EDR): Everything You Need to Know". Varonis.
- "What is Endpoint Detection and Response? A Definition of Endpoint Detection & Response". Digital Guardian.
- "EDR, Benefits, Concerns and Issues". Gartner Research.
- "Trend Micro Endpoint Sensor". Trend Micro.
- "Roadmap for Improving Endpoint Security". Gartner Research.
- "Report: Microsoft to buy security firm Hexadite for $100M as Cloudyn still in progress". Techcrunch.
- "Skout Forensics acquired by Cylance". Crunchbase.
- "FireEye Computer Security Firm Acquires Mandiant". The New York Times.
- "EMC acquires NetWitness, combines with RSA". ZDNet.
- "Savant Protection acquired by Digital Guardian". Crunchbase.
- "Market Guide for Endpoint Detection and Response Solutions". Gartner Research.
- "enSilo Becomes First Data Protection Platform to Combine Real-Time EPP & EDR into One Effective Security Solution". Ensilo.
- "EDR Mud Fight: Kernel or Userland?". Gartner Blog.
- "CrowdStrike Falcon Certified as Legacy AV Replacement". Crowdstrike/AV Comparatives.
- "Here's why the scanners on VirusTotal flagged Hello World as harmful". CSO online.
- "Anti-Virus Comparative: Comparison of 'Next-Generation' Security Products 2016" (PDF). AV-Comparatives.
- "AV Comparatives - Consumer Test Charts Report". AV Comparatives.
- "Product Information - Carbon Black Cb Defense". SC Magazine.
- "EDR — Benefits, Concerns and Issues". Anton Chuvakin, Gartner Blog Network.
- "Managed Endpoint Detection and Response (EDR) Market: Key Trends". MSSP Alert by ESG Global.
- "MSSP is/and/or/vs MDR?". Anton Chuvakin, Gartner Blog Network.
- "Using EDR for remediation?". Anton Chuvakin, Gartner Blog Network.
This article "Enterprise Detection and Response" is from Wikipedia. The list of its authors can be seen in its history and/or on the page Edithistory:Enterprise Detection and Response. Articles copied from the Draft namespace on Wikipedia can be found in the Draft namespace of Wikipedia, not the main one.