Endpoints – the laptops, workstations, and other devices we use on a daily basis – are an easy target for attackers. They’re everywhere, prone to security vulnerabilities, and difficult to defend. 2017’s WannaCry attack, for example, is reported to have affected more than 230,000 endpoints across the globe. Endpoint Detection and Response (EDR) is a fast-growing category of solutions that aim to provide deeper capabilities than traditional anti-virus and anti-malware solutions.
From Advanced Persistent Threats (APTs) to fileless malware, organizations today face a range of cyberthreats that legacy security products simply miss. Attackers have become highly adept at outmaneuvering signature-based protections like anti-virus software and Intrusion Detection Systems (IDS). Every device that connects to a network is a potential attack vector for cyberthreats, and the rising popularity of mobile devices and remote work erodes the effectiveness of perimeter-based defenses like firewalls.
EDR security solutions couple large amounts of data captured from each endpoint with contextual analysis to detect elusive threats that may never have been seen before. Most EDR solutions use baselining and behavioral analysis to spot potentially suspicious activity, and many can even respond to events in real-time.
In contrast to other solutions, endpoint detection and response is often most valuable during and after a breach. The highly detailed information available in EDR platforms allows security teams to uncover how a threat evaded existing defenses. Real-time alerts from the EDR solution can help an organization spot the early stages of an attack and take action to prevent a full-blown data breach. If a breach does occur, the capabilities offered by such platforms greatly aid investigation and remediation efforts.
How Does EDR Work?
Endpoint Detection and Response is often compared to the flight data recorder or “black box” found on commercial aircraft, and for good reason. Just as a black box continually collects telemetry from an airplane’s flight systems, EDR platforms are constantly ingesting data from endpoints in the form of event logs, authentication attempts, running applications, and more. The details may vary between different vendors, but in general EDR security solutions operate as follows:
- Telemetry is ingested from endpoints
- Data is correlated and analysed
- Threats are detected across multiple data sources
- Suspicious activity is flagged and responded to
- Automated workflows can be triggered based on events
- Data is retained according to industry compliance requirements
- Incident response capabilities are provided