What is Endpoint Detection and Response (EDR)?
Endpoint detection and response, better known as EDR, is a security technology that continually monitors an "endpoint" to mitigate malicious cyber threats.
The Rise of EDR Tools
Cybersecurity is littered with initialisms, of which Endpoint Detection and Response (EDR) has become one of the most commonly cited. The popularity of the term and the technology behind it is vast – run a search on EDR and it’ll return 66 million pages on Google alone. Estimates of the annual spend on EDR systems vary, but all agree the market is growing rapidly, with Mordor Intelligence predicting it will reach $6.7 billion per annum globally by 2026, up from $1.7 billion in 2020.
Unfortunately for buyers seeking clarity, EDR is not the only term vying for their attention in this space. Endpoint Protection Platforms (EPP), Extended Detection and Response (XDR), Network Detection and Response (NDR), and Managed Detection and Response (MDR), all inhabit the same broad area of the market comprising overlapping technologies designed to monitor and protect endpoint devices.
These labels beg deeper questions: how does EDR differ from other technologies, and are all the products that have adopted the term to describe themselves equally advanced? A case in point is the use of AI and data analysis by vendors such as SenseOn, which points to a world of predictive, automated cybersecurity which is significantly more advanced than even the best EDR tools available today.
But before tackling these questions, it’s worth explaining what EDR is, the problems it is designed to solve, and finishing by discussing some of the limitations that continue to plague the current designs.
EDR’s Origins
To dig deeper into EDR it’s worth travelling back to when Gartner analyst Anton Chuvakin coined it as “endpoint threat protection and response” in 2013 to describe the capabilities of a new generation of endpoint security technology he saw emerging at that time.
Chuvakin noticed that endpoint and network security was changing rapidly from the idea of merely detecting individual pieces of malware towards a more proactive model based on hunting for and remediating threats in advance using sophisticated, centralised analysis systems.
EDR, then, was not a single technology but an updated approach to the problem of device compromise at a time when the complexity of attacks had stepped up a level.
How Do EDR Tools Work?
Very broadly, EDR is a centralised system for detecting and responding to threats in real time that uses automation to ease the extra workload this entails. The principle of EDR is to give defenders a lot of visibility into what is happening on the endpoint, turning endpoint agents into an advanced surveillance system. All EDRs will have most of the following characteristics in some combination:
- EDR agents running on endpoints (PCs, servers, mobile devices) monitor devices for anomalous events that might indicate infection or compromise.
- Devices that can’t run agents (printers, IoT, industrial control) are monitored byusing inspecting their traffic, often by way of a direct network TAP /SPAN appliance.
- Multiple events are correlated between different endpoints using machine learning, giving defenders a comprehensive picture of how suspicious events relate to one another.
- Because the number of potentially suspicious events might quickly saturate operators, EDRs filter and prioritise alerts and in so doing make it easier to respond effectively.
- Where events unfold too quickly for human intervention, some responses (for example, endpoint isolation) are scripted using automation routines known as playbooks.
- EDRs allow organisations to conduct retrospective forensic examinations that can be used to feed data back into threat intelligence systems.
- Automated EDR remediation makes it possible to quickly reinstate systems that have been infected, aiding a quick recovery from attacks.
EDRs increasingly offer machine learning analysis to cope with the increased data demands.
How Are EDR Tools Different from EPP?
Although they sometimes overlap with EDR, endpoint protection platforms often represent an older generation of technology that added new security capabilities to traditional anti-virus technology. The latter detected malware by scanning and matching files to known hashes.
To this EPP added the ability to sandbox and execute suspicious files to assess their threat, the ability to block communication with unknown IPs, and the ability to detect unusual file access (for example, by ransomware). EPP systems also have the ability to scan files against larger cloud-based databases of signatures.
In short, a mixture of anti-virus, data protection, and PC-level firewalling with centralised monitoring of some anomalous behaviours. Importantly, EDR and EPP are not mutually exclusive – organisations using EDR will still use EPP software of varying degrees of sophistication as an extra barrier, for example Microsoft’s Defender system that ships with Windows.
The main difference between EDR and EPP is one of focus. An EPP operates as the first line of detection while an EDR is oriented towards hunting for threats that have bypassed the EPP layer. To do this, it must examine a wider field of data.
What About XDR, NDR and MDR?
The newer term extended detection and response (XDR) is not always clearly defined, but the clue to its meaning is the word extended. An XDR system can be thought of as an EDR system which also processes data from systems beyond the endpoint, for example the cloud, SIEM systems, applications such as email, and from deeper traffic insights provided through Network detection and Response (NDR). As with EDR, the analytics engine correlates events but does so from a wider number of inputs.
However, XDR isn’t just about adding additional data sources. One of the problems with modern security is that each security layer, including EDR, can quickly turn into another silo with its own console.
Over time, this leads to fragmentation and the risk of blind spots between the different systems. Defenders think they are seeing everything and yet there are gaps. That requires another system to fill the visibility gap and so complexity accelerates. The claim of XDR is to break down these artificial divisions while still keeping the endpoint at the centre of the detection puzzle.
Managed Detection and Response (MDR) turns the principles of EDR and XDR into a fully managed service using a mixture of open source tools, security operations centre (SOC) experts, and a proprietary platform that knits these elements into a consistent experience. Some MDRs are fully managed while others pass alerts to customers to act on their own behalf.
Why EDR Tools Are Necessary
One of the cybersecurity lessons of the last thirty years is that endpoints remain a favoured target for cybercriminals.
There are simply too many endpoints to defend easily and as they have become more complex and diverse their vulnerability has multiplied. Meanwhile, the way endpoints are targeted continues to evolve, for example the appearance of fileless malware which significantly increases the challenge of detecting attacks because it avoids interacting with the filesystem.
It is highly unlikely this will change – monitoring and defending endpoints, including unmanaged IoT and remote devices, is a problem for the ages. Defending endpoints against sophisticated, targeted malware was always going to require better integration of detection systems. The evolution of EPP into the deeper endpoint monitoring of EDR was an acknowledgement of this reality.
The Limitations of EDR Tools
While EDR is more advanced than EPP, it is not a magic shield against cyberattacks. For example:
- The principle that underpins EDR is that more data equals better detection. But as more data is fed into analysis, the risk of data overload grows. Data processing and storage requirements expand which means that EDRs can struggle to scale. The proliferation of endpoints and cloud applications exacerbates this problem.
- EDR and even XDR have become marketing terms used in a loose way to signal a suite of capabilities which might on closer inspection differ in important ways. There are a lot of EDRs around and telling one from the other from the outside can be a challenge.
- Not all EDR systems can effectively monitor IoT equipment where an agent can’t be loaded. This can slow mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR).
- EDRs have been accused of suffering from the same issues that have plagued previous security systems – too many alerts, increased management overhead, and the difficulty detecting novel, unknown threats.
- Despite the promise to integrate detection, it’s less clear that EDR reduces ownership costs. If the system has weak automation and analysts must field a higher number of alerts to make decisions, the management overhead can quickly rise.
SenseOn – Going Beyond EDR Tools
To customers, the market can often appear to be overcrowded with tools that do the same job in slightly different ways. There is also a worry that EDR will become another layer on top of the tools already being used. This can be summed up in three words – fragmentation, complexity, and cost. In combination, these gradually erode an organisation’s security architecture from within.
Too many tools leads to fragmentation, which multiplies the number of consoles defenders must use to monitor security. Even when consoles are integrated, this can sometimes hide deeper limitations in the way they share data. These issues in turn create hidden complexity, a higher alerting burden, and the sort of management overhead that becomes a drag on staff productivity.
How does SenseOn address these problems?
SenseOn is a revolutionary new approach to endpoint security. Unlike traditional security solutions, SenseOn unifies the technologies required to successfully stop breaches and respond to cyber threats, providing you with everything you need to efficiently and effectively protect your environment – all in a single, lightweight, rapidly deployed software solution. The SenseOn platform significantly increases the accuracy of alerts and dramatically reduces false positives.
Network and endpoint coverage
As opposed to a standalone endpoint protection platform, NDR or EDR solution, SenseOn’s universal sensor provides deep correlated visibility of all endpoint traffic (including users and processes both on and off the corporate network or VPN), all network traffic and across cloud infrastructure, within a single piece of software.
SenseOn captures telemetry from across multiple layers of the security stack and surfaces all correlated data for threat investigation, enabling rapid detection of vulnerability exploitations.
With SenseOn’s Universal Sensor, IT teams can eliminate the need for complex security stacks and gain total visibility into the entirety of their digital estate.
Multiple capabilities in one
SenseOn unifies multiple capabilities (including network, endpoint and central management, threat detection and response) in a single platform.
Not only does this significantly reduce the time that cybersecurity analysts at organizations spend trying to manually correlate data sets to perform root cause analysis, it also reduces the costs of pulling network traffic flow logs and data ingestion costs of a SIEM.
Above all, the correlated end-to-end visibility provided by the SenseOn platform is used to drive detection capabilities and greatly improve threat detection accuracy and speed. SenseOn enables a single pane of glass view across the estate to provide analysts with the crucial context needed to assess the breadth and severity of threats as they come in, in a single data format.
Threat intelligence
SenseOn is the first and only cybersecurity solution to be able to perform deep packet inspection at the endpoint, all across the network through a single piece of software, enabling the detection of advanced threats across any infrastructure, including multi-public cloud, virtualized infrastructure, containers, remote workers and on premise infrastructure.
With SenseOn, security teams can now create meaningful and detailed network maps to gain visibility into their entire organization’s posture. By searching for suspicious patterns and anomalies, analysts can detect threats before they impact the business.
With SenseOn, security analysts can focus on the events that matter to them most through easy-to-use query templates, data summarisation and rich visualisations. SenseOn is an AI powered platform that scales to any size, enables security analysts to hunt for threats across multiple silos in real time, and helps teams find threats in minutes instead of weeks.
Automated response
SenseOn’s live incident response service enables analysts to quickly respond and remediate or contain threats, without any direct interference on the network infrastructure, providing an ability to stop and eliminate live attacks in real time.
SenseOn’s mission is to proactively protect, with our immediate threat response, forensic level investigations and complete incident reduction acting to reduce business risk and sustain a zero breach environment.