Endpoint Detection and Response (EDR): Everything You Need to Know

Endpoints are a favorite target of attackers – they’re everywhere, prone to security vulnerabilities, and difficult to defend. 2017’s WannaCry attack, for example, is reported to have affected more than 230,000 endpoints across the globe.

What is Endpoint Detection and Response (EDR)?

Endpoint detection and response (EDR) platforms are solutions that monitor endpoints (computers on the network, not the network itself) for suspicious activity. Coined by Gartner analyst Anton Chuvakin in 2013, EDR solutions focus on end-user devices – laptops, desktops, and mobile devices.

EDR solutions provide visibility and monitoring for suspicious activity like malware and cyberattacks on those end-user devices.

Why is EDR Important?

Every device that connects to a network is a potential attack vector for cyberthreats, and each of those connections is a potential entry point to your data. With the rise of BYOD (bring your own devices), mobile attacks and sophisticated hacking techniques have only increased your risk of data breaches.

EDR solutions help protect those points of entry into your network by monitoring your endpoints for many modern threats that anti-virus software is unable to detect.

EDR solutions can help monitor and protect against Advanced Persistent Threats (APT), which often use malware-free hacking techniques and security vulnerabilities to gain access to a network. Older anti-virus software is able to detect malware only when there is a matching signature, and is unable to determine that an attacker has access to a computer just by monitoring their activity.

Endpoint security is not just an enterprise tool: there are consumer versions of EDR out there these days as well. A few differences in how endpoint security differs for consumers and enterprises include:

• Remote management and central storage:
  • Enterprises typically provide remote management options so security administrators can configure the appropriate settings. Each endpoint sends audit data to a central repository for audit and analysis.
  • Consumers don’t need the same centralized administration.
• Auto-updates vs. distributed patches:
  • Enterprises need to adhere to change management processes, which requires the enterprise to distribute patches during those windows.
  • Consumers usually allow the EDR to auto-update per the vendor’s release schedule.

9 Elements of EDR Solutions

Endpoint detection and response solutions can have a range of features – but there are a set of core elements that are essential to EDR:

1. Console Alerting and Reporting: A role-based console that provides visibility into the organization’s endpoint security status
2. EDR Advanced Response: Advanced analysis and response capabilities of EDR solutions, including automation and detailed forensics about security incidents
3. EDR Core Functionality: The capability to detect and report on security threats and vulnerabilities on the endpoint
4. EPP Suite: Basic functionality that was available in the previous generation of endpoint security software including anti-malware, anti-phishing, and anti-exploit capabilities
5. Geographic Support: An EDR vendor’s capability to support a global enterprise – because information security is mission critical
6. Managed Services: The EDR’s ability to feed data to a Managed Security Service or Managed Detection and Response vendor to further augment the security team’s capabilities
7. OS Support: In order to be effective, an EDR needs to support all of the operating systems in use by your organization,
8. Prevention: It’s not enough to simply detect a threat – effective EDRs need to provide preventative measures as well, to help mitigate and enable teams to take action.
9. Third-Party Integration: A comprehensive data security strategy often requires integrating with multiple products: EDRs should have APIs or built-in integrations with other solutions to complement and deliver on a layered security approach.

Endpoint Security vs. Anti-Virus Software

As noted in the list above, anti-malware is still a key component of EDR solutions. Older generations of anti-virus software detect threats by a signature, needed in advance in order to be able to detect the malware. The next generation of EDR solutions includes predictive analysis and advanced threat detection to better protect users.

Additional features found in EDR solutions that are not included in traditional AV solutions include:

• Malware removal based on matching signatures and analytics
• Antispyware protection
• Local firewall
• Intrusion detection and intrusion prevention warning systems
• Application control and user management
• Data control, including portable devices
• Full Disk Encryption
• Data Leak Prevention
• Application Whitelisting

While an EDR solution protects the endpoints on your network, they’re limited in what type of activity they can monitor and limited in what type of malware or cyberattacks they can detect. Varonis is designed to protect enterprise data from zero-day attacks beyond the endpoint – putting perimeter telemetry in context with file activity and user behavior from your core data stores.

Some behaviors that might look normal on an endpoint – a user logging in with a valid user and password, for example – wouldn’t necessarily raise a red flag with an EDR alone. However, that login event might be suspicious if it logs in from multiple locations within a short time. Varonis DatAlert and Edge analyze file activity, user events, and perimeter telemetry to identify abnormal behavior with added context: so that even seemingly harmless activity is considered in context to get the bigger picture.

See how EDR and Varonis can work together – click here for a 1:1 demo and see how a layered security strategy works in your environment.