Endpoint Detection and Response (EDR): What You Need to Know
Learn more about EDR and securing your endpoints.
A number of recent high-profile cybersecurity incidents have targeted endpoints that serve as points of communication with and access to corporate networks. Endpoints can be physical devices such as laptops or they can be URL paths from which third parties communicate with APIs. The 2018 Panera Bread data breach occurred when an unauthenticated API endpoint exposed the details of millions of customers in plain text.
In this article, you will find out about an emerging type of cybersecurity technology named endpoint detection and response (EDR) that evolved from a need to better protect against attacks on endpoints. You will find out what EDR is, why it’s important in modern cybersecurity, and how it works. You’ll also get some pointers on what to look out for in an EDR solution or service.
What Is EDR?
EDR is a type of security solution that provides real-time visibility into suspicious endpoint activities by continuously monitoring, recording, and storing endpoint data. EDR software can automatically trigger alerts for further investigation when it notices suspicious activity. Using the data, security teams can also manually detect, investigate, and proactively respond to a range of advanced cyber threats that target network endpoints.
Why Is EDR Important?
As the rewards for successful attacks become more lucrative, cybercriminals are using a range of advanced threats and custom malware to bypass standard cybersecurity toolkits. The traditional method for detecting malware uses a signature-based approach that compares a file's signature (a hash or a characteristic byte pattern) against huge databases of known malware.
However, signature-based technology is insufficient to deal with advanced malware that can strike and cause damage rapidly, or even alter its own signature to evade detection. EDR solutions are important because they provide behavior-based threat detection. Instead of matching file signatures, behavior-based solutions provide proactive threat intelligence based on the activities, events, and interactions observed on or with systems.
Improving endpoint security is imperative because endpoints are where attacks begin infiltrating a network. EDR technology is an integral part of that effort because its behavior analysis can help detect and stop cyber attacks before they wreak havoc on an organization's network.
A 2019 industry survey found that 76 percent of respondents see endpoint security becoming more important in the future. This finding seems to agree with Gartner’s prediction of 45.3 percent annual growth in the EDR market from 2015 to 2020.
Furthermore, the scope for endpoint attacks is growing as the number of endpoints increases. Employees now frequently have the option to work from home or bring their own devices to work that can access internal networks. Each of these endpoints opens up more opportunities for malicious cyber attacks and data breaches.
Whatever statistic or report you look at, it’s clear EDR security solutions must become central to the cybersecurity toolkits deployed by both corporations and government organizations.
How EDR Solutions Work
EDR solutions, like those provided by Cynet, FireEye, and Carbon Black, work by monitoring events on network endpoints and establishing a baseline level of normal use. The EDR tool continuously monitors for anomalies in patterns of use that can indicate suspicious user or device activity. Endpoint data is stored, enriched, and consolidated in a database, ready for analysis and investigation of suspicious activity.
An EDR solution traces the path of a potential or ongoing cyber attack from the initial endpoint through its attempts to proliferate to other hosts or devices on the network. EDR can track the path of attacks by consolidating large volumes of endpoint data into narrow categories called “MalOps”. You can find out the when, how, and why of any endpoint incident.
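The two ideas above (signature matching versus a behavior baseline, and consolidating raw endpoint events into one attack timeline) are easier to see on concrete telemetry. The following is an added example, not code from the article or from any EDR vendor: the event schema, host names, hashes and the "MalOp"-style grouping in `build_incident` are all constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Constructed telemetry (not vendor data): one process-creation event per spawned pid.
Event = namedtuple("Event", "host t ppid pid parent child sha256")
BASELINE_EVENTS = [  # baseline: what normal use on the fleet looks like
    Event("ws-01", 1, 100, 201, "explorer.exe", "winword.exe", "h-word"),
    Event("ws-01", 2, 100, 202, "explorer.exe", "chrome.exe", "h-chrome"),
]
# New telemetry: a document spawns a shell, which then runs a dropped binary.
NEW_EVENTS = [
    Event("ws-01", 10, 100, 300, "explorer.exe", "winword.exe", "h-word"),
    Event("ws-01", 11, 300, 301, "winword.exe", "powershell.exe", "h-ps"),  # fileless: legitimate binary
    Event("ws-01", 12, 301, 302, "powershell.exe", "updater.exe", "h-BAD"),
    Event("ws-01", 13, 100, 303, "explorer.exe", "chrome.exe", "h-chrome"),
]
KNOWN_BAD_HASHES = {"h-BAD"}  # placeholder for a signature database

def signature_hits(events, bad_hashes):
    # Signature approach: only files whose hash is already known bad are flagged.
    return [e for e in events if e.sha256 in bad_hashes]

def build_baseline(events):
    # Behavior baseline: the set of child processes each parent normally spawns.
    seen = defaultdict(set)
    for e in events:
        seen[e.parent].add(e.child)
    return seen

def behavior_hits(events, baseline):
    # Behavior approach: flag parent -> child pairs never seen during normal use.
    return [e for e in events if e.child not in baseline.get(e.parent, set())]

def build_incident(seed, events):
    # Consolidate one anomaly with its ancestors and descendants on the same host
    # into a single timeline, the kind of grouping the article calls a "MalOp".
    created = {e.pid: e for e in events if e.host == seed.host}  # pid -> spawning event
    children = defaultdict(list)
    for e in created.values():
        children[e.ppid].append(e)
    incident, cur = [seed], seed
    while cur.ppid in created:                       # walk up: how did we get here?
        cur = created[cur.ppid]
        incident.append(cur)
    todo = list(children[seed.pid])                  # walk down: what did it spawn?
    while todo:
        e = todo.pop()
        incident.append(e)
        todo.extend(children[e.pid])
    return sorted(incident, key=lambda e: e.t)
```

On this input the signature check flags only the dropped `updater.exe`, while the baseline comparison also catches the fileless `winword.exe -> powershell.exe` step, and `build_incident` ties both to the document that started the chain.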
This level of insight into the techniques, goals, and tactics of cybercriminals is invaluable in preventing future attacks of a similar nature. Organizations that use EDR can expect better protection against threats such as fileless attacks, zero-day exploits, advanced persistent threats, and stolen user credentials.
What to Look for in an EDR Solution
EDR solutions typically differ in some respects across vendors. However, there are some main features you should look out for when shopping around, including:
- Integration — a good EDR solution should be able to integrate with other tools in your cybersecurity suite.
- Expertise required — make sure you know exactly what level of expertise is needed for your security team to get the most value out of an EDR solution. Some EDR vendors provide fully managed solutions while others need endpoint data analytics knowledge to identify threats.
- Level of visibility — the point of using an EDR solution is to get comprehensive visibility into endpoint activity. Look out for details such as the types of activities recorded and how the solution performs when endpoints disconnect from the corporate network.
- OS support — can the EDR solution support all operating systems and their variants used on endpoints across your organization?
- Infrastructure costs — what will it cost to get up and running with an EDR solution? Are upgrades needed to your network, software, or hardware to support the use of this type of solution? Do you need to manage hardware? What are the bandwidth requirements for the tool?
- Endpoint impact — look out for the performance impact of running an EDR solution on your endpoint hardware or operating systems. Ask for statistics on CPU and memory usage.
EDR uses a proactive approach to improve cybersecurity at organizations. EDR solutions provide valuable visibility into endpoint data, along with threat intelligence that can improve future incident detection and response. With its advanced data consolidation capabilities, EDR can save your IT security teams time when investigating incidents.
Opinions expressed by DZone contributors are their own.