What is EDR?
Endpoint Detection and Response (EDR) is security software that detects threats on the end-user devices (endpoints) in an organization. Among the many categories of security products, EDR is the one built around continuous telemetry collection from endpoints, used to identify, investigate and contain threats such as malware and ransomware.
EDR technology is also sometimes referred to as endpoint detection and threat response (EDTR).
EDR agents collect telemetry from endpoints (process, file, registry, network and user activity) as part of threat monitoring, and the EDR backend can correlate that data across the whole infrastructure and with data from other tools and applications. That combination of detection and attack context is what makes EDR both a strong threat-protection technology and a formidable endpoint security control.
EDR Security: Definition, History, and Fundamental Purpose
The term was coined in 2013 by Gartner’s Anton Chuvakin, who defined EDR as endpoint tooling deployed to:
- Record and store endpoint system-level behaviors
- Use various data analytics techniques to detect suspicious system behavior
- Provide contextual information
- Block malicious activity
- Provide remediation options in response to threats to restore affected systems
EDR is a class of endpoint monitoring software built to detect suspicious and anomalous activity on endpoints. From the start, this behavioral focus separated EDR from antivirus (AV) tools and endpoint protection platforms (EPP), which primarily identify and act on known-bad indicators such as malware signatures and file hashes.
AV and EPP solutions block or quarantine known-bad files and objects. EDR instead records endpoint activity, correlates anomalies and suspicious behavior, and raises a detection with context and severity details that security operations, cyber threat intelligence and threat hunting teams use for investigation, remediation and response.
In 2014, the New York Times reported that AV tools were “49% ineffective.” Attackers were starting to use “fileless” in-memory tactics that could not be identified by signature or hash, and were stealthily exploiting vulnerabilities in applications and processes to ransom or steal intellectual property and data.
The threat landscape was rapidly evolving (it still is). While antivirus (AV), next-generation antivirus (NGAV) and endpoint protection platforms (EPP) focused on prevention, EDR emerged to provide comprehensive visibility and attack context, and it brought human analysis into the mix of essential capabilities. The need for expert analysts led naturally to managed EDR, where a provider’s security operations center (SOC) handles end-to-end detection and response for its customers.
The 5 Primary Functions of EDR
Today, the main capabilities and functions of a mature EDR tool include:
- Advanced threat detection and malicious activity detection
- Containment of the cyber security threat at the compromised endpoint
- Incident data search and investigation – alert triage with high fidelity alerting
- Suspicious activity validation and remediation guidance
- Threat hunting to protect the endpoint against future attacks
EDR technology has been steadily progressing to include advanced prevention features, as well as continuous monitoring, real-time detection, and full-spectrum visibility, triage, and response capabilities.
Key Components of EDR Software
Most current EDR tools perform root cause analysis of suspicious, anomalous or actively blocked activity by default. The tool identifies suspicious events, then generates alerts with the context security teams need to stop the threat and limit the damage of an attack.
The key components of EDR capabilities include:
- Behavioral Analytics
- Actionable Threat Intelligence
- Managed Threat Hunting
- Real-Time Visibility
- Alerts and Alert Triage
- Decisive Remediation and Incident Response
Let’s take a quick look at each of the 6 essential EDR security components in turn.
1. EDR and Behavioral Analytics
EDR solutions correlate endpoint visibility data across all devices (including IoT and remote endpoints) to analyze activity and surface indicators of compromise (IoCs) as well as indicators of attack (IoAs).
These indicators are the evidence left at the scene. The collected data is fed to behavioral analytics (rule engines and machine-learning models) to detect anomalous and suspicious behavior.
Tracing individual actions and events lets the EDR tool apply logic from its global threat intelligence database and determine in real time whether a sequence of anomalies or events matches a known IoA or IoC. This advanced threat detection component can classify an activity as malicious or anomalous and automatically generate a detection alert.
2. EDR’s Actionable Threat Intelligence
EDR typically integrates with a global cyber threat intelligence database to contextualize threats and guide an actionable response. Correlating endpoint data against global threat intelligence allows rapid recognition of known adversary tactics, techniques and procedures (TTPs) on the endpoint.
This correlation is what produces kill chain progression reports and MITRE ATT&CK mappings or visualizations. The same intelligence is attached to the behavioral and contextual information about the attacker and the attack, and is used during alert triage and response.
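To make the behavioral analytics and threat intelligence sections concrete, here is a toy detection engine added to this article (it is not any vendor’s code). It runs two detectors over a constructed endpoint telemetry stream: an IoC match of hashes and domains against a threat intelligence feed, and a behavioral IoA rule that correlates a chain of events (Office application spawns a script host, which then makes an outbound connection) without needing any hash. Every indicator, host name, hash and event in it is constructed for the example; the ATT&CK technique reference T1059.001 (PowerShell) is real, the severity scheme is an assumption.

```python
"""Toy EDR detection engine, added to this article as an illustration (not
any vendor's code): an IoC match against a threat-intelligence feed beside a
behavioral IoA rule that correlates a chain of endpoint events.
All indicators, hosts and events are constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed threat-intelligence feed (hypothetical indicators, not real ones).
BAD_HASH = "1f2e3d4c" * 8                      # 64 hex chars, made up
IOC_FEED = {"sha256": {BAD_HASH}, "domain": {"updates.example-bad.test"}}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}   # assumed scheme

@dataclass
class Event:
    host: str
    pid: int
    ppid: int
    kind: str          # "process" (creation) or "network" (outbound connect)
    image: str         # executable name
    cmdline: str = ""
    sha256: str = ""   # hash of the image, process events only
    dest: str = ""     # "host:port" or domain, network events only

@dataclass
class Alert:
    host: str
    severity: str
    title: str
    technique: str                       # IoC type or ATT&CK technique
    evidence: List[str] = field(default_factory=list)

def process_by_pid(events: List[Event], host: str, pid: int) -> Optional[Event]:
    """Look up the process-creation event for (host, pid)."""
    for e in events:
        if e.host == host and e.kind == "process" and e.pid == pid:
            return e
    return None

def ioc_alerts(events: List[Event]) -> List[Alert]:
    """Signature-style detection: hashes and domains matched against the feed.
    Catches only what the feed already knows about."""
    out = []
    for e in events:
        if e.kind == "process" and e.sha256 in IOC_FEED["sha256"]:
            out.append(Alert(e.host, "high", f"known-bad binary {e.image}",
                             "IoC:sha256", [e.cmdline]))
        elif e.kind == "network" and e.dest in IOC_FEED["domain"]:
            out.append(Alert(e.host, "high", f"connection to known-bad domain {e.dest}",
                             "IoC:domain", [e.image]))
    return out

def ioa_alerts(events: List[Event]) -> List[Alert]:
    """Behavioral detection: an Office application spawns a script host which
    then makes an outbound connection. No hash or domain is needed, so this
    also fires on a never-before-seen payload."""
    out = []
    for e in events:
        if e.kind != "network":
            continue
        proc = process_by_pid(events, e.host, e.pid)
        if proc is None or proc.image not in SCRIPT_HOSTS:
            continue
        parent = process_by_pid(events, e.host, proc.ppid)
        if parent is None or parent.image not in OFFICE_APPS:
            continue
        cl = proc.cmdline.lower()
        encoded = " -enc" in cl or "-encodedcommand" in cl
        out.append(Alert(e.host, "critical" if encoded else "medium",
                         f"{parent.image} -> {proc.image} -> outbound {e.dest}",
                         "ATT&CK T1059.001",
                         [parent.cmdline, proc.cmdline, f"connect {e.dest}"]))
    return out

def detect(events: List[Event]) -> List[Alert]:
    """Run both detectors and order the alerts for triage, most severe first."""
    alerts = ioc_alerts(events) + ioa_alerts(events)
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity])

# Constructed telemetry: a macro document on ws-042 launching an encoded
# PowerShell stager, and a masquerading svchost.exe with a known hash on ws-017.
SAMPLE_EVENTS = [
    Event("ws-042", 100, 1, "process", "explorer.exe", "explorer.exe"),
    Event("ws-042", 200, 100, "process", "winword.exe", 'WINWORD.EXE /n "invoice.docm"'),
    Event("ws-042", 300, 200, "process", "powershell.exe",
          "powershell.exe -nop -w hidden -enc QQBBAEEA"),   # constructed blob
    Event("ws-042", 300, 200, "network", "powershell.exe", dest="203.0.113.10:443"),
    Event("ws-017", 400, 1, "process", "explorer.exe", "explorer.exe"),
    Event("ws-017", 410, 400, "process", "svchost.exe",
          "C:\\Users\\Public\\svchost.exe", sha256=BAD_HASH),
    Event("ws-017", 500, 400, "process", "powershell.exe", "powershell.exe -File backup.ps1"),
    Event("ws-017", 500, 400, "network", "powershell.exe", dest="backup.corp.test:445"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.host}: {a.title} ({a.technique})")
```

Note what each detector misses: the IoC rule would not fire on the PowerShell stager at all (nothing in its hash or destination is in the feed), while the IoA rule does not fire on the scheduled backup script on ws-017 because its parent is not an Office application. A real EDR runs both, and the alert carries the parent and child command lines as evidence so an analyst can triage it without re-querying the endpoint.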
3. EDR and Managed Threat Hunting
Threat hunting is the proactive search of endpoint telemetry for indicators of threat, attack or compromise that automated detection has not yet alerted on. Hunts often use rules-based automation for analysis and reporting, and they run over events continuously collected and correlated from laptops, PCs, mobile and IoT devices and, in some cases, cloud workloads (EDR in the cloud).
Hunt findings are raised to SOC analysts to investigate. Many EDR platforms pair the tool with a human threat hunting team (managed threat hunting) that verifies findings and advises on the infrastructure-wide remediation and hardening needed to defend against future attacks, depending on the nature of the threat encountered and the accumulated, correlated context.
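One common hunting technique that fits the description above is frequency stacking: rather than matching a rule per event, the hunter counts how many hosts in the fleet exhibit a given parent-to-child process pair and looks at the rarest ones. The example below is added to this article as an illustration (it is not any vendor’s code); the fleet baseline, host names and outliers are constructed, and the lists of system binary names are an assumption for the example.

```python
"""Threat hunting by frequency stacking, added to this article as an
illustration (not any vendor's code): across a fleet, parent->child process
pairs seen on very few hosts, and system binaries running from the wrong
directory, are surfaced as hunt leads rather than alerts. Fleet data is
constructed for the example."""
from collections import Counter
from typing import Callable, List, Tuple

Record = Tuple[str, str, str, str]   # (host, parent_image, child_image, cmdline)

def build_fleet(hosts: int = 50) -> List[Record]:
    """Constructed baseline: the same benign process pairs on every host,
    plus two outliers on a single host."""
    fleet: List[Record] = []
    for i in range(hosts):
        h = f"ws-{i:03d}"
        fleet.append((h, "explorer.exe", "outlook.exe", "outlook.exe"))
        fleet.append((h, "services.exe", "svchost.exe",
                      "C:\\Windows\\System32\\svchost.exe -k netsvcs"))
        fleet.append((h, "explorer.exe", "chrome.exe", "chrome.exe"))
    fleet.append(("ws-017", "winword.exe", "rundll32.exe",
                  "rundll32.exe C:\\Users\\Public\\a.dll,Start"))       # LOLBin from Office
    fleet.append(("ws-017", "explorer.exe", "svchost.exe",
                  "C:\\Users\\Public\\svchost.exe"))                    # masquerading
    return fleet

def host_stack(records: List[Record], key: Callable[[Record], tuple]) -> Counter:
    """For each key value, count the number of distinct hosts exhibiting it."""
    hosts_per_key: dict = {}
    for r in records:
        hosts_per_key.setdefault(key(r), set()).add(r[0])
    return Counter({k: len(v) for k, v in hosts_per_key.items()})

def hunt_rare_pairs(records: List[Record], max_hosts: int = 1) -> List[Tuple[str, str, int]]:
    """Parent->child pairs present on at most max_hosts hosts, rarest first."""
    counts = host_stack(records, lambda r: (r[1], r[2]))
    rare = [(p, c, n) for (p, c), n in counts.items() if n <= max_hosts]
    return sorted(rare, key=lambda t: (t[2], t[0], t[1]))

def hunt_masquerading(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Well-known system binary names executing from outside C:\\Windows
    (assumed name list for the example)."""
    system_names = {"svchost.exe", "lsass.exe", "csrss.exe"}
    leads = []
    for host, _parent, child, cmdline in records:
        image_path = cmdline.split()[0].lower()
        if (child in system_names and "\\" in image_path
                and not image_path.startswith("c:\\windows\\")):
            leads.append((host, child, cmdline))
    return leads

if __name__ == "__main__":
    fleet = build_fleet()
    print("rare parent->child pairs:", hunt_rare_pairs(fleet))
    print("masquerading system binaries:", hunt_masquerading(fleet))
```

Stacking is only as good as the baseline: the 50 benign hosts make the two outliers on ws-017 stand out, whereas the same query over a handful of hosts would flag nearly everything. In practice the hunter raises such leads to the SOC for triage, and a confirmed lead usually becomes a new behavioral detection rule.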
4. EDR Real-Time Visibility
The telemetry capabilities of EDR provide comprehensive visibility of the security-relevant events and activities that take place on every endpoint.
Security events are recorded to trace and map the many reconnaissance and compromise activities on the endpoint: file system access and process creation, registry and memory changes, driver loads, network connection requests and unusual internet connections, and the like.
This information can reveal the IP addresses of external command and control servers, every local host the attacker connected or attempted to connect to, the process executions and file creations performed, the administrative tools and executables used, any removable USB media attached, and the process-level DNS requests, connections and ports used. In many cases a security team gains visibility of the entire progression of steps the attacker took, and of all the commands and techniques used to breach the environment or move laterally across the organization.
5. EDR’s Alerting and Alert Triage
When threat hunting or other indicators detect a threat, EDR tools generate alerts that notify SOC analysts to investigate and triage the event(s) and their correlated relationships, rapidly and at scale across all endpoints in the organization.
Details of real-time and historical activity, combined with contextualized intelligence, help investigators understand the attack and implement precise, immediate remediation.
EDR technology can generate many false positives, and triaging them causes a burdensome level of alert fatigue among analysts, but EDR vendors are beginning to address this side effect through tuning, alert correlation and deduplication.
6. Decisive Remediations and Rapid Incident Response
Taking resolute, purposeful remediation action, rapidly, when a security incident is detected is the hallmark of an advanced EDR tool (or endpoint detection and threat response, EDTR, tool).
Rapid remediation and response is the goal of endpoint protection, and it is possible because of the full-spectrum visibility and context mapping EDR provides. Visibility enables precise incident response because security teams clearly see and understand the attack they are remediating as they restore compromised systems.
Identifying Endpoint Detection Architecture and Layers
Damaging breaches persist and are projected by industry analysts to worsen for years to come. Many organizations are considering EDR technologies to help them navigate and defend against the current and future threat landscape. Although EDR tools and endpoint protection platforms vary in implementation, performance, and scope, all share essentially the same detection layers and architecture.
Every EDR security solution includes the following layers:
- An EDR agent or sensor deployed on all endpoint clients for continuous monitoring of all security-relevant behavior patterns
- The ability to collect log data from other sources if required, such as a SIEM, firewalls or servers, for correlation and context-based analytics
- A central EDR server (increasingly a cloud-hosted backend) that collects, records, and correlates the data from all endpoints and other sources
- Threat intelligence database integration that feeds IoCs and other known-malware information to the central EDR server
- Web Console for reporting, alerting, and generating context-based visualization and detection details from real-time data analytics and remediation actions.
The endpoint agent or sensor monitors continuously, collects endpoint data in real time and sends the observed behaviors to the central server. Detection on the agent is primarily behavioral rather than signature-based: it does not depend on a signature database pushed to the endpoint the way an antivirus engine does, though many agents also consume IoC feeds such as hashes and domains. The agent also typically includes automated, rules-based responses that can block an execution or otherwise act on a detected threat in real time.
Processing of reported behaviors takes place on the central EDR server. The analytics trace how the attacker likely entered an endpoint by following network connections and process ancestry. The server also records process history: the actions and steps the attacker took, whether they moved laterally, and where they navigated during reconnaissance. Finally, the EDR recommends how to respond, for example isolate the host, block access, or add an indicator to a watchlist.
By focusing on behavior monitoring, indicators of attack (IoAs) and anomalous activity, EDR solutions alert on suspicious activity before it becomes a damaging breach.
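The server-side processing described above, and the telemetry listed under real-time visibility, come together in root cause analysis: given one alerted process, rebuild the process tree, walk back to the entry point, and gather the command and control connections and lateral-movement targets along the way so the responder knows what to isolate. The following example is added to this article as an illustration (not any vendor’s code). The workstation, process IDs, command lines and addresses are constructed, and the lists of delivery applications and remote-execution tools are assumptions for the example.

```python
"""Root-cause reconstruction from endpoint telemetry, added to this article
as an illustration (not any vendor's code). Rebuilds the process tree, walks
from an alerted process back to its entry point, and gathers the command
and control connections and lateral-movement targets along the chain so a
responder knows what to isolate. All hosts and events are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Proc:
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str
    connections: List[str] = field(default_factory=list)  # outbound "ip:port"
    children: List["Proc"] = field(default_factory=list)

# Assumed (hypothetical) classification lists for the example.
INITIAL_ACCESS_APPS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe"}
REMOTE_EXEC_TOOLS = {"psexec.exe", "wmic.exe", "winrs.exe"}

class ProcessTree:
    def __init__(self, procs: List[Proc]):
        self.by_key: Dict[Tuple[str, int], Proc] = {(p.host, p.pid): p for p in procs}
        for p in procs:
            p.children = []          # rebuild links from scratch each time
        for p in procs:
            parent = self.by_key.get((p.host, p.ppid))
            if parent is not None:
                parent.children.append(p)

    def ancestry(self, host: str, pid: int) -> List[Proc]:
        """Chain from the tree root down to (host, pid); guards against pid-reuse loops."""
        chain, seen = [], set()
        node = self.by_key.get((host, pid))
        while node is not None and (node.host, node.pid) not in seen:
            seen.add((node.host, node.pid))
            chain.append(node)
            node = self.by_key.get((node.host, node.ppid))
        return list(reversed(chain))

    def subtree(self, host: str, pid: int) -> List[Proc]:
        """The process and everything it spawned, depth first."""
        stack, out = [self.by_key[(host, pid)]], []
        while stack:
            n = stack.pop()
            out.append(n)
            stack.extend(n.children)
        return out

def lateral_targets(cmdline: str) -> List[str]:
    """Pull UNC-style targets (tokens starting with two backslashes) out of a
    remote-execution command line."""
    return [t.lstrip("\\") for t in cmdline.split() if t.startswith("\\\\")]

def root_cause(tree: ProcessTree, host: str, pid: int) -> dict:
    chain = tree.ancestry(host, pid)
    # Entry point: first ancestor that is a user-facing delivery application.
    entry_idx = next((i for i, p in enumerate(chain) if p.image in INITIAL_ACCESS_APPS), 0)
    involved: Dict[Tuple[str, int], Proc] = {}
    for p in chain[entry_idx:] + tree.subtree(host, pid):
        involved[(p.host, p.pid)] = p
    c2, targets = set(), set()
    for p in involved.values():
        c2.update(p.connections)
        if p.image in REMOTE_EXEC_TOOLS:
            targets.update(lateral_targets(p.cmdline))
    return {
        "chain": [f"{p.image}({p.pid})" for p in chain],
        "entry": chain[entry_idx].image,
        "process_count": len(involved),
        "c2": sorted(c2),
        "lateral_targets": sorted(targets),
        "isolate": [host] + sorted(targets),   # recommended containment
    }

# Constructed telemetry for one workstation (addresses from the TEST-NET range).
SAMPLE_PROCS = [
    Proc("ws-042", 100, 1, "explorer.exe", "explorer.exe"),
    Proc("ws-042", 200, 100, "outlook.exe", "outlook.exe"),
    Proc("ws-042", 300, 200, "winword.exe", 'WINWORD.EXE /n "invoice.docm"'),
    Proc("ws-042", 400, 300, "powershell.exe", "powershell.exe -nop -w hidden -enc QQBBAEEA",
         connections=["203.0.113.10:443"]),
    Proc("ws-042", 500, 400, "rundll32.exe", "rundll32.exe C:\\Users\\Public\\a.dll,Start",
         connections=["203.0.113.10:443"]),
    Proc("ws-042", 600, 500, "psexec.exe", "psexec.exe \\\\srv-01 -s cmd.exe /c whoami"),
    Proc("ws-042", 700, 100, "chrome.exe", "chrome.exe"),   # unrelated user activity
]

if __name__ == "__main__":
    report = root_cause(ProcessTree(SAMPLE_PROCS), "ws-042", 500)  # alert fired on rundll32
    for k, v in report.items():
        print(f"{k}: {v}")
```

The report answers the questions a responder asks in the first minutes: how the attacker got in (Outlook delivered a macro document), what they ran afterwards, which external address the chain talked to, and which other host they reached with PsExec, so containment covers srv-01 as well as the alerting workstation rather than just the one process that fired. The unrelated browser session under the same desktop is left out of the blast radius because it is not on the chain or below the alerted process.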
EDR technology can be summarized as the following set of essential layers:
- Real-time visibility of behavioral endpoint detection, tracking, alerting, and reporting
- Integration with a global threat database and cyber threat intelligence
- Rapid remediation and incident response
How to Choose an EDR Security Solution? | Checklist
The following requirements are essential when choosing an endpoint security solution with advanced threat detection:
- Real-Time Visibility of Endpoint Monitoring. Organizations must be able to monitor all endpoints together and in real time. The results of tracking and data analytics must be visible with full detection details and context, and all threat progressions, mappings and alerts must be immediately accessible for actionable remediation. Without real-time visibility, security experts cannot fully and rapidly understand the scope of a threat, what occurred as a result of the attack, or how best to repair the damage.
- EDR Tool Integration with Global Threat Databases and Cyber Threat Intelligence. Access to actionable intelligence is imperative for a fully informed response to security events. Combining the latest threat intelligence, global threat database queries and analytics from the monitored endpoints means the EDR tool is poised to respond to incoming threats.
- Rapid Remediation and Incident Response. Speed is of the essence for EDR tools and endpoint protection. Rapid remediation and incident response are critical because, when adversarial tradecraft goes undetected (which happens frequently), attackers can dwell in an environment for days, weeks and sometimes years, moving laterally to compromise additional hosts, stealing credentials, and quietly exfiltrating data, or worse.
Without these essential EDR (EDTR) capabilities, organizations are left to respond to a breach after the fact, with serious financial and reputational loss.