Back in 2013, Gartner’s Anton Chuvakin set out to name a new set of security solutions that sniff out suspicious activity on endpoints.
After what he called “a long agonizing process that involved plenty of conversations with vendors, enterprises, and other analysts,” Chuvakin came up with this phrase: endpoint threat detection and response.
Since then, this moniker has been shortened to “endpoint detection and response” or EDR. But as the name got smaller, the market got bigger. In fact, Gartner now predicts the global EDR space will grow at a compound annual rate of 45.3 percent through 2020, by which time it will be worth a whopping $1.5 billion.
With that in mind, let’s take a step back and assess EDR’s place in your overall cybersecurity strategy, as well as the gaps it simply can’t fill.
The Role of EDR in Cybersecurity
While other security solutions are used to prevent threats, EDR is all about visibility. An effective EDR tool allows you to focus on detecting and investigating suspicious activities on endpoints so you can respond to attacks faster.
EDR works by installing a lightweight agent on each endpoint. The agent then monitors events to look for any activity that is potentially malicious or matches a known attack indicator. EDR sends telemetry to a central management system, which automatically performs analysis and correlation before sending an alert.
From there, an analyst must investigate the alert to determine details about the attack, or alternatively determine if the attack is a false alarm. Based on this information, the analyst develops an appropriate response.
Unlike endpoint protection (EPP) tools that focus on stopping attacks, EDR should be seen as a solution that helps you more effectively manage your post-breach response. The fact is that no security method is 100% effective; it’s not a matter of if your defenses will get breached, but when. EDR helps you detect times when you’ve been breached sooner so that you can mitigate any possible damage.
The benefits of EDR include:
- Visibility: EDR provides real-time visibility into your endpoints to help you quickly identify malicious activity.
- Behavioral protection: Unlike tools that only monitor for known threats, EDR can help you detect suspicious activities that may indicate an unknown threat type.
- Insight: EDR can help provide more context behind an attack so you can tailor your response.
- Remediation speed: EDR can help you accelerate your investigation so that you can limit the damage a breach does to your business.
EDR Is Not as Simple as You Think
While EPP tools can only identify and block known threats, EDR detects abnormal activity on endpoints—assuming those devices are running EDR agents—which gives you a better chance of detecting unknown malware strains in zero-day attacks.
But Gartner analyst Avivah Litan sees one setback to its adoption: its complexity.
“EDR functionality will have to become more mainstream, proactive, and simple to use and operate before product adoption reaches its full potential,” Litan wrote.
This is particularly problematic for small and medium-sized enterprises (SMEs) ,which often lack the in-house security expertise to manage EDR. Before SMEs can correctly wield EDR, they need security engineers who know how to tap into its full potential.
Not the Only Player on Your Team
EDR is a team player with a key role in detecting anomalous activity on an endpoint. However, it is completely blind to certain indicators of a network compromise. For example, let’s say a password to a database has been stolen, allowing a hacker to log in and start exfiltrating personal information remotely. At this point, there is nothing EDR can do.
This is worrisome considering the application layer accounts for an increasing number of attacks, with hackers getting in through SQL injections, zero-day vulnerabilities, and other forms of web-based attack. These are beyond the scope of EDR.
Finding the Right EDR Solution
There are many EDR solutions on the market, each with its own strengths and weaknesses.
When exploring options, it’s important to understand EDR’s limitations.
EDR only works for endpoints that have an EDR agent running, which means you will need other tools to monitor your network and cloud services. That also means many of your endpoints won’t be covered, such as printers, appliances, network gear, and unsupported endpoints like mobile phones, vendor systems, IoT devices, or rogue virtual machines.
That makes a stand-alone EDR service most appropriate for organizations that already have strong cloud and network security, but who need enhanced endpoint protection.
However, the complexity of EDR means it might not be a suitable solution for a business that doesn’t have dedicated security experts on staff who can quickly review alerts and respond to threats.
Consider Managed Detection and Response Solutions
A managed detection and response (MDR) solution goes beyond endpoints to offer multi-dimensional monitoring of endpoint, network, and cloud workloads. With this holistic oversight, you’re better able to effectively identify and respond to threats no matter where they originate.
A security operations center (SOC) as-a-service like Arctic Wolf ‘s provides 24×7 monitoring of all your resources. It features expert security teams that know your business and can provide custom alerting and reporting. On the other hand, an EDR solution by itself can’t monitor everything you need and can’t provide the expertise required to direct a response once a breach has been detected.
It’s also important to consider your regulatory and data governance needs. If your enterprise needs log retention, EDR is unlikely to fulfill your requirements. MDR, however, can retain all your log data from existing networks, systems, and applications so you can demonstrate compliance with regulatory requirements like PCI-DSS, HIPAA, and FFIEC.
In other words, EDR can’t do it alone.
What you need is 360-degree visibility across endpoints, as well as across your network and cloud environment —along with the necessary security expertise to help direct your response.
Originally published on the Arctic Wolf blog, December 17, 2019.
