Endpoint Detection and Response
Endpoint Detection and Response (EDR) is approached as an essential part of EPP. Central to EDR is the detection of attackers that evaded the prevention layer of an EPP solution and are active in the target environment. In this article, we’ll provide an overview of the endpoint security market and offer insight into EDR security capabilities. We’ll also address 6 top EDR tools, covering their solution scope, delivery, and EDR features.
What Is Endpoint Detection and Response (EDR)?
Anton Chuvakin of Gartner coined the term EDR to refer to a solution that records behavior on endpoints, detects suspicious behavioral patterns using data analytics and context-based information, blocks threats, and helps security analysts remediate and restore compromised systems.
EDR encompasses several tools that can detect endpoint threats and help analysts investigate them. An EDR solution typically provides threat hunting, detection, analysis, and response functions.
Endpoint detection and response tools are a central component of a modern endpoint security strategy because they are the most effective means of detecting intrusions. They monitor the target environment to identify attacks and collect telemetry data to support rapid triage and investigative processes.
How EDR Works
EDR solutions continuously ingest data from endpoints, including event logs, running applications, and authentication attempts. Here is how the process usually works:
Ingesting telemetry from endpoints
The solution collects telemetry data from endpoints by installing software agents on each endpoint through other, indirect means.
Sending the ingested telemetry to the EDR platform
The solution sends data from all endpoint agents to a central location, usually a cloud-based EDR platform. It can also work on-premises or as a hybrid cloud to help meet compliance requirements.
Correlating and analyzing data
The solution employs machine learning to correlate and analyze the data. Typically, the solution uses this technology to establish a baseline of normal endpoint operations and user behavior and then looks for anomalies.
Some EDR solutions include threat intelligence feeds to introduce context in the form of real-world examples of cyberattacks. The technology compares network and endpoint activity with these examples to detect attacks.
Flagging and responding to suspicious activity
The solution flags suspicious activity and pushes alerts to notify security analysts and relevant personnel. It also initiates automated responses according to predetermined triggers. For example, temporarily isolating an endpoint to block malware from spreading across the network.
Retaining data for future use
EDR solutions retain data to enable future investigations and proactive threat hunting. Analysts and tools can use this data to consolidate events into one incident to investigate existing prolonged attacks or previously undetected attacks. It can also provide the context for threat hunting, helping security experts and tools actively look for malicious activity.
What are EDR Tools?
EDR tools are technology platforms that can alert security teams of malicious activity, and enable fast investigation and containment of attacks on endpoints. An endpoint can be an employee workstation or laptop, a server, a cloud system, a mobile or IoT device.
EDR Security Capabilities
EDR capabilities often vary between vendors. However, the following features are typically provided by most vendors:
- Integration – EDR solutions extend visibility into endpoints by collecting and aggregating data. Since endpoint security does not cover all possible threats, it should be integrated with additional security tools. Organizations should ensure that the EDR tool they choose can smoothly integrate with their existing stack.
- Insights – basic EDR tools provide only data collection and aggregation. Analysts can use the tool to view the aggregated data, locate trends, and manually derive insights. Advanced EDR solutions employ artificial intelligence (AI) algorithms and machine learning to automate threat identification and alerting processes. Some tools can detect patterns by mapping suspicious behavior to the MITRE ATT&CK framework.
- Response – EDR tools provide response features to help operators remediate and investigate issues. Advanced tools can also help investigate live system memory, gather artifacts from suspected endpoints, and combine historical and current situational data to create a comprehensive picture during an incident.
- Forensics – EDR tools offer forensics capabilities to help track threats and surface similar activities that may otherwise be missed. It can help establish timelines and identify affected systems before a breach occurs.
- Automation – advanced EDR solutions can automatically remediate activities. For example, automatically stop or disconnect compromised processes and alert relevant parties, and isolate or disable suspected endpoints and accounts.
Symantec Endpoint Protection
Symantec’s endpoint solution includes legacy antivirus, NGAV with emulator for detecting hidden packages, memory exploit prevention, deception technology, device network firewall and intrusion prevention, and EDR.
Virtual or physical appliance