Endpoint detection and response (EDR) is a form of endpoint protection that uses data collected from endpoint devices to understand how cyberthreats behave and the ways that organizations respond to cyberthreats. While some forms of endpoint protection are focused purely on blocking threats, endpoint detection and response attempts a more holistic approach. Through continuous endpoint monitoring and rigorous data analysis businesses can gain a better understanding of how one threat or another infects an endpoint and the mechanisms by which it spreads across a network. Instead of remediating threats offhand, organizations can use the insights gained via EDR tools to harden security against future attacks and reduce dwell time for a potential infection.
Think of EDR security as a flight data recorder for your endpoints. During a flight, the so-called “black box” records dozens of data points; e.g., altitude, air speed, and fuel consumption. In the aftermath of a plane crash, investigators use the data from the black box to determine what factors may have contributed to the plane crash. In turn, these contributing factors are used to prevent similar crashes in the future. Likewise, endpoint telemetry taken during and after a cyberattack (e.g., processes running, programs installed, and network connections) can be used to prevent similar attacks.
The term “endpoint threat detection and response” was coined by noted author and cybersecurity expert Anton Chuvakin as a way of calling out “tools primarily focused on detecting and investigating suspicious activities (and traces of such) and other problems on hosts/endpoints.”
Nowadays, the term has been shortened to just “endpoint detection and response.” When people talk about EDR cyber security, they’re probably referring to a type of endpoint protection that includes EDR capabilities. Just keep in mind the two terms are not one and the same. A flight data recorder can’t take control of the airplane and avert disaster during a crash scenario. Likewise, EDR alone isn’t enough to stop a cyberattack without integrated antivirus, anti-malware, anti-exploit, and other threat mitigation capabilities. Outsourced cybersecurity services like Managed Detection and Response (MDR) security can help your IT security team keep up with the high volumes of alerts generated by EDR.
Visit Malwarebytes Labs Blog for Business to learn more about the differences between MDR vs EDR and tips for choosing the right detection and response tool for your business.
Endpoint detection and response is broadly defined by three types of behavior.
Endpoint management refers to EDR’s ability to be deployed on an endpoint, record endpoint data, and then store that data in a separate location for analysis now or in the future. EDR can be deployed as a standalone program or included as part of a comprehensive endpoint security solution. The latter has the added benefit of combining multiple capabilities into a single endpoint agent and offering a single pane of glass through which admins can manage the endpoint.
EDR technology can interpret raw telemetry from endpoints and produce endpoint metadata (or cyber threat intelligence) human users can use to determine how a previous attack went down, how future attacks might go down, and actions that can be taken to prevent those attacks.
EDR scans for programs, processes, and files matching known parameters for malware. Threat hunting also includes the ability to search all open network connections for potential unauthorized access.
Incident response refers to EDR’s ability to capture images of an endpoint at various times and re-image or rollback to a previous good state in the event of an attack. EDR also gives administrators the option to isolate endpoints and prevent further spread across the network. Remediation and rollback can be automated, manual, or a combination of the two.
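The four capabilities above (record telemetry, analyze it, hunt through it, respond) are easiest to see on a small model. The following is an added example, not Malwarebytes code: a tiny in-memory telemetry store that an agent feeds with process-start and network-connect events, a function that reconstructs how a process came to exist (the "flight recorder" view), and a hunt that flags processes talking to ports the environment does not normally use. The hostnames, PIDs, addresses (RFC 5737 documentation ranges), the event schema and the "allowed ports" rule are all constructed for illustration.

```python
"""Minimal model of EDR telemetry recording, analysis and threat hunting.

Added example, not Malwarebytes code. Event schema, hostnames, addresses and
the allowed-port rule are constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class TelemetryStore:
    """Central store that receives events from endpoint agents (the 'black box')."""
    processes: dict = field(default_factory=dict)    # (host, pid) -> process_start event
    connections: list = field(default_factory=list)  # network_connect events

    def record(self, event: dict) -> None:
        """Agent side: persist every event, whether or not it looks suspicious now."""
        if event["type"] == "process_start":
            self.processes[(event["host"], event["pid"])] = event
        elif event["type"] == "network_connect":
            self.connections.append(event)

    def ancestry(self, host: str, pid: int) -> list:
        """Analysis: walk parent links back to the root to show how a process was started."""
        chain, seen, key = [], set(), (host, pid)
        while key in self.processes and key not in seen:
            seen.add(key)
            proc = self.processes[key]
            chain.append(proc["image"])
            key = (host, proc["ppid"])
        return list(reversed(chain))

    def descendants(self, host: str, pid: int) -> set:
        """All PIDs in the subtree rooted at `pid` (including `pid` itself)."""
        tree, changed = {pid}, True
        while changed:
            changed = False
            for (h, p), proc in self.processes.items():
                if h == host and proc["ppid"] in tree and p not in tree:
                    tree.add(p)
                    changed = True
        return tree

    def connections_for_tree(self, host: str, pid: int) -> list:
        """Network activity of a process and everything it spawned."""
        tree = self.descendants(host, pid)
        return [c for c in self.connections if c["host"] == host and c["pid"] in tree]


def hunt_unexpected_ports(store: TelemetryStore, allowed_ports=frozenset({53, 80, 443})) -> list:
    """Hunt: any process connecting to a port outside the environment's baseline.
    Each hit carries the process ancestry so an analyst sees the whole chain."""
    hits = []
    for c in store.connections:
        if c["dst_port"] not in allowed_ports:
            hits.append({
                "host": c["host"],
                "pid": c["pid"],
                "dst": f"{c['dst_ip']}:{c['dst_port']}",
                "chain": store.ancestry(c["host"], c["pid"]),
            })
    return hits


# Constructed telemetry from one workstation: a browser doing normal HTTPS and a
# document-spawned shell chain reaching out on a non-baseline port.
SAMPLE_EVENTS = [
    {"type": "process_start", "host": "ws-07", "pid": 400, "ppid": 1,   "image": "explorer.exe"},
    {"type": "process_start", "host": "ws-07", "pid": 512, "ppid": 400, "image": "WINWORD.EXE"},
    {"type": "process_start", "host": "ws-07", "pid": 620, "ppid": 512, "image": "cmd.exe"},
    {"type": "process_start", "host": "ws-07", "pid": 633, "ppid": 620, "image": "powershell.exe"},
    {"type": "process_start", "host": "ws-07", "pid": 700, "ppid": 400, "image": "chrome.exe"},
    {"type": "network_connect", "host": "ws-07", "pid": 700, "dst_ip": "203.0.113.10",  "dst_port": 443},
    {"type": "network_connect", "host": "ws-07", "pid": 633, "dst_ip": "198.51.100.23", "dst_port": 4444},
]


def build_store(events=SAMPLE_EVENTS) -> TelemetryStore:
    """Replay constructed agent events into a fresh store."""
    store = TelemetryStore()
    for e in events:
        store.record(e)
    return store


if __name__ == "__main__":
    store = build_store()
    for hit in hunt_unexpected_ports(store):
        print(hit)
```

The point of storing everything rather than only alerts is visible in the hunt output: the connection on port 4444 is only one line of telemetry, but because the process-start events were kept too, the hit can be expanded into the full chain explorer → Word → cmd → PowerShell, which is what tells an analyst that a document, not a user, started the shell.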
Before going into the difference between EDR and antivirus, let’s get our definitions straight. We know EDR is a kind of endpoint protection that leverages endpoint data and the things we learn from that data as a bulwark against future infection—so what is antivirus?
Malwarebytes Labs defines antivirus as “an antiquated term used to describe security software that detects, protects against, and removes malware.” In that sense, “antivirus” is a bit of a misnomer. Antivirus stops computer viruses, but it also stops modern threats like ransomware, adware, and Trojans. The more modern term “anti-malware” attempts to bring the terminology up to date with what the technology actually does; i.e., stop malware. People tend to use the two terms interchangeably. For the purposes of this article, we’ll use the more modern term and just call it “anti-malware.”
Now, to understand the difference between EDR and anti-malware we have to look at the use cases. On one hand, you have off-the-shelf anti-malware designed for the consumer looking to protect a few personal devices (like a smartphone, laptop, and tablet) on their home network.
On the other hand, you have EDR for the business user, protecting hundreds, potentially thousands of endpoint devices. Devices can be a mixture of work-owned and employee-owned (BYOD). And employees may be connecting to the company network from any number of potentially unsecured public WiFi hotspots.
When it comes to threat analysis, the typical consumer only wants to know that their devices are protected. Reporting doesn’t extend much beyond how many threats and what kinds of threats were blocked in a given span of time. That’s not enough for a business user.
Security admins need to know “What happened on my endpoints previously and what’s happening on my endpoints right now?” Anti-malware isn’t great at answering these questions, but this is where EDR excels.
But what about EDR vs XDR vs MDR? Get to know their differences in our Malwarebytes Labs post. Understanding the challenges each threat detection and response tool can address helps your security team choose the cybersecurity technology best fit for your company.
At any given moment EDR is a window into the day-to-day functions of an endpoint. When something happens outside the norm, admins are alerted, presented with the data and given a number of options; e.g., isolate the endpoint, quarantine the threat, or remediate.
According to Malwarebytes Labs’ 2021 State of Malware Report, malware detections on Windows business computers decreased by 24% overall. Cybercriminals are moving away from piecemeal attacks on consumers, instead focusing their efforts on not just businesses, but educational institutions and government entities as well.
The biggest threat at the moment is ransomware. Ransomware detections on business networks are at an all-time high, due largely to the Ryuk, Phobos, GandCrab, and Sodinokibi ransomware strains. Not to mention Trojans like Emotet, which carry secondary ransomware payloads. And it’s not just the big name, Fortune 500 companies getting hit. Organizations of all sizes are being targeted by cybercriminal gangs, lone wolf threat actors, hacktivists, and state-sponsored hackers looking for big scores from companies with caches of valuable data on their networks. Again, it’s the value of the data, not the size of the company. Local governments, schools, hospitals, and managed service providers (MSPs) are just as likely to be the victim of a data breach or ransomware infection.
Consider the average cost of a data breach. The 2021 IBM “Cost of a Data Breach Report” puts the number at $4.24 million. In the US the number was $1.97 million higher where remote work played a role in prompting a breach.
With this sobering data in mind, endpoint protection like Malwarebytes Endpoint Protection and Response is crucial to protecting your endpoints, your employees, your data, the customers you serve, and your business from a dangerous array of cyberthreats and the damage they can cause.
Endpoint Detection and Response (EDR) or Endpoint Threat Detection and Response (ETDR), continuously monitors devices to readily detect, evaluate, and respond to cyberthreats. EDR supports your business’ cybersecurity posture as an integrated endpoint security solution.
EDR security solutions work by monitoring suspicious threat actor activity across all endpoints and workloads, providing bolstered network visibility into the attack surface to help security teams detect and respond to incidents that would otherwise be unforeseen. With an EDR solution, organizations can continuously monitor endpoints in real-time through the combined capabilities of endpoint management, data analysis, threat hunting, and incident response.
Antivirus solutions traditionally use signature-based detection to identify threats on a device. By comparing file signatures against a list of known computer viruses, AV software can recognize and block the virus from attacking.
Unlike antivirus software, EDR solutions use behavioral analysis and threat intelligence to gain visibility into endpoint activity.
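The contrast between the two paragraphs above can be run as code. The following is an added example, not Malwarebytes code: a signature check that compares a file's SHA-256 against a block list, beside two behavioral rules that look at what a process does (an Office application starting a command interpreter; one process renaming many files within a short window, the pattern file-encrypting malware leaves). The "malware samples" are constructed byte strings, and the process names, event schema, thresholds and rules are constructed for illustration; the rule thresholds are not tuned values from any product.

```python
"""Signature matching versus behavioural detection over constructed endpoint telemetry.

Added example, not Malwarebytes code. Hashes, process names, event schema,
thresholds and both detection rules are constructed for illustration only.
"""
import hashlib
from collections import defaultdict

# A signature list as a traditional AV engine holds it: hashes of samples seen
# before. "v2" stands for the same malware repacked so its bytes (and hash) differ.
KNOWN_SAMPLE_V1 = b"CONSTRUCTED-MALWARE-SAMPLE-v1"
REPACKED_SAMPLE_V2 = b"CONSTRUCTED-MALWARE-SAMPLE-v2"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_SAMPLE_V1).hexdigest()}


def signature_scan(file_bytes: bytes) -> bool:
    """Signature-based check: true only if these exact bytes were seen before."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}


def office_spawned_shell(events: list) -> list:
    """Rule 1: a document-handling application starting a command interpreter."""
    return [
        ("office-spawned-shell", e["pid"])
        for e in events
        if e["type"] == "process_start"
        and e["parent_image"].lower() in OFFICE_APPS
        and e["image"].lower() in SHELLS
    ]


def mass_file_rename(events: list, threshold: int = 20, window_s: int = 60) -> list:
    """Rule 2: one process renaming `threshold` or more files within `window_s`
    seconds. The rule keys on behaviour, so a never-seen binary still trips it."""
    stamps_by_pid = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            stamps_by_pid[e["pid"]].append(e["ts"])
    alerts = []
    for pid, stamps in stamps_by_pid.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):           # sliding window over timestamps
            while stamps[end] - stamps[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("mass-file-rename", pid))
                break
    return alerts


def behavioral_scan(events: list) -> list:
    """EDR-style check: judge processes by what they do, not by file hash."""
    return office_spawned_shell(events) + mass_file_rename(events)


# Constructed telemetry: a macro launching PowerShell, a benign editor renaming
# three files, and an unknown binary renaming 25 files in 25 seconds.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 633, "image": "powershell.exe", "parent_image": "WINWORD.EXE"},
    {"type": "process_start", "pid": 700, "image": "notepad.exe", "parent_image": "explorer.exe"},
    {"type": "process_start", "pid": 900, "image": "unknown.exe", "parent_image": "explorer.exe"},
] + [
    {"type": "file_rename", "pid": 700, "ts": 50 + i} for i in range(3)
] + [
    {"type": "file_rename", "pid": 900, "ts": 100 + i} for i in range(25)
]


if __name__ == "__main__":
    print("signature catches known sample:", signature_scan(KNOWN_SAMPLE_V1))
    print("signature catches repacked sample:", signature_scan(REPACKED_SAMPLE_V2))
    print("behavioural alerts:", behavioral_scan(SAMPLE_EVENTS))
```

Run stand-alone, the signature check is true for the known sample and false for the repacked one, while the behavioural rules raise alerts for PID 633 and PID 900 without consulting any hash. The trade-off is also visible: signature matching has essentially no false positives but only sees the past, whereas the rename rule needs a threshold and window chosen for the environment (a backup job or a bulk photo rename can look similar), which is the tuning work an EDR admin takes on in exchange for catching what the block list has never seen.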