What is EDR?
Endpoint detection and response (EDR) is a form of endpoint protection that uses data collected from endpoint devices to understand how cyberthreats behave and how organizations respond to them. While some forms of endpoint protection focus purely on blocking threats, EDR takes a more holistic approach. Through continuous endpoint monitoring and rigorous data analysis, businesses can gain a better understanding of how a given threat infects an endpoint and the mechanisms by which it spreads across a network. Instead of remediating each threat in isolation, organizations can use the insights gained via EDR to harden security against future attacks and reduce dwell time (the period between initial compromise and detection) for a potential infection.
Think of EDR as a flight data recorder for your endpoints. During a flight, the so-called “black box” records dozens of data points; e.g., altitude, air speed, and fuel consumption. In the aftermath of a plane crash, investigators use the data from the black box to determine what factors may have contributed to the plane crash. In turn, these contributing factors are used to prevent similar crashes in the future. Likewise, endpoint telemetry taken during and after a cyberattack (e.g., processes running, programs installed, and network connections) can be used to prevent similar attacks.
The term “endpoint threat detection and response” was coined by noted author and cybersecurity expert Anton Chuvakin in 2013 as a way of calling out “tools primarily focused on detecting and investigating suspicious activities (and traces of such) and other problems on hosts/endpoints.”
Nowadays, the term has been shortened to just “endpoint detection and response.” When people talk about EDR, they’re probably referring to a type of endpoint protection that includes EDR capabilities. Just keep in mind that EDR and endpoint protection are not one and the same. A flight data recorder can’t take control of the airplane and avert disaster during a crash scenario. Likewise, EDR alone isn’t enough to stop a cyberattack without integrated antivirus, anti-malware, anti-exploit, and other threat mitigation capabilities.
How does EDR work?
Endpoint detection and response is broadly defined by four types of capability.
Endpoint management. This refers to EDR’s ability to be deployed on an endpoint, record endpoint data, then store that data in a separate location for analysis now or in the future. EDR can be deployed as a standalone program or included as part of a comprehensive endpoint protection solution. The latter has the added benefit of combining multiple capabilities into a single endpoint agent and offering a single pane of glass through which admins can manage the endpoint.
Data analysis. EDR is able to interpret raw telemetry from endpoints and produce endpoint metadata human users can use to determine how a previous attack went down, how future attacks might go down, and actions that can be taken to prevent those attacks.
Threat hunting. EDR lets analysts search the recorded telemetry for programs, processes, and files matching known indicators of malware, and for behavior that looks suspicious even when nothing matches a signature. Threat hunting also includes the ability to search all open network connections for potential unauthorized access.
Incident response. This refers to EDR’s ability to capture images of an endpoint at various times and re-image or rollback to a previous good state in the event of an attack. EDR also gives administrators the option to isolate endpoints and prevent further spread across the network. Remediation and rollback can be automated, manual, or a combination of the two.
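The four capabilities above, run end to end over a handful of constructed telemetry events, as an added example that is not code from the original page or from any EDR product. The event records, the indicator lists (KNOWN_BAD_HASHES, KNOWN_BAD_IPS), the rule names, and the isolate/alert thresholds are all assumptions made for the illustration; a real agent would stream far richer data to a central store and load indicators from threat intelligence.

```python
"""Toy EDR loop: record telemetry, derive process metadata, hunt, respond."""
from collections import defaultdict

# Constructed endpoint telemetry (assumed format, not from any real agent).
# ws-01: explorer -> winword -> powershell, then a connection to a known-bad IP.
# ws-02: benign svchost talking to an ordinary HTTPS destination.
# ws-03: a binary whose hash is on the indicator list.
# ws-04: a connection on an unusual port, but to no known-bad destination.
EVENTS = [
    {"ts": 1, "type": "process", "host": "ws-01", "pid": 100, "ppid": 1,
     "image": "explorer.exe", "sha256": "11aa"},
    {"ts": 2, "type": "process", "host": "ws-01", "pid": 200, "ppid": 100,
     "image": "winword.exe", "sha256": "22bb"},
    {"ts": 3, "type": "process", "host": "ws-01", "pid": 300, "ppid": 200,
     "image": "powershell.exe", "sha256": "33cc"},
    {"ts": 4, "type": "network", "host": "ws-01", "pid": 300,
     "dst": "203.0.113.7", "dport": 4444},
    {"ts": 5, "type": "process", "host": "ws-02", "pid": 400, "ppid": 1,
     "image": "svchost.exe", "sha256": "44dd"},
    {"ts": 6, "type": "network", "host": "ws-02", "pid": 400,
     "dst": "192.0.2.10", "dport": 443},
    {"ts": 7, "type": "process", "host": "ws-03", "pid": 500, "ppid": 1,
     "image": "updater.exe", "sha256": "deadbeef"},
    {"ts": 8, "type": "process", "host": "ws-04", "pid": 600, "ppid": 1,
     "image": "backup.exe", "sha256": "55ee"},
    {"ts": 9, "type": "network", "host": "ws-04", "pid": 600,
     "dst": "198.51.100.5", "dport": 8443},
]

# Hypothetical indicators, standing in for a threat-intel feed.
KNOWN_BAD_HASHES = {"deadbeef"}
KNOWN_BAD_IPS = {"203.0.113.7"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
COMMON_PORTS = {80, 443}


def build_process_tree(events):
    """Endpoint management step: index process-start events per host by pid
    so later analysis can walk parent/child relationships."""
    tree = defaultdict(dict)
    for ev in events:
        if ev["type"] == "process":
            tree[ev["host"]][ev["pid"]] = ev
    return tree


def ancestry(tree, host, pid):
    """Data analysis step: derive the chain of images that led to pid
    (root first). Stops at an unknown parent or a cycle."""
    chain, seen, procs = [], set(), tree[host]
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def hunt(events):
    """Threat hunting step: run four example rules over the telemetry and
    return one finding per match, in event order."""
    tree = build_process_tree(events)
    findings = []

    def add(ev, rule, severity, detail):
        findings.append({"host": ev["host"], "pid": ev["pid"], "rule": rule,
                         "severity": severity, "detail": detail})

    for ev in events:
        if ev["type"] == "process":
            if ev["sha256"] in KNOWN_BAD_HASHES:
                add(ev, "known_bad_hash", "high",
                    f"{ev['image']} sha256={ev['sha256']}")
            chain = ancestry(tree, ev["host"], ev["pid"])
            # An Office app anywhere above a script host is a classic
            # macro-dropper pattern that no file hash would catch.
            if ev["image"] in SCRIPT_HOSTS and OFFICE_APPS & set(chain[:-1]):
                add(ev, "office_spawns_script_host", "high", " > ".join(chain))
        elif ev["type"] == "network":
            owner = tree[ev["host"]].get(ev["pid"], {}).get("image", "?")
            where = f"{owner} -> {ev['dst']}:{ev['dport']}"
            if ev["dst"] in KNOWN_BAD_IPS:
                add(ev, "known_bad_destination", "high", where)
            if ev["dport"] not in COMMON_PORTS:
                add(ev, "unusual_port", "medium", where)
    return findings


def respond(findings):
    """Incident response step: one action per affected host. Any high-severity
    finding isolates the host from the network; medium findings only alert."""
    actions = {}
    for f in findings:
        if f["severity"] == "high":
            actions[f["host"]] = "isolate"
        else:
            actions.setdefault(f["host"], "alert")
    return actions


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['host']} {f['severity']:6} {f['rule']}: {f['detail']}")
    print(respond(hunt(EVENTS)))
```

Note that ws-01 is flagged by a behavioral rule (Office spawning PowerShell) before any indicator matches, which is the kind of detection a pure signature scanner misses, and that ws-02 produces no finding at all: the point of keeping the telemetry is that an analyst can still go back and inspect it later.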
What is the difference between EDR and antivirus?
Before going into the difference between EDR and antivirus, let’s get our definitions straight. We know EDR is a kind of endpoint protection that leverages endpoint data and the things we learn from that data as a bulwark against future infection—so what is antivirus?
Malwarebytes Labs defines antivirus as “an antiquated term used to describe security software that detects, protects against, and removes malware.” In that sense, “antivirus” is a bit of a misnomer. Yes, antivirus stops computer viruses, but it also stops modern threats like ransomware, adware, and Trojans. The more modern term “anti-malware” attempts to bring the terminology up to date with what the technology actually does; i.e., stop malware. People tend to use the two terms interchangeably. For the purposes of this article, we’ll use the more modern term and just call it “anti-malware.”
Now, to understand the difference between EDR and anti-malware we have to look at the use cases. On one hand you have off-the-shelf anti-malware designed for the consumer looking to protect a few personal devices (like a smartphone, laptop, and tablet) on their home network.
On the other hand you have EDR for the business user, protecting hundreds, potentially thousands of endpoint devices. Devices can be a mixture of work-owned and employee-owned (BYOD). And employees may be connecting to the company network from any number of potentially insecure public WiFi hotspots.
When it comes to threat analysis, the typical consumer only wants to know that their devices are protected. Reporting doesn’t extend much beyond how many threats and what kinds of threats were blocked in a given span of time. That’s not enough for a business user.
Security admins need to know “What happened on my endpoints previously and what’s happening on my endpoints right now?” Anti-malware isn’t great at answering these questions, but this is where EDR excels.
At any given moment, EDR is a window into the day-to-day functions of an endpoint. When something happens outside the norm, admins are alerted, presented with the data, and given a number of options; e.g., isolate the endpoint, quarantine the threat, or remediate.
Why do companies need EDR?
According to Malwarebytes Labs’ 2020 State of Malware Report, attacks on businesses went up 13 percent from 2018 to 2019. During that same time, consumer attacks actually went down two percent. Cybercriminals are moving away from piecemeal attacks on consumers, instead focusing their efforts on not just businesses, but educational institutions and government entities as well.
The biggest threat at the moment is ransomware. Ransomware detections on business networks are at an all-time high, due largely to the Ryuk, Phobos, GandCrab, and Sodinokibi ransomware strains. Not to mention Trojans like Emotet, which carry secondary ransomware payloads. And it’s not just the big name, Fortune 500 companies getting hit. Organizations of all sizes are being targeted by cybercriminal gangs, lone wolf threat actors, hacktivists, and state-sponsored hackers looking for big scores from companies with caches of valuable data on their networks. Again, it’s the value of the data, not the size of the company. Local governments, schools, hospitals, and managed service providers (MSPs) are just as likely to be the victim of a data breach or ransomware infection.
Consider the average cost of a data breach. The 2019 IBM “Cost of a Data Breach Report” puts the number at $3.92 million. In the US the number is even higher at $8.19 million.
With this sobering data in mind, endpoint protection like Malwarebytes Endpoint Protection and Response is crucial to protecting your endpoints, your employees, your data, the customers you serve, and your business from a dangerous array of cyberthreats and the damage they can cause.