What is Endpoint Detection and Response (EDR)?
Stop malware, ransomware, and other cyberattacks targeting your business. Discover easy-to-use Malwarebytes Endpoint Detection and Response (EDR) Security.
What is endpoint detection and response (EDR)?
Endpoint detection and response (EDR) is a form of endpoint protection that uses data collected from endpoint devices to understand how cyberthreats behave and the ways that organizations respond to cyberthreats. While some forms of endpoint protection are focused purely on blocking threats, endpoint detection and response attempts a more holistic approach. Through continuous endpoint monitoring and rigorous data analysis businesses can gain a better understanding of how one threat or another infects an endpoint and the mechanisms by which it spreads across a network. Instead of remediating threats offhand, organizations can use the insights gained via EDR tools to harden security against future attacks and reduce dwell time for a potential infection.
Think of EDR security as a flight data recorder for your endpoints. During a flight, the so-called “black box” records dozens of data points; e.g., altitude, air speed, and fuel consumption. In the aftermath of a plane crash, investigators use the data from the black box to determine what factors may have contributed to the plane crash. In turn, these contributing factors are used to prevent similar crashes in the future. Likewise, endpoint telemetry taken during and after a cyberattack (e.g., processes running, programs installed, and network connections) can be used to prevent similar attacks.
The term “endpoint threat detection and response” was coined by noted author and cybersecurity expert Anton Chavukin as a way of calling out “tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.”
Nowadays, the term has been shortened to just “endpoint detection and response.” When people talk about EDR cyber security, they’re probably referring to a type of endpoint protection that includes EDR capabilities. Just keep in mind the two terms are not one in the same. A flight data recorder can’t take control of the airplane and avert disaster during a crash scenario. Likewise, EDR alone isn’t enough to stop a cyberattack without integrated antivirus, anti-malware, anti-exploit, and other threat mitigation capabilities. Outsourced cybersecurity services like Managed Detection and Response (MDR) security, can help your IT security team keep up with high volumes of alerts generated by EDR.
Visit Malwarebytes Labs Blog for Business to learn more about the differences between MDR vs EDR and tips for choosing the right detection and response tool for your business.
How does EDR work?
Endpoint detection and response is broadly defined by three types of behavior.
Endpoint management
This refers to EDR’s ability to be deployed on an endpoint, record endpoint data, then store that data in a separate location for analysis now or in the future. EDR can be deployed as a standalone program or included as part of a comprehensive endpoint security solution. The latter has the added benefit of combining multiple capabilities into a single endpoint agent and offering a single pane of glass through which admins can manage the endpoint.
Data analysis
EDR technology can interpret raw telemetry from endpoints and produce endpoint metadata (or cyber threat intelligence) human users can use to determine how a previous attack went down, how future attacks might go down, and actions that can be taken to prevent those attacks.
Threat hunting
EDR scans for programs, processes, and files matching known parameters for malware. Threat hunting also includes the ability to search all open network connections for potential unauthorized access.
Incident response
Incident response refers to EDR’s ability to capture images of an endpoint at various times and re-image or rollback to a previous good state in the event of an attack. EDR also gives administrators the option to isolate endpoints and prevent further spread across the network. Remediation and rollback can be automated, manual, or a combination of the two.
“Think of EDR as a flight data recorder for your endpoints. During a flight, the so-called “black box” records dozens of data points; e.g., altitude, air speed, and fuel consumption. In the aftermath of a plane crash, investigators use the data from the black box to determine what factors may have contributed to the plane crash … Likewise, endpoint telemetry taken during and after a cyberattack (e.g. processes running, programs installed, and network connections) can be used to prevent similar attacks.”
DEMO
Malwarebytes Endpoint Detection and Response (EDR)
Expand visibility across your business attack surfaces with Malwarebytes EDR backed by proven detection results in the 2022 MITRE ATT&CK ENGENUITY Evaluation. Keep your organization’s endpoints secure from modern threats and prevent unwanted attacks.
What is the difference between EDR and antivirus?
Before going into the difference between EDR and antivirus, let’s get our definitions straight. We know EDR is a kind of endpoint protection that leverages endpoint data and the things we learn from that data as a bulwark against future infection—so what is antivirus?
Antivirus vs anti-malware
Malwarebytes Labs defines antivirus as “an antiquated term used to describe security software that detects, protects against, and removes malware.” In that sense, “antivirus” is a bit of a misnomer. Antivirus stops computer viruses, but it can also stop modern threats like ransomware, adware, and Trojans as well. The more modern term “anti-malware” attempts to bring the terminology up to date with what the technology actually does; i.e., stop malware. People tend to use the two terms interchangeably. For the purposes of this article, we’ll use the more modern term and just call it “anti-malware.”
EDR vs anti-malware
Now, to understand the difference between EDR and anti-malware we have to look at the use cases. On one hand you have off the shelf anti-malware designed for the consumer looking to protect a few personal devices (like a smartphone, laptop, and tablet) on their home network.
On the other hand you have EDR for the business user, protecting hundreds, potentially thousands of endpoint devices. Devices can be a mixture of work-owned and employee-owned (BYOD). And employees may be connecting to the company network from any number of potentially unsecure public WiFi hotspots.
When it comes to threat analysis, the typical consumer only wants to know that their devices are protected. Reporting doesn’t extend much beyond how many threats and what kinds of threats were blocked in a given span of time. That’s not enough for a business user.
Security admins need to know “What happened on my endpoints previously and what’s happening on my endpoints right now?” Anti-malware isn’t great at answering these questions, but this is where EDR excels.
But what about EDR vs XDR vs MDR? Get to know their differences in our Malwarebytes Labs post. Understanding the challenges each threat detection and response tool can address helps your security team choose the cybersecurity technology best fit for your company.
Benefits of endpoint detection and response
At any given moment EDR is a window into the day-to-day functions of an endpoint. When something happens outside the norm, admins are alerted, presented with the data and given a number of options; e.g., isolate the endpoint, quarantine the threat, or remediate.
Malwarebytes Endpoint Detection and Response is a proven leader in the MITRE ATT&CK ENGENUITY 2022 Evaluations.
Your business relies on EDR products to detect threats that circumvent your security architecture’s outer layers. Our EDR security deploys within minutes to enhance your visibility across the attack surface, detect malicious threats, and provide enriched telemetry for incident response activities.
Why do companies need endpoint detection and response?
According to Malwarebytes Lab’s 2021 State of Malware Report, malware detections on Windows business computers decreased by 24% overall. Cybercriminals are moving away from piecemeal attacks on consumers, instead focusing their efforts on not just businesses, but educational institutions and government entities as well.
The biggest threat at the moment is ransomware. Ransomware detections on business networks are at an all-time high, due largely to the Ryuk, Phobos, GandCrab, and Sodinokibi ransomware strains. Not to mention Trojans like Emotet, which carry secondary ransomware payloads. And it’s not just the big name, Fortune 500 companies getting hit. Organizations of all sizes are being targeted by cybercriminal gangs, lone wolf threat actors, hacktivists, and state-sponsored hackers looking for big scores from companies with caches of valuable data on their networks. Again, it’s the value of the data, not the size of the company. Local governments, schools, hospitals, and managed service providers (MSPs) are just as likely to be the victim of a data breach or ransomware infection.
Consider the average cost of a data breach. The 2021 IBM “Cost of a Data Breach Report” puts the number at $4.24 million. In the US the number was $1.97 million higher where remote work played a role in prompting a breach.
With this sobering data in mind, endpoint protection like ThreatDown Endpoint Protection and Response, is crucial to protecting your endpoints, your employees, your data, the customers you serve, and your business from a dangerous array of cyberthreats and the damage they can cause.
Related articles
- Malwarebytes Evaluation of the MITRE ENGENUITY ATT&CK Round 4 Emulations
- What is the MITRE ATT&CK Framework?
- Why MITRE ATT&CK matters—Choosing alert quality over quantity
- The best test for an EDR solution is one that works for you
- Security pros agree about threats—convincing everyone else is the problem
- A zero-day guide for 2020: Recent attacks and advanced preventive techniques
- Explained: cloud-delivered security
- When endpoint detection and response (EDR) is not enough