Antivirus or antimalware protection is one of the essential elements of cybersecurity. The need to have something in place to detect and block or avoid malicious exploits is almost as old as the internet itself. Attackers develop innovative new tactics, techniques, and procedures designed to circumvent antimalware protection, which has led to the rise of endpoint detection and response—or EDR. So, what is endpoint detection and response and how does it differ from traditional antimalware?
The Need for EDR
The endpoints that connect to your networks and data are the front line in the ongoing battle against malicious exploits and compromise. The volume of endpoints—combined with the fact that humans tend to be involved and endpoints are more likely to interact directly with the internet and the outside world—makes them a prime target for attackers. Antimalware protection evolved and improved to a point where it can catch the vast majority of malicious executables—but there are still some threats that slip through. Attackers have also developed fileless or “living off the land” attacks that don’t rely on a malicious executable at all, so there is no file for a signature scanner to flag.
Antimalware software may work against 99 percent of attacks, but it doesn’t provide anything to help with the one percent that might slip through. Organizations need visibility into the system activities and events that take place on the endpoints. There has to be a way to monitor for suspicious or malicious activity on the endpoint and take appropriate action quickly.
Endpoint Threat Detection and Response
Former Gartner analyst (and my co-author on the book PCI Compliance) Anton Chuvakin struggled to classify the evolving endpoint protection tools and methods. In 2013, he coined a generic term for tools focused on detecting and investigating suspicious activities and other malicious issues on endpoints: Endpoint Threat Detection and Response (ETDR). In 2015, Gartner officially changed the reference to simply Endpoint Detection and Response, or EDR.
According to Gartner, there are four required elements that must exist for something to be considered an EDR solution:
- Detect security incidents
- Contain the incident at the endpoint
- Investigate security incidents
- Provide remediation guidance
EDR is a natural extension or evolution of traditional antimalware solutions—it’s just a more intelligent antimalware. If you think of your home as the endpoint, antimalware is the equivalent of having a lock on the door. It keeps out virtually anyone who isn’t authorized to enter your home—but it doesn’t keep out everyone. Someone might pick the lock or find a different way to slip inside your house—thereby circumventing the protection of your lock.
If you also have motion detectors and/or security cameras, though, that is similar to EDR for an endpoint. With motion detectors and cameras, you have the means to detect and identify when someone is in your home who shouldn’t be there, and you typically have the ability to go back and review earlier footage to determine exactly how the individual got in, and what they did or what they took while in your home.
EDR gives you similar capabilities for your endpoint devices. The vast majority of malicious threats will be detected and blocked from getting into the endpoint at all. For the attacks that manage to slip through, though, EDR monitors and logs all activity so you have total visibility and a complete record of what has occurred on the endpoint—which enables you to quickly identify security incidents and determine the remediation steps necessary to contain or remove the threat.
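To make the contrast concrete, here is an added toy model (not code from the original post or from any EDR product) of the two layers described above. A signature scan checks process images against a blocklist of known-bad hashes, which is the "lock on the door"; an EDR-style rule instead looks at the recorded process telemetry and flags a parent/child relationship that a fileless attack typically produces (an office application launching a script host), and the same telemetry lets an analyst walk the process tree backwards and forwards, the "review the earlier footage" step. The event stream, hostnames, hashes (derived from labelled strings rather than real samples) and the rule name `office-spawns-script-host` are all constructed for the example.

```python
"""Toy antimalware-vs-EDR model over a constructed process telemetry stream."""
import hashlib
from typing import Dict, List, Set


def fake_hash(label: str) -> str:
    """Constructed stand-in for a file hash; not the hash of any real binary."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed "signature database": the only known-bad hash in this toy.
KNOWN_BAD: Set[str] = {fake_hash("constructed-known-malware")}

# Constructed process-start telemetry for a single hypothetical workstation.
# pid 300 is the fileless case: no bad hash, but spawned by an office app.
# pid 400 is the classic case: a dropped executable whose hash is on the list.
EVENTS: List[Dict] = [
    {"ts": 1, "host": "ws01", "pid": 100, "ppid": 1, "image": "explorer.exe",
     "cmdline": "explorer.exe", "sha256": fake_hash("explorer")},
    {"ts": 2, "host": "ws01", "pid": 200, "ppid": 100, "image": "winword.exe",
     "cmdline": "winword.exe invoice.docx", "sha256": fake_hash("winword")},
    {"ts": 3, "host": "ws01", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -Command <script omitted>", "sha256": fake_hash("powershell")},
    {"ts": 4, "host": "ws01", "pid": 400, "ppid": 1, "image": "dropper.exe",
     "cmdline": "dropper.exe", "sha256": fake_hash("constructed-known-malware")},
    {"ts": 5, "host": "ws01", "pid": 500, "ppid": 300, "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami", "sha256": fake_hash("cmd")},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _by_pid(events: List[Dict]) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events}


def signature_scan(events: List[Dict], blocklist: Set[str]) -> List[int]:
    """Antimalware layer: flag any process whose image hash is known-bad."""
    return [e["pid"] for e in events if e["sha256"] in blocklist]


def behavioral_detect(events: List[Dict]) -> List[Dict]:
    """EDR layer: flag an office application spawning a script host.

    The hash of powershell.exe is clean, so only the recorded parent/child
    relationship reveals the suspicious activity.
    """
    index = _by_pid(events)
    alerts = []
    for e in events:
        parent = index.get(e["ppid"])
        if parent and parent["image"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
            alerts.append({"pid": e["pid"], "rule": "office-spawns-script-host",
                           "reason": f"{parent['image']} (pid {parent['pid']}) started {e['image']}"})
    return alerts


def process_lineage(events: List[Dict], pid: int) -> List[int]:
    """Investigate backwards: parent, grandparent, ... until the chain leaves the log."""
    index = _by_pid(events)
    chain, cur = [], index.get(pid)
    while cur is not None and cur["ppid"] in index:
        cur = index[cur["ppid"]]
        chain.append(cur["pid"])
    return chain


def process_descendants(events: List[Dict], pid: int) -> List[int]:
    """Investigate forwards: everything the flagged process went on to start."""
    out, frontier = [], [pid]
    while frontier:
        p = frontier.pop(0)
        for e in sorted(events, key=lambda ev: ev["ts"]):
            if e["ppid"] == p:
                out.append(e["pid"])
                frontier.append(e["pid"])
    return out


def triage(events: List[Dict], blocklist: Set[str]) -> Dict:
    """Detect -> contain: collect incidents from both layers and name hosts to isolate."""
    index = _by_pid(events)
    incidents = [{"pid": p, "source": "antimalware-signature"} for p in signature_scan(events, blocklist)]
    incidents += [{"pid": a["pid"], "source": "edr-behaviour", "rule": a["rule"]}
                  for a in behavioral_detect(events)]
    hosts = sorted({index[i["pid"]]["host"] for i in incidents})
    return {"incidents": incidents, "isolate_hosts": hosts}


if __name__ == "__main__":
    result = triage(EVENTS, KNOWN_BAD)
    for inc in result["incidents"]:
        pid = inc["pid"]
        print(f"pid {pid} via {inc['source']}: ancestors={process_lineage(EVENTS, pid)} "
              f"descendants={process_descendants(EVENTS, pid)}")
    print("hosts to isolate:", result["isolate_hosts"])
```

Run as a script, it shows that the signature layer only ever sees pid 400, while the behavioural layer catches pid 300 and the lineage functions reconstruct that it descends from a document opened in Word and went on to launch a shell. Real EDR agents record far more event types (file, registry, network) and apply many rules, but the shape is the same: the telemetry is what turns a missed detection into an investigable record.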