Endpoint Detection and Response (EDR) is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities.
When evaluating an EDR solution, be mindful of the features listed above as there is a lot of noise in the market. Antivirus software may appear to have many bells and whistles, but ultimately lacks some of the key functions above. And some of the EDR software vendors out there have multiple levels of products, the basic version of which may not have EDR features and is just antivirus software.
As we continue to see attacks get more sophisticated, we need our endpoint detection technology to do the same. Below, we’ll cover the differences in various endpoint technologies and why simple antivirus (AV) can’t really stack up with EDR when it comes to protecting your organization.
AV: Entry-level, minimal protection.
Next-Gen AV: The baseline level of protection we need to see at your organization.
EDR: The ideal technology for protecting your environment as a whole; what Corvus likes to see policyholders utilize.
MDR: An outsourced service that has the same capabilities as EDR, plus 24/7 managed services to monitor, eliminate, and remediate threats within your environment.
XDR: Protection that extends beyond the endpoint; provides advanced threat visibility into network traffic, cloud workloads, and email.
AV technology is most commonly used for personal computers, where it can be a useful tool for scanning systems and identifying malware. While some organizations still rely on it as their primary defense against malware, it typically can’t do enough to protect against the malware that businesses face today since it’s most effective with commodity and generic malware. It blocks the execution of files, and quarantines or deletes detected malicious files, but it really only meets a simple baseline of protection.
Next-Gen AV carries over all the components available in standard AV, plus enhanced capabilities to detect suspicious behaviors within the system. Using machine learning and artificial intelligence, it can learn the common behavior of the endpoint and better detect anomalous activity on it. With these enhanced protections, you're likely to see better detection of more advanced malware and better containment of the system if something is detected. A limitation, however, is that it focuses exclusively on the system it's installed on and can't see the larger picture of what is happening in the environment as a whole.
Everything that we've touched on with AV and Next-Gen AV applies to EDR, with even more capabilities to protect your endpoints. That said, we believe it's important to highlight that EDR is best used in conjunction with either a trained internal security team, a Managed Security Service Provider (MSSP), or Managed Detection and Response (MDR) to get the most out of it.
Something that EDR can provide (that AV/Next-Gen AV cannot) is “Flight Recorder” technology that tracks activity on the system before and after an alert to clearly identify what malicious activity occurred on the system. In a circumstance where you’ll have a forensic team involved, this information can be incredibly valuable for the investigation. Also, as opposed to the one-system nature of Next-Gen AV, EDR can provide insight into data from all of your systems, which creates a central viewpoint to provide better visibility and correlation across your entire environment.
Another bonus of EDR: If there’s a threat detected, it can isolate the potentially impacted system from the rest of the network until an investigator can review the system. Ultimately, EDR carries a lot of unmatched capabilities to protect your network’s endpoints — which is why we highlight it as such a key tool to mitigate risk at your organization.
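To make the "flight recorder" context, cross-host correlation, and isolation decision described above concrete, here is an added Python example (not Corvus', SentinelOne's, or CrowdStrike's code) that runs over constructed telemetry from three hosts; the event shapes, hostnames, and time window are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    host: str
    ts: datetime
    kind: str    # "process", "network" or "alert"
    detail: str  # process command line, destination, or alert name

# Constructed sample telemetry (not real data): three hosts, one alert on ws-01.
T0 = datetime(2024, 12, 10, 9, 0, 0)
EVENTS = [
    Event("ws-01", T0 + timedelta(seconds=5), "process", "outlook.exe"),
    Event("ws-01", T0 + timedelta(seconds=40), "process", "winword.exe invoice.docm"),
    Event("ws-01", T0 + timedelta(seconds=55), "process", "powershell.exe (child of winword.exe)"),
    Event("ws-01", T0 + timedelta(seconds=60), "alert", "suspicious script execution"),
    Event("ws-01", T0 + timedelta(seconds=90), "network", "203.0.113.7:443"),
    Event("ws-02", T0 + timedelta(seconds=300), "process", "winword.exe invoice.docm"),
    Event("ws-02", T0 + timedelta(seconds=320), "network", "203.0.113.7:443"),
    Event("ws-03", T0 + timedelta(seconds=400), "process", "chrome.exe"),
]

def flight_record(events, alert, before=30, after=60):
    """Events on the alerting host in a window around the alert, oldest first:
    the pre/post-alert context plain AV does not retain for investigators."""
    lo = alert.ts - timedelta(seconds=before)
    hi = alert.ts + timedelta(seconds=after)
    window = [e for e in events
              if e.host == alert.host and e is not alert and lo <= e.ts <= hi]
    return sorted(window, key=lambda e: e.ts)

def correlate(events, alert, record):
    """Map other hosts to the process/network details they share with the record.
    A real EDR console would also weigh how common each indicator is fleet-wide."""
    indicators = {e.detail for e in record if e.kind in ("process", "network")}
    hits = {}
    for e in events:
        if e.host != alert.host and e.detail in indicators:
            hits.setdefault(e.host, set()).add(e.detail)
    return hits

def hosts_to_contain(alert, hits):
    """Hosts to isolate from the network pending analyst review: the alerting
    host plus every host the correlation touched."""
    return sorted({alert.host, *hits})
```

With the sample data, the window around the ws-01 alert captures the document-to-script chain and the outbound connection, and correlation surfaces ws-02 as a second host to contain.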
While EDR is focused on protecting the endpoint, XDR takes a wider, holistic approach to protecting an environment. The key differentiator of XDR is that it integrates security across the environment's endpoints, cloud resources, email, and other solutions.
An XDR platform collects and correlates data from across an organization's infrastructure so it can improve threat visibility across the enterprise. This allows for efficient security operations to reduce risk. XDR analyzes, prioritizes and streamlines data from various sources so it can be delivered to security teams in a normalized format through a single, consolidated console.
Contact SentinelOne through Corvus’ Partner Link and receive a 30% discount with a 60-day free trial. SentinelOne works across Windows, Mac, and Linux OS and is very easy to implement.
Contact CrowdStrike through Corvus' Partner Link to receive a free trial and a substantial discount following the trial.