Endpoint Detection and Response: A New Wave in Security?
Endpoint detection and response, usually abbreviated as EDR, has dominated cybersecurity news feeds over the past few weeks. Palo Alto, ESET, CrowdStrike, and Cylance have all announced new endpoint detection and response solutions, made major purchases with such solutions in mind, or have upgraded their current EDR offerings.
The flurry of headlines concerning EDR may have something to do with the RSA Conference—one of the largest cybersecurity conferences in the world—taking place this week. But that so many endpoint protection platform providers are innovating or making market decisions in a similar direction raises new questions. Why the sudden emphasis on endpoint detection and response from endpoint security vendors? Is this the start of an EDR revolution? And how will this change the endpoint protection platform market?
What is Endpoint Detection and Response?
Endpoint detection and response, a term first coined by Anton Chuvakin, is still a young technology that has not quite reached maturity. It is best described as the endpoint security counterpart to SIEM: a solution that focuses on threat detection, investigation, and mitigation on enterprise endpoints and networks.
Endpoint detection and response’s main focus is improving IT security teams’ visibility into relevant endpoints and providing continuous monitoring, but that is only the tip of the iceberg of what EDR includes. Many solutions also provide:
- Endpoint data aggregation
- Endpoint data correlation
- Centralized reporting and alerting
- Behavioral analysis similar to UEBA
- Centralized data search
- Forensic investigations
- Whitelisting and blacklisting for users and entities
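To make the capabilities in that list concrete, here is an added example (not code from the article or from any vendor it names) of a toy EDR-style pipeline in Python: it aggregates constructed endpoint telemetry per host, applies a learned parent/child process baseline as a simple behavioural check, honours a user allow-list, correlates anomalies on one host within a time window before raising a single central alert, and offers a search function over the stored events. The event format, the baseline, the 60-second window and the two-hit threshold are all assumptions chosen for the illustration, not properties of any real product.

```python
"""Toy EDR-style pipeline: aggregate, baseline, allow-list, correlate, alert, search.

Added illustration only; the telemetry, baseline and thresholds below are
constructed for the example and do not come from any real endpoint agent.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values)
    host: str      # reporting endpoint
    user: str      # account the process ran as
    parent: str    # parent process image name
    child: str     # spawned process image name


# Constructed sample telemetry from three endpoints (not real data).
EVENTS: List[Event] = [
    Event(100, "ws-01", "alice", "explorer.exe", "outlook.exe"),
    Event(105, "ws-01", "alice", "outlook.exe", "winword.exe"),
    Event(110, "ws-01", "alice", "winword.exe", "cmd.exe"),
    Event(112, "ws-01", "alice", "cmd.exe", "net.exe"),
    Event(200, "ws-02", "bob", "explorer.exe", "winword.exe"),
    Event(205, "ws-02", "bob", "winword.exe", "cmd.exe"),
    Event(300, "srv-01", "svc-backup", "services.exe", "backup.exe"),
    Event(305, "srv-01", "svc-backup", "backup.exe", "cmd.exe"),
]

# Behavioural baseline: parent->child pairs seen during a (constructed)
# learning period. Anything outside this set counts as an anomaly.
BASELINE: Set[Tuple[str, str]] = {
    ("explorer.exe", "outlook.exe"),
    ("explorer.exe", "winword.exe"),
    ("outlook.exe", "winword.exe"),
    ("services.exe", "backup.exe"),
}

# Entity allow-list: accounts whose activity is pre-approved and never alerted.
ALLOWLIST_USERS: Set[str] = {"svc-backup"}


def aggregate_by_host(events: List[Event]) -> Dict[str, List[Event]]:
    """Endpoint data aggregation: group events per host, oldest first."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    return {h: sorted(evs, key=lambda e: e.ts) for h, evs in by_host.items()}


def is_anomalous(ev: Event, baseline: Set[Tuple[str, str]]) -> bool:
    """Behavioural check: is this parent/child pair outside the learned baseline?"""
    return (ev.parent, ev.child) not in baseline


def correlate(events: List[Event], baseline: Set[Tuple[str, str]],
              allowlist_users: Set[str], window: int = 60,
              min_hits: int = 2) -> List[dict]:
    """Correlate anomalies per host and emit one alert per cluster.

    A lone anomaly is recorded but not alerted (it is usually noise); a host
    that shows `min_hits` or more anomalies within `window` seconds gets one
    central alert carrying the whole observed chain.
    """
    alerts: List[dict] = []
    for host, evs in aggregate_by_host(events).items():
        anomalies = [e for e in evs
                     if e.user not in allowlist_users and is_anomalous(e, baseline)]
        i = 0
        while i < len(anomalies):
            first = anomalies[i]
            group = [e for e in anomalies[i:] if e.ts - first.ts <= window]
            if len(group) >= min_hits:
                alerts.append({
                    "host": host,
                    "user": first.user,
                    "first_ts": first.ts,
                    "chain": [(e.parent, e.child) for e in group],
                    "severity": "high" if len(group) >= 3 else "medium",
                })
            i += len(group)
    return alerts


def search(events: List[Event], host: Optional[str] = None,
           process: Optional[str] = None) -> List[Event]:
    """Centralised search over stored telemetry for investigation."""
    return [e for e in events
            if (host is None or e.host == host)
            and (process is None or process in (e.parent, e.child))]


if __name__ == "__main__":
    for alert in correlate(EVENTS, BASELINE, ALLOWLIST_USERS):
        print(alert)
    print(search(EVENTS, process="cmd.exe"))
```

Run as written, the pipeline raises exactly one alert, for ws-01, because that host shows two out-of-baseline process launches within the window; ws-02 shows a single anomaly and is kept for later search rather than alerted, and srv-01 is suppressed entirely by the allow-list. The point of the grouping step is the noise problem discussed later in the article: alerting on every individual anomaly is what makes EDR, like SIEM, expensive to triage.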
Why the Sudden EDR Explosion?
Why now are endpoint detection and response solutions the fashion among endpoint security vendors? The answer may lie somewhere between utility and brand identity concerns.
Endpoint protection platforms have many components and tools integrated into each individual solution. However, the public perception and the most technical innovations emphasize the preventative aspect of endpoint security. There is a historical precedent for this focus: in the earliest days of cybersecurity, preventing viruses, worms, and trojans from entering your network was all there was to staying safe. CEOs today, possibly remembering those simpler times, still look to endpoint security as the end-all and be-all of their enterprise’s digital security.
But those days are over. While prevention is still a vital component of any cybersecurity strategy, experts note that digital threats such as fileless malware, advanced persistent threats, and targeted malware attacks have evolved to bypass or subvert traditional endpoint security controls. In other words, there is no way to outright prevent 100% of the threats trying to infiltrate your enterprise’s endpoints, even with an advanced endpoint security solution.
Endpoint detection and response is designed specifically to stop advanced persistent threats and fileless malware: it provides visibility into potentially infected endpoints so that threats can be detected and the damage limited. It can be considered a failsafe for traditional endpoint security, investigating where the normal gatekeepers may have slipped up.
That covers utility, but what about brand identity? Technology research firm Gartner, in their 2018 Endpoint Protection Platform (EPP) Magic Quadrant report, stated that maturity of the EPP market has contributed to an identity problem among vendors; they all offer such similar capabilities in their solutions that it can be hard for any of them to stand out in the market. The mass adoption of endpoint detection and response may represent attempts by solution providers to carve out a distinct market niche for themselves and boost their brand.
Why Not Next Generation Anti-Virus?
Next Generation Antivirus (NGAV) is often hailed as the logical next step up from antivirus, but it doesn’t have a set definition or inherent tools like EDR does, so it can be hard for enterprises to determine its effectiveness or its relevance to their digital security needs. NGAV also tends to lack the correlation and behavioral analysis capabilities of endpoint detection and response, as it still prioritizes prevention rather than detection.
NGAV may be a powerful and necessary tool for many enterprises, but it doesn’t solve the core issues motivating mass EDR adoption: holes in preventative security and visibility on corporate endpoints.
Drawbacks to Endpoint Detection and Response
EDR is not an end-all and be-all cybersecurity solution (no cybersecurity solution is). It functions best as a supplement to traditional endpoint security, SIEM, and Data Loss Prevention solutions.
Further, many enterprises have found that EDR resembles SIEM in a less flattering way: it also tends to generate false positives and to be generally noisy, which can demand a major time investment from your IT security team. It can be outright difficult to deploy and manage properly, so it is certainly a weighty investment that can stretch your IT resources thin.
But with so many solution providers investing in endpoint detection and response, it might be time to start considering it for your enterprise.