What is EDR? Should it Be Part of Your Security Program?


Over the past few years, how many times have you been told you need another security solution (e.g. “EDR” or another endpoint protection product)?

There seems to be a new product released every month, and it’s almost impossible to keep on top of how these new solutions can help your organization. One of the latest products getting a lot of attention is “EDR”, or Endpoint Detection and Response. You’re probably asking yourself: what is this, and why do I need yet another endpoint agent to protect me? Why can’t it all be done in one product?

Bottom line – Endpoint Detection and Response is important and you should seriously consider implementing one of these platforms for a few different reasons.

So what is Endpoint Detection and Response (EDR)?

The premise behind most EDR systems is as follows:

  1. Track all actions taken on the endpoint. This includes all files opened, all executables run, all ports opened, all network traffic flows, and a host of additional data points on how programs interact with the endpoint and the local infrastructure.
  2. Evaluate all of these data points, using AI and behavioural analysis technologies as well as known signatures, to find bad behaviour.
  3. Provide a means of quickly finding malicious activity across multiple hosts to stop propagation.
  4. Add threat hunting tools to the environment for use by forensic, security and audit teams.
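To make the four points concrete, here is a small added illustration (not code from the original post or from any EDR vendor) of the pipeline they describe: constructed endpoint telemetry is evaluated with a signature rule and a behavioural rule, and the resulting indicator is then hunted across every host. All host names, image names and hash values are made-up sample data.

```python
# Added example of the EDR premise: collect telemetry, evaluate it with
# signatures plus behavioural rules, then hunt one indicator across hosts.
# Every event, host name and hash below is a constructed sample value.
from collections import namedtuple

Event = namedtuple("Event", "host kind parent image sha256 dest_port")

# Constructed telemetry: process-start and network-connection events.
TELEMETRY = [
    Event("ws-01", "process", "explorer.exe", "winword.exe", "aaa111", None),
    Event("ws-01", "process", "winword.exe", "powershell.exe", "bbb222", None),
    Event("ws-01", "network", "powershell.exe", None, None, 8443),
    Event("ws-02", "process", "explorer.exe", "chrome.exe", "ccc333", None),
    Event("ws-03", "process", "outlook.exe", "cmd.exe", "ddd444", None),
    Event("ws-03", "process", "cmd.exe", "dropper.exe", "bad999", None),
    Event("ws-04", "process", "svchost.exe", "dropper.exe", "bad999", None),
]

# Signature layer: hashes already known to be malicious (placeholder values).
KNOWN_BAD_SHA256 = {"bad999"}
# Behavioural layer: document and mail clients should not spawn shells.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def evaluate(events):
    """Return (host, rule, detail) alerts for every event matching a rule."""
    alerts = []
    for e in events:
        if e.kind != "process":
            continue  # only process events feed these two rules
        if e.sha256 in KNOWN_BAD_SHA256:
            alerts.append((e.host, "signature", e.image))
        if e.parent in OFFICE_APPS and e.image in SHELLS:
            alerts.append((e.host, "office-spawns-shell", f"{e.parent}->{e.image}"))
    return alerts


def hunt(events, sha256):
    """Cross-host hunt: every host on which the given hash was executed."""
    return sorted({e.host for e in events if e.sha256 == sha256})


def affected_hosts(events):
    """Hosts with at least one alert: the set an analyst would isolate first."""
    return sorted({host for host, _, _ in evaluate(events)})


if __name__ == "__main__":
    for alert in evaluate(TELEMETRY):
        print(alert)
    print("hosts that ran bad999:", hunt(TELEMETRY, "bad999"))
```

The signature rule alone would miss ws-01, where nothing known-bad ran but Word spawned PowerShell; the hunt step is what point 3 above calls finding the same activity on ws-04 before it spreads further.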

How Do EDR Solutions Benefit your Organization?

The aspects of EDR outlined above increase awareness and provide more information to the security pros monitoring the environment. They also reduce the time to remediate by adding tools to perform manual interactions and to automate remediation across the entire endpoint pool simultaneously.

The reality is that even when there are many protections in place on an endpoint, attackers are still constantly trying to circumvent them. So even with advanced technologies in place, a machine can still get compromised.

How Does it Differ from Typical Antivirus Solutions?

EDR tools add an additional layer that provides increased visibility. These tools identify compromised systems faster than traditional endpoint protections, in many cases in real time.

EDR solutions reduce overall incident response times and allow inoculation of uncompromised systems in real time as events are unfolding. EDR is also important because many network-based tools do not have visibility into east-west traffic on the network without a large investment in hardware.

In the long run, these tools will help protect your users and corporate assets from attacks.

These solutions add a very important layer to the existing security on your endpoints. Having a managed EDR solution also removes the need to build the additional in-house expertise required to run the platform, and it provides threat hunting capabilities that would normally require a huge investment in security personnel.

Leveraging a security company to manage the EDR solution will increase the efficacy of the investment. Your organization can take advantage of not only additional expertise but also the combined observations of multiple installed EDR deployments, allowing you to benefit from an attack that is happening to someone else. This provides inoculation for your endpoints before someone makes a mistake and clicks that really bad link.

Author Spotlight: Huw Evans, Security Manager

Huw Evans has led IT Weapons Security initiatives for over ten years, and is an expert in cutting-edge information security services, including penetration testing and vulnerability assessments. Huw created ITW’s Security Consulting practice, and currently heads internal security standards, including policies, procedures, technologies and change management procedures.