Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

What Is Endpoint Detection and Response (EDR)?

An endpoint detection and response (EDR) security operations solution detects threats across your environment. It investigates the entire lifecycle of the threat, providing insights into what happened, how it got in, where it has been, what it's doing now, and what to do about it. By containing the threat at the endpoint, the EDR helps eliminate the threat before it can spread. 

What is the difference between an endpoint protection platform (EPP) and endpoint detection and response (EDR)?

EDR focuses primarily on detecting advanced threats, those designed to evade front-line defenses and have successfully entered the environment. An EPP focuses solely on prevention at the perimeter. It is difficult, if not impossible, for an EPP to block 100 percent of threats. A holistic endpoint security solution deploys both EPP and EDR capabilities.

How can EDR help me?

More sophisticated threats that evade perimeter defenses can wreak havoc across your network. Ransomware encrypts sensitive data and holds it hostage from the organization until the financial ransom is collected. Meanwhile, malicious cryptomining sits stealthily on the network and exhausts your computing resources. An EDR capability can help you find, contain, and remove the threats fast so you can ensure the security of data on endpoints across your environment.

Why should I deploy an EDR solution?

Most EPP (or traditional anti-virus) solutions claim to block the majority of threats. But what about the stealthier threats that they miss? Having an EDR capability allows you to detect, investigate, and remediate modern threats that are advanced and persistent enough to evade traditional perimeter defenses.

What types of deployment and management are available to me?  

There are generally two types of EDR deployment and management: 

  • EDR deployed and managed directly by your security team
  • EDR deployed by your security team, security vendor, or security partner but managed by your security vendor or partner (also known as managed EDR). There are a number of advantages to having your security vendor or partner manage your EDR solution.
    See overview

What is managed endpoint detection and response (MEDR)?

MEDR solutions enable your security vendor or partner to manage and deliver EDR to your organization. These solutions are offered as a managed service, which means that your security vendor or partner deploys, operates, and supports your EDR. This often includes teams of cybersecurity experts who hunt down, investigate, and even remediate threats seen in your environment on your behalf. MEDR solutions can reduce detection and response times while allowing you to focus on the most important threats to your organization.

Key capabilities of endpoint detection and response

Detection

Threat detection is a foundational capability of an EDR capability. It is not a matter of whether an advanced threat will strike, rather it is a matter of when it will evade your front-line defenses. Upon entering your environment, you must be able to accurately detect the threat so you can contain, evaluate, and neutralize it. This is not an easy task when you're dealing with sophisticated malware that can be extremely stealthy and capable of morphing from a benign to a malicious state after crossing the point of entry.

With continuous file analysis, EDR will be able to flag offending files at the first sign of malicious behavior. If a file is deemed safe, but after a few weeks begins to exhibit cryptomining or ransomware activity, EDR will detect the file and the process of evaluation, analysis, with alert your organization for action.  

In addition to continuous file analysis, it is important to note that an EDR is only as good at detecting files as the cyberthreat intelligence that powers it. Cyberthreat intelligence leverages large-scale data, machine learning capabilities, and advanced file analysis to help detect threats. The greater the cyberthreat intelligence, the more likely it is your EDR solution will identify the threat. Without any cyberthreat intelligence, an EDR solution is ineffective.


Containment

After detecting a malicious file, EDR must be able to contain the threat. Malicious files aim to infect as many processes, applications, and users as possible. Segmentation can be a great defense within your data center to avoid lateral movement of advanced threats. Segmentation is helpful, but a robust EDR can help contain a malicious file before testing the edges of segmented areas of the network. Ransomware is a tremendous example of why you need to contain threats. Ransomware can be tricky to remove. Once it has encrypted information, your EDR needs to be able to fully contain ransomware to mitigate the damages. As an additional control, EDR provides the capability to network-isolate, preventing further encryption over the network.


Investigation

Once the malicious file has been detected and contained,  EDR should investigate. If the file snuck through the perimeter the first time, there is clearly a vulnerability. Maybe the threat intelligence team has never seen this kind of advanced threat before. Maybe a device or application is outdated and needs to be updated. Without proper investigative capabilities, your network will not gain insight into why a threat got through. As a result, your network is likely to experience these same threats and issues again.  EDR provides the type of per-incident review required to reveal these issues and prevent future exploitation via the same threat vector whenever possible.

In the investigative process, sandboxing is a critical capability. Sandboxing can be used at the perimeter, to help grant or deny access, but it can also be used effectively after the point of entry. Sandboxing is when the file is isolated into a simulated environment and tested and monitored.  EDR can provide sandboxing via integrated Cisco Secure Malware Analytics.

Within this simulated, isolated environment, EDR will try to determine the nature of the file without potentially risking the safety of the larger environment. In this process, EDR can understand the attributes and nature of this malicious file and learn from it. By fully assessing the file, EDR can communicate with the cyberthreat intelligence team that runs the EDR and adapt for future threats.


Elimination

The most obvious component of an EDR needs to be its ability to eliminate the threat. If you detect, contain, and investigate a threat, that is great. But if you cannot eliminate it, then basically you just continue on, knowing that your system is compromised. That is not acceptable. To properly eliminate threats, EDR needs exceptional visibility to answer such questions as:

  • Where did the file originate?
  • What different data and applications did this file interact with?
  • Has the file replicated?
  • Visibility is crucial for elimination. Being able to see the entire timeline of a file is crucial. It is not as easy as simply removing the file you have observed. When you eliminate the file, you likely may need to automatically remediate multiple parts of the network. For this reason, EDR should provide actionable data on the lifespan of the file. If the EDR has retrospective capabilities, this actionable data should be used to automatically remediate systems to their state prior to infection.

    Lastly, it is very important to understand that the best EDR solution combines both EPP and EDR capabilities. A true next-generation endpoint security solution protects at the perimeter (EPP) and continuously monitors within the environment (EDR) to provide and manage security throughout the entire lifespan of files.