What Is Endpoint Detection and Response (EDR)?

Endpoint detection and response (EDR) solutions detect threats across your environment, investigate the entire lifecycle of each threat, and provide insight into what happened, how it got in, where it has been, what it is doing now, and what to do about it. By containing the threat at the endpoint, EDR helps eliminate it before it can spread.

What is the difference between an endpoint protection platform (EPP) and endpoint detection and response (EDR)?

EDR focuses primarily on detecting advanced threats: those designed to evade front-line defenses and that have already entered the environment. An EPP focuses on prevention, blocking known-bad files and behavior on the endpoint itself before they can execute. It is difficult, if not impossible, for an EPP to block 100 percent of threats. A holistic endpoint security solution deploys both EPP and EDR capabilities.

How can EDR security help me?

Sophisticated threats that evade front-line defenses can wreak havoc across your network. Ransomware, for example, encrypts sensitive data and holds it hostage until a ransom is paid. An EDR solution helps you find, contain, and remove such threats quickly so you can keep the data on endpoints across your environment secure.

Why should I deploy an EDR solution?

Most EPP (or traditional antivirus) solutions claim to block the majority of threats. But what about the stealthier threats they miss? An EDR capability lets you detect, investigate, and remediate advanced threats that are sophisticated and persistent enough to evade traditional front-line defenses.

What types of deployment and management are available to me?

There are generally two types of EDR deployment and management:

  • EDR is deployed and managed directly by your security team
  • EDR is deployed and managed by your security vendor or security partner (also known as managed EDR). There are several advantages to having your security vendor or partner manage your EDR solution.

What is managed endpoint detection and response (mEDR)?

mEDR solutions enable your security vendor or partner to deliver and manage EDR for your organization. They are offered as a managed service: the vendor or partner deploys, operates, and supports your EDR solution. This often includes teams of cybersecurity experts who hunt for, investigate, and even remediate threats in your environment on your behalf. mEDR can reduce detection and response times while letting you focus on the threats that matter most to your organization.

Key capabilities of endpoint detection and response

Detection

Threat detection is a foundational capability of an EDR solution. It is not a matter of if an advanced threat will strike but when. Once a threat has entered your environment, you must be able to detect it accurately so you can contain, evaluate, and neutralize it. This is not an easy task with sophisticated malware that can be extremely stealthy and can switch from benign to malicious behavior after crossing the point of entry.

With continuous file analysis, EDR can flag an offending file at the first sign of malicious behavior. If a file is initially deemed safe but weeks later begins to exhibit ransomware activity, EDR detects it, starts evaluation and analysis, and alerts your organization to act.

It is also important to note that EDR is only as good at detecting malicious files as the threat intelligence that powers it. This intelligence draws on large-scale data, machine learning, and advanced file analysis to detect threats. The stronger your intelligence, the more likely your EDR solution is to identify the threat. Simply put, an EDR solution without threat intelligence would not provide adequate protection.


Containment

After detecting a malicious file, EDR must be able to contain the threat. Malicious files aim to infect as many processes, applications, and users as possible. Network segmentation is a strong defense within your data center against lateral movement of advanced threats, but a robust EDR solution can contain a malicious file before it even probes the boundaries of a segment. Ransomware is a prime example of why containment matters: it can be hard to remove, and the longer it keeps running the more data it encrypts, so your EDR tool must be able to contain it fully to limit the damage. As an additional control, EDR can isolate a compromised endpoint from the network, preventing it from encrypting files on other systems over the network.


Investigation

Once the malicious file has been detected and contained, EDR should investigate the incident. If the file got past front-line defenses on the first try, there is a gap somewhere. Perhaps the threat intelligence team has never seen this kind of advanced threat before, or a device or application is outdated and needs patching. Without proper investigative capabilities, your security team will not learn how the threat got in, and your network is likely to see the same threats and issues again. EDR provides the per-incident review needed to reveal these gaps and prevent future exploitation via the same threat vector.

Sandboxing is another critical investigative capability. It can be used at the point of entry to help decide whether a file is allowed in, but it is equally effective after entry. Sandboxing isolates the file in a simulated environment where it is executed and monitored. EDR can provide sandboxing through integrated Cisco Secure Malware Analytics.

Within this isolated environment, EDR tries to determine the nature of the file without risking the safety of the wider environment. In the process, it learns the attributes and behavior of the malicious file and adapts to defend better against future threats.


Elimination

The most obvious requirement of an EDR is the ability to eliminate the threat. Detecting, containing, and investigating a threat is a good start, but if you cannot eliminate it, you are left operating a system you know to be compromised. To eliminate threats properly, EDR needs exceptional visibility to answer questions such as:

  • Where did the file originate?
  • What data and applications did this file interact with?
  • Has the file replicated?

Visibility is crucial for elimination. Being able to see the entire timeline of a file is key. It is not as simple as removing the one file you observed: eliminating it may require remediating multiple parts of the network. For this reason, an EDR solution should provide actionable data on the lifespan of the file. If an EDR tool has retrospective capabilities, that data should be used to automatically return affected systems to their state prior to infection.
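As an added example (not Cisco's code, and not code from this page), the following Python sketch shows how the three capabilities above look in practice over endpoint telemetry: retrospective detection when a file's verdict flips from clean to malicious after it has already been seen (the Detection section), the set of endpoints to isolate (Containment), and the file trajectory that answers the three elimination questions. The event schema, the shortened hashes, host names, paths and addresses are all constructed for illustration.

```python
"""Retrospective detection, containment and file trajectory over endpoint telemetry.

Added example (not Cisco's or the page's code). The event schema, hashes,
host names, paths and addresses below are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed)
    host: str      # endpoint that reported the event
    action: str    # download | exec | write | net | copy
    sha256: str    # shortened, constructed hash of the file involved
    detail: str    # origin URL, parent process, target path or remote address


# Constructed telemetry: file "aa11" arrives on ws-01 by download, runs,
# touches a document, beacons out, copies itself to ws-02 and runs there.
# File "bb22" is an unrelated, benign file on ws-03.
TELEMETRY = [
    Event(1000, "ws-01", "download", "aa11", "https://example.invalid/update.exe"),
    Event(1010, "ws-01", "exec", "aa11", "parent=outlook.exe"),
    Event(1020, "ws-01", "write", "aa11", r"C:\Users\alice\Documents\q3.xlsx"),
    Event(1030, "ws-01", "net", "aa11", "198.51.100.7:443"),
    Event(1040, "ws-01", "copy", "aa11", r"\\ws-02\C$\Windows\Temp\update.exe"),
    Event(1100, "ws-02", "exec", "aa11", "parent=services.exe"),
    Event(1110, "ws-02", "write", "aa11", r"C:\Finance\ledger.db"),
    Event(1000, "ws-03", "exec", "bb22", "parent=explorer.exe"),
]

# Verdicts at the time the files were first seen: both looked clean.
INITIAL_DISPOSITION = {"aa11": "clean", "bb22": "clean"}
# Later threat-intelligence update: aa11 is now known ransomware.
UPDATED_DISPOSITION = {"aa11": "malicious", "bb22": "clean"}


def retrospective_alerts(events, old, new):
    """Detection: files whose verdict flipped to malicious after they were
    already observed. Returns (sha256, host, first_seen_ts), one per host."""
    flipped = {h for h, v in new.items()
               if v == "malicious" and old.get(h) != "malicious"}
    first_seen = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.sha256 in flipped:
            first_seen.setdefault((e.sha256, e.host), e.ts)
    return sorted((h, host, ts) for (h, host), ts in first_seen.items())


def trajectory(events, sha256):
    """Elimination: where the file came from, what it touched, whether it
    replicated and where it ran, plus the ordered timeline of its events."""
    ev = sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.ts)
    executed_on = []
    for e in ev:
        if e.action == "exec" and e.host not in executed_on:
            executed_on.append(e.host)
    return {
        "origin": next((e.detail for e in ev if e.action == "download"), None),
        "touched": [e.detail for e in ev if e.action == "write"],
        "copies": [e.detail for e in ev if e.action == "copy"],
        "executed_on": executed_on,
        "timeline": [(e.ts, e.host, e.action) for e in ev],
    }


def hosts_to_isolate(events, sha256):
    """Containment: every endpoint where the file ran or wrote data."""
    return sorted({e.host for e in events
                   if e.sha256 == sha256 and e.action in ("exec", "write")})


if __name__ == "__main__":
    for sha, host, ts in retrospective_alerts(TELEMETRY, INITIAL_DISPOSITION, UPDATED_DISPOSITION):
        print(f"retrospective alert: {sha} seen on {host} at t={ts}")
    print("isolate:", hosts_to_isolate(TELEMETRY, "aa11"))
    t = trajectory(TELEMETRY, "aa11")
    print("origin:", t["origin"])
    print("executed on:", t["executed_on"], "copies:", t["copies"])
```

The point of the retrospective pass is that the alert fires for ws-02 even though nothing new happened there: the only change was the verdict on a hash already in the telemetry, which is exactly the "safe for weeks, then reclassified" case the Detection section describes. The trajectory is what tells you that removing update.exe from ws-01 alone is not enough.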

Lastly, it is important to understand that the best EDR solution combines both EPP and EDR capabilities. A true next-generation endpoint security solution protects at the front line (EPP) and continuously monitors within the environment (EDR), providing and managing security throughout the entire lifespan of files.