An endpoint detection and response (EDR) solution detects threats across your environment. It investigates the entire lifecycle of the threat, providing insights into what happened, how it got in, where it has been, what it's doing now, and how to stop it. By containing the threat at the endpoint, the EDR solution helps eliminate the threat and prevent it from spreading.
EDR focuses primarily on advanced threats that are designed to evade front-line defenses and have successfully entered into the environment. An EPP focuses solely on prevention at the perimeter. It is difficult, if not impossible, for an EPP to block 100 percent of threats. So in the ideal case, an endpoint security solution deploys both EPP and EDR capabilities.
Most EPP (or traditional anti-virus) solutions claim to block the majority of threats. But what about the stealthiest threats that they miss? Having an EDR solution allows you to detect, investigate, and remediate modern threats that are advanced and persistent enough to evade traditional perimeter defenses.
More sophisticated threats that evade perimeter defenses can wreak havoc across your network. Ransomware encrypts sensitive data and holds it hostage from the business until the financial ransom is collected. Meanwhile, malicious cryptomining sits stealthily on the network and exhausts your computing resources. An EDR solution can help you find, contain, and remove the threats fast so you can ensure the security of data on endpoints across your environment.
Threat detection is a foundational capability of an EDR solution. It is not a matter of whether an advanced threat will strike, rather it is a matter of when it will evade your front-line defenses. Upon entering your environment, you must be able to accurately detect the threat so you can contain and remove it. This is not an easy task when you're dealing with sophisticated malware that can be extremely stealthy and capable of morphing from a benign to a malicious state after crossing the point of entry.
With continuous file analysis, an EDR solution will be able to flag offending files at the first sign of malicious behavior. If a file is deemed safe, but after a few weeks begins to exhibit cryptomining or ransomware activity, the EDR solution will detect the file and alert your business for action.
In addition to continuous file analysis, it is important to note that an EDR is only as good at detecting files as the cyber threat intelligence that powers it. Cyber threat intelligence leverages large-scale data, machine learning capabilities, and advanced file analysis to help detect threats. The greater the cyber threat intelligence, the more likely it is your EDR solution will identify the threat. Without any cyber threat intelligence, an EDR solution is ineffective.
After detecting a malicious file, an EDR solution must be able to contain the threat. Malicious files aim to infect as many processes, applications, and users as possible. Segmentation can be a great defense within your data center to avoid lateral movement of advanced threats. Segmentation is helpful, but a proper EDR solution can help contain a malicious file before testing the edges of segmented areas of the network. Ransomware is a tremendous example of why you need to contain threats. Ransomware can be tricky to remove. Once it has encrypted information, your EDR needs to be able to fully contain ransomware to mitigate the damages.
Once the malicious file has been detected and contained, an EDR solution should investigate. If the file snuck through the perimeter the first time, there is clearly a vulnerability. Maybe the threat intelligence has never seen this kind of advanced threat before. Maybe a device or application is outdated and needs to be updated. Without proper investigative capabilities, your network will not gain insight into why a threat got through. As a result, your network is likely to experience these same threats and issues again.
In the investigative process, sandboxing is a critical capability. Sandboxing can be used at the perimeter, to help grant or deny access, but it can also be used effectively after the point of entry. Sandboxing is when the file is isolated into a simulated environment and tested and monitored.
Within this simulated, isolated environment, an EDR solution will try to determine the nature of the file without potentially risking the safety of the larger environment. In this process, an EDR solution can understand the attributes and nature of this malicious file and learn from it. By fully assessing the file, the EDR solution can communicate with the cyber threat intelligence that runs the EDR and adapt for future threats.
The most obvious component of an EDR solution needs to be its ability to eliminate the threat. If you detect, contain, and investigate a threat, that is great. But if you cannot eliminate it, then basically you just continue on, knowing that your system is compromised. That is not acceptable. To properly eliminate threats, an EDR solution needs exceptional visibility to answer such questions as:
Visibility is crucial for elimination. Being able to see the entire timeline of a file is crucial. It is not as simple as simply removing the file you have observed. When you eliminate the file, you likely may need to automatically remediate multiple parts of the network. For this reason, an EDR solution should provide actionable data on the lifespan of the file. If the EDR solution has retrospective capabilities, this actionable data should be used to automatically remediate systems to their state prior to infection.
Lastly, it is very important to understand that the best EDR solution combines both EPP and EDR capabilities. A true next-generation endpoint security solution protects at the perimeter (EPP) and continuously monitors within the environment (EDR) to provide security throughout the entire lifespan of files.