Understanding Endpoint Detection and Response (EDR)

Endpoint Detection and Response (EDR) is the post-security answer to traditional antivirus and response tools. It is the evolution of, and successor to, traditional antivirus, anti-malware, anti-ransomware and similar solutions. It moves the focus from worrying about the origin or type of a threat to worrying about what that threat can do to you economically. Hacking is no longer motivated by damage or exploration as much as by financial gain.

EDR doesn’t care about what is attacking you or why, just how to reduce, restrict, and remediate whatever it is. Malware, viruses, and the like all become simple threats. How many PCs a worm infects and how many files a ransomware strain encrypts are just different measures of the same thing: a threat.

A modern security stack is going to have many tools in it, ranging from the endpoint level to the network level to the business level. EDR shores up the individual endpoint in that stack while other solutions cover the network, disaster recovery, etc. This isn’t to say EDR won’t help with some threats arriving via other vectors, just that it is primarily concerned with the endpoint level.

Defining EDR

EDR is a bit hard to define due to the sheer number of possibilities. You aren’t dealing with a defined technology, but with a security philosophy. Antivirus stops viruses and similar, a firewall stops malicious network traffic, but EDR is expected to stop threats across the board on an endpoint. How exactly it does this is what makes a given EDR solution better or worse than others.

Technology permeates every surface of modern living. The attack surface has gotten wider and deeper with each security leap. As a new hole is patched, a thousand more appear to take their places. Any rigidly defined technology which doesn’t evolve with the arms race is doomed to failure.

EDR aims to use post-security principles to stop a threat from spreading and succeeding in economic damage. It’s one thing to have a machine down for an afternoon, it’s another to lose data (exfiltration or destruction). EDR solutions accomplish this by having a continuous security solution monitoring the status of an agent, analyzing events which happen on it, and (usually) communicating with either a central console or other agents to coordinate and act on changes.

This agent often serves as a traditional prevention tool (like AV), but it also responds to compromises on an end-user device (i.e. a security response). While a secretary’s computer being compromised might not hurt your business directly, more and more attacks are coordinated. The goal isn’t the computer, it’s whatever the computer may or may not have privileged access to. The secretary’s computer may not have anything of value on it, but the value is where it can jump to on the network. By shutting down a seemingly innocuous system, the EDR solution can prevent a whole site from being compromised.

XDR

XDR stands for Extended Detection and Response and is the evolution of EDR principles with AI-based automation. While this article is specifically about EDR, XDR is an extension of EDR which is important to understand when shopping for a solution. XDR takes everything EDR does and builds on it. All XDR systems leverage an EDR system, but not all EDR solutions leverage XDR. It simplifies viewing threats and simplifies responses by augmenting what makes EDR work.

As threats get more and more complicated and nation-state level attacks get more and more common, the automation which lets a human sort the signal from the noise becomes more and more of a game changer. Even low-level attacks (outside of low-effort drive-by hacking attempts) have gotten increasingly complex. A hacker doesn’t just sit and try to map your network; they use a botnet so that each port scan against your network comes from a different device. The chain of events to get in gets more and more convoluted as exploit after exploit is chained to elude detection and compromise a network.

XDR is the natural evolution, leveraging machine learning to sort out whether something is innocuous or part of a more insidious pattern. Because of this, XDR is even more abstract than EDR in terms of exactly how a given system works.

EDR is a general concept; XDR is an abstraction on top of that general concept. XDR offerings differ from one another even more than EDR offerings do, so keep that in mind when looking for a solution.

Example EDR Offerings

There are a lot of EDR solutions which cover different segments of the market due to different threats and different use cases. There isn’t necessarily a “right answer” to the best EDR either – it all depends on what you do and how you do it. The following are not in any specific order and I’m only going to bother putting a few (of the many) good solutions here.

Sophos

Sophos Intercept X has a multitude of features as an EDR and beyond. They include an XDR offering as well. Sophos gives a single pane of glass which is easier for most people (security staff and beyond) to work with. It is also reportedly fairly cheap.

Microsoft

While Microsoft’s security solutions were at one point considered an unfunny joke, they’ve come a long way and Windows Defender is actually good now. Microsoft’s EDR, Microsoft Defender for Endpoint, is a compelling offering. The price is decent as well.

Malwarebytes

Malwarebytes’ solution is a little more expensive than some EDR solutions, but is well reviewed. We’ve traditionally had issues with Malwarebytes products and other security solutions without the right tuning. That said, they’re still one of the top solutions for effectiveness and ease of deployment.

Cynet

Cynet has an EDR and an XDR solution (among others). A lot of advanced EDR solutions offer (or require) an MSSP (Managed Security Service Provider) relationship to use their solution. While there may be tiers which don’t require this, Cynet appears to be a more robust solution which requires a more formal service provider relationship to use. Not every company will want this, but it can offload a lot of the more time consuming and specialized work.

Others

There are plenty of other great solutions like CrowdStrike Falcon, Trend Micro XDR, SentinelOne’s ActiveEDR, and similar. There are also solutions which build and iterate on these with their own special techniques, combined data sources, or response methods. Some range from EDR to XDR to a more robust, full security stack which touches on every attack surface a company has.

Key Components of an EDR System

Almost all EDR systems break down into an endpoint data collection process or system, a method for threat response, and tools and metrics for forensics and analysis of events and threats.

Endpoint Data Collection

While traditional antivirus solutions have an engine scanning files or similar, an EDR employs some form of endpoint data collection. These solutions will watch the traditional targets of AV solutions such as files and folders, but they may also monitor who and what is running, what kinds of files are being created, etc. You get a lot of extra data on top of whether something appears malicious or not.

Some tools will record the IPs or websites you visit in aggregate, or other behaviors, but the goal isn’t to monitor traffic, it’s to stop threats. This is often a point of resistance for clients moving from a traditional AV to an EDR. A properly set up EDR will limit what is reported to security professionals (unless it directly relates to a compromise). You can’t see a user’s web history unless they were searching for “viruses to break my machine” and similar before a successful breach.

A good EDR endpoint data collection system should seem transparent to the user. It isn’t watching what they’re doing as a spy, but the system should see what an individual does that is actionable for security. Your users need to trust the system watching them for the right reasons or you might get guest devices sneaking in.

An EDR solution might feed into a SIEM or similar solution to get further insight into what’s going on. The EDR may do one thing, but a SIEM will help detect patterns across everything at the site rather than just the endpoints. This can also be an upsell with an XDR solution or an MSSP.

For context, see here, or here about what real EDR solutions collect.

Threat Response

An EDR can’t just detect threats, it needs to act as soon as an infection starts. The threat response will vary from a known attack to a potential ransomware situation. A single encryption event may result in a complete shutdown, a single computer getting locked down, or a simple security alert, depending on how the threat response works and how accurate it is. Too many threats work by exploiting the gray area between legitimate and illegitimate actions (after an initial compromise).

You don’t want a system taking out your entire network over a vague suspicion, but you also don’t want a ransomware variant hitting you either. There are levels of response to expect depending on what’s happening, what machines it’s impacting, and how well known a threat is. We live in a post-security world; you may never know exactly what got you, only that it did and how it spread.

Forensics and Analysis

A good EDR includes a forensics and/or analysis system. You may not know what got you, but you can know that it did and where it got in. There are plenty of threats I’ve personally dealt with that cleared themselves out to where all I can see is a pattern. That said, the same attack vector was never feasible again (if the client listened).

Where are hackers hitting and what’s working? You need to know the trends and have the capacity to take apart an attack. The payload and the exact mechanics might be a black-box by the time you get there, but you should know how you got got. What processes were running? What did they impact? Do you know what the user did or was doing? All of these are essential questions for determining forensics and analytics.

This rounds out a holistic defense. You watch and determine threats as they happen with the hope of stopping them. Then, you have a response to said threat or action. Finally, you have a way to reflect on what you’ve seen and experienced even if the system can’t help. This creates a timeline which can help lock-down future threats by iteratively improving your attack surface.
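The three core components described above (endpoint data collection, threat response, and forensics and analysis) fit together as a single pipeline. The following is an added example, not code from the article or from any EDR vendor: a toy pipeline in Python that runs over a small, constructed set of endpoint telemetry (process starts, file renames, network connections). The detection is behavioural rather than signature-based: it flags a process that renames many files to a new extension within a short window, which is the kind of gray-area activity the threat response section talks about. The response is tiered so that a handful of renames only alerts an analyst while a mass rename isolates the host, and the forensics step reconstructs a timeline for the flagged process including the parent that spawned it. Event field names, hostnames, paths, and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed telemetry, modelled on the event types an EDR agent collects:
# process starts, file operations, and network connections. Field names,
# hosts and paths are illustrative assumptions, not any vendor's schema.
@dataclass
class Event:
    ts: int       # seconds since an arbitrary epoch
    host: str
    kind: str     # "process", "file" or "network"
    pid: int
    data: dict

TELEMETRY = [
    Event(0, "ws-17", "process", 400, {"image": "outlook.exe", "ppid": 1}),
    Event(2, "ws-17", "process", 512, {"image": "invoice.exe", "ppid": 400}),
    Event(3, "ws-17", "network", 512, {"dst": "203.0.113.10", "port": 443}),
    # Twelve documents renamed to a new extension within seconds by pid 512
    *[Event(4 + i, "ws-17", "file", 512,
            {"op": "rename",
             "src": f"C:\\Users\\a\\doc{i}.docx",
             "dst": f"C:\\Users\\a\\doc{i}.locked"}) for i in range(12)],
    # Benign activity on another host: a word processor finalising two temp files
    Event(5, "ws-22", "process", 300, {"image": "winword.exe", "ppid": 1}),
    Event(6, "ws-22", "file", 300,
          {"op": "rename", "src": "C:\\tmp\\~a.tmp", "dst": "C:\\tmp\\report.docx"}),
    Event(7, "ws-22", "file", 300,
          {"op": "rename", "src": "C:\\tmp\\~b.tmp", "dst": "C:\\tmp\\notes.docx"}),
]

# Thresholds are assumptions for the example; a real product tunes these per site.
ALERT_THRESHOLD = 3
ISOLATE_THRESHOLD = 10
WINDOW_SECONDS = 30

def detect_mass_rename(events):
    """Return {(host, pid): count} for processes that rename files to a different
    extension at least ALERT_THRESHOLD times within WINDOW_SECONDS."""
    renames = defaultdict(list)
    for e in events:
        if e.kind == "file" and e.data["op"] == "rename":
            src_ext = e.data["src"].rsplit(".", 1)[-1]
            dst_ext = e.data["dst"].rsplit(".", 1)[-1]
            if src_ext != dst_ext:
                renames[(e.host, e.pid)].append(e.ts)
    hits = {}
    for key, times in renames.items():
        times.sort()
        # Sliding window: most extension-changing renames inside WINDOW_SECONDS
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        if best >= ALERT_THRESHOLD:
            hits[key] = best
    return hits

def decide_response(count):
    """Tiered response so a vague suspicion does not take out the whole network."""
    if count >= ISOLATE_THRESHOLD:
        return "isolate_host_and_kill_process"
    if count >= ALERT_THRESHOLD:
        return "alert_analyst"
    return "none"

def build_timeline(events, host, pid):
    """Forensics: every event for the process plus its parent's start event,
    so the analyst can see how it got in (here, spawned by the mail client)."""
    procs = {(e.host, e.pid): e for e in events if e.kind == "process"}
    timeline = [e for e in events if e.host == host and e.pid == pid]
    proc = procs.get((host, pid))
    if proc is not None:
        parent = procs.get((host, proc.data["ppid"]))
        if parent is not None:
            timeline.append(parent)
    return sorted(timeline, key=lambda e: e.ts)

def run_edr(events):
    """Collection -> detection -> response -> forensics, one report per hit."""
    report = {}
    for (host, pid), count in detect_mass_rename(events).items():
        report[(host, pid)] = {
            "renames": count,
            "response": decide_response(count),
            "timeline": build_timeline(events, host, pid),
        }
    return report

if __name__ == "__main__":
    for key, r in run_edr(TELEMETRY).items():
        print(key, r["renames"], r["response"])
        for e in r["timeline"]:
            print("  ", e.ts, e.kind, e.data)
```

Running it flags only pid 512 on ws-17 (twelve renames, so the host is isolated); the two renames by the word processor on ws-22 stay below the alert threshold, which is the point of tiering the response rather than reacting to every extension change. The timeline shows outlook.exe starting first, then the child process, its outbound connection, and the renames, which is the "how you got got" view the forensics section asks for.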

Other Common Components of an EDR System

We listed the core features you’ll see in any true EDR solution, but there are other features which may help an EDR put itself ahead of competition. The most common are going to be prevention methods, automation, and response tools. There are plenty of other selling points with technologies employed, such as machine learning, artificial intelligence, smart communications between devices, etc.

Prevention and Protection

EDR’s endpoint data collection almost always pours into some kind of prevention mechanism. Even with the move to post-security, an ounce of prevention is still worth a pound of cure. Preventing a threat is still worth more than even a perfect response since there’s still some level of waste in the response process even if it’s automated.

Almost every EDR solution is going to have something doing prevention, even if it isn’t necessarily the actual EDR solution. Some solutions will leverage a modern AV solution, spin off their own smart protection service, or similar. Any decent EDR will have some prevention mechanism, but whether the prevention is baked into the EDR proper can vary. This can sound like splitting hairs, but it’s important to know exactly what goes into your security solutions and what makes them work.

This is quite often one of the biggest selling points of modern EDR solutions, but it isn’t always part of the core EDR offering. A lot of endpoint defense systems started as smart processing on top of advanced AV and other tools rather than as all-in-one offerings. There are vendors like Huntress which sell an EDR built on Microsoft Defender. While that distinction has largely faded, there are still EDR solutions which mix and match prevention tools or options.

Automation

EDR tools tend to have a lot of overlap with traditional Remote Monitoring and Management (RMM) solutions. Some AV solutions had baked in automation solutions or remote management capacity. For instance, Webroot at one point could run remote commands for basic automation. Modern EDR tends to have built-in alerting and remediation processes to automate responses to potential breaches or even just to push out potential fixes.

The automation aspects also tie into the threat response capabilities for most EDR solutions. Sometimes you have control over the process, other times you don’t. Whether the console or product allows users or technicians access or not is a selling point for flexibility or security respectively. Either way, virtually every modern EDR is going to have some level of basic automation, but how capable or flexible it is will vary from EDR to EDR.

Response Tools

You’re going to get hacked eventually. Post-security acknowledges that fact and builds off of that as a given. A good security product needs some kind of response and vanilla EDR is no solution.

Threat response is going to include some level of response tooling (as could automation and many of the fuzzy layers that make up EDR). Some solutions will include advanced response tools to roll back ransomware, others will have rootkit removal and protection tools. There are all sorts of potential response tools, ranging from sandbox execution to cloud file restores, system rollbacks, etc. Response tools have shifted from stopping a threat itself to undoing the damage which has been done by whatever means is most effective.

What EDR Works Against

Endpoint Detection and Response solutions focus on stymieing the most common threats while remaining flexible enough to target even the most advanced, modern threats. EDR solutions will easily deal with the most common drive-by and known threats.

Even advanced malware is easily stopped with the right EDR setup. Advanced zero-days and fileless malware are stopped by most advanced AI and ML-based EDR prevention solutions. Even nation-state attacks can be contained with the right setups and the right security checks and balances.

What an EDR can’t stop, it tends to reverse, or make easier to reverse. An EDR solution may not include a BDR (Backup and Disaster Recovery) solution, but vendors tend to push one in their recommendations. A good EDR and a good backup solution reduce your downtime from days to hours, and your financial impact from bankruptcy to a bad day or two.

An EDR isn’t a standalone solution in the sense of doing every single thing on its own, but the right EDR will fit into any clean stack as part of a greater whole. While an EDR may stand on its own, the core EDR solution is one part of a robust security stack. EDR isn’t going to mitigate network threats, but it may help react to them. An EDR solution won’t perform backup and disaster recovery, but it will aid in it. EDR is like a lock on the door: it doesn’t do much if the windows are open or the door is weak.
