Meaning of EDR and Its Importance to the Security Stack in 2022

by Gilad David Maayan

What is the Meaning of EDR?

The term Endpoint Detection and Response (EDR), coined by Anton Chuvakin of Gartner, refers to a security system that uses advanced analytics and automation to: 

• Detect suspicious activity on hosts and endpoints like employee workstations, servers, and mobile devices
• Perform automated rule-based threat response directly on the endpoint
• Enable security teams to quickly investigate and respond to threats

Today EDR is a mature solution provided by most security vendors, as an integrated agent deployed on endpoints. Modern EDR solutions can monitor endpoints, collect activity data that may indicate threats, and analyze this data to identify threat patterns. 

When a threat is detected, in many cases EDR can automatically respond, isolate the endpoint, contain the identified threats, and notify security personnel. In addition, EDR provides forensic and analytical tools that allow security analysts to understand what is happening on endpoints across the organization and take action to eradicate the threat.

Why is EDR Important to the Security Stack?

Every business needs a strong security stack—a set of technologies that secures all aspects of business operations. The advent of remote work and the growing use of the cloud has made organizations more complex and fragmented. Employees now commonly use personal devices to access internal systems across public networks, and many assets run in public cloud systems outside the organization’s control, making cloud security a critical concern.

Across all these environments—the traditional data center, the cloud, and remote locations in the hybrid workplace—there is a growing number of endpoints. Laptops, smartphones, tablets, desktops, servers, and virtual machines can all be considered as endpoints, and it is critical to monitor them and protect them from external threats. 

Most organizations have a robust network security toolset, including tools like firewalls and intrusion prevention systems (IPS). However, until recently many companies relied on legacy antivirus to protect endpoints, without deploying more sophisticated tools.

Endpoint detection and response can complement network security and traditional security solutions like security information and event management (SIEM), protecting against critical threats like device theft, account compromise, malware and ransomware, web-based attacks, and social engineering.

Common Capabilities of EDR Solutions

Threat Detection

EDR software regularly scans endpoints for malware—including zero day and fileless malware that cannot be detected by traditional antivirus. For example, EDR can flag suspicious files an employee unknowingly downloads, quarantining them until they are inspected by security teams. Some EDR solutions even include sandboxing solutions that can automatically “detonate” a suspicious file to see if it contains a threat. Early detection of these threats can help stop attackers at early stages of the kill chain.

Behavioral Blocking and Containment

Today's threat landscape is driven by fileless malware and highly polymorphic threats, which traditional antivirus cannot identify. In other cases, attackers compromise accounts and devices via social engineering, without the use of malware, making them undetectable by traditional tools. 

EDR introduces artificial intelligence and machine learning (AI/ML) capabilities that enable behavioral analysis of software running on an endpoint. EDR can perform advanced analysis of process trees, and as soon as a process exhibits suspicious behavior—even if it does not match any known attack pattern—block it and notify security teams.

Monitoring

In addition to device scanning, EDR solutions enable real-time monitoring of endpoints. Whenever suspicious activity occurs, security teams are alerted, and the EDR solution can block access to sensitive data, or even completely isolate the endpoint, until the problem is resolved. 

For example, if an employee tries to access sensitive data in a way that doesn’t match their regular work patterns (e.g. at an unusual time or from an unusual location), EDR can lock down the endpoint until security teams investigate the event.

Application Control

EDR tools are sensitive and can sometimes wrongly detect suspicious activity from certain software applications. Application control allows IT teams to define an allowlist that specifies which applications are legitimate for use on the endpoint, and conversely—which applications are not allowed and should be prohibited on the endpoint. 

Automated Threat Response

Since threats do not always occur during business hours, the EDR platform must be able to initiate a response playbook without human intervention. Automated threat response blocks suspicious activity and quarantines potential threats until they can be investigated by a human analyst. 

EDR auto-response capabilities are made even more powerful when they are integrated with other cybersecurity systems such as SIEM, zero trust systems, and next-generation firewalls.

EDR Best Practices

Consider User Experience

When deploying EDR, pay special attention to the user experience. Security solutions can hurt user productivity, and this can cause users to disable defenses or use unauthorized endpoints. 

The best solution for this problem is open discussion and collaboration with users, and you should be open to making changes to a security program and even switching EDR solution to accommodate user requests. Ideally, evaluate solutions together with end-users and run pilots to determine if the solution causes any problem for your users.

A good EDR platform should be as transparent as possible to the end user. When interaction is required, communication should be clear and direct. In any event, the system must not provide unnecessary system information such as IP schema or personal data.

Integrate With Other Tools

EDR solutions are designed to protect endpoints, not the entire IT environment. Thus it is important to select a tool that integrates with other solutions for maximum protection. Combine this solution with next-generation antivirus (NGAV), DNS protection, firewalls, and encryption protocols.

Some EDR solutions can be integrated with SIEM solutions, which monitor and alert on network-wide problems. This allows you to centralize management of all security tools, including EDR. A centralized event log allows teams to quickly analyze and respond to events and correlate endpoint activity with other signals from the environment.

Use Network Segmentation

Some EDR solutions can respond to incidents by isolating endpoints, but ideally, your network should be segmented to begin with. Network microsegmentation allows you to ensure endpoints can only access the services and data stores they actually need. It reduces the risk of malware infection and data loss in the event of a successful breach.

Modern network segmentation solutions based on a zero trust approach give you the ability to hide network structures from endpoints, making it more difficult for attackers to move laterally from one network segment to another.

Take Preventive Measures

Don't rely solely on EDR to proactive respond to threats. It is important to combine EDR with preventive measures that can prevent threats from reaching the endpoint. Make sure systems are fully updated and patched, preferably using an automated process. Deploy other endpoint protection solutions on the device, in particular NGAV.

Regular system audits should be performed to ensure that tools and protocols are configured and applied correctly. Continuously run threat modeling and penetration testing to test the functionality of systems and tools. Consider using deception techniques to slow down attackers and identify evasive threats. 

Another critical preventive action is to create a comprehensive incident response plan that specifies roles and responsibilities in the incident response team, response playbooks, and recovery procedures. Such a plan can help reduce incident response time and provide a structure for analyzing post-attack forensic data.

Conclusion

In this article I explained the basics of EDR, showed why it is a critical complement to traditional network security solutions, and covered several best practices that can help you effectively implement EDR in your organization:

• Consider the user experience to avoid user resistance to EDR agents.
• Integrate with other tools to ensure EDR is part of your holistic security strategy.
• Use network segmentation in combination with EDR to reduce the “blast radius” of successful breaches.
• Take preventive measures to ensure that threats do not reach endpoint in the first place.

I hope this is useful as you consider EDR as part of your modern security stack.

Image Source: https://www.vecteezy.com/photo/2632230-eye-closed-padlock-on-digital-background-cyber-security

Author

Bruno Zwierz

Latest Articles

• Official2023.02.22Windows Privilege Escalation: The Concepts of Hijacking Execution Flow
• Official2023.02.22Building Intuition into Monitoring for OT/ICS Security
• Official2023.02.22WiFi Pentesting with Airodump-ng
• Official2023.02.21ETW vs Sysmon Against C2 Servers