Endpoint detection and response (EDR) security software has grown in popularity and effectiveness as it allows security teams to quickly detect and respond to threats. EDR software offers visibility into endpoint activity in real time, continuously detecting and responding to attacker activity on endpoint devices including mobile phones, workstations, laptops, and servers.
“The big difference between endpoint detection and response and previous generations of what we used to call antivirus software is that it focuses on the behavior of the attacker not the code or static elements, like the IP address they’re coming from or the code they deliver,” says Peter Firstbrook, vice president and distinguished analyst at Gartner Inc.
The software collects and analyzes data from a variety of sources, including network traffic, sensors installed on endpoints, and system logs. EDR tools use machine learning and algorithms to detect threats and alert about suspicious activity that may signal an attack. Once the EDR software detects a threat, it can take action to contain, minimize, or remediate that threat, for example, by isolating any devices that are infected, ensuring the attacker can’t get further into the network, says Allie Mellen, principal analyst at Forrester Inc.
Forrester defines EDR technology as: “Detection, investigation, and response technology that collects security-relevant telemetry from endpoints, performs anomaly detection, enables analysts to investigate from collected telemetry, and facilitates response by analysts on affected endpoints.”
Key features to look for in EDR software
Organizations should look for endpoint detection and response software that includes the following features:
Detection capabilities: EDR software should include advanced threat detection capabilities as well as the ability to detect and respond to threats before, during, and after those threats are executed.
Investigative capabilities: EDR software automates data collection and processing as well as certain response activities so security teams can understand potential security threats and quickly take steps to remediate them. “So, what case management capabilities [necessary for investigating and resolving security incidents] are available in the tool?” Mellen says. “And once you understand the case management capabilities, how easy is it to navigate the interface to do a deeper investigation to figure out what might be going on … to get as much context about an incident as possible.”
Integration: The software should integrate with other security tools, such as antivirus software, incident response platforms, and firewalls. This allows companies to share threat intelligence between different systems. EDR tools should also support application programming interfaces (APIs) so they can easily integrate with other software.
Ease of use: EDR tools should be easy to implement and use. They should have a user-friendly interface as well as clear alerts that security teams can act upon. The tools’ centralized management consoles should let EDR admins view the security status of every endpoint, configure policies and investigate and respond to security incidents.
Support operating systems in use: Companies need to ensure the EDR tools they select are compatible with the operating systems they’re using, e.g., macOS, Windows, Linux, Android, and iOS.
“What operating systems these tools cover is important,” says Firstbrook. “If you have a lot of legacy software, such as an old OS like Windows 7, Windows 8, Windows NT, or Windows XP, only a few vendors support those. Even Microsoft won’t support those older operating systems. That’s why this is a critical consideration.”
Scalability: EDR software should scale to meet the needs of the business in terms of how many endpoints it can protect and how many security events it can manage.
Privacy and compliance: EDR tools should meet the regulatory and compliance requirements that apply to the organizations’ industries, such as the US Health Insurance Portability and Accountability Act (HIPAA) or SOC 2. Software providers should have clear data protection policies in place, and their tools must have the ability to encrypt data and transmit it securely.
Benefits of EDR software
There are numerous benefits associated with EDR services, including:
Increased visibility: EDR tools give organizations enhanced visibility into their systems by continuously monitoring every event on every endpoint as well as identifying and responding to threats in real time. Additionally, this enhanced visibility enables organizations to stay a step ahead of potential threats and ensure their networks remain secure.
Enhanced compliance: Many companies are required to comply with certain industry standards and regulations concerning how data is stored and accessed, such as HIPPA or GDPR. Organizations can use EDR tools to monitor for any suspicious behavior and investigate the source of potential threats, helping ensure they remain in compliance with these regulations and standards. In addition, EDR software also provides detailed reports that organizations can use to show auditors that they are in compliance.
Decreased risk: Since EDR tools continuously monitor systems and endpoints, companies are able to quickly detect and respond to threats in real time and reduce the risk of attacks.
Fewer false positives: EDR tools investigate suspicious activity before they alert security analysts. If the software determines a suspicious event is not malicious, the alert is closed, reducing the number of false-positive alerts security teams must analyze.
Rapid incident response: Typically, security analysts spend four to five hours investigating attacks. EDR tools, however, automate several processes that analysts would usually perform manually, significantly accelerating response times.
Pitfalls to avoid
One of the biggest pitfalls is thinking that EDR is a “set it and forget it” type of solution, says Michael Suby, research vice president, security, and trust at IDC. “You can’t assume you just drop the software in and it does everything for you, because it doesn’t,” he says. “You have to have sufficient in-house talent that have to learn and operate the software effectively.”
Mellen agrees with this assessment. “This technology requires having someone in the platform every single day,” she says. “It’s very important to note that this is not something that you’re just going to set up and then leave to its own devices. You need people addressing these alerts.”
EDR software can also be more expensive than traditional antivirus software in terms of the initial investment and the costs of ongoing maintenance, making purchasing, implementing, and maintaining these tools too costly for small and midsize businesses.
Another pitfall is not having sophisticated operators to use the software, according to Firstbrook. “EDR software requires relatively sophisticated operators to use it because it will detect things that are suspicious but not necessarily malicious,” he says. “And the operator has to trace the path of the event and determine whether it’s malicious or not based on the behavior. So, it will require more sophisticated operators or it may require you to outsource that operation to somebody else, which increases the cost.”
Additionally, some EDR tools may have limited scalability, making it hard for companies to improve their security postures as they grow. And during peak-usage times limited scalability can cause delays or downtime, affecting organizations’ abilities to quickly detect and respond to security incidents.
5 leading endpoint detection and response tools
There are a number of endpoint detection and response tools on the market, so to help you begin your research, we’ve highlighted the following products based on discussions with analysts and independent research.
Cisco Secure Endpoint: Integrates prevention, detection, threat hunting, and response capabilities. Protects Mac, Windows, Linux, iOS, and Android devices through public or private cloud deployments. Includes definition-based antivirus engines that are constantly updated for Windows, Mac, and Linux endpoints. Stops malware in real-time. Protects endpoints against current and emerging cyberthreats. Monitors endpoints continuously to enable companies to detect new and unknown threats. In addition, provides companies with detailed endpoint visibility and response tools so they can quickly and efficiently deal with security breaches. Automatically hunts threats to help companies easily identify the 1% of threats that may have flown under the radar.
CrowdStrike Falcon Insight: Enables companies to automatically detect and prioritize advanced threats on Windows, Mac, Linux, ChromeOS, iOS, and Android. Offers real-time response capabilities to provide direct access to endpoints being investigated. Uses AI-powered indicators of attack to automatically identify attacker activity. Prioritizes alerts, which eliminates manual searches and time-consuming research. Integrated threat intelligence provides the total context of an attack, including attribution. CrowdStrike’s metric enables organizations to understand their threat levels in real time so security teams can more quickly determine if they are under attack. This also allows security leaders to assess how severe the threats are so they can coordinate the appropriate responses.
Microsoft Defender for Endpoint: Helps protect against file-less malware, ransomware, and other sophisticated attacks on Windows, macOS, Linux, iOS, and Android. Enables security teams to hunt for threats over six months of historical data across the business. Provides threat analytics reports so companies can quickly get a handle on new global threats, figure out if they are affected by these threats, evaluate their exposure, and determine the appropriate mitigation actions to take to boost their resistance to these threats. Monitors for Microsoft as well as third-party security configuration issues and software vulnerabilities then takes action automatically to mitigate risk and reduce exposure.
SentinelOne Singularity: A comprehensive endpoint, cloud, and identity security solution powered by artificial intelligence. Combines endpoint protection, EDR, a cloud workload protection platform as well as identity threat detection and response into one platform. Protects multiple operating systems, including Windows, macOS, Linux, Kubernetes instances, and mobile. Offers enhanced threat detection, improved incident response time, and effective risk mitigation. Gives security teams visibility across the business, powerful analytics, and automated responses. A cloud-based platform, Singularity is easy to deploy, highly scalable, and offers a user-friendly interface.
Trend Micro Apex One: Offers threat detection, investigation, and response within a single agent. Integrates with Trend Micro’s Vision One platform to provide EDR and extended detection capabilities. Supports for all current operating systems, i.e., Windows, macOS, Android, and iOS, and a number of legacy operating systems. Stop attackers sooner with protection against zero-day threats, using a combination of next-generation anti-malware techniques and virtual patching. Protect endpoints against threats, such as ransomware, malware, and malicious scripts. Offers advanced protection capabilities to protect endpoints against unknown and new threats. Offers a wide range of APIs for integration with third-party security tools.