DATA SECURITY KNOWLEDGE BASE

What is Endpoint Detection and Response?

A Definition of Endpoint Detection and Response

Gartner’s Anton Chuvakin first coined the term Endpoint Threat Detection and Response (ETDR) in July 2013 to define “the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.” While it’s a relatively new category of solutions, you’ll also see this grouping referred to simply as Endpoint Detection and Response (EDR), which is sometimes compared to Advanced Threat Protection (ATP) in terms of overall security capabilities.

Endpoint detection and response is an emerging technology addressing the need for continuous monitoring and response to advanced threats. One could even make the argument that endpoint detection and response is a form of advanced threat protection.

How Endpoint Detection and Response Works

Endpoint detection and response tools work by monitoring endpoint and network events and recording the information in a central database where further analysis, detection, investigation, reporting, and alerting take place. A software agent installed on host systems provides the foundation for event monitoring and reporting.

Ongoing monitoring and detection is facilitated through analytics tools, which identify tasks that improve the overall state of security: deflecting common attacks, enabling early identification of ongoing attacks (including insider threats as well as external attacks), and enabling rapid response to detected attacks.

Not all endpoint detection and response tools work in precisely the same manner or offer the same spectrum of capabilities as others in the space. For instance, some endpoint detection and response tools perform more analysis on the agent, whereas others perform most data analysis on the backend via a management console. Others vary in collection timing and scope or in their ability to integrate with threat intelligence providers, but all endpoint detection and response tools perform the same essential functions with the same purpose: to provide a means for continuous monitoring and analysis to more readily identify, detect, and prevent advanced threats.

Endpoint Detection and Response: Not Just Tools, But Capabilities

While Anton Chuvakin coined the term endpoint detection and response in order to classify and describe an emerging set of tools, the term may also be used to describe the capabilities of a tool with a much broader set of security functions rather than to describe the tool itself. For instance, a tool may offer endpoint detection and response in addition to application control, data encryption, device control and encryption, privileged user control, network access control, and a variety of other capabilities.

Tools, both those classified as endpoint detection and response tools and those offering EDR as part of a broader set of capabilities, are suitable for a multitude of endpoint visibility use cases. Anton Chuvakin names a variety of endpoint visibility use cases falling within three broader categories (and this does not even account for the “response” portion of EDR):

  • Data search and investigations
  • Suspicious activity detection
  • Data exploration

Most endpoint detection and response tools address the response portion of these capabilities through sophisticated analytics that identify patterns and detect anomalies, such as rare processes, strange or unrecognized connections, or other risky activities flagged based on baseline comparisons. This process can be automated, with anomalies triggering alerts for immediate action or further investigation, but many endpoint detection and response tools allow for manual or user-led analysis of data as well.
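To make the architecture described above concrete (agents reporting events into a central store, a baseline built from recorded activity, and analytics that flag rare processes and unrecognized connections against that baseline), here is an added example that is not part of the original page and is not the code of any EDR product. The telemetry, host names, process names and addresses are constructed for illustration; the `EventStore`, `build_baseline` and `run_detection` names are this example's own, and the two rules (a process image never seen anywhere in the fleet, a remote endpoint never seen from this host) are a deliberately simple stand-in for the baseline comparisons the article mentions.

```python
"""Minimal EDR-style baseline and anomaly detection over agent telemetry.

Added example (not from the page or any vendor). Constructed endpoint events
are loaded into a central store, a baseline is built from a learning window,
and later events are checked against it to raise alerts for rare processes
and unrecognized outbound connections. The store also answers the "data
search and investigation" use case by filtering recorded events.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    host: str
    kind: str      # "process" or "connection"
    subject: str   # process image name, or "ip:port" of the remote end
    user: str


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    subject: str


class EventStore:
    """Central database the agents report into; also serves investigations."""

    def __init__(self) -> None:
        self.events: List[Event] = []
        self._per_host: Counter = Counter()                 # (host, kind, subject) -> count
        self._hosts_seen: Dict[Tuple[str, str], Set[str]] = {}  # (kind, subject) -> hosts

    def ingest(self, ev: Event) -> None:
        self.events.append(ev)
        self._per_host[(ev.host, ev.kind, ev.subject)] += 1
        self._hosts_seen.setdefault((ev.kind, ev.subject), set()).add(ev.host)

    def host_count(self, ev: Event) -> int:
        """How often this host has produced this exact subject before."""
        return self._per_host[(ev.host, ev.kind, ev.subject)]

    def fleet_prevalence(self, ev: Event) -> int:
        """How many distinct hosts have ever reported this subject."""
        return len(self._hosts_seen.get((ev.kind, ev.subject), ()))

    def search(self, **filters: str) -> List[Event]:
        """Investigation use case: return recorded events matching every filter."""
        return [e for e in self.events
                if all(getattr(e, k) == v for k, v in filters.items())]


def build_baseline(events: Iterable[Event]) -> EventStore:
    store = EventStore()
    for ev in events:
        store.ingest(ev)
    return store


def run_detection(store: EventStore, events: List[Event]) -> List[Alert]:
    """Compare new events against the baseline, then record them for later search."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.kind == "process" and store.fleet_prevalence(ev) == 0:
            alerts.append(Alert(ev.host, "rare_process", ev.subject))
        elif ev.kind == "connection" and store.host_count(ev) == 0:
            alerts.append(Alert(ev.host, "unrecognized_connection", ev.subject))
    for ev in events:          # keep recording regardless of verdict
        store.ingest(ev)
    return alerts


# Constructed telemetry: the learning window the baseline is built from.
BASELINE_EVENTS = [
    Event("ws-01", "process", "outlook.exe", "alice"),
    Event("ws-01", "process", "chrome.exe", "alice"),
    Event("ws-01", "process", "outlook.exe", "alice"),
    Event("ws-01", "connection", "10.0.0.5:443", "alice"),
    Event("ws-01", "connection", "10.0.0.5:443", "alice"),
    Event("ws-02", "process", "excel.exe", "bob"),
    Event("ws-02", "connection", "10.0.0.5:443", "bob"),
]

# Constructed telemetry arriving after the baseline was established.
NEW_EVENTS = [
    Event("ws-01", "process", "chrome.exe", "alice"),            # known, no alert
    Event("ws-01", "process", "svc_tmp.exe", "alice"),           # never seen in fleet
    Event("ws-01", "connection", "203.0.113.7:4444", "alice"),   # new remote end for ws-01
    Event("ws-02", "connection", "10.0.0.5:443", "bob"),         # known, no alert
]

if __name__ == "__main__":
    store = build_baseline(BASELINE_EVENTS)
    for alert in run_detection(store, NEW_EVENTS):
        print(f"{alert.rule:24} host={alert.host} subject={alert.subject}")
    # An analyst pivots from an alert to the host's recorded connection history.
    for ev in store.search(host="ws-01", kind="connection"):
        print("ws-01 connection:", ev.subject, "by", ev.user)
```

The split between `fleet_prevalence` and `host_count` mirrors the two kinds of baseline the article alludes to: a process that no host in the fleet has ever run is interesting on its own, whereas a remote endpoint is judged against what this particular host normally talks to. A real deployment would add time windows, thresholds above zero, and threat-intelligence enrichment, but the data flow (agent, central store, baseline, analytics, alert, investigation) is the same.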

Endpoint detection and response is still an emerging field, but EDR capabilities are quickly becoming an essential element of any enterprise security solution. For enterprises requiring advanced threat protection, endpoint detection and response is an in-demand capability. The benefits brought by continuous visibility into all data activity make endpoint detection and response a valuable component of any security regime.