What is EDR?

Endpoint Detection and Response (EDR), also referred to as endpoint detection and threat response (EDTR), is an endpoint security solution that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware.

Coined by Gartner’s Anton Chuvakin, EDR is defined as a solution that “records and stores endpoint-system-level behaviors, uses various data analytics techniques to detect suspicious system behavior, provides contextual information, blocks malicious activity, and provides remediation suggestions to restore affected systems.”

How does EDR Work?

EDR security solutions record the activities and events taking place on endpoints and all workloads, providing security teams with the visibility they need to uncover incidents that would otherwise remain invisible. An EDR solution needs to provide continuous and comprehensive visibility into what is happening on endpoints in real time.

An EDR tool should offer advanced threat detection, investigation, and response capabilities – including incident data search and investigation alert triage, suspicious activity validation, threat hunting, malicious activity detection, and containment.

Key EDR Functions

Automatically Uncovers Stealthy Attackers

EDR technology pairs comprehensive visibility across all endpoints with IOAs and applies behavioral analytics that analyzes billions of events in real-time to automatically detect traces of suspicious behavior.

Understanding individual events as a part of a broader sequence allows Crowd Strike’s EDR tool to apply security logic derived from Crowd Strike intelligence. If a sequence of events matches a known IOA, the EDR tool will identify the activity as malicious and automatically send a detection alert. Users can also write their own custom searches, going back up to 90 days, with Falcon Insight’s cloud architecture returning query results in five seconds or less.

Integrates With Threat Intelligence

Integration with Crowd Strike’s cyber threat intelligence provides faster detection of the activities and tactics, techniques, and procedures (TTP) identified as malicious. This delivers contextualized information that includes attribution where relevant, providing details on the adversary and any other information known about the attack.

Managed Threat Hunting for Proactive Defence

Using EDR, the threat hunters work proactively to hunt, investigate, and advise on threat activity in your environment. When they find a threat, they work alongside your team to triage, investigate and remediate the incident, before it has the chance to become a full-blown breach.

Provides Real-Time and Historical Visibility

EDR acts like a DVR on the endpoint, recording relevant activity to catch incidents that evaded prevention.

Customers are given comprehensive visibility into everything that is happening on their endpoints from a security perspective as Crowd Strike tracks hundreds of different security-related events, such as process creation, driver loading, registry modifications, disk access, memory access, or network connections.

This gives security teams the useful information they need including:

  • Local and external addresses to which the host is connected.
  • All the user accounts that have logged in, both directly and remotely.
  • A summary of changes to ASP keys, executables, and administrative tool usage.
  • Process executions.
  • Both summary and detailed process-level network activity, including DNS requests, connections, and open ports.
  • Removable media usage

This complete oversight of security-related endpoint activity allows security teams to “shoulder surf” an adversary’s activities in real-time, observing which commands they are running and what techniques they are using, even as they try to breach or move around an environment.

What Should you look for in an EDR Solution?

Understanding the key aspects of EDR security and why they are important will help you better discern what to look for in a solution. It’s important to find an EDR security solution that can provide the highest level of protection while requiring the least amount of effort and investment – adding value to your security team without draining resources. Here are the six key aspects of EDR you should look for:

  • Endpoint Visibility                

Real-time visibility across all your endpoint allows you to view adversary activities, even as they attempt to breach your environment-, and stop them immediately.

  • Threat Database

Effective EDR requires massive amounts of telemetry collected from endpoints and enriched with context so it can be mined for signs of attack with a variety of analytics techniques.

  • Behavioral Protection

Relying solely on signature-based methods or indicators of compromise (IOCs) leads to the “silent failure” that allows data breaches to occur. Effective endpoint detection and response require behavioral approaches that search for indicators of attack (IOAs), so you are alerted of suspicious activities before a compromise can occur.

  • Insight and intelligence

An endpoint detection and response solution that integrates threat intelligence can provide context, including details on the attributed adversary that is attacking you or other information about the attack.

  • Fast Response

EDR that enables fast and accurate responses to incidents can stop an attack before it becomes a breach and allow your organization to get back to business quickly.

  • Cloud-Based Solution

Having a cloud-based endpoint detection and response solution is the only way to ensure zero impact on endpoints while making sure capabilities such as search, analysis, and investigation can be done accurately and in real time.