What is EDR
EDR stands for Endpoint Detection and Response. Sometimes you’ll also hear Endpoint Threat Detection and Response (ETDR). EDR is an integrated endpoint security solution that combines real-time monitoring and the collection of endpoint data with rule-based automated response and analysis capabilities.
It identifies suspicious behaviour and threats on endpoints in an environment and alerts administrators accordingly. By examining the entire lifecycle of a threat, you will understand what happened, how it got in, where it went, what it’s doing and how to stop it. By containing the threat at the endpoint, EDR solutions help to eliminate the threat and prevent it from spreading.
Key functions of an EDR solutions
What you need in an EDR solution depends on your organisation’s needs. But it should always add value to your security team without draining resources. Important functions of endpoint detection and response are:
- Threat intelligence and insights
- Detection accuracy and speed to uncover attackers
- Fast and decisive remediation
- Real-time and historical visibility
- AI/ML-powered detection and correlation of malicious behaviours
What are the benefits of an EDR solution?
Visibility is one of the main keywords in EDR solutions. These tools provide both deep and wide visibility into threats and they use machine learning tools to detect attacks.
Because of the rich level of details collected by an EDR solution, the response and remediation activities following a breach can be simplified. In the past, it would take the incident responder a lot of time collecting data from various endpoints. But with EDR the data is automatically collected and stored. This will give the responder a more complete picture of a security incident than would otherwise be available.
EDR doesn’t work based on a list of known viruses. They actively search for suspicious behaviour in your network. The tool doesn’t react to the normal behaviour of a user, but does undertake action when suspicious behaviour is spotted. When an attack is discovered and prevented an EDR will share details of this attack with other endpoints in your network. These endpoints will become immune to this attack.