Endpoint Detection and Response (EDR)
Better protect, detect and respond to hidden security threats that target your applications with EDR.
What is EDR?
EDR is a cybersecurity solution that monitors and protects endpoints — think desktops, laptops or servers. It is designed to detect suspicious activity and helps security operations center (SOC) personnel investigate incidents at the operating system and network level.
How does EDR work?
EDR works by monitoring endpoints for suspicious activity and then investigating and responding to that activity. It typically involves the following steps:
- Data collection: EDR solutions collect data from endpoints, such as system logs, event logs and network traffic. This data is then analyzed for suspicious activity.
- Detection: EDR solutions use a variety of techniques to detect suspicious activity, such as anomaly detection, signature-based detection and behavioral analysis.
- Investigation: When suspicious activity is detected, EDR solutions provide security analysts with the tools to investigate the activity and determine if it is malicious.
- Response: EDR solutions provide security analysts with the tools to respond to malicious activity, such as isolating endpoints, terminating processes, blocking malicious traffic and restoring affected systems.
EDR sits at the operating system or kernel level of an endpoint device and monitors system events like:
- File interactions: new files created, files read, files changed, files encrypted
- Process behavior: new processes spawned, new child process spawned
- Network communication: abnormal network requests to unusual places
EDR then applies threat intelligence information in combination with machine learning and behavioral analysis to identify attacks and malicious behavior and respond effectively to block or stop attacks.
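As an added example (not any EDR vendor's code), the collect, detect and respond steps above run over a small set of constructed endpoint telemetry: a Word document that spawns an encoded PowerShell command, which then calls out on an unusual port and renames a batch of files. The event schema, the rule names, the threshold of 20 renames and the sample events are all assumptions made for this illustration.

```python
"""Added example (not any EDR vendor's code): the collect / detect / respond
loop described above, run over constructed endpoint telemetry.
The event schema, rule names and the rename threshold are assumptions."""
from collections import defaultdict

# Constructed telemetry from one host: a Word document launches an encoded
# PowerShell command, which calls out on an unusual port and renames files.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": ""},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winword.exe", "cmdline": ""},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA"},  # base64 of UTF-16LE "IEX"
    {"type": "network", "pid": 300, "dst": "203.0.113.7", "port": 4444},  # TEST-NET-3 address
] + [
    {"type": "file", "pid": 300, "op": "rename",
     "path": f"C:\\Users\\a\\Documents\\report{i}.docx",
     "new_path": f"C:\\Users\\a\\Documents\\report{i}.docx.locked"}
    for i in range(25)
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WEB_PORTS = {80, 443}
MASS_RENAME_THRESHOLD = 20  # assumed: extension-changing renames by one process before it looks like ransomware

def detect(events):
    """Detection step: apply behavioural rules to the collected events.
    Returns a list of (rule_name, pid) alerts in the order they fire."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}  # process tree by pid
    alerts = []
    rename_count = defaultdict(int)   # pid -> renames that changed the extension
    new_exts = defaultdict(set)       # pid -> set of new extensions written

    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            # Rule 1: an Office application spawning a script host (malicious document)
            if parent and parent["image"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", e["pid"]))
            # Rule 2: PowerShell started with an encoded command line (crude substring check)
            cmd = e.get("cmdline", "").lower()
            if e["image"] == "powershell.exe" and "-enc" in cmd:
                alerts.append(("encoded_powershell", e["pid"]))
        elif e["type"] == "file" and e["op"] == "rename":
            old_ext = e["path"].rsplit(".", 1)[-1]
            new_ext = e["new_path"].rsplit(".", 1)[-1]
            if old_ext != new_ext:
                rename_count[e["pid"]] += 1
                new_exts[e["pid"]].add(new_ext)
        elif e["type"] == "network":
            proc = procs.get(e["pid"])
            # Rule 3: a script host talking to the network on a non-web port (C2-like)
            if proc and proc["image"] in SCRIPT_HOSTS and e["port"] not in WEB_PORTS:
                alerts.append(("script_host_nonstandard_port", e["pid"]))

    # Rule 4: one process rewrote many files to a single new extension (ransomware-like)
    for pid, n in rename_count.items():
        if n >= MASS_RENAME_THRESHOLD and len(new_exts[pid]) == 1:
            alerts.append(("mass_rename_single_extension", pid))
    return alerts

def respond(alerts):
    """Response step: kill every flagged process, and isolate the host when the
    activity suggests active encryption or command-and-control traffic."""
    actions = {"kill_process": set(), "isolate_host": False}
    for rule, pid in alerts:
        actions["kill_process"].add(pid)
        if rule in ("mass_rename_single_extension", "script_host_nonstandard_port"):
            actions["isolate_host"] = True
    return actions

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, pid in found:
        print(f"ALERT {rule} pid={pid}")
    print("actions:", respond(found))
```

Every rule here keys off the same three event classes the page lists (process, file, network); note that rules 1 to 3 fire on a single event, while rule 4 needs state accumulated across many events, which is why real sensors keep per-process counters rather than evaluating each event in isolation.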
Why is EDR security important?
EDR security is important because it helps organizations to protect their endpoints from security threats that target applications. These threats can be difficult to detect and can cause significant damage to an organization's data and systems.
EDR helps SOCs to do the following:
- Detect and respond to threats quickly: EDR security solutions can detect and respond to threats in real time, which can help to prevent them from causing damage.
- Reduce the risk of data breaches: EDR security solutions can help to reduce the risk of data breaches by detecting and blocking malicious activity.
- Improve compliance: EDR security solutions can help organizations to comply with data protection regulations by providing visibility into endpoint activity.
- Enhance security operations: EDR security solutions can help security operations teams to be more efficient and effective by providing them with the tools they need to investigate and respond to threats.
In particular, EDR is ideal for detecting and often blocking the following threats:
- Malware and viruses: EDR can block known malware by signature and, through behavioral analysis, malware the security team has not seen before.
- Ransomware: EDR can detect ransomware attacks and prevent them from encrypting files or exfiltrating data.
- Phishing attacks: EDR can detect the endpoint-side effects of a successful phish, such as an email attachment spawning a script interpreter or a browser download that drops malware, and can block the resulting execution.
- Brute-force attacks: EDR can detect brute-force attacks on user accounts and servers and can prevent unauthorized access.
- Lateral movement: EDR can detect attackers moving laterally across a network and can identify compromised systems.
- Command and control (C&C) communications: EDR can detect communications between infected endpoints and C&C servers and can disrupt attacker communications.
- Advanced persistent threats (APTs): EDR can detect and respond to APTs, which are sophisticated attacks that can evade traditional security measures.
What are the key components of an EDR solution?
According to Gartner, EDR solutions “record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems.”
Further, Gartner notes that EDR solutions ideally contain these four elements:
- Security incident detection
- Incident containment (at the endpoint)
- Security incident investigation
- Remediation guidance
Beyond this high-level list, EDR solutions ideally should provide the following:
- Prevention: EDR tools should go beyond identifying known malware and protect against both known and unknown threats. Many leading EDR solutions now use machine learning (ML) and behavioral analytics to prevent a wide variety of attacks.
- Detection and response: True to its name, EDR needs to detect and respond to threats targeting endpoints. EDR should provide a second line of defense when prevention fails, with comprehensive visibility into endpoint activity. Additionally, many EDR tools leverage data correlation and analytics to uncover threat activity.
- Identity threat detection and response (ITDR): EDR needs to secure identity infrastructures and detect compromised credentials, over-privileged accounts and potential attack paths. Ideally, an EDR solution provides real-time detection and response to identity-based threats.
- Threat intelligence: EDR provides SOC analysts with context and insights into the threat landscape, gathered from various sources and analyzed using data analytics and ML. EDR empowers security teams to understand the motives, techniques and objectives of threat actors.
- Managed threat hunting (MDR): Many leading EDR vendors pair the product with a managed detection and response (MDR) service that does not just react to alerts but proactively hunts for and neutralizes threats, drawing on human security expertise and on technologies such as artificial intelligence and threat intelligence.
What are the benefits and limitations of EDR?
Perhaps the main benefit of EDR is that it detects and responds to threats quickly, particularly the myriad issues that impact endpoints. As a result, EDR helps to reduce the risk of data breaches, to improve compliance posture and to enhance security operations.
Advantages of EDR include:
- Improved visibility into endpoint activity
- Rapid detection and containment of threats
- Minimized impact of security breaches
- Enhanced threat hunting and investigation capabilities
- Automated response to security incidents
The main limitation of EDR, however, is that it only sees what happens in and on an endpoint. Many attack vectors — particularly attacks conveyed via web applications — evade EDR.
EDR has no way to know if code inside the application is manipulated, which means it can miss attacks that occur entirely within the application layer. As a result, the SOC may have to wait until an application is compromised before EDR detects the threat.
In short, EDR has no visibility into application-specific attacks or, more generally, into the application layer, which also includes application programming interfaces (APIs). In practice:
- EDR focuses on system-level events, making it difficult to investigate application breaches
- EDR provides limited to no protection against zero-day attacks, especially exploits of application code that leave no malicious file or suspicious process behind
- EDR has a larger performance impact on server endpoints
- EDR is still prone to false positives and excessive noise
Another limitation of EDR is that it relies on endpoint-centric data, which can be limited in scope. This can make it challenging to detect Application Security (AppSec) issues that require data analysis across multiple endpoints or that involve interactions with external systems.
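The blind spot described in this section, as an added example that is not Contrast's or any EDR vendor's code: a SQL injection that runs entirely inside the application process. An EDR-style sensor is simulated with a Python audit hook that records only process, file and socket events; it sees nothing during the injected query, whereas an in-process check on whether the user's input changed the token structure of the SQL catches it. The users table, the tiny "web handler", the query template, the inputs and the post-exploitation step are all constructed for this example; the structure-comparison check is a simplified stand-in for how in-application sensors reason, not a description of any product.

```python
"""Added example (not Contrast's or any EDR vendor's code): an SQL injection
that never leaves the application process. An EDR-like audit hook records
no OS-level event, while an in-process check on the query's token structure
flags and blocks the request. Table, template and inputs are constructed."""
import re
import sqlite3
import subprocess
import sys

# ---- constructed target: a tiny "web handler" over an in-memory database ----
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "s1"), ("bob", "s2")])
    return conn

def build_query(name):
    # Deliberately vulnerable: untrusted input concatenated into SQL.
    return f"SELECT name FROM users WHERE name = '{name}'"

def vulnerable_lookup(conn, name):
    return [r[0] for r in conn.execute(build_query(name))]

def safe_lookup(conn, name):
    # Hardened form: a parameterised query; input can never change the SQL structure.
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]

# ---- the endpoint (EDR-like) view: OS-level events produced during a call ----
EDR_EVENTS = {"subprocess.Popen", "os.system", "os.exec", "open", "socket.connect"}
_capture = None  # list while a call is being observed, else None

def _audit_hook(event, args):
    if _capture is not None and event in EDR_EVENTS:
        _capture.append(event)

sys.addaudithook(_audit_hook)

def endpoint_view(fn, *args):
    """Run fn(*args); return (result, list of EDR-relevant OS events it caused)."""
    global _capture
    _capture = []
    try:
        result = fn(*args)
    finally:
        seen, _capture = _capture, None
    return result, seen

# ---- the application view: does the input change the SQL's structure? ----
_TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/|\s+|[A-Za-z_]\w*|\d+|.", re.S)
_KEYWORDS = {"SELECT", "FROM", "WHERE", "OR", "AND", "UNION", "DROP"}

def sql_shape(sql):
    """Token kinds with literal values erased: 'alice' and 'bob' give the same shape."""
    shape = []
    for tok in _TOKEN.findall(sql):
        if tok.isspace():
            continue
        if tok.startswith("'"):
            shape.append("STR")
        elif tok.startswith(("--", "/*")):
            shape.append("COMMENT")
        elif tok[0].isalpha() or tok[0] == "_":
            shape.append(tok.upper() if tok.upper() in _KEYWORDS else "IDENT")
        elif tok.isdigit():
            shape.append("NUM")
        else:
            shape.append(tok)
    return shape

def app_sensor_flags(name):
    """True when the user value alters the query's token structure (injection)."""
    return sql_shape(build_query(name)) != sql_shape(build_query("placeholder"))

def monitored_lookup(conn, name):
    """Same vulnerable code path, but an in-process check blocks structural changes."""
    if app_sensor_flags(name):
        raise PermissionError("blocked: input changes SQL structure")
    return vulnerable_lookup(conn, name)

def post_exploitation():
    """A later stage an attacker may reach (spawning a process); this one
    does surface at the OS level, which is when EDR first gets a signal."""
    subprocess.run([sys.executable, "-c", "pass"], check=True)
    return "shell"

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    rows, os_events = endpoint_view(vulnerable_lookup, db, payload)
    print("injection returned", rows, "| endpoint events:", os_events)
    print("app sensor flags payload:", app_sensor_flags(payload))
    print("post-exploitation endpoint events:", endpoint_view(post_exploitation)[1])
```

The injected query returns every row, yet the endpoint event list for that call is empty: no file was opened, no process spawned, no socket connected. Only once the attacker moves to a second stage that touches the OS (here, spawning a process) does the endpoint view show anything, which is the "wait until the application is compromised" delay the text describes. The shape check also leaves a correctly escaped value such as `O''Brien` alone, so it blocks on structure, not on the presence of quote characters.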
How Contrast ADR complements EDR
Contrast Application Detection and Response (ADR) gives defenders the observability and control they need in the application layer to detect, respond to and block threats that target custom applications and APIs, and does so in a manner that is tightly integrated with existing security operations tools and workflows. Contrast ADR helps detect an attack earlier in the attack chain, giving organizations more time to react to a breach.
ADR and EDR detection capabilities don’t overlap. ADR adds detection of application-level vulnerabilities and attacks that can’t be detected by EDR. Additionally, ADR can detect application attacks much earlier in the kill chain, detecting and highlighting the indicator of compromise (IoC), not the effect. Further, ADR adds application-level context to the security information and event management (SIEM) platform: context that is currently a blind spot with EDR.
Contrast ADR is built on the Contrast Runtime Security Platform, which enables developers, AppSec teams and SecOps teams to better protect and defend their applications against the ever-evolving threat landscape. Contrast’s patented security instrumentation delivers integrated and comprehensive security observability that brings accurate assessment and continuous protection of an entire application portfolio.