Endpoint Detection and Response solutions provide more comprehensive defenses than conventional antivirus software and can detect fileless attacks launched through legitimate Windows programs. Learn here what exactly an EDR system is, what features it should have, and what role the solution plays in your SIEM.
What is an EDR system?
An endpoint detection and response (EDR) platform is a technical, software-based solution designed primarily to detect the artifacts of a cyberattack. The term EDR was introduced in 2013 by Gartner analyst Anton Chuvakin to describe platforms that enable deeper investigation of suspicious activity on endpoints such as PCs, laptops and servers. EDR platforms continuously record endpoint behavior, analyze the data and respond to suspicious behavior with automated defensive measures, such as isolating the affected devices. This can stop a compromise from spreading, for example through lateral movement. However, the core focus of EDR solutions is to increase the visibility of anomalies on the endpoint. This is how EDR systems differ from other technical security solutions such as firewalls: protection takes place directly on the end devices and not at the network boundary.
What are the main functions of an EDR solution?
Any EDR system enables real-time monitoring of activities and events on endpoints. This enables reliable identification of suspicious behavior and detection of cyber threats as they occur. Automated responses to defend against those threats are also a basic feature of an EDR solution.
In addition, a high-performance EDR system should have the following features:
Cross-platform: The solution should install on all common operating systems – Windows, Linux, macOS – without additional effort. Depending on the customer’s individual needs, installation on mobile platforms should also be possible.
Central management: The solution should offer central data management with granular group and policy control.
Manual access: In addition to automatic mechanisms, the solution must always offer the option of isolating computers manually from the network.
Incident management: An incident management tool to manage and keep track of incoming alarms and IOCs further enhances the capabilities of an EDR solution.
Mapping: A mapping to the MITRE ATT&CK framework enables precise classification and analysis of observed cyber attacks.
Flexible: The management system of the EDR solution should be fully integrable into the company’s architecture as an on-premises installation where the company’s requirements demand it, and should also offer the option of being operated in air-gapped mode.
Extensible: An API (Application Programming Interface) allows information to be added and exchanged between the EDR and other systems.
Custom IOCs: By creating or importing custom Indicators of Compromise into an EDR solution, connected systems can be examined for artifacts of an attack in cases of suspicion or during incident response (IR).
Live forensics: Powerful EDR systems offer the possibility of live forensics, for example via osquery or comparable third-party providers.
Storage: Storing events and the process summary of each connected system for 30 days or more is strongly recommended.
External sources: If possible, the EDR system should allow enrichment of events via external sources, such as STIX and TAXII.
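To make the custom-IOC and ATT&CK-mapping features above concrete, here is an added example (not code from any EDR product) that sweeps recorded endpoint process events for imported indicators and tags each hit with the ATT&CK technique ID the analyst attached to the indicator. All hashes, domains, paths, hosts and technique assignments are constructed sample data.

```python
"""Match custom IOCs against recorded endpoint events and tag hits with ATT&CK IDs.
Added illustration, not any EDR product's code; every IOC value, event record and
technique assignment below is constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    kind: str        # "sha256" | "domain" | "path"
    value: str
    technique: str   # ATT&CK technique ID chosen by the analyst for this IOC (constructed)
    label: str

# Constructed custom IOC set, as an analyst might import it into the EDR console.
CUSTOM_IOCS = [
    Indicator("sha256", "a" * 64, "T1204.002", "known dropper (sample)"),
    Indicator("domain", "updates.example.invalid", "T1071.001", "C2 domain (sample)"),
    Indicator("path", r"c:\users\public\stage.ps1", "T1059.001", "staging script (sample)"),
]

# Constructed endpoint telemetry of the shape an EDR agent records per process.
EVENTS = [
    {"host": "pc-042", "pid": 1204, "sha256": "b" * 64, "dst_domain": "",
     "cmdline": "notepad.exe report.txt"},
    {"host": "pc-042", "pid": 1388, "sha256": "c" * 64, "dst_domain": "updates.example.invalid",
     "cmdline": r"powershell.exe -f c:\users\public\stage.ps1"},
    {"host": "srv-db1", "pid": 77, "sha256": "a" * 64, "dst_domain": "",
     "cmdline": "setup.exe"},
]

def index_iocs(iocs):
    """Case-insensitive lookup table so each event field is a dict hit, not a linear scan."""
    return {(ioc.kind, ioc.value.lower()): ioc for ioc in iocs}

def event_keys(ev):
    """Yield the (kind, value) pairs of one event that could carry an IOC, lowercased."""
    yield ("sha256", ev.get("sha256", "").lower())
    if ev.get("dst_domain"):
        yield ("domain", ev["dst_domain"].lower())
    for part in ev.get("cmdline", "").lower().split():  # unquoted paths in the command line
        yield ("path", part)

def sweep(events, iocs):
    """Return one hit per matching event field, carrying the IOC's ATT&CK technique."""
    table = index_iocs(iocs)
    hits = []
    for ev in events:
        for key in event_keys(ev):
            ioc = table.get(key)
            if ioc:
                hits.append({"host": ev["host"], "pid": ev["pid"], "ioc": ioc.value,
                             "technique": ioc.technique, "label": ioc.label})
    return hits
```

The technique IDs are real ATT&CK identifiers, but which ID belongs to which IOC is the analyst's choice when the indicator is created; the EDR only carries the mapping through to the alert.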
What do I achieve with an EDR system and what are the limitations?
A properly implemented and used EDR system can significantly improve IT security within an organization. In addition to detecting even advanced threats, simplifying and accelerating incident response, and providing a high level of visibility, EDR solutions usually offer strong automation capabilities that enable incident investigations and responses even on a large scale.
Perhaps the most important benefit that can be achieved with an EDR system is the ability to detect threats that are difficult or impossible to detect with conventional systems. These threats include professional hacker attacks or zero-day attacks. Additionally, the time it takes to respond to a security incident is significantly reduced. EDR systems capture, collect and store many details and artifacts from various endpoints in real time and make the acquired data immediately available for analysis. This provides a comprehensive picture of an IT security incident without requiring incident response teams to invest time in collecting artifacts from endpoints.
Additionally, the ability to provide artifacts in a centralized manner gives analysts a comprehensive view of the overall security posture of the organization. This allows patterns to be identified and attributed, and appropriate responses to an incident to be triggered. These responses are also significantly accelerated by EDR systems. The ability to respond quickly to security incidents is supported by extensive automation capabilities and the use of an API.
However, even an EDR system has limitations. Even though the solution is a good addition to a company’s security measures, there are a few points to consider before implementation to ensure that maximum benefit can be derived from EDR solutions. It is important to note that EDR systems absolutely require the use of highly specialized professionals. Depending on the size of the enterprise, EDR systems generate a high number of alarms on a daily basis. Automated solutions are not sufficient to distinguish “real” alerts from false alerts. Experienced cyber security analysts or threat hunters bring the necessary expertise to proactively detect attacks or attack artifacts.
An EDR system is not a preventive system in the way that traditional signature-based antivirus is. An EDR system is not used to prevent attacks, but to reliably detect specific attack techniques associated with one or more attack tactics. The rate of false positives and false negatives among the generated alerts therefore plays a key role; it should be verified with appropriate tests during a proof of concept (POC).
How does EDR differ from XDR?
While an EDR solution specializes in detecting and defending against IT threats on endpoints, XDR systems cover threat prevention and detection across an organization’s entire IT infrastructure. In addition to endpoints, XDR systems also include network, e-mail and cloud services in their investigations. This creates a holistic picture of the threat situation – unlike EDR systems, which look at IT security from an endpoint perspective.
An EDR system can be a good place to start – depending on the IT security requirements within the organization – to increase visibility on the endpoints. With XDR, this approach is extended to the network, email, cloud, container and user levels. Thus, via correlation and machine learning, attacks can be traced back to patient zero. For a reliable deployment of XDR solutions, an ecosystem built from a single manufacturer’s portfolio of components is usually required.
What role does EDR play for my SIEM?
An effective security infrastructure is characterized by multiple layers whose specific strengths complement each other. For decision makers, the overlap of functionalities can be confusing in places – this is especially true for an EDR that is intended to extend an existing SIEM in the company in the future.
As a centralized risk management tool, a SIEM solution specializes in detecting, investigating and responding to cyber threats. By providing a centralized location for storing and analyzing data, a SIEM links disparate silos of information together, providing the ability to keep multiple data sources under continuous observation. SIEM systems detect security breaches, generate reports and provide IT security professionals with in-depth insights into potential or actual attacks. As a result, responses and countermeasures can be derived and executed quickly and reliably.
An EDR system adds endpoint security capabilities to the SIEM – that is, for any device that physically represents an endpoint within a network. This could be employees’ PCs, field workers’ laptops, or the server in the data center. EDR systems detect unusual activity on a device and automatically provide recommended response actions.
SIEM and EDR complement each other. While a SIEM collects data from a wide variety of data sources, enabling extensive log management or data forensics in addition to advanced correlation, EDR focuses strictly on endpoint data. This significantly simplifies the detection and remediation of complex attacks.
In general, we recommend always considering EDR as a complementary component to a SIEM. By focusing on individual endpoints, EDR provides additional, valuable log data – which can be used by the SIEM to evaluate and combat cyberattacks.
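The complementary relationship described in this section can be shown in code. The following added example (not any SIEM or EDR vendor's code) takes EDR alerts forwarded over the EDR's API and correlates them, on the SIEM side, with firewall log lines from the same source address within a short time window, so the endpoint finding is enriched with the network view the EDR alone does not have. Hosts, addresses, timestamps and log lines are constructed sample data.

```python
"""Correlate EDR endpoint alerts with firewall logs already held by the SIEM.
Added illustration of EDR as a SIEM log source, not vendor code; all log lines,
alerts, hosts and addresses below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed firewall syslog lines, as a SIEM would store them.
FIREWALL_LOGS = """\
2024-05-02T10:14:05Z fw01 DENY src=10.0.5.42 dst=203.0.113.9 dport=443
2024-05-02T10:15:40Z fw01 ALLOW src=10.0.5.42 dst=203.0.113.9 dport=443
2024-05-02T10:16:02Z fw01 ALLOW src=10.0.5.77 dst=198.51.100.3 dport=80
2024-05-02T11:30:00Z fw01 ALLOW src=10.0.5.42 dst=203.0.113.9 dport=443
"""

# Constructed EDR alerts forwarded to the SIEM via the EDR's API.
EDR_ALERTS = [
    {"ts": "2024-05-02T10:15:10Z", "host": "pc-042", "ip": "10.0.5.42",
     "technique": "T1071.001", "detail": "unexpected outbound connection from office process"},
    {"ts": "2024-05-02T10:40:00Z", "host": "pc-031", "ip": "10.0.5.31",
     "technique": "T1059.001", "detail": "script interpreter started by mail client"},
]

def parse_ts(s):
    """Both sources use UTC ISO-8601 timestamps with a trailing Z (constructed format)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_fw_line(line):
    """Turn one firewall line into a dict with ts, action and the key=value fields."""
    ts, _device, action, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": parse_ts(ts), "action": action, **fields}

def correlate(alerts, fw_text, window=timedelta(minutes=5)):
    """Attach to each EDR alert the firewall flows from the same source IP seen
    within +/- window of the alert time; flows outside the window are ignored."""
    flows = [parse_fw_line(l) for l in fw_text.splitlines() if l.strip()]
    enriched = []
    for alert in alerts:
        t = parse_ts(alert["ts"])
        related = [f for f in flows
                   if f["src"] == alert["ip"] and abs(f["ts"] - t) <= window]
        enriched.append({**alert, "network_flows": related,
                         "external_peers": sorted({f["dst"] for f in related})})
    return enriched
```

An alert with no related flows (the second one here) is still kept, because a missing network counterpart is itself useful triage information.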
Laptops, PCs and servers are the endpoints on a network – and an exceedingly popular target for cyberattacks. These devices are often not optimally secured or fully monitored by corporate IT, making them a dangerous weak point within an IT security architecture. EDR – Endpoint Detection and Response – is a platform solution that specifically targets increased security when dealing with endpoints. EDR security solutions enable rapid detection of suspicious activity and typically automated response to threats in real time. The highly detailed information provided by EDR systems helps to detect an attack at an early stage and take action to prevent consequential damage caused by lateral movement or similar. EDR solutions are particularly efficient when combined with a SIEM. By combining the advantages of both IT security solutions, companies gain a holistic view of the existing security infrastructure, can detect attacks even faster and more reliably, and have a broadly based data pool for forensic tasks after a security incident.