Endpoint Detection Response (EDR)

Best practices and resources to help your organization implement Endpoint Detection Response.

What is EDR?

Endpoint detection and response (EDR) is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities.

 

 

The primary functions of an EDR security system are to:

  • Monitor and collect user and system activity data from endpoints
  • Analyze this data across the enterprise environment to identify threat patterns
  • Automatically respond to identified threats to remove or contain them, and notify security personnel
  • Forensics and analysis tools to research identified threats and search for suspicious activities

When evaluating an EDR solution, be mindful of the features listed above as there is a lot of noise in the market.  Antivirus software may appear to have many bells and whistles, but ultimately lacks some of the key functions above.  And some of the EDR software vendors out there have multiple levels of products, the basic version of which may not have EDR features and is just antivirus software.  

As we continue to see attacks get more sophisticated, we need our endpoint detection technology to do the same. Below, we’ll cover the differences in various endpoint technologies and why simple antivirus (AV) can’t really stack up with EDR when it comes to protecting your organization. 

Antivirus AV: Entry-level, minimal protection.

Next-Gen AV: The baseline level of protection we need to see at your organization. 

EDR: The ideal technology for protecting your environment as a whole; what Corvus likes to see policyholders utilize.

Antivirus (AV)

AV technology is most commonly used for personal computers, where it can be a useful tool for scanning systems and identifying malware. While some organizations still rely on it as their primary defense against malware, it typically can’t do enough to protect against the malware that businesses face today since it’s most effective with commodity and generic malware. It blocks the execution of files, and quarantines or deletes detected malicious files, but it really only meets a simple baseline of protection. 

Key takeaway: AV will protect an organization from the low-hanging (malware) fruit. 

Next-Gen AV

Next-Gen AV carries over all the components available in standard AV, plus more enhanced capabilities to detect suspicious behaviors within the system. It can learn the common behavior of the endpoint to better detect when there’s anomalous activity in the system, due to Advanced Machine Learning and Artificial Intelligence. With these enhanced protections, you’re likely to see better detection of more advanced malware and better containment of the system if something is detected. A limitation, however, is that it exclusively focuses on the system it’s installed on and can’t see the larger picture of what is happening in the environment as a whole. 

Key takeaway: NGAV can protect the system it’s installed on against more advanced malware, but the focus stays on the system itself instead of what is happening in the enterprise. 

Endpoint Detection Response (EDR)

Everything that we’ve touched on with AV and Next-Gen AV applies to EDR, with even more capabilities to protect your endpoints. Although, we believe it’s important to highlight that EDR is best used in conjunction with either a trained internal security team or a Managed Security Service Provider (MSSP) or Managed Detection and Response (MDR) to maximize the potential usage. 

Something that EDR can provide (that AV/Next-Gen AV cannot) is “Flight Recorder” technology that tracks activity on the system before and after an alert to clearly identify what malicious activity occurred on the system. In a circumstance where you’ll have a forensic team involved, this information can be incredibly valuable for the investigation. Also, as opposed to the one-system nature of Next-Gen AV, EDR can provide insight into data from all of your systems, which creates a central viewpoint to provide better visibility and correlation across your entire environment. 

Another bonus of EDR: If there’s a threat detected, it can isolate the potentially impacted system from the rest of the network until an investigator can review the system. Ultimately, EDR carries a lot of unmatched capabilities to protect your network’s endpoints — which is why we highlight it as such a key tool to mitigate risk at your organization.

Key takeaway: EDR is the most effective at protecting the environment as a whole, and can show how threat actors navigate throughout various systems (and gives you the tools to isolate impacted areas).

What resources are available to help policyholders implement EDR?

  • SentinelOne: Contact SentinelOne through Corvus’ Partner Link and receive a 30% discount with a 60 day free trial.  SentinelOne works across Windows, Mac and Linux OS and is very easy to implement.
  • CrowdStrike: Contact CrowdStrike through Corvus' Partner Link to receive a free trial and substantial discount following the trial. 
  • Corvus EDR Consult: For policyholders looking to hire experts to help them identify the right EDR tool for their environment and implement it, Corvus has an EDR consult that they can request by filling out the form on our vCISO Services signup page.  We will then connect them to vendors to assist at reduced, cost-effective rates.