What is EDR?

Why Is EDR Critical?

Nowadays, endpoint security faces great risks and challenges. Deploying an effective EDR solution is critical to protect enterprise endpoints from network threats regardless of their locations (within or outside the enterprise networks).

1. Increasingly rampant hacker intrusion

   Network attacks on endpoints, such as ransomware, mining, and advanced persistent threat (APT), are emerging one after another. In 2020, ransomware cases increased by 150%. In 2021, 300 million new malware programs were generated and 30,000 websites were hacked every day.

2. No viable method to manage enterprise security risks

   Large enterprises usually have a large number of hosts. If their O&M personnel have inadequate experience in managing these security assets, key configurations, and system vulnerabilities on the hosts, the hosts will be exposed to great security risks. These security risks can be easily exploited by hackers or malicious competitors to launch attacks, resulting in service interruption or data breach.

3. Increasing remote office demands

   Employees working at home may not be well protected by enterprise security devices as on-site employees, and may use devices that lack the latest updates and security patches.

How Does EDR Work?

Although EDR solutions vary from vendor to vendor, a typical one involves the following five steps:

1. Continuously collects endpoint data.

   Most EDR solutions collect data by installing lightweight data collection tools or agents on each endpoint. The data collected includes login, process running/creation, directory/file access logs, and DNS request information, and they are stored in a central database or data lake, typically hosted on the cloud.

2. Analyzes and detects threats in real time.

   The cloud associates and matches the data collected by data collection tools or agents with the data in the massive threat database in real time to identify known threats. Technologies such as intelligent detection algorithms, User and Entity Behavior Analytics (UEBA), and event correlation analysis are used to identify suspicious activities and unknown or variant threats.

3. Automatically responds to threats.
   Based on rules predefined by the security team or continuous learning with machine learning algorithms, the EDR solution can automatically implement the following:

   • Remind security teams of specific threats or suspicious activities.
   • Categorize or prioritize events based on severity.
   • Disconnect endpoints or deregister end users from the network.
   • Terminate a system or endpoint process.
   • Prevent endpoints from executing suspicious files or email attachments.
   • Trigger antivirus or anti-malware to scan other endpoints on the network for the same threat.

   All of these automatic responses help security teams respond more quickly to events and threats, minimizing network damages incurred by threats.

4. Performs source tracing and in-depth handling.

   Source tracing and forensics help security teams identify the root causes of threats, identify various files affected by the threats, trace how attackers exploit vulnerabilities to access the network and obtain identity authentication credentials, and identify other malicious activities.

   With such information, security teams can perform in-depth handling to eliminate threats:

   • Destroy malicious files and remove them from endpoints.
   • Restore damaged configurations, registry settings, data, and application files.
   • Apply updates or patches to eliminate vulnerabilities.
   • Update detection rules to prevent threats from recurring.

5. Supports threat hunting and security hardening.

   Threat hunting and security hardening are proactive security activities. Threat hunting is a process in which a security team in an organization searches the network for unknown threats or known threats that have not been detected or fixed by the organization's automated cyber security tools. Threat hunting is necessary because advanced threats may have been lurking and collecting system information and user credentials for large-scale intrusions several months before they are detected. Security hardening includes disabling the Remote Desktop Protocol (RDP) service, changing passwords, providing enterprise security training, disabling the sharing service, and configuring firewall policies. Effective and timely threat hunting and security hardening can reduce the time required to detect and remedy these threats and limit or avoid damage caused by attacks.

What Are the Differences Between EDR and EPP?

Endpoint Protection Platform (EPP) provides traditional endpoint security solutions or security tools, such as antivirus, anti-malware, firewall, and online behavior management.

Both EDR and EPP address endpoint security issues, but they have different focuses. Effective endpoint defense requires a solution that integrates EDR and EPP functions.

• EPP focuses primarily on defending against known threats or threats operating in known ways on endpoints. EPP cannot detect or eliminate advanced threats that secretly avoid them. As a result, these threats can lurk and wander around the network for months, collecting data and identifying vulnerabilities to prepare for ransomware attacks, zero-day attacks, or other large-scale cyber attacks.
• EDR makes up for the shortcomings of traditional endpoint security solutions such as EPP. Threat detection, analysis, and automatic response functions provided by EDR can identify and contain potential threats that penetrate into network borders without manual intervention to avoid serious damage.

What Are the Differences Between EDR and XDR?

Extended Detection and Response (XDR) is a rapidly developing emerging technology for endpoint threat detection and response.

EDR focuses on endpoint data, while XDR covers any data source besides endpoints, including networks, emails, applications, and cloud workloads.

To overcome the limits of traditional siloed threat investigation, XDR integrates security tools into the organization's entire hybrid infrastructure to add visibility into data across networks, clouds, endpoints, and applications. With a better understanding of the context, previously undetectable events will surface. Security teams then can quickly respond and eliminate any further impact, reducing the severity and scope of attacks.

How Can We Select a Suitable EDR Solution?

Understanding the key capabilities of EDR will help you choose the EDR solution that best suits you. Here are five factors to consider:

1. Terminal information visualization

   Automatically identifies terminal information, detects asset status in real time, evaluates asset risks on the entire network, and traces historical dynamic IP addresses.

2. Comprehensive threat awareness

   Covers all collection points and provides comprehensive detection methods to detect abnormal behaviors in real time and implement attack visualization and traceability.

3. Accurate threat identification

   Based on its massive threat database, updates threat information in real time, and uses multiple technologies, such as intelligent detection algorithms, UEBA, and event correlation analysis, to achieve high threat identification accuracy.

4. Quick response to threats

   After determining a threat, quickly contains attacks, for example, automatically stopping or disconnecting the threatened host from other hosts, and reminding users to handle the threat in a timely manner for quick service restoration.

5. Implementation costs

   Consider the costs of deploying and operating EDR in your enterprise system and select a proper on-cloud or off-cloud solution.