The term “EDR” (Endpoint Detection and Response) only entered the vocabulary of computer security a few years ago and still causes some confusion among MSPs entering the crowded field of enterprise security solutions. What, exactly, is EDR? How is it different from legacy antivirus (AV) and endpoint protection platforms (EPP)? Has EDR really solved the problems it was designed to address? In this post, we explain the past, present, and future of EDR.

Where did the term “EDR” come from?

The term EDR was coined by Anton Chuvakin of the Gartner Blog Network in 2013 as a means of classifying a new group of tools or capabilities that focused on the detection of suspicious activities on endpoints. These tools were different from earlier security solutions in that they didn’t necessarily focus on identifying specific malware. Instead, they looked for anomalous activities. EDR solutions were unique—instead of simply identifying and quarantining a file suspected of being malware, they were designed to provide alerts to security terms that could trigger further investigation.

Why were EDR solutions created?

Prior to the advent of EDR solutions, most businesses relied on traditional AV protection. However, the problem with AV solutions is they weren’t always effective in combatting the wide range of threats that could occur at the endpoint level. Older legacy AV solutions were based on detecting malware files through signatures—typically a hash of the file, but later through identifying tell-tale strings contained in the binary through search methodologies like YARA rules.

This approach proved to have several weaknesses. First, malware authors began to sidestep signature-based detection simply by padding files with extra bytes to change the malware’s hash or using different ways to encrypt strings that binary scanning couldn’t easily read. Second, adversaries intent on stealing company data or intellectual property began using other means, besides detectable malicious files, to achieve their goals. Bad actors’ tactics evolved to include in-memory “fileless” attacks, exploiting built-in applications and processes (called “living off the land”), and compromising networks by phishing users for credentials or stealing resources with cryptomining. Legacy AV solutions simply didn’t have the resources to deal with the new wave of tactics, techniques, and procedures.

Legacy AV tries to evolve with EPP

Given this threat to their existence, legacy AV solutions started offering further services such as firewall control, data encryption, data loss prevention through device blocking, and a suite of other tools attractive to IT management in general, but not necessarily centered on security itself. These advanced AV solutions fell under the endpoint protection platform (EPP) umbrella. Regardless, EPP was still fundamentally signature-based and did not truly solve the inherent problems with legacy AV.

This isn’t to say that antivirus solutions don’t have a place. For many businesses facing lower levels of risk or for budget-conscious MSP customers, AV solutions are still better than nothing. And they can prevent several threats when working in concert with other security layers. Yet, the sheer number of wide-scale breaches show businesses really are better off upgrading to a more versatile solution like EDR.

Enter EDR—peering into the dark

Aside from being signature-based, what primarily distinguishes EPP and legacy AV from more modern EDR is they are based around prevention. In contrast, EDR is all about providing you with visibility into what is occurring on the endpoint and network.

There were earlier “homegrown” attempts to do this before security vendors stepped up to the plate. For instance, there were hundreds of GitHub repositories offering open source tools for visibility, some even cross-platform, like Facebook’s OSQUERY. But using such solutions required skilled personnel who could code, integrate, do some DevOps, and come up with a feasible process to make the enterprise aware of the active breaches as soon as possible.

At the same time, innovation finally made it to the AV industry and a new line of products began to appear focusing on detecting unusual activity and issuing a response—alerts for a security analyst to investigate.

Essentially, these EDR solutions attempt to provide you with visibility into what is occurring on the endpoint and network. Some claim this is an easier nut to crack than protection, as it shifts the work onto a human agent and only requires alert generation from the software. For EDR solutions relying on weak heuristics and insufficient data modeling, the upshot for the security team can be either a never-ending stream of alerts or a high number of false positives (or both). The EDR market lacked a means of contextualizing the complex amount of data streaming from the endpoints that this visibility provided.

Problems with EDR as we know it

Increased visibility means an increased amount of data, and consequently an increased amount of analysis. Because of this, most EDR solutions available today aren’t scalable. They require too many resources that are in short supply, namely time, money, bandwidth, and a skilled workforce.

In addition, EDR, in many cases, requires cloud connectivity, and as such will be late with protecting endpoints. If the solution is not on the device, there will inevitably be some dwell time. A successful attack can compromise a machine, exfiltrate or encrypt data, and remove traces of itself in fractions of a second. Waiting for a response from the cloud or for an analyst to take action in a timely manner is simply not feasible in the modern threat scape.

The Future: SolarWinds Endpoint Detection and Response

SolarWinds^® Endpoint Detection and Response (EDR), powered by SentinelOne, was built to correlate the story on the device itself.

SolarWinds EDR offers an automated response that relies on artificial intelligence to take the burden off the MSP team. It allows teams to quickly understand the story and root cause behind a threat. The technology can autonomously attribute each event on the endpoint to its root cause without any reliance on cloud resources.

This can revolutionize security. It can be used by MSPs almost regardless of resources—from those who are advanced in security to more novice security professionals—providing them with the ability to automatically remediate threats and defend against advanced attacks.

Conclusion

Cybersecurity is a never-ending game of cat-and-mouse. As attackers up the ante, developing new skills and deploying new tactics and techniques, defenders respond by trying to play catch up. Endpoint security solutions have been lagging behind bad actors for a while now, but with the advent of SolarWinds EDR, powered by SentinelOne—a technology that can prevent, detect, and respond to advanced attacks regardless of delivery vectors, whether the endpoint is connected to the cloud or not—defenders may at last have a winning edge.