Endpoint detection and response (EDR) is a comprehensive cybersecurity solution that does everything a managed antivirus can do, but takes things a step further by providing greater security and—most importantly—peace of mind. Its capabilities typically include constant monitoring, threat detection, allow and block listing, threat response, and integration with other cybersecurity solutions. The overarching goal of EDR is to mitigate security threats with a focus on protecting endpoints, such as laptops, mobile devices, IoT units, and more.

EDR vs. managed antivirus

EDR centers on protecting endpoints. Given the number of threats that spawn daily, antivirus and other point solutions can make managing large numbers of endpoints difficult. When we talk about traditional managed antivirus (MAV), it’s typically from a passive standpoint. MAV can only detect and quarantine known threats—those that have been previously identified. Therein lies the rub—MAV requires regular signature updates. This means there is often a gap in coverage between when a virus is discovered and when your customers become protected. Plus, threats that haven’t yet been discovered can operate in the wild before you can even get an update. It’s a reactive approach with proactive intent.

In contrast, EDR is proactive. Comprised of monitoring software and endpoint agents, EDR solutions use integrated machine learning and advanced artificial intelligence (AI) to identify suspicious behaviors and address them regardless of whether or not there’s a signature. For example, if several files change at the same time, it is more likely the result of an attack on the endpoint than of user error.

Be sure to read our guide on EDR vs. MAV to explore this topic further.

The only constant is change

Think about it—the world is in a constant state of flux, and technology is no different. The cloud has changed everything—from the rise of ecommerce to enterprise-based solutions that billions of individuals rely on daily. But with progress comes inevitable roadblocks, and for the cloud, we must focus on intent—specifically those who look to profit from it in harmful ways. Data is arguably your customers’ greatest asset—so how do you help safeguard that asset?

AI to the rescue

For the moment, let’s focus on the positives that have come about with the rise of machine learning. If we look at the benefits of AI for EDR, the core benefit is advanced technology, which allows it to recognize and deal with advanced threats. This is where EDR excels—asking questions like:

  • Has this endpoint performed this activity before?
  • Does this file or behavior exhibit unusual patterns?
  • Why are secured files being looked at or hit?

Advanced polymorphic viruses (those that can generate modified versions of themselves to counter detection) and zero-day threats (which target and exploit a previously unknown vulnerability) fall into the above line of questioning. EDR not only asks these questions, but also provides the answers we need to address the threats—with options to kill, quarantine, remediate, and roll back.
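As an added illustration (not N‑able's code or any vendor's detection logic), the following combines two of the behavioral signals described above: the "several files change at the same time" heuristic and the "has this endpoint performed this activity before?" baseline question. The process names, file paths, baseline set, and the ten-files-in-five-seconds threshold are all assumptions, and the events are constructed sample data.

```python
"""Sliding-window burst detector plus baseline check over file-change events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical baseline: processes this endpoint has previously been observed
# writing user documents ("Has this endpoint performed this activity before?").
BASELINE = {"winword.exe", "excel.exe", "OneDrive.exe"}

# Constructed sample events (ISO timestamp, process, path); not real telemetry.
SAMPLE_EVENTS = [
    ("2020-01-10T09:00:00", "winword.exe", "C:/Users/alice/report.docx"),
    ("2020-01-10T09:04:30", "excel.exe", "C:/Users/alice/budget.xlsx"),
] + [
    # One never-seen process rewriting twelve documents within two seconds.
    (f"2020-01-10T09:10:0{i // 6}", "svc_tmp.exe", f"C:/Users/alice/doc{i}.docx")
    for i in range(12)
]


def detect_mass_changes(events, threshold=10, window=timedelta(seconds=5)):
    """Flag any process that modifies >= threshold distinct files inside `window`.
    Returns {process: timestamp string at which the burst was first detected}."""
    recent = defaultdict(deque)  # process -> (ts, path) pairs inside the window
    alerts = {}
    for ts_str, proc, path in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len({p for _, p in q}) >= threshold and proc not in alerts:
            alerts[proc] = ts_str
    return alerts


def unseen_processes(events, baseline=BASELINE):
    """Processes writing user files that this endpoint has never seen do so."""
    return {proc for _, proc, _ in events} - set(baseline)


def triage(events, baseline=BASELINE):
    """Per-process verdict: 'kill' when a burst comes from an unseen process,
    'review' when only one signal fires, no entry when neither does."""
    bursts = detect_mass_changes(events)
    unseen = unseen_processes(events, baseline)
    verdicts = {}
    for proc in {p for _, p, _ in events}:
        if proc in bursts and proc in unseen:
            verdicts[proc] = "kill"
        elif proc in bursts or proc in unseen:
            verdicts[proc] = "review"
    return verdicts
```

A burst from a process already in the baseline is only sent for review, since a legitimate tool such as a sync client can also touch many files at once.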

It can be possible to bypass DNS filtering controls. In some cases, this means admins can temporarily remove the block. However, it’s also possible a highly motivated employee could set up a proxy server or even change DNS settings at a local level to achieve access. That’s why it’s important to set up the service correctly and use tools designed for these contingencies.

Ransomware realities

No doubt you’ve heard of ransomware. Someone opens an attachment or email, or visits a webpage with malicious script, and they’re greeted with a notification that all their files are encrypted. The cybercriminal will only return their files after they pay a princely sum in Bitcoin—except there is no guarantee they will get their data back. Many corporations are unwilling to risk paying a ransom because of this lack of a guarantee.

It can happen to anyone, and the facts are staggering:

  • Businesses experienced an average of 16.2 days of downtime at the end of 2019 due to ransomware
  • One business will be hit every 11 seconds by a ransomware attack by 2021, according to some predictions
  • The predicted cost of damages due to ransomware in 2021 is $20 billion

The solution we need, before we know we need it

When an endpoint agent discovers a threat, EDR springs into action via the central monitoring system. The central monitoring system analyzes and correlates threats. Depending on which EDR solution you use, you can even visually trace the genesis of the threat and its path to the endpoint, as N‑able™ EDR does. While MAV and disk encryption are valid ways to secure your endpoints, EDR offers capabilities that help future-proof your users’ machines. These include near real-time file analysis and alerts, detailed forensics, offline protection, the ability to disconnect from the network to help prevent further spread, and the killer feature—infected file rollback.

Like it never happened

Rollback is where an MSP can offer the greatest value to their clients. This feature uses advanced technology to take snapshots of the endpoint at regular intervals (set at the administrator’s discretion). If ransomware hits, it only takes a few clicks to roll back the endpoint disk image to a previous point in time, saving the company significant time and money. Can you really put a price on that kind of peace of mind?

Deployment considerations

Before you deploy EDR, you should consider your own capabilities. This enhanced functionality brings a bit more complexity, so SMBs and IT pros should consider their resources before deploying.

As we’ve mentioned before, EDR is not the only way to secure an endpoint. Look at your data and the use case for each employee. While EDR is perfect for someone who manages sensitive human resource data, such as payroll and PII, it may not be necessary for someone who simply stores personal files in the cloud or has a solid backup client combined with disk encryption and MAV. One size does not fit all.

The final word

You have options—not just to deploy EDR or stick with more traditional systems, but among potential vendors. You should thoroughly consider the strengths and weaknesses of every angle.

At the end of the day, EDR requires an agent to run on each endpoint. N‑able offers options for Windows, Mac, and Linux, as well as integration with our N‑central® monitoring platform. Don’t forget, a solid layered approach to network security is recommended, so make sure to patch and back up regularly.