Security

What is EDR (Endpoint Detection and Response)?

22 April, 2020

Ransomware, malware, phishing, and spear phishing—all clear and present dangers to your customers’ networks, businesses, and personally identifiable information (PII). And now, these attacks are preying on people’s fear, uncertainty, and doubt surrounding the rise of COVID-19.

How do you secure those networks in the face of an ever-changing environment? Perhaps your best defense is one you may not be overly familiar with: Endpoint Detection and Response (EDR). Anton Chauvin of Gartner originated the term, using it to describe “this family of new tools focused on visibility, and from prevention to detection for the endpoint.”

So, what is EDR? It’s a multifaceted solution that does everything modern managed antivirus (AV) can do, but takes things a step further—providing greater security and (most importantly) peace of mind. These include, but are not limited to:

Monitoring
Threat detection
Whitelisting/blacklisting
Threat response
Integration with other cybersecurity solutions

Let’s take a closer look at this new weapon made for your cybersecurity arsenal.

EDR’s place in the cybersecurity universe

EDR centers on protecting endpoints. Given the number of threats that spawn daily, antivirus and other point solutions can make managing large numbers of endpoints difficult. When we talk about traditional managed antivirus (MAV), it's typically from a passive standpoint. MAV can only detect and quarantine known threats—those that have been previously identified. Therein lies the rub—MAV requires regular signature updates. This means there is often a gap in coverage between when a virus is discovered and when your customers become protected. Plus, threats that haven’t yet been discovered can operate in the wild before you can even get an update. It’s a reactive approach with proactive intent.

In contrast, EDR is proactive. Comprised of monitoring software and endpoint agents, EDR solutions use integrated machine learning and advanced artificial intelligence (AI) to identify suspicious behaviors and address them regardless of whether or not there’s a signature. For example, if several files change at the same time, chances are it’s more likely a result of an endpoint assault rather than user error.

The only constant is change

Think about it—the world is in a constant state of flux, and technology is no different. The cloud has changed everything, from the rise of ecommerce to enterprise-based solutions that billions of individuals rely on daily. But with progress comes inevitable roadblocks, and for the cloud, we must focus on intent—specifically those who look to profit from it in harmful ways. Data is arguably your customers’ greatest asset—so how do you help safeguard that asset?

AI to the rescue

For the moment, let’s focus on the positives that have come about with the rise of machine learning. If we look at the benefits of AI for EDR, the core benefit is advanced technology, which allows it to recognize and deal with advanced threats. This is where EDR excels—asking questions like:

Has this endpoint performed this activity before?
Does this file or behavior exhibit unusual patterns?
Why are secured files being looked at or hit?

Advanced polymorphic viruses (those that can generate modified versions of themselves to counter detection) and zero-day threats (which target and exploit a previously unknown vulnerability) fall into the above line of questioning. EDR not only asks these questions, it also provides the answers we need to address the threats—with options to kill, quarantine, remediate, and rollback.

Ransomware realities

No doubt you’ve heard of ransomware. Someone opens an attachment or email, or visits a webpage with malicious script, and they’re greeted with a notification that all their files are encrypted. The cybercriminal will only return their files after they pay a princely sum in Bitcoin –except there is no guarantee they will get their data back. Many corporations are unwilling to risk paying a ransom because of this lack of a guarantee.

It can happen to anyone, and the facts are staggering:

Businesses experienced an average of 16.2 days of downtime at the end of 2019 due to ransomware
One business will be hit every 11 seconds by a ransomware attack by 2021, according to some predictions
The predicted cost of damages due to ransomware in 2021 is $20 billion

The solution we need, before we know we need it

When an endpoint agent discovers a threat, EDR springs into action via the central monitoring system. The central monitoring system analyzes and correlates threats. Depending on which EDR solution you use, you can even visually trace the genesis of the threat and its path to the endpoint as SolarWinds^® EDR does. While MAV and disk encryption are valid ways to secure your endpoints, EDR offers capabilities that help futureproof your users’ machines. These include near real-time file analysis and alerts, detailed forensics, offline protection, the ability to disconnect from the network to help prevent further spread, and the killer feature—infected file rollback.

Like it never happened

Rollback is where an MSP can offer the greatest value to their clients. This feature uses advanced technology to take “snapshots” of the endpoint at regular intervals (set at the administrator’s discretion). If ransomware hits, it only takes a few clicks to roll back the endpoint disk image to a previous point in time, saving the company significant time and money Can you really put a price on that kind of peace of mind?

Deployment considerations

Before you deploy EDR, you should consider your own capabilities. This enhanced functionality brings a bit more complexity, so SMBs and IT pros should consider their resources before deploying.

As we’ve mentioned before, EDR is not the only way to secure an endpoint. Look at your data and the use case for each employee. While EDR is perfect for someone who manages sensitive human resource data (such as payroll and PII), it may not be necessary for someone who simply stores personal files in the cloud or has a solid backup client combined with disk encryption and MAV. One size does not fit all.

The final word

You have options—not just to deploy EDR or stick with more traditional systems, but among potential vendors. You should thoroughly consider the strengths and weaknesses of every angle.

At the end of the day, EDR requires an agent to run on each endpoint. SolarWinds MSP offers options for Windows, Mac, and Linux, as well as integration with our existing SolarWindsN-central^® monitoring platform. Don’t forget, a solid layered approach to network security is recommended so make sure to patch and back up regularly.

I hope you’ve enjoyed this introduction to EDR. Join me next month for a deeper dive into the differences between MAV and EDR.

Michael Tschirret is Sr. Product Marketing Manager, EDR, at SolarWinds MSP