Endpoint Detection and Response (EDR): Defined

What do zero-day detection, alert prioritization, and patching support have in common? They are among the key “must-haves” of Endpoint Detection and Response (EDR) solutions.

EDR in a Nutshell

EDR is a real-time threat detection and monitoring solution focused on IT, IoT, and OT endpoints. Comprehensive EDR solutions combine traditional Endpoint Protection Platforms (EPP) capabilities with additional investigative mechanisms. EDR identifies indicators of compromise (IoCs) on hosts with additional automation to enable a higher degree of rapid response and remediation to threats.

As enterprise networks grow more complex and distributed with both on-premises and cloud-based environments, EDR adoption is on the rise with a 26% annual growth rate and sales projected to reach $7.23 billion by 2026, according to MRC’s Endpoint Detection and Response – Global Market Outlook (2017-2026).

EDR Essential Capabilities

With both demand and adoption on the rise, selecting the right EDR solution for your environment is important. Regardless of vendor, EDR solutions should be assessed using five basic criteria.

  1. Zero-Day Detection: Legacy endpoint protection platforms (EPP), while outdated, are still the chosen endpoint security solution for many IT security teams. Reasons for this choice are often due to budget limitations, apathy, or a combination of both. The main issue is that EPP solutions do not protect companies from unknown zero-day threats — a must in today’s threat landscape.
  2. Integration with Asset Management and Inventory Platforms: You cannot secure what you cannot see. Mapping malware to devices that could be exploited is the best way of hardening a hybrid network environment composed of both on-premises and remote endpoints. As mentioned, EDR is a critical component of an advanced security stack, but it is merely one component. Thus, EDR solutions must not be evaluated as stand-alone solutions, but as part of an orchestrated system that includes asset management, vulnerability management, and policy compliance as well.
  3. Vulnerability and Patching Support: Prevention is an overlooked capability not associated with traditional EDR solutions. However, unpatched vulnerabilities leave the door open for malware to successfully infect an endpoint and carry out its malicious objectives. Do not compromise when evaluating endpoint security solutions and make sure they support your patching and prevention needs.
  4. Alert Prioritization: As tools expand and alert volumes grow, more alerts do not always equate to superior detection and response. Prioritizing your response according to an incident’s urgency and potential business impact is paramount for security teams looking to reduce false positives and optimize remediation efforts.
  5. Return on Investment: EDR is part of a comprehensive security stack. Make sure that the vendor you select is invested in ongoing research and development of their EDR solution. It should leverage adjacent tools within your security portfolio. Most EDR solutions claim to have a light footprint, have an open API, or support seamless integration with other tools. However, this is not always the case. Furthermore, these integrations and upgrades always result in upcharges and more agents. Put EDR vendors to the test! Make sure that your chosen solution is one that scales with your organization at a competitive cost.

Did you know that Qualys offers an EDR solution?

To learn more about Qualys Multi-Vector EDR and how we are helping customers reduce the risk of compromise by integrating vulnerability management with endpoint threat detection and remediation, go to www.qualys.com/apps/endpoint-detection-response/