Endpoint Detection and Response (EDR) refers to a class of solutions for the detection and analysis of malicious activity on endpoints: workstations, servers, IoT devices, and so forth. Unlike antivirus software, which is designed for fighting typical and mass threats, EDR solutions are geared toward the detection of targeted attacks and complex threats. That said, EDR solutions cannot fully replace antivirus programs (endpoint protection platforms, EPPs); the two technologies deal with different challenges.
EDR solution architecture
An EDR-class system generally consists of a server component as well as agents installed on endpoints. The agents monitor running processes, user actions, and network communications and relay the information to the local server or cloud.
The server component uses machine learning to analyze the data and matches it against indicator-of-compromise (IoC) databases and other available information on complex threats. If the system detects a cyber incident, it alerts employees of the organization's information security division.
EDR product capabilities
Most modern EDR solutions can:
- Gather data from endpoints in real time;
- Record and store information on user actions, network activity, and running programs for subsequent analysis and investigation;
- Identify and classify suspicious activity and alert the security team;
- Take steps to block an attack by isolating suspicious files, stopping malicious processes, and breaking network connections;
- Integrate with endpoint security solutions, SIEM systems, and other security tools.
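To make the architecture and capabilities above concrete, here is an added example (not code from any EDR product) of a minimal server-side analysis step: it takes constructed agent telemetry (process starts and network connections), matches it against a constructed IoC database, applies one behavioural rule, and names the hosts a response step would isolate. All hashes, domains and host names are made up for the example.

```python
import hashlib

# Constructed IoC "database" standing in for the server-side feeds an EDR
# matches telemetry against. The hash is of a made-up byte string and the
# domain uses a reserved TLD; neither is a real indicator.
SAMPLE_HASH = hashlib.sha256(b"constructed sample payload").hexdigest()
IOC_DB = {
    "sha256": {SAMPLE_HASH: "Constructed.Dropper"},
    "domain": {"c2.example.invalid": "Constructed.C2"},
}

# Behavioural rule: an office application spawning a command interpreter is
# a classic pattern EDR products classify as suspicious even without an IoC hit.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed agent telemetry: the kind of records endpoint agents relay.
AGENT_EVENTS = [
    {"host": "ws-01", "type": "process_start", "image": "winword.exe",
     "parent": "explorer.exe", "sha256": "0" * 64},
    {"host": "ws-01", "type": "process_start", "image": "powershell.exe",
     "parent": "winword.exe", "sha256": "1" * 64},
    {"host": "ws-01", "type": "process_start", "image": "update.exe",
     "parent": "powershell.exe", "sha256": SAMPLE_HASH},
    {"host": "ws-01", "type": "network_connect", "image": "update.exe",
     "domain": "c2.example.invalid", "port": 443},
    {"host": "srv-02", "type": "network_connect", "image": "chrome.exe",
     "domain": "example.org", "port": 443},
]


def analyze(events, ioc_db=IOC_DB):
    """Server-side analysis: one alert per IoC match or behavioural rule hit."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_start":
            name = ioc_db["sha256"].get(ev["sha256"])
            if name:
                alerts.append({"host": ev["host"], "rule": "ioc_hash",
                               "detail": name, "severity": "high"})
            if ev["parent"] in OFFICE_PARENTS and ev["image"] in SHELLS:
                alerts.append({"host": ev["host"], "rule": "office_spawns_shell",
                               "detail": f"{ev['parent']} -> {ev['image']}",
                               "severity": "medium"})
        elif ev["type"] == "network_connect":
            name = ioc_db["domain"].get(ev["domain"])
            if name:
                alerts.append({"host": ev["host"], "rule": "ioc_domain",
                               "detail": name, "severity": "high"})
    return alerts


def hosts_to_isolate(alerts):
    """Response step: hosts with a high-severity alert are isolation candidates."""
    return sorted({a["host"] for a in alerts if a["severity"] == "high"})
```

Running `analyze(AGENT_EVENTS)` yields three alerts, all for ws-01 (the office-to-shell chain, the hash match, and the domain match), while srv-02 stays clean.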
Endpoint Detection and Response products enable infosec professionals to perform threat hunting by analyzing atypical behavior and suspicious activity.