In computing, an endpoint is any device that has the ability to communicate with a larger network. Laptops, smartphones, and tablets are all examples of endpoint devices. Endpoint Detection and Response – often shortened to EDR – is an essential part of any modern cyber security strategy. The term ‘Endpoint Detection and Response’ was coined by Gartner analyst Anton Chuvakin in 2013. He correctly identified an emerging kind of security package that used automation to detect and respond to threats appearing on hosts and endpoint devices, whereas traditional computer forensics had been concerned with detecting threats within a system as a whole.
These days, Endpoint Detection and Response is a must-have. Here is a very brief guide to the features you should look out for when searching for an EDR solution.
Continuous Endpoint Data Collection
As with almost every other computing security solution, an EDR package is only as effective as the data it continuously collects. Threat hunting means monitoring the data that endpoint devices produce constantly in the course of normal operation; the changes that reveal a compromise are usually too small for the people using those devices to notice. Business owners need to be careful to integrate security systems that can catch malware covertly exfiltrating data or worms spreading between devices.
What sets EDR solutions apart is the automation of the analytics used to make sense of all the information collected about the operation of endpoint devices. Using machine learning algorithms, a good Endpoint Detection and Response package can, in theory, improve the level of protection it provides over time. Automation allows for a far more consistent level of protection than was previously possible. A good EDR package will also automatically acquire new data from sources outside the network it is installed in, so that any new discoveries about emerging threats are integrated into the protection it offers.
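To make the two preceding paragraphs concrete, here is an added example (not code from the original article or from any EDR vendor) of the detection side: it learns a behavioural baseline from a window of constructed endpoint telemetry, then evaluates later events against that baseline and against a constructed stand-in for an external indicator feed. The telemetry format, host names, paths and the destination addresses are all assumptions made for the example; a real product does this continuously as a stream rather than in one batch.

```python
"""Baseline-driven detection over endpoint telemetry (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed telemetry: "<ts> <host> <event_kind> key=value ...".
# Events with ts < LEARN_UNTIL form the learning window and are treated as
# known-good behaviour; everything after it is evaluated against that baseline.
LEARN_UNTIL = 1000
TELEMETRY = r"""
100 ws01 process image=C:\Windows\System32\svchost.exe parent=services.exe
110 ws01 netconn image=C:\Progs\Outlook\outlook.exe dst=mail.example.com
120 ws01 process image=C:\Progs\Outlook\outlook.exe parent=explorer.exe
130 ws02 process image=C:\Windows\System32\svchost.exe parent=services.exe
140 ws02 netconn image=C:\Windows\System32\svchost.exe dst=update.example.com
1005 ws01 process image=C:\Users\alice\AppData\Local\Temp\updater.exe parent=outlook.exe
1006 ws01 netconn image=C:\Users\alice\AppData\Local\Temp\updater.exe dst=198.51.100.23
1007 ws02 netconn image=C:\Windows\System32\svchost.exe dst=update.example.com
1009 ws01 netconn image=C:\Windows\System32\svchost.exe dst=203.0.113.9
"""

# Constructed stand-in for an external indicator feed (the "new data from
# sources outside the network" the text mentions): destinations known to be bad.
EXTERNAL_IOC_FEED = {"198.51.100.23"}


@dataclass
class Event:
    ts: int
    host: str
    kind: str
    fields: dict


def parse_telemetry(text):
    """Turn the line-oriented telemetry into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, *kvs = line.split()
        events.append(Event(int(ts), host, kind, dict(kv.split("=", 1) for kv in kvs)))
    return events


def build_baseline(events, learn_until=LEARN_UNTIL):
    """Learn which images run on each host and which destinations each image
    contacts, using only the learning window."""
    images_by_host = defaultdict(set)
    dests_by_image = defaultdict(set)
    for e in events:
        if e.ts >= learn_until:
            continue
        if e.kind == "process":
            images_by_host[e.host].add(e.fields["image"])
        elif e.kind == "netconn":
            dests_by_image[e.fields["image"]].add(e.fields["dst"])
    return images_by_host, dests_by_image


def detect(events, baseline, iocs, learn_until=LEARN_UNTIL):
    """Evaluate post-window events: indicator hits first, then behaviour the
    baseline never saw. The baseline is extended as it goes, so a repeated
    new image or destination is reported once rather than on every event."""
    images_by_host, dests_by_image = baseline
    findings = []
    for e in events:
        if e.ts < learn_until:
            continue
        image = e.fields.get("image")
        if e.kind == "process" and image not in images_by_host[e.host]:
            findings.append((e.host, "new_image_on_host", image))
            images_by_host[e.host].add(image)
        elif e.kind == "netconn":
            dst = e.fields["dst"]
            if dst in iocs:
                findings.append((e.host, "ioc_match", dst))
            elif dst not in dests_by_image[image]:
                findings.append((e.host, "new_destination", f"{image} -> {dst}"))
                dests_by_image[image].add(dst)
    return findings


def run_example():
    """Run the detector over the constructed telemetry and return its findings."""
    events = parse_telemetry(TELEMETRY)
    return detect(events, build_baseline(events), EXTERNAL_IOC_FEED)


if __name__ == "__main__":
    for host, kind, detail in run_example():
        print(f"{host:5} {kind:18} {detail}")
```

Run as a script, it reports three findings on ws01: an image never seen on that host, a connection to a destination from the indicator feed, and a known image reaching a destination it had never contacted during the learning window. Note the design choice that an indicator hit takes precedence over a plain "new destination" finding, which is what later lets triage rank it higher.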
Containment, Removal, and Communication
Once a threat has been detected on an endpoint device or host server, an EDR package has three important tasks: containment, removal, and communication. Containment involves isolating the threat so that it cannot spread throughout a network. Removal is precisely what it sounds like. Communication usually takes the form of an automated alert to the client and a report to the program creator, which allows similar threats to be dealt with more quickly in the future.
If you have ever been to an ER with an injury, the first person you usually see is a triage nurse. This nurse’s job is to determine the correct course of action for the rest of your treatment before sending you to a doctor or specialist nurse. In computing, incident triage has much the same function: faced with a threat, a good EDR package will ‘triage’ the likely causes and the most useful responses, determining an order of priorities before proceeding to contain, remove, and communicate.
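The following is an added example (not code from the article or from any EDR product) of the triage step feeding the contain, remove, and communicate sequence described above. It takes a small constructed list of findings, scores each one from an assumed severity table and an assumed asset-criticality table, ranks hosts so the most urgent is handled first, and emits an ordered response plan as plain records rather than performing any action. The host names, weights and threshold are assumptions for illustration.

```python
"""Alert triage and ordered response planning (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed weights: how serious each finding kind is on its own, and how
# critical each asset is. A real deployment would take these from policy.
SEVERITY = {"ioc_match": 90, "new_image_on_host": 50, "new_destination": 30}
ASSET_CRITICALITY = {"dc01": 3.0, "ws01": 1.0, "ws02": 1.0}
ISOLATE_THRESHOLD = 80  # hosts scoring at or above this are contained first


@dataclass
class Finding:
    host: str
    kind: str
    detail: str


# Constructed findings, of the kind an EDR detector would raise.
FINDINGS = [
    Finding("ws02", "new_destination", "svchost.exe -> 203.0.113.9"),
    Finding("ws01", "new_image_on_host", r"C:\Users\alice\AppData\Local\Temp\updater.exe"),
    Finding("dc01", "new_destination", "svchost.exe -> 203.0.113.40"),
    Finding("ws01", "ioc_match", "198.51.100.23"),
]


def score(finding):
    """Severity of the finding kind scaled by how critical the affected asset is."""
    return SEVERITY.get(finding.kind, 10) * ASSET_CRITICALITY.get(finding.host, 1.0)


def triage(findings):
    """Group findings per host and rank hosts by their worst finding, then by
    how many findings they have. Returns [(host, [Finding, ...]), ...]."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    return sorted(
        by_host.items(),
        key=lambda item: (max(score(f) for f in item[1]), len(item[1])),
        reverse=True,
    )


def plan_response(findings):
    """Turn ranked findings into contain / remove / communicate actions.
    Containment comes before removal on each host so the threat cannot spread
    while it is being cleaned up; the vendor report is sent once at the end."""
    plan = []
    for host, host_findings in triage(findings):
        worst = max(score(f) for f in host_findings)
        if worst >= ISOLATE_THRESHOLD:
            plan.append(("contain", host, "isolate host from the network"))
        for f in host_findings:
            if f.kind == "new_image_on_host":
                plan.append(("remove", host, f"quarantine {f.detail}"))
            elif f.kind == "ioc_match":
                plan.append(("remove", host, f"terminate processes talking to {f.detail}"))
        plan.append(("communicate", host,
                     f"alert client: {len(host_findings)} finding(s), worst score {worst:.0f}"))
    plan.append(("communicate", "*", "send incident report to the EDR vendor"))
    return plan


if __name__ == "__main__":
    for action, host, detail in plan_response(FINDINGS):
        print(f"{action:12} {host:5} {detail}")
```

The ranking puts ws01 first (an indicator match plus an unknown image), then the domain controller, whose single low-severity finding is lifted above the isolation threshold by its asset weight, and finally ws02, which only gets an alert. This mirrors the triage nurse: decide the order and the course of action before anyone touches the machine.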