What is endpoint detection and response? EDR security explained

October 28, 2020  |  Mark Stone

This blog was written by a third party author.

The evolving endpoint attack surface

As recent global health events have changed the world, the cybersecurity landscape has changed along with it. Almost all organizations — large or small — have seen their attack surface grow.

For those unfamiliar with the term, an attack surface represents the sum total of all the ways in which a bad actor can exploit an endpoint or network to retrieve data. Every endpoint that connects to or communicates with the network is part of the network attack surface.

It’s important to note that people are an essential element of an attack surface. Your employees represent a gateway to your network and critical data.

The attack surface is a critical measure not only for large businesses but for small and mid-sized organizations as well. While many small businesses may believe they aren’t big enough to be hacked, the size of their attack surface — which is probably expanding — may be enough to expose them to serious risk.

The endpoint attack surface has evolved further than experts predicted. Today’s attack surface for most organizations is broader and more complex than ever before due to a combination of factors, including the shift to a work from home (WFH) model and the unprecedented numbers of smartphones and IoT devices connecting to networks.

What is endpoint detection and response?

Endpoint Detection and Response (EDR) is the process of monitoring and detecting, in real time, any suspicious activity or events occurring at the endpoint. The goal of EDR solutions is to give your company visibility into threats along a detailed timeline and to provide real-time alerts in the event of an attack.

EDR, at its core, should provide visibility — one of the most critical security capabilities.

As the attack surface widens, organizations are increasingly relying on endpoint detection and response (EDR) solutions for that next level of visibility and to alert on attacks that may not trigger firewall or IDS/IPS rules.

A good analogy for EDR is the black box used on airplanes to record flight data. In this analogy, the airplane represents your endpoints and the black box represents the endpoint data recorded from them, such as running processes, installed programs, and network logins (in other words, your threat surface). Just as black box data can prevent similar crashes in the future, EDR data can help prevent similar future cyberattacks.


The benefits of EDR security

With the right EDR solution, IT and security teams gain the visibility they require to reveal the types of threats that would otherwise have gone unseen.

When EDR is properly deployed in your organization, you can look forward to the following benefits:

  • Unified security management — Having all of your business-critical devices — including mobile devices, fixed endpoints, and server environments — visible through a “single pane of glass” makes managing and securing everything easier.
  • Safeguard against key threat vectors — Especially in the current WFH climate, mobile endpoints must be protected against key threat vectors both inside and outside the corporate network’s perimeter.
  • Identify and close security gaps — Gaps in endpoint security are easily overlooked, especially as data, apps, and connections grow in number and complexity. With improved visibility of the endpoints on your perimeter, these gaps come to the forefront where they can be closed.
  • Simplify endpoint management — A robust EDR solution brings many security tools and layers together so that data from each can be shared, protecting your organization from multiple angles. This simplified management lets you focus on your business instead of spending precious resources managing devices.
  • Advanced response capabilities and automation — An effective EDR solution provides specialized tools that help you assess and react to security incidents — whether that means detection, prevention, forensics, or threat intelligence. Automation is an essential component of this advanced response capability.
  • Prevention — Even the best security technology is incomplete if it offers no way to prevent future attacks. Typically, prevention is triggered by behavioral analysis of your organization’s incoming and outgoing traffic, which lets EDR mitigate attacks that reactive, signature-driven solutions like antivirus or anti-malware cannot detect.
  • Protect your reputation — With highly secure endpoints, you gain confidence that your organization can stay out of the headlines and maintain its reputation.

Types of endpoint security solutions: comparing EPP and EDR

Staying on top of security threats is costly and time-consuming. When sourcing an EDR security solution, understanding the different types of endpoint security solutions is an essential first step. Like the market for other security tools, not all endpoint solutions are the same and many don’t qualify as endpoint detection and response.

Adding to the confusion: more acronyms to remember.

For example, endpoint detection and response (EDR) is not the same as an endpoint protection platform (EPP). Endpoint protection, as the name suggests, protects endpoints: EPPs detect and block threats on the endpoint itself and often rely on signature-based models.

EPPs can also include several security solutions, such as AV/anti-malware, network and application firewalls, intrusion prevention systems (IPS), and encryption protocols.

Here’s where EPP and EDR differ: EPP’s role is more of a first line of defense against threats whereas EDR is an additional safeguard for detecting and responding to any attacks missed at the endpoint.
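To make the black-box analogy and the EPP-versus-EDR distinction above concrete, here is an added example that is not from the original post: constructed telemetry for two hosts, a hash lookup standing in for the EPP/antivirus layer, and a behavioral rule over each host’s recorded timeline standing in for EDR. The host names, hash values, and the specific rule are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int               # seconds since midnight (constructed)
    host: str
    kind: str             # "login" or "process"
    name: str             # account name for logins, image name for processes
    parent: str = ""      # parent image for processes
    sha256: str = ""      # file hash for processes
    remote: bool = False  # logon arrived over the network

# Constructed sample telemetry: the "black box" recording for two endpoints.
TELEMETRY = [
    Event(100, "ws01", "login", "alice"),
    Event(105, "ws01", "process", "WINWORD.EXE", parent="explorer.exe", sha256="a" * 64),
    Event(200, "ws02", "login", "svc_backup", remote=True),
    Event(215, "ws02", "process", "EXCEL.EXE", parent="explorer.exe", sha256="b" * 64),
    Event(230, "ws02", "process", "powershell.exe", parent="EXCEL.EXE", sha256="c" * 64),
    Event(400, "ws01", "process", "evil.exe", parent="explorer.exe", sha256="d" * 64),
]

KNOWN_BAD = {"d" * 64}  # placeholder hash database standing in for EPP/AV signatures
OFFICE = {"WINWORD.EXE", "EXCEL.EXE"}
SHELLS = {"powershell.exe", "cmd.exe"}

def epp_signature_scan(events):
    """EPP first line of defense: flag any process whose file hash is already known bad."""
    return [e for e in events if e.kind == "process" and e.sha256 in KNOWN_BAD]

def host_timeline(events, host):
    """The black box: every recorded event for one endpoint, in time order, for forensics."""
    return sorted((e for e in events if e.host == host), key=lambda e: e.ts)

def edr_behavioral_detect(events, window=60):
    """EDR: correlate across the timeline rather than inspect one file.
    Flag a remote login followed within `window` seconds by an Office app
    spawning a shell, a chain that no single hash signature would match."""
    alerts = []
    for host in {e.host for e in events}:
        tl = host_timeline(events, host)
        logins = [e for e in tl if e.kind == "login" and e.remote]
        for e in tl:
            if e.kind == "process" and e.name in SHELLS and e.parent in OFFICE:
                if any(0 <= e.ts - l.ts <= window for l in logins):
                    alerts.append((host, e.ts, f"{e.parent} -> {e.name} after remote login"))
    return sorted(alerts)
```

Running both detectors over the same telemetry shows the split the text describes: the signature scan catches only the known binary on ws01, while the behavioral rule catches the unknown-hash shell chain on ws02 that the signature layer missed.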

EPP and EDR security solutions can be used in a few different ways; they can be used separately as standalone solutions, used together in a bundle, or combined into one comprehensive solution. With the evolving threat landscape, all-in-one solutions are more common, cost-effective, and efficient.

While standalone EDR solutions do offer the endpoint visibility you need, they do not provide complete visibility of your entire environment (on-premises networks, public cloud accounts, and business-critical cloud apps).

When looking for an all-in-one, single pane of glass solution, look for those that offer a combination of the essential security capabilities you need to effectively detect and respond to threats, such as:

  • Asset discovery
  • Vulnerability assessment
  • Network intrusion detection (NIDS)
  • Endpoint detection and response (EDR)
  • SIEM event correlation and log management

Ultimately, EDR is only one major component of a bigger-picture solution.

The very best solutions offer centralized security visibility of the activities on your endpoints, cloud platforms, cloud apps, and on-premises networks. Solutions like USM Anywhere from AT&T, for example, allow you to detect threats earlier, investigate and respond faster, and accelerate your compliance efforts.
