Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), is a cybersecurity technology that continually monitors an "endpoint" (e.g. a client device such as a mobile phone, laptop, Internet of things device) to mitigate malicious cyber threats. [1] [2] [3]
In 2013, Anton Chuvakin of Gartner coined the term "endpoint threat detection and response" for "tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints". [4] Now, it is commonly known as "endpoint detection and response".
According to the Endpoint Detection and Response - Global Market Outlook (2017-2026) report, the adoption of cloud-based and on-premises EDR solutions are going to grow 26% annually, and will be valued at $7273.26 million by 2026. [5] According to the Artificial Intelligence (AI) in Cyber Security Market report by Zion Market Research, the role of machine learning and artificial intelligence will create a $30.9 billion cyber security market by 2025. [6] [7]
Endpoint detection and response technology is used to identify suspicious behavior and advanced persistent threats on endpoints in an environment, and alert administrators accordingly. It does this by collecting and aggregating data from endpoints and other sources. That data may or may not be enriched by additional cloud analysis. EDR solutions are primarily an alerting tool rather than a protection layer but functions may be combined depending on the vendor. The data may be stored in a centralized database or forwarded to a SIEM tool for cyber monitoring. [8] [9]
Every EDR platform has its unique set of capabilities. However, some common capabilities include the monitoring of endpoints in both the online and offline mode, responding to threats in real-time, increasing visibility and transparency of user data, detecting stored endpoint events and malware injections, creating blocklists and allowlists, and integration with other technologies. [1] [8] Some vendors of EDR technologies leverage the free MITRE ATT&CK classification and framework for threats. [10]
The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and auditing. The information security courses are developed through a consensus process involving administrators, security managers, and information security professionals. The courses cover security fundamentals and technical aspects of information security. The institute has been recognized for its training programs and certification programs. Per 2021, SANS is the world’s largest cybersecurity research and training organization. SANS is an acronym for SysAdmin, Audit, Network, and Security.
Fortinet, Inc. is a cybersecurity company with headquarters in Sunnyvale, California. The company develops and sells security solutions like firewalls, endpoint security and intrusion detection systems. Fortinet has offices located all over the world.
Webroot Inc. is an American privately-held cybersecurity software company that provides Internet security for consumers and businesses. The company was founded in Boulder, Colorado, US, and is now headquartered in Broomfield, Colorado, and has US operations in San Mateo and San Diego, and globally in Australia, Austria, Ireland, Japan and the United Kingdom.
Data loss prevention (DLP) software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use, in motion, and at rest.
Symantec Endpoint Protection, developed by Broadcom Inc., is a security software suite that consists of anti-malware, intrusion prevention and firewall features for server and desktop computers.
Secureworks Inc. is an American cybersecurity company. The company has approximately 4,000 customers in more than 50 countries, ranging from Fortune 100 companies to mid-sized businesses in a variety of industries.
Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to the operation of security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.
An information security operations center is a facility where enterprise information systems are monitored, assessed, and defended.
User behavior analytics (UBA) or user and entity behavior analytics (UEBA), is the concept of analyzing the behavior of users, subjects, visitors, etc. for a specific purpose. It allows cybersecurity tools to build a profile of each individual's normal activity, by looking at patterns of human behavior, and then highlighting deviations from that profile that may indicate a potential compromise.
Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of endpoint devices such as laptops, tablets, mobile phones, and other wireless devices to corporate networks creates attack paths for security threats. Endpoint security attempts to ensure that such devices follow compliance to standards.
The Co-Managed IT security service model entails security monitoring, event correlation, incident response, system tuning, and compliance support across an organization's entire IT environment. Co-Management allows organizations to collaborate with their managed security service providers by blending security expertise of the provider with the contextual knowledge of the customer to optimise security posture.
Gigamon is a privately held computer security company with products that delivers network-derived intelligence and insights to cloud, security, observability, and network management tools. It is one of the main parts in the deep observability market. Formerly traded publicly, it is now owned by Elliott Management and headquartered in Santa Clara, California.
The industrial internet of things (IIoT) refers to interconnected sensors, instruments, and other devices networked together with computers' industrial applications, including manufacturing and energy management. This connectivity allows for data collection, exchange, and analysis, potentially facilitating improvements in productivity and efficiency as well as other economic benefits. The IIoT is an evolution of a distributed control system (DCS) that allows for a higher degree of automation by using cloud computing to refine and optimize the process controls.
Browser isolation is a cybersecurity model which aims to physically isolate an internet user's browsing activity away from their local networks and infrastructure. Browser isolation technologies approach this model in different ways, but they all seek to achieve the same goal, effective isolation of the web browser and a user's browsing activity as a method of securing web browsers from browser-based security exploits, as well as web-borne threats such as ransomware and other malware. When a browser isolation technology is delivered to its customers as a cloud hosted service, this is known as remote browser isolation (RBI), a model which enables organizations to deploy a browser isolation solution to their users without managing the associated server infrastructure. There are also client side approaches to browser isolation, based on client-side hypervisors, which do not depend on servers in order to isolate their users browsing activity and the associated risks, instead the activity is virtually isolated on the local host machine. Client-side solutions break the security through physical isolation model, but they do allow the user to avoid the server overhead costs associated with remote browser isolation solutions.
Anomali Inc. is an American cybersecurity company that develops and provides threat intelligence products. In 2023, the company moved into providing security analytics powered by artificial intelligence (AI).
Extended detection and response (XDR) is a cybersecurity technology that monitors and mitigates cyber security threats.
Security orchestration, automation and response (SOAR) is a group of cybersecurity technologies that allow organizations to respond to some incidents automatically. It collects inputs monitored by the security operations team such as alerts from the SIEM system, TIP, and other security technologies and helps define, prioritize, and drive standardized incident response activities.
Identity threat detection and response (ITDR) is a cybersecurity discipline that includes tools and best practices to protect identity management infrastructure from attacks. ITDR can block and detect threats, verify administrator credentials, respond to various attacks, and restore normal operations. Common identity threats include phishing, stolen credentials, insider threats, and ransomware.
Network detection and response (NDR) refers to a category of network security products that detect abnormal system behaviors by continuously analyzing network traffic. NDR solutions apply behavioral analytics to inspect raw network packets and metadata for both internal (east-west) and external (north-south) network communications.
Managed detection and response is a type of cybersecurity service providing customers with a cyberdefense technology and the associated remotely delivered human expertise. Those services help organizations monitor, detect, analyze and respond to advanced cyber threats. MDR is a form of managed security service (MSS).