Hybrid work has become business as usual for many companies, which has altered the calculus for enterprise security. In this new model, IT leaders aim to provide workers with the proper tools and network access while maintaining adequate security requirements. And when it comes to securing the new network edge, more companies are turning to cybersecurity services like Endpoint Detection and Response (EDR) solutions. This article explores what EDR is and what it’s not, highlighting research from Nemertes, which shows EDR can help reduce serious security incidents by up to 50%.
Before getting into the definition of EDR, it may help to define the endpoint first. An endpoint is a device that connects to a network. Laptop computers and smartphones are endpoints, to name two of many examples. Endpoints are literally at the end of the network, representing the network’s physical reach. As the frontline edge of the network, endpoints are good at being the earliest detectors. And due to their generally large numbers, they are well situated to detect cyber threats early in an attack cycle.
This capacity helps explain why EDR solutions leverage advanced technology to turn endpoints into cybersecurity sensors that detect threats. These solutions can also potentially use endpoints to help with cyber incident response. Learn more about how EDR works in this guide to endpoint security.
Flashy cybersecurity technologies and new paradigms come along every year, making security and IT professionals quickly forget about last year’s novel innovation. Some industry experts have suggested that EDR will be “replaced” by Extended Detection and Response (XDR). Not only is this untrue, but XDR is also quite different from EDR.
XDR solutions collect data streams from multiple sources to detect and respond to threats across various environments. In this context, XDR solutions connect with EDR solutions, receiving information from all endpoints and their installed cybersecurity sensors.
EDR is also distinct from endpoint protection platforms (EPP), which may include anti-virus solutions. However, in some cases, EDR and EPP solutions come in a single package, together with technologies for endpoint forensics and related functions.
Furthermore, EDR solutions may be incorporated into a broader threat detection and response ecosystem, flowing data into Secure Access Service Edge (SASE) solutions to spot anomalies that suggest an attack is underway. According to Nemertes, about 47% of those organizations using EDR also use a SASE solution.
When added to the SASE mix, EDR can provide critical real-time feedback on unfolding threats at the network edge. It can feed data into the SASE platform, aiding other components such as Cloud Access Security Brokers (CASBs) and/or Zero Trust Network Access (ZTNA) solutions. This capability can help slow down an attack like ransomware. Bottom line: EDR is a core component in widening protections and helping your security reach further.
EDR matters now for a variety of reasons. The increasingly severe threat environment is one factor making EDR an essential cybersecurity countermeasure. Consider that ransomware has reached a new high, victimizing 71% of organizations, according to the CyberEdge Group's Cyberthreat Defense Report 2022.
The most significant issue, however, is the shift to persistent hybrid work. Employees are working from pretty much anywhere, on a range of devices. This sprawl means more endpoints in more places, connecting to the network through more means.
And the internet is making matters worse: the risk of endpoint compromise or infection rises as endpoints connect to the network through the public internet, away from the protective services provided by the on-premises network. Staying on top of those endpoints is essential to detecting threats such as ransomware as early as possible. An EDR solution can help do this, enabling the endpoint to become part of a centrally orchestrated, automated, distributed response.
Interest in EDR is strong. Nemertes found that:
EDR appears to be delivering value too.
Nemertes also revealed that:
EDR solutions generate a great deal of security data, and while data analysis will be highly automated much of the time, the human touch is still necessary. For this data to positively affect security, people must play a key role in analyzing data in real-time and building a response plan when threats are confirmed. This process means integrating EDR with the Security Operations Center (SOC), where security analysts can review alerts from the EDR solution and determine what action is needed.
EDR is essential for achieving and maintaining a robust security posture in this era of hybrid work. The technology utilizes pervasive and widely distributed endpoints as the earliest detectors of threats and as agents of rapid response to cyber incidents. EDR has a natural fit with SASE and broad Zero Trust strategies. To work optimally, EDR solutions should also integrate with the SOC.
To learn more about managed endpoint detection and response from Comcast Business, please visit: https://business.comcast.com/enterprise/products-services/cybersecurity-services