Endpoint Detection and Response (EDR) technologies have become an increasingly important part of today’s cybersecurity landscape. As organizations assess the threats facing their business, executives are increasingly focused on one of the weakest links in the chain: their employees and the devices they use, in a workforce that grows more mobile every year. That has pushed companies to secure the interface through which employees interact with the organization’s IT infrastructure, applications, and data, which is usually the laptop or desktop they use for their daily work. This focus on protecting end-user devices from cyber threats has led companies to adopt EDR technologies to reduce the risk their business is exposed to. This blog will look at what EDR technologies are, how they help organizations secure their data, and where the market is heading over the next few years.
What are EDR Technologies?
According to Gartner’s market guide, “the EDR market is defined as solutions that record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems.” Gartner goes on to say that there are four critical capabilities that any EDR solution must deliver: 1) the ability to detect security incidents; 2) the ability to contain the incident at the endpoint; 3) the ability to investigate security incidents and conduct forensic analysis; and 4) the ability to provide remediation guidance. Armor sees the following characteristics as common to EDR solutions: they are agent-based; they offer threat hunting, security event detection, behavioral and anomaly detection, post-event forensics, and containment features; and they capture full activity at the host and/or endpoint level.
Now that we understand what EDR solutions technically do, where do they fit in an organization’s overall security strategy? EDR solutions:
- Address the gap in coverage, and the resulting risk, that organizations face from advanced threats targeting endpoints.
- Act as a flight recorder for the endpoint, continuously capturing activity such as process creation and termination, command lines, file and registry modifications, and network connections, so that behaviors and anomalies suggesting a threat can be identified.
- Typically provide automated response capabilities, such as isolating the endpoint from the network.
- Provide for deep forensic analysis of the endpoint.
- Allow more proactive, well-resourced teams to perform threat hunting.
Issues with EDR Solutions
The forensic power of these tools is useful to have in any organization’s cybersecurity toolbelt. However, there are a few issues that come with using EDR solutions:
- EDR is driven by security concerns, not by compliance requirements. An organization whose program is guided by compliance obligations therefore usually needs complementary tools and processes in its stack to meet those needs.
- EDR solutions remain complex to manage, and the alerts they generate still have to be monitored and acted on. Implementation is also often complex, technically challenging, and demands a specific skill set, so companies put off these projects or struggle with them. This has driven the rise of managed EDR providers in the market.
- Endpoint data is not always correlated with event data from the other security devices operating in the environment. Endpoint protection is therefore only one of many security technologies an organization needs to defend its business successfully.
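The two points above that matter most to a detection engineer are the recorder role of the agent (behavioral rules run over stored process telemetry) and the correlation gap (endpoint events sitting apart from proxy, firewall, or other device logs). The following is an added example written for this page, not code from Armor or from any EDR product, and it assumes a simplified, vendor-neutral event schema (the `host`, `time`, `pid`, `ppid`, `image`, `parent_image`, `cmdline`, and `url` fields are hypothetical) and constructed sample events. It applies one behavioral rule to recorded process-creation events, then enriches each hit with proxy log entries from the same host inside a short time window so the alert carries context from a second data source.

```python
"""
Behavioral detection over recorded endpoint telemetry, plus correlation with
web-proxy logs from a separate security device. All events and field names
below are constructed for illustration; they follow no vendor's real schema.
"""
from datetime import datetime, timedelta

# Constructed process-creation telemetry as an EDR agent might record it.
PROCESS_EVENTS = [
    {"host": "WS-014", "time": "2019-06-03T14:02:10Z", "pid": 4120, "ppid": 3988,
     "image": "winword.exe", "parent_image": "explorer.exe",
     "cmdline": 'WINWORD.EXE "C:\\Users\\jdoe\\Downloads\\invoice.docm"'},
    {"host": "WS-014", "time": "2019-06-03T14:02:31Z", "pid": 4311, "ppid": 4120,
     "image": "powershell.exe", "parent_image": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "WS-022", "time": "2019-06-03T14:05:00Z", "pid": 2210, "ppid": 1200,
     "image": "powershell.exe", "parent_image": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

# Constructed web-proxy log from a device that is not the EDR agent.
PROXY_EVENTS = [
    {"host": "WS-014", "time": "2019-06-03T14:02:33Z",
     "url": "http://198.51.100.23/a.ps1", "bytes": 5120},
    {"host": "WS-022", "time": "2019-06-03T14:05:02Z",
     "url": "https://updates.example.com/catalog", "bytes": 20480},
    {"host": "WS-014", "time": "2019-06-03T14:40:00Z",
     "url": "https://intranet.example.com/", "bytes": 900},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_office_spawning_script_host(event):
    """Behavioral rule: an Office application launching a script host is rare
    in normal use and typical of macro-based initial access. Returns a reason
    string for a hit, or None."""
    if (event["parent_image"].lower() in OFFICE_APPS
            and event["image"].lower() in SCRIPT_HOSTS):
        reason = f'{event["parent_image"]} spawned {event["image"]}'
        # A hidden window or base64-encoded command line raises confidence.
        cmd = event["cmdline"].lower()
        if "-enc" in cmd or "-w hidden" in cmd:
            reason += " with hidden/encoded command line"
        return reason
    return None


def correlate(event, other_events, window_seconds=60):
    """Return events from another source on the same host within +/- window."""
    t0 = parse_time(event["time"])
    lo = t0 - timedelta(seconds=window_seconds)
    hi = t0 + timedelta(seconds=window_seconds)
    return [e for e in other_events
            if e["host"] == event["host"] and lo <= parse_time(e["time"]) <= hi]


def build_alerts(process_events, proxy_events):
    """Run the rule over recorded telemetry and attach cross-source context."""
    alerts = []
    for ev in process_events:
        reason = detect_office_spawning_script_host(ev)
        if reason is None:
            continue
        alerts.append({
            "host": ev["host"],
            "time": ev["time"],
            "reason": reason,
            "related_proxy": correlate(ev, proxy_events),
            # Containment decision: cut the host off the network while the
            # recorded telemetry stays available for forensic review.
            "recommended_action": "isolate_host",
        })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(PROCESS_EVENTS, PROXY_EVENTS):
        print(alert)
```

Run as-is, the rule fires once: WS-014's Word process launched an encoded, hidden PowerShell, and the proxy log shows a `.ps1` download from a raw IP two seconds later, which is exactly the context a SOC analyst needs before approving isolation. The WS-022 PowerShell launched from Explorer with a plain script path does not match, which is the point of keying the rule on the parent/child relationship rather than on `powershell.exe` alone.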
All in all, the EDR market has proved strategically beneficial for many organizations and is moving toward maturity and saturation. Statista indicates that the EDR tools market will grow to be a $1.5 billion market by 2020 and the broader Endpoint Protection Platform (EPP) market will reach $3.6 billion. Gartner indicates what this means for enterprise adoption of EDR capabilities: “By 2025, 70% of organizations with more than 5,000 seats will have endpoint detection and response (EDR) capabilities, up from 20% today.” The size and growth of this market are impressive. The question is how the market is evolving and where the growth potential lies. Armor sees several ways in which the market will evolve:
- EDR and managed EDR providers will move toward the cloud. This includes protecting virtualized desktop endpoints, such as Amazon WorkSpaces, and consolidating traditional server endpoint protection with desktop endpoint protection.
- Automation, especially to simplify and accelerate the investigation of alerted activities on endpoints, will be a priority. These tools will have deeper integration with the rest of a company’s security orchestration, automation, and response (SOAR) capabilities.
- Expect further consolidation of key EPP and EDR capabilities into a single agent approach.
- As Armor explored in our blog on managed detection and response trends, MDR providers will continue to make EDR a central focus of their work, largely because of the complexity of EDR implementations. Management of EDR will remain a major theme for companies. MSSPs will also continue to include EDR technologies among the tools they implement, monitor, and manage on behalf of organizations, delivering them as Security-as-a-Service to help companies reduce alert fatigue and focus on the alerts that truly matter.
- EDR will remain a major investment for companies. Gartner lists EDR among its top 10 security projects for 2019.
This market evolution will keep EDR solutions a dominant force within the cybersecurity landscape. Armor views these tools as one part of a bigger picture for organizations. Armor Anywhere technology provides endpoint detection and response capabilities on cloud server endpoints. This allows Armor to focus on providing cloud workload protection through a Security-as-a-Service model and to continue evolving with the market as it shifts substantially to the cloud. We holistically incorporate data from more traditional endpoint detection and response tools by ingesting their logs and correlating them, for broader context, with the rest of the security telemetry we collect through our log and data management solution. We think this synergy provides a defense-in-depth approach to securing organizations’ critical applications and data. We hope this blog has given you a good overview of EDR tools, their weaknesses and gaps, and where the market and these tools are heading.