As increasingly more employees are either accessing their company’s network remotely or bringing their own devices into the workplace, the demand for solutions that monitor endpoints has accelerated. After all, each and every device that connects to our network is a potential threat to our systems and data.
What is Endpoint Detection and Response Software?
Endpoint Detection and Response (EDR) is a type of software that is designed to monitor the endpoints on a network for suspicious activity.
An ‘endpoint’ is any device that connects to our networks, such as a laptop, desktop, or mobile device.
EDR solutions primarily focus on providing visibility into activities relating to malware and other attack vectors. Most EDR solutions are able to aggregate and correlate event data from a wide range of sources. For example, they can simultaneously monitor endpoints from on-premise and cloud-based environments and display the results via a single console. They can also collect and analyze threat intelligence feeds to help them identify various types of malware.
As it stands, most EDR solutions are only available for Windows environments. However, some newer solutions can also be installed on other operating systems such as Linux, Unix, iOS, and Android.
How Does EDR Compare with Other Log Monitoring Technologies?
The world of data security is awash with acronyms and buzzwords that are used to describe technologies that are similar to each other, which naturally creates confusion for decision-makers. Below are some comparisons that might help to clear up the differences between EDR and other similar technologies.
EDR VS Anti-virus
Given that an EDR solution’s main purpose is to identify security threats on endpoints, some might assume that EDR software is the same as anti-virus software. However, this is not really the case. You could think of an AV solution as being a part of an EDR solution, but as stand-alone products, they differ in a number of important ways.
Firstly, EDR solutions have a much greater scope than most traditional AV solutions.
The main purpose of anti-virus software is to scan, detect and remove viruses and other types of malware from an endpoint. An EDR solution, on the other hand, will also provide firewall solutions, intrusion prevention systems, whitelisting tools, monitoring tools, a dashboard, and more.
An EDR solution can help protect against Advanced Persistent Threats (APT), something that traditional AV solutions can’t do as they don’t have real-time auditing capabilities.
Most anti-virus solutions work by matching the signatures of known viruses, which is fine for detecting existing threats, but is not much help when the threats are unique and targeted.
An EDR solution will use a broad range of techniques and data sources to identify malware, including attack vectors that haven’t been previously identified.
An EDR solution can aggregate and correlate event data from DNS servers, sockets, memory dumps, system calls, IP addresses, and more, in an attempt to identify and respond to suspicious activities.
EDR VS SIEM
EDR and SIEM solutions have many overlapping capabilities, which might trick people into thinking they are the same. The main difference between the two is that a Security Information and Event Management (SIEM) solution is not limited to monitoring endpoints.
For example, SIEM solutions can aggregate event data from firewalls, servers, routers, switches, proxies, and Intrusion Prevention Systems (IPS).
They can also collect log data from applications, databases, and repositories. In fact, anything that is able to generate event logs can be monitored by a SIEM solution. The same is not true for EDR solutions.
EDR VS DCAP
Data-Centric Audit & Protection (DCAP) is another acronym used to describe platforms that can collect and correlate event data from multiple sources, including both on-premise and cloud-based environments.
However, unlike EDR and SIEM solutions, DCAP solutions focus on changes made to privileged accounts and confidential data, such as protected health information (PHI), payment card information (PCI), and other forms of personally identifiable information (PII). There are other terms that are linked to DCAP, such as User Behavior Analytics (UBA), Privileged Access Management (PAM), Identity Access Management (IAM), and more.
Unlike most SIEM solutions, both EDR and DCAP solutions are able to generate real-time alerts, which can be sent to your inbox or mobile app. This enables administrators to quickly respond to potential threats.
Some of the more sophisticated DCAP solutions are able to automatically detect and respond to events that match a pre-defined threshold condition, such as multiple failed login attempts, or when a certain number of files have been encrypted within a given time frame.
This is obviously helpful when it comes to preventing the spread of ransomware. For example, if X number of files have been encrypted within Y seconds, a custom script can be executed which can disable a user account, stop a specific process, change the firewall settings, initiate a backup, shut down the affected server, and so on.
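The "X files encrypted within Y seconds" threshold rule described above, as an added Python example that is not taken from the page or from any particular DCAP product; the event list and its (timestamp, user, path) format are constructed assumptions standing in for what a file-activity monitor would feed the rule.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp in seconds, user, path) for each file
# write the monitor has already classified as "file encrypted" (for example by a
# ransomware-style extension or high-entropy content). Not real telemetry.
SAMPLE_EVENTS = [
    (100, "alice", "/share/finance/q1.xlsx"),
    (101, "alice", "/share/finance/q2.xlsx"),
    (102, "bob",   "/share/hr/handbook.docx"),
    (103, "alice", "/share/finance/q3.xlsx"),
    (104, "alice", "/share/finance/q4.xlsx"),
    (105, "alice", "/share/finance/budget.xlsx"),  # alice's 5th file in 10 s
    (106, "alice", "/share/finance/plan.xlsx"),
    (107, "alice", "/share/finance/notes.xlsx"),
    (108, "alice", "/share/finance/audit.xlsx"),
    (109, "alice", "/share/finance/tax.xlsx"),
    (110, "alice", "/share/finance/payroll.xlsx"),  # second burst, 2nd alert
    (160, "bob",   "/share/hr/policy.docx"),
    (200, "bob",   "/share/hr/offer.docx"),         # bob never reaches 5 in 10 s
]


def detect_mass_encryption(events, max_files, window_seconds):
    """Sliding-window threshold rule: alert when one user has `max_files`
    encrypted-file events within `window_seconds`.

    Returns a list of alert dicts. Each alert carries the action the response
    script would take (here only named, never executed), and the user's window
    is cleared after an alert so one burst yields one alert, not one per file.
    """
    recent = defaultdict(deque)   # user -> timestamps inside the current window
    alerts = []
    for ts, user, _path in sorted(events):
        window = recent[user]
        window.append(ts)
        # Drop timestamps older than the window relative to this event.
        while window and ts - window[0] > window_seconds:
            window.popleft()
        if len(window) >= max_files:
            alerts.append({"user": user, "at": ts, "files": len(window),
                           "action": "disable_account"})
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_encryption(SAMPLE_EVENTS, max_files=5, window_seconds=10):
        print(alert)
```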
As you can see, EDR, AV, SIEM, and DCAP solutions are not exactly competing technologies. In fact, they complement each other when each is used for its intended purpose.