On any given network there will be a large number of endpoints such as desktop computers, servers, laptops, smart phones, smart watches and other mobile devices. It is increasingly difficult to protect against advanced attacks that enter through these endpoints, because of the sheer number and variety of them. This means that endpoints are often where hacker activity takes place and, even with the most advanced protection, a breach could still occur.
What is EDR?
Endpoint Detection and Response (EDR), also known as Endpoint Threat Detection and Response (ETDR), is a cybersecurity solution that continually monitors end-user devices to detect and respond to cyber-threats like ransomware and other kinds of malware. It provides IT security teams with the visibility they need to uncover incidents that may otherwise remain invisible, allowing them to know if and when an attacker is in the network, detect the path of the attack if it happens, and respond to incidents quickly.
Why is EDR important?
Endpoint security has always been an important part of an organisation’s cybersecurity strategy, and even more so as remote work becomes more common. IT security professionals are facing increasingly complex cyber-threats, while at the same time dealing with large numbers and types of endpoints accessing the network. In many cases, cyber incidents are not being handled adequately by existing defences, with hackers becoming more sophisticated and increasingly working their way around anti-virus solutions. This requires EDR solutions to provide powerful protection, analysis and response at this critical entry point.
39% of businesses reported cybersecurity breaches or attacks in the last 12 months.
31% of businesses experience breaches or attacks at least once a week.
1 in 5 of the businesses reporting cyber-attacks lost money, data or other assets.
Source: Cyber Security Breaches Survey 2022 - GOV.UK (www.gov.uk)
How does EDR work?
EDR runs through sensors installed on all endpoints, and applies behavioural analytics that analyse billions of events in real-time to automatically detect traces of suspicious behaviour. All of this data is pieced together to build a complete picture of endpoint activity, no matter where the device is located. Essentially, the technology senses behaviour that is out of the ordinary for a given user on the system.
This gives IT security teams the information they need, including:
- All user accounts that have logged in to the network, both directly and remotely
- Local and external addresses to which the host is connected
- A summary of changes to Active Server Pages (ASP) keys, executables and administrative tool usage
- Process executions
- Summary and detailed process-level network activity, including Domain Name System (DNS) requests, connections, and open ports
- Archive file creation, including ZIP and RAR
- Use of removable media such as UBS memory sticks, external hard drives and smart phones
What type of threat does EDR detect?
Endpoint Detection and Response detects the following threats to a network:
- Malware (spyware, ransomware, viruses, bots etc.)
- Misuse of legitimate applications
- Stolen user credentials
- Suspicious user activity and behaviour
- Fileless attacks (also called zero-footprint, macro, or non-malware attacks), where malicious software is not installed, often meaning these attacks are more likely to be missed by anti-virus tools.
What’s the difference between EDR and anti-virus software?
EDR observes endpoint activity continuously, and works alongside your anti-virus software. Both technologies serve a purpose in protecting your network, but there are some key differences.
Anti-virus software (including next-generation anti-virus software) is focused on preventing cyber-attacks, however, in the event of an attack it offers little visibility into what happened or where the threat moved on the network. EDR tells the whole story—it lets you know when an attack occurred, and shows the attack path on the network, from where it entered to the actions it took.
While anti-virus software can analyse the behaviour and threats on a single endpoint, EDR consolidates the data across all endpoints to provide a full picture of potential threats. EDR can also provide visibility when an attack is stopped by anti-virus software, but also when it fails, making EDR vital in the detection of malicious activities that might make their way around the anti-virus software.
Integrated endpoint security
Endpoint Detection and Response is a valuable addition to an organisation’s cybersecurity arsenal, but the most effective way to strengthen your endpoint security is to take an integrated approach.
By combining key security elements such as EDR, anti-virus software, and Multi-Factor Authentication (MFA), you can build greater defences. It’s also important to ensure you are delivering effective cybersecurity awareness training for employees, as well as considering other proactive solutions such as phishing simulations, vulnerability scanning and penetration testing. Gallagher’s Cyber Risk Management Practice can help you with all of these aspects of your cybersecurity.
For more information, please contact: