By IT Brew Staff
Definition:
Endpoint detection and response (EDR) is a class of security tooling that combines agents installed on endpoints (laptops, desktops, servers and other devices) with centralized analytics and automated response, so that security teams can continuously monitor those endpoints, detect attacks against them and contain the damage. Properly implemented, EDR can catch a range of intrusions that have already passed, or never touched, the network perimeter, including the malicious payloads delivered through social engineering and fileless malware that runs in memory or abuses built-in tools rather than dropping a file on disk.
A well-built EDR platform will include:
- An agent installed on each endpoint that records activity such as process launches, logons, and file and network events
- A central collection point for the telemetry from those endpoints, which security teams can review for unusual actions (such as repeated failed logins on one host)
- Automated analysis over that telemetry (detection rules, behavioral analytics and matching against the latest threat intelligence) that surfaces patterns a human reviewer would miss
- The ability to alert the organization about suspected attacks, with enough context to triage them
- Retained historical telemetry, so analysts can reconstruct an incident after the fact and spot long-term trends
If executed correctly, EDR lets organizations detect and contain threats, including sophisticated attacks, earlier than perimeter controls alone would; it shortens the time an attacker can operate unnoticed on a compromised host and gives security pros the telemetry they need to investigate and validate suspected compromises across the tech stack. The automation aspects of EDR, including the ability to automatically isolate an endpoint from the network when it trips a high-confidence detection, can help overstretched security teams make better use of limited bandwidth and resources.
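To make the component list and the automated-response sentence above concrete, here is an added example (not IT Brew's code and not taken from any EDR product) of the central analysis stage: it parses a constructed batch of endpoint telemetry, runs three detection rules over it (repeated failed logons within a time window, a process hash on a threat-intelligence list, and an Office application spawning a shell, which is a common fileless-malware tell), and applies a simple isolation policy. The host names, users, hashes, rule names and thresholds are all invented for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry: one JSON record per line, in the shape an
# endpoint agent might forward to the central collector. Hosts, users,
# process names and hashes are invented for this example.
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T09:00:01Z","host":"lt-042","type":"logon","user":"alice","ok":false}
{"ts":"2024-05-01T09:00:04Z","host":"lt-042","type":"logon","user":"alice","ok":false}
{"ts":"2024-05-01T09:00:07Z","host":"lt-042","type":"logon","user":"alice","ok":false}
{"ts":"2024-05-01T09:00:09Z","host":"lt-042","type":"logon","user":"alice","ok":false}
{"ts":"2024-05-01T09:00:12Z","host":"lt-042","type":"logon","user":"alice","ok":false}
{"ts":"2024-05-01T09:00:15Z","host":"lt-042","type":"logon","user":"alice","ok":true}
{"ts":"2024-05-01T09:30:00Z","host":"lt-017","type":"logon","user":"bob","ok":false}
{"ts":"2024-05-01T09:45:00Z","host":"lt-017","type":"logon","user":"bob","ok":true}
{"ts":"2024-05-01T10:02:00Z","host":"lt-017","type":"process","image":"winword.exe","parent":"explorer.exe","sha256":"aaaa"}
{"ts":"2024-05-01T10:02:03Z","host":"lt-017","type":"process","image":"powershell.exe","parent":"winword.exe","sha256":"bbbb"}
{"ts":"2024-05-01T10:10:00Z","host":"lt-099","type":"process","image":"svchost.exe","parent":"services.exe","sha256":"cccc"}
{"ts":"2024-05-01T10:11:00Z","host":"lt-099","type":"process","image":"update.exe","parent":"explorer.exe","sha256":"deadbeef"}
"""

# Constructed threat-intelligence feed: hashes an analyst has marked malicious.
KNOWN_BAD_SHA256 = {"deadbeef"}

# Parents that should not normally spawn a shell (assumed lists for the example).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def parse_events(raw):
    """Turn the JSON-lines feed into dicts with a real datetime in 'ts'."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, failed_logon_threshold=5, window=timedelta(minutes=5)):
    """Run three detection rules over the central store; return alerts in time order."""
    alerts = []
    recent_failures = defaultdict(deque)  # (host, user) -> timestamps of failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "logon" and not ev["ok"]:
            q = recent_failures[(ev["host"], ev["user"])]
            q.append(ev["ts"])
            # Keep only failures inside the sliding window, then test the threshold.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= failed_logon_threshold:
                alerts.append({"host": ev["host"], "rule": "repeated_failed_logons",
                               "severity": "medium", "ts": ev["ts"]})
                q.clear()  # one alert per burst, not one per extra failure
        elif ev["type"] == "process":
            if ev["sha256"] in KNOWN_BAD_SHA256:
                alerts.append({"host": ev["host"], "rule": "known_malicious_hash",
                               "severity": "high", "ts": ev["ts"]})
            if ev["parent"] in OFFICE_APPS and ev["image"] in SHELLS:
                alerts.append({"host": ev["host"], "rule": "office_spawned_shell",
                               "severity": "high", "ts": ev["ts"]})
    return alerts


def hosts_to_isolate(alerts):
    """Automated-response policy: only high-severity alerts trigger network
    isolation, so a noisy medium-severity rule cannot quarantine a host alone."""
    return sorted({a["host"] for a in alerts if a["severity"] == "high"})


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(a["ts"].isoformat(), a["host"], a["rule"], a["severity"])
    print("isolate:", hosts_to_isolate(found))
```

With the default threshold of five failures in five minutes, only the burst on lt-042 produces a failed-logon alert, while the single failure from bob on lt-017 is ignored; lt-017 and lt-099 are isolated on the strength of their high-severity process alerts. Lowering `failed_logon_threshold` to 1 turns every failed logon into an alert, which is exactly the kind of tuning mistake that buries a real intrusion under noise.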
However, EDR has its downsides if not managed properly. Poorly tuned detection rules and thresholds can flood a security team with alerts, most of them for harmless activity; this "alert fatigue" can cause even the most experienced IT pros to miss the signs of a real attack. Integrating EDR into a large organization with a complicated tech stack can also prove incredibly challenging, and can become a burden on resources rather than a relief.