Tel: 03456197197     Email: hello@s2.group

The Plain English Guide to: Endpoint Detection and Response (EDR) - 28/06/2022


Executive Summary

  • Endpoint Detection and Response, or EDR, is a real-time threat protection and mitigation system which monitors your network for threats and reacts proactively. EDR systems use machine learning and AI to identify and mitigate potential attacks.
  • Unlike conventional anti-virus systems, EDR doesn’t check files against a list of known threats after the fact; it analyses network and endpoint activity as it happens to decide whether that activity is a threat. If a threat is detected, an EDR system can take immediate mitigative action.
  • EDR systems protect businesses against far more than simple viruses, including ransomware, fileless attacks, zero-day malware, and more.

Introduction

How secure is your business?

It’s easy to assume that some enterprise-class anti-virus software and a bit of employee training is enough to keep you safe from most cyberattacks, but that isn't true anymore.

As cyberattacks have become more advanced, businesses are facing new threats which are smarter – and more invasive – than ever before. With 96% of businesses reporting a cyberattack attempt in the last 12 months, it’s not difficult to see why threat protection is high on the agenda in 2022 and beyond.

The truth is that anti-virus software is not enough anymore. With fileless attacks, ransomware, and other advanced attacks becoming more common, you need to up your defences.

Luckily, there is a solution: Endpoint Detection and Response, or EDR.


What is Endpoint Detection and Response?

Originally coined by security specialist Anton Chuvakin in 2013, Endpoint Detection and Response (EDR) is a real-time protection system which continuously monitors and responds to potential threats on a network. It uses artificial intelligence algorithms and machine learning to recognise and respond to potential attacks in real time.

Unlike conventional anti-virus tools, which work passively on the basis of recognising known threats (i.e. checking detected anomalies against a list of threats it’s seen before), EDR works actively to identify and mitigate threats in real time.

EDR works by constantly monitoring each endpoint in a network.

What is an endpoint? Well, these days it could be anything from the desktop and laptop computers your team uses to an internet-enabled fridge (no, we’re not kidding). Essentially, any device which can access the internet is an endpoint and is thus a gate through which an attacker may attempt entry.

An EDR system will monitor each endpoint and collect data about common events. If something unusual or unexpected happens, data about the event is sent back to the centralised EDR system and analysed. If a threat is identified, the EDR system will take preventative or mitigative action, such as immediately disconnecting the endpoint or even rolling back infected file changes.


How EDR can protect your business

Now that you’re familiar with the concept of EDR, you might wonder why it’s so important to have such advanced cyberattack protection. Isn’t regular anti-virus enough? The truth is that, sadly, anti-virus is unable to handle the types of modern attacks being thrown at businesses today.

Here are some of the attack types your business could be vulnerable to right now:

  • Ransomware. These attacks immediately encrypt local files on a computer, then display a message demanding payment of some kind to unlock them. A well-known example is the “WannaCry” cyberattack in 2017, which spread between unpatched Windows machines and affected more than 200,000 of them across the world.
  • Fileless attacks. As the name suggests, a fileless attack doesn’t require the user to open an email attachment or file of any kind. It’s a form of ‘stealth’ cyberattack and potentially one of the most damaging. Unlike conventional viruses, which reside on the hard drive, these run in memory and attack endpoints at a much deeper level, which makes them far harder to eliminate.
  • Lateral movement attacks. One of the more sophisticated attacks, the ‘lateral movement’ in the name refers to an attacker moving from one endpoint to another in order to avoid detection, sometimes even impersonating genuine users. This process effectively ‘dodges’ any anti-virus software – but it can’t avoid a good EDR system.
  • Zero-day malware. Cyberattackers are always working to identify exploits in systems like Microsoft Windows. A ‘zero-day’ attack happens when attackers use an exploit which the developers haven’t yet patched. This can be a big security risk, but an EDR is able to identify – and mitigate against – the negative impact of such attacks.

Historically, these types of attacks have required either dedicated software for detection – or, worse, have simply been missed by conventional anti-virus solutions.

As attackers have become more sophisticated, it’s become clear that preventative measures must likewise evolve – and it’s here that EDR comes into play.


How EDR works – and why it’s so much smarter than anti-virus

One of the big differences between EDR and conventional anti-virus is that EDR is based on modern artificial intelligence and machine learning technologies.

In plain English, that means that the EDR system will leverage all of the data it’s collected from all endpoints and use it to decide whether a particular event represents a cyberattack threat.

Once the EDR system has a baseline understanding of how endpoints should behave, it can begin to ask questions of particular events as they occur.

For example, let’s say a user downloads a file attachment from a random email address on their laptop. In real time, the EDR system may ask the following:

  • Does this file appear unusual in any way?
  • Has this endpoint performed this action before, and if so, how often?
  • Is the downloaded file requesting access to sensitive or protected areas of the endpoint?

Every EDR system is different, but this is the core of the concept – it’s proactively monitoring activity in real time and making an immediate decision about whether to act, based on historical data.
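To make the loop described above concrete (collect endpoint events, learn a baseline, ask the three questions about a new event, then respond, for instance by disconnecting the endpoint as described earlier), here is an added Python example. It is not S2 Group’s code or any product’s logic: the telemetry is constructed, the list of sensitive locations is assumed, and the score-to-action mapping is a deliberately simple stand-in for a real engine’s analytics.

```python
from collections import Counter

# Constructed telemetry (not real data): host|process|file_hash|path_touched, one event per line.
BASELINE_LOG = """\
laptop-01|outlook.exe|h-report|C:/Users/alice/Downloads/report.pdf
laptop-01|outlook.exe|h-invoice|C:/Users/alice/Downloads/invoice.pdf
laptop-01|outlook.exe|h-report|C:/Users/alice/Downloads/report2.pdf
laptop-02|excel.exe|h-q1|C:/Users/bob/Documents/q1.xlsx
"""

# Assumed list of protected locations an ordinary download should never touch.
SENSITIVE_PREFIXES = ("C:/Windows/System32", "C:/Windows/SysWOW64", "HKLM/SAM")

def parse_events(log):
    """Turn the pipe-delimited telemetry into a list of event dicts."""
    events = []
    for line in log.strip().splitlines():
        host, process, file_hash, path = line.split("|")
        events.append({"host": host, "process": process, "hash": file_hash, "path": path})
    return events

def build_baseline(events):
    """What 'normal' looks like: per-host process counts plus every file hash seen fleet-wide."""
    per_host, known_hashes = {}, set()
    for e in events:
        per_host.setdefault(e["host"], Counter())[e["process"]] += 1
        known_hashes.add(e["hash"])
    return {"per_host": per_host, "known_hashes": known_hashes}

def assess(event, baseline):
    """Ask the three questions from the text about one new event and map the answers to a response."""
    host_counts = baseline["per_host"].get(event["host"], Counter())
    answers = {
        "unusual_file": event["hash"] not in baseline["known_hashes"],       # never seen on any endpoint?
        "times_seen_before": host_counts[event["process"]],                 # has this host done this before?
        "touches_sensitive": event["path"].startswith(SENSITIVE_PREFIXES),  # protected area of the endpoint?
    }
    score = (int(answers["unusual_file"]) + int(answers["times_seen_before"] == 0)
             + int(answers["touches_sensitive"]))
    # Escalating response: record only, alert an analyst, or cut the endpoint off the network.
    action = ("allow", "alert", "isolate_endpoint", "isolate_endpoint")[score]
    return {**answers, "score": score, "action": action}

if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_LOG))
    suspicious = {"host": "laptop-01", "process": "outlook.exe", "hash": "h-unknown",
                  "path": "C:/Windows/System32/drivers/etc/hosts"}
    print(assess(suspicious, baseline))
```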

Downloading weekly virus definitions for a nightly scan seems a little inadequate in comparison, right?