Call us today: (09) 974 2379

What is EDR software? The replacement for ANTIVIRUS SOFTWARE (EPP)

Belton uses advanced threat protection over legacy endpoint protection.

SentinelOne is EDR and EPP software in one package. Legacy antivirus is just EPP Software.

The primary functions of an EDR security system are to: Monitor and collect activity data from endpoints that could indicate a threat. Analyze this data to identify threat patterns. Automatically respond to identified threats to remove or contain them, and notify security personnel.

Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. The term was suggested by Anton Chuvakin at Gartner to describe emerging security systems that detect and investigate suspicious activities on hosts and endpoints, employing a high degree of automation to enable security teams to quickly identify and respond to threats.

The primary functions of an EDR security system are to:

Monitor and collect activity data from endpoints that could indicate a threat

Analyze this data to identify threat patterns

Automatically respond to identified threats to remove or contain them, and notify security personnel

Forensics and analysis tools to research identified threats and search for suspicious activities

EDR security provides an integrated hub for the collection, correlation, and analysis of endpoint data, as well as for coordinating alerts and responses to immediate threats. EDR tools have three basic components:

Endpoint data collection agents. Software agents conduct endpoint monitoring and collect data—such as processes, connections, volume of activity, and data transfers—into a central database.

Automated response. Pre-configured rules in an EDR solution can recognize when incoming data indicates a known type of security breach and triggers an automatic response, such as to log off the end user or send an alert to a staff member.

Analysis and forensics. An endpoint detection and response system may incorporate both real-time analytics, for rapid diagnosis of threats that do not quite fit the pre-configured rules, and forensics tools for threat hunting or conducting a post-mortem analysis of an attack.

A real-time analytics engine uses algorithms to evaluate and correlate large volumes of data, searching for patterns.

Forensics tools enable IT security professionals to investigate past breaches to better understand how an exploit works and how it penetrated security. IT security professionals also use forensics tools to hunt for threats in the system, such as malware or other exploits that might lurk undetected on an endpoint.

New EDR capabilities improve threat intelligence

New features and services are expanding EDR solutions’ ability to detect and investigate threats.

For example, third-party threat intelligence services, such as Trellix Global Threat Intelligence, increase the effectiveness of endpoint security solutions. Threat intelligence services provide an organization with a global pool of information on current threats and their characteristics. That collective intelligence helps increase an EDR’s ability to identify exploits, especially multi-layered and zero-day attacks. Many EDR security vendors offer threat intelligence subscriptions as part of their endpoint security solution.

Additionally, new investigative capabilities in some EDR solutions can leverage AI and machine learning to automate the steps in an investigative process. These new capabilities can learn an organization’s baseline behaviors and use this information, along with a variety of other threat intelligence sources, to interpret findings.

Another type of threat intelligence is the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) project underway at MITRE, a nonprofit research group that works with the U.S. government. ATT&CK is a knowledgebase and framework built on the study of millions of real-world cyberattacks.

ATT&CK categorizes cyberthreats by various factors, such as the tactics used to infiltrate an IT system, the type of system vulnerabilities exploited, the malware tools used, and the criminal groups associated with the attack. The focus of the work is on identifying patterns and characteristics that remain unchanged regardless of minor changes to an exploit. Details such as IP addresses, registry keys, and domain numbers can change frequently. But an attacker’s methods—or “modus operandi”—usually remain the same. An EDR can use these common behaviors to identify threats that may have been altered in other ways.

As IT security professionals face increasingly complex cyberthreats, as well as a greater diversity in the number and types of endpoints accessing the network, they need more help from the automated analysis and response that endpoint detection and response solutions provide.

What is antivirus software (Our historic protection method):
Endpoint Antivirus is a type of software designed to help detect, prevent and eliminate malware on devices. This traditionally included viruses, but some endpoint antivirus software will also detect worms, bots, trojans and more.

Endpoint antivirus solutions are installed on endpoint devices both inside and outside an organization’s firewall—these typically include desktop and laptop computers and network servers but can also include things like mobile phones. Endpoint Antivirus software is available from a variety of vendors, with versions designed for personal use, small businesses, and large enterprises.

Traditional endpoint antivirus solutions feature large databases of virus signatures and definitions. They find malware by scanning files and directories and looking for patterns that match the virus signatures and definitions on file. These systems can only recognize known threats. Endpoint antivirus vendors, then, must constantly be on the lookout for new malware, so that they can add it to the databases.  Since new malware is being developed all the time, with endpoint antivirus, if you don’t constantly update the software, it will be unable to detect the latest malware, leaving you open to an attack.

In some cases, if malware is found on an endpoint, the software can automatically block, quarantine or remove it. Otherwise, it will issue an alert notifying the user that malware has been found and prompts them to take action to resolve the threat. Notifications also appear to remind users to update their directories, if it has been awhile and they have become out of date.

Let’s keep the conversation going

Contact Us