Endpoint Detection and Response (EDR) Systems are like DVRs

by Mike Reynolds
Category: Product
Tags: EDR, Endpoint Detection and Response

Endpoint Detection and Response (EDR) is a cybersecurity technology that addresses the need for continuous monitoring and response to advanced threats. It is a subset of endpoint security technology and a critical piece of an optimal security posture.

Another way to think about what an EDR does is to compare it to a TiVo or DVR system. TiVos and DVRs record television programming so someone can view the content later. In a similar fashion, EDR systems record and store all process activity on a computer at the deepest levels of the operating system, including file writes, process executions and network connections. EDR vendors write alerts against this repository of process data, and those alerts need to be monitored and triaged in real time by security analysts to ensure nothing malicious is happening.

Recently, Respond Software announced support for EDR systems from CrowdStrike, SentinelOne and Carbon Black.  With support for these EDR systems, the Respond Analyst is able to interpret the data and information generated from them to help organizations find security threats in their environment.

So why is this important? The typical security analyst starts their career with a Global Information Assurance Certification (GIAC) for intrusion detection, which trains them to monitor malicious traffic on a network. However, analyzing network information is different from doing the same on a server at the operating system level, which is exactly where EDR systems monitor. To understand what is really happening in an EDR alert, the analyst needs intimate knowledge of the various operating systems as well as the threat vectors unique to each operating system and version. The analyst must also understand the baseline of normal operation in order to recognize abnormal activity. If the analyst does not possess this operating-system-level skill set, analyzing EDR data will be a challenge, if not impossible.

To solve these issues, some organizations are relying on Managed Detection and Response (MDR) services to handle their EDR data. The problem with this approach is that it does not have the capability to cross-reference malicious activity with other alerts and information coming from different sensors in the environment. Other sensors may include Network Intrusion Detection Systems (NIDS), Endpoint Protection Platforms (EPP) and web filters that monitor outbound web communications.

Now that Respond Software has integrated support for EDR systems, the Respond Analyst handles the complexity of interpreting the generated alerts with automation. Respond Software built expert interpretation models for EDR data to let organizations know when they have a security incident on a system. What is different about the Respond Analyst is that it couples EDR data with what is being monitored on the network to determine whether there really is a malicious incident. This provides a holistic view of the security posture within the environment, from servers and endpoints to the network and web filters, freeing analysts from needing to understand operating systems at the lowest level. It also allows them to spend their time on other activities like threat hunting and remediation – or checking out their favorite programs recorded on their DVR.
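The two ideas in this post, a recording of process activity that detection rules are written against, and cross-referencing those hits with what a network sensor saw, can be sketched in a few dozen lines. The Python below is an added example, not Respond Software's code or the logic of any EDR vendor; the hostnames, process chains, addresses and sensor signature text are constructed, and the single rule (an Office application spawning a script host) is an illustrative stand-in for the vendor rule sets the post describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class EndpointEvent:
    """One record in the EDR 'recording': what a process did, and when."""
    ts: datetime
    host: str
    kind: str     # "exec", "file_write" or "net_conn"
    process: str  # image name of the acting process
    parent: str   # image name of its parent process
    detail: str   # command line, path written or remote address


@dataclass(frozen=True)
class NetworkAlert:
    """An alert from a separate sensor (NIDS or web filter) watching the wire."""
    ts: datetime
    host: str
    signature: str


@dataclass(frozen=True)
class Incident:
    host: str
    ts: datetime
    chain: str                       # "parent -> child" that matched the EDR rule
    corroborated: bool               # a network sensor flagged the same host nearby in time
    network_signatures: Tuple[str, ...]


T0 = datetime(2019, 6, 3, 14, 0, 0)


def at(seconds: int) -> datetime:
    return T0 + timedelta(seconds=seconds)


# Constructed sample telemetry; every name, path and address here is invented.
EDR_EVENTS: List[EndpointEvent] = [
    EndpointEvent(at(0),   "ws-17",  "exec",       "winword.exe",    "explorer.exe", "quarterly.docx"),
    EndpointEvent(at(5),   "ws-17",  "exec",       "powershell.exe", "winword.exe",  "-File macro.ps1"),
    EndpointEvent(at(7),   "ws-17",  "file_write", "powershell.exe", "winword.exe",  r"C:\Users\a\AppData\Local\Temp\up.exe"),
    EndpointEvent(at(9),   "ws-17",  "net_conn",   "powershell.exe", "winword.exe",  "203.0.113.7:443"),
    # An administrator at an interactive shell: same binary, different parent, normal baseline.
    EndpointEvent(at(120), "ws-22",  "exec",       "powershell.exe", "explorer.exe", "Get-ChildItem"),
    EndpointEvent(at(180), "ws-22",  "net_conn",   "chrome.exe",     "explorer.exe", "198.51.100.4:443"),
    EndpointEvent(at(600), "srv-03", "exec",       "cscript.exe",    "excel.exe",    "export.vbs"),
]

# Constructed network-sensor alerts for the same time span.
NIDS_ALERTS: List[NetworkAlert] = [
    NetworkAlert(at(10),  "ws-17", "outbound TLS to address on reputation list (constructed)"),
    NetworkAlert(at(900), "ws-22", "policy: large upload to file-sharing site (constructed)"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def edr_alerts(events: List[EndpointEvent]) -> List[EndpointEvent]:
    """A rule written against the recording: an Office application spawning a
    script host. The benign PowerShell on ws-22 (parent explorer.exe) does not
    match, which is the 'baseline of normal' an analyst has to know to read this."""
    return [e for e in events
            if e.kind == "exec" and e.parent in OFFICE_APPS and e.process in SCRIPT_HOSTS]


def correlate(edr_hits: List[EndpointEvent], network_alerts: List[NetworkAlert],
              window: timedelta = timedelta(minutes=5)) -> List[Incident]:
    """Cross-reference each EDR hit with network alerts for the same host within
    +/- window. A hit seen by two independent sensors ranks above a hit seen by
    one; a feed that only carries EDR data cannot make this distinction."""
    incidents = []
    for hit in edr_hits:
        sigs = tuple(a.signature for a in network_alerts
                     if a.host == hit.host and abs(a.ts - hit.ts) <= window)
        incidents.append(Incident(hit.host, hit.ts, f"{hit.parent} -> {hit.process}", bool(sigs), sigs))
    # Corroborated incidents first, then oldest first: the analyst's queue ordered by confidence.
    incidents.sort(key=lambda i: (not i.corroborated, i.ts))
    return incidents


def triage(events: List[EndpointEvent] = EDR_EVENTS,
           network_alerts: List[NetworkAlert] = NIDS_ALERTS) -> List[Incident]:
    return correlate(edr_alerts(events), network_alerts)


if __name__ == "__main__":
    for inc in triage():
        tag = "CORROBORATED" if inc.corroborated else "endpoint-only"
        print(f"{inc.ts:%H:%M:%S} {inc.host:7} {inc.chain:32} {tag} {list(inc.network_signatures)}")
```

Run as a script, it lists two incidents: the ws-17 chain, corroborated by the network sensor alert ten seconds later, and the srv-03 chain with no network evidence, which lands lower in the queue. The ws-22 upload alert never appears because nothing in the endpoint recording for that host matched a rule; in a real deployment that is exactly the kind of single-sensor signal that still deserves its own triage path rather than being dropped.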
