
What Is EDR (Endpoint Detection and Response)?

Endpoint Detection and Response is a technology for continuously monitoring enterprise endpoints, detecting malicious activity on them, and responding to it.


What is Endpoint Detection and Response?

Endpoint Detection and Response (EDR) refers to a cybersecurity technology that creates alerts whenever malicious behavior is detected on endpoints, such as desktops, laptops, mobile devices, or servers. As the name suggests, EDR’s capabilities cover threat detection, remediation, and containment. Used proactively, it can enable threat hunting as well as analysis and forensic reporting capabilities.

EDR is sometimes referred to as part of, or a complement to, a broader endpoint protection platform (EPP). EPPs typically include host-based defenses such as antivirus, firewalls, anti-malware, data loss prevention tools, and encryption. This suite of tools comprises a crucial component of a comprehensive security strategy. While effective, EPP tools can be evaded by sophisticated social engineering and fileless attacks that target endpoint memory.

Endpoint Detection and Response provides a critical buttress to EPP capabilities. Its real-time, automated detection and response functions are meant to find indicators of compromise (IOC) and attack (IOA) before the attack spreads across the network to other enterprise assets.

An EDR solution comprises one part of the SOC Visibility Triad, a concept created by Gartner to help create a mutually reinforcing, comprehensive approach to enterprise security. As such, it is best deployed in tandem with Network Detection and Response (NDR), Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) solutions.


What are the components of EDR technology?

Like any cybersecurity approach, EDR’s purpose is multi-faceted, but its primary objective is to provide an in-depth view into endpoint activities for the purposes of monitoring, analysis, and threat mitigation. To provide security teams with that level of visibility, most Endpoint Detection and Response solutions will include some version of these features:

  • Real-time monitoring and threat detection. EDR deploys software components, known as agents, that continuously monitor activity on the endpoint and collect telemetry for analysis and pattern matching. Detection capabilities include signature-based and anomaly-based behavioral analysis to detect known, persistent threats as well as novel attack methods.
  • Incident and threat response. Automated alerting elevates the most serious threats to the security team, enabling a rapid response. The response may include isolation and containment measures to prevent lateral movement, as well as remediation procedures such as the removal of corrupted or malicious files.
  • Proactive threat hunting. The data collected by EDR should create in-depth visibility into the endpoint, and typically includes data or file modifications, user activity, process executions, network connections, and more. Endpoint Detection and Response solutions have access to databases that maintain a current list of attack signatures, malicious domains and IP addresses, and other information that can help security teams discover indicators of attack (IOA) before attackers are able to execute. With EDR, security teams can create queries that allow them to parse large volumes of data efficiently.
  • Forensic analysis. EDR’s data collection and behavioral analytics expedite incident response and also enrich post-incident analysis. They enable security teams to learn from an incident while recovering from it, and to bolster defenses against repeat attacks.
  • Filtering and triaging alerts. EDR’s automated functions filter alerts and surface those most likely to signify malicious activity. This helps the security operations center prioritize alert responses and avoid the common problem of chasing alerts generated by anomalous, but benign, activity on the endpoint.

What are the benefits of Endpoint Detection and Response?

Aside from providing a layer of defense that can address attacks missed by perimeter defenses, EDR technology can facilitate a number of common objectives of security teams, including:

  • Improved threat detection and response times. No security solution is foolproof, which makes mean-time-to-respond (MTTR) an important metric of effectiveness. With continuous, real-time monitoring of endpoints, EDR provides a measurable improvement in response times while generating information that can be used to predict and defend against future attacks. It also helps security teams anticipate threats and find weaknesses in endpoints before attackers can exploit them.
  • Visibility that supports security policies. In addition to responding to threats and attacks, Endpoint Detection and Response helps the enterprise keep track of software installations, prohibited user behavior, or violations of operations policies. Visibility into endpoints can also help security teams detect insider threats, such as improper access to files and systems or attempts to exfiltrate proprietary data.
  • Improved forensic capabilities. Information collected during investigations and attack remediations can help security or forensic analysts create a more accurate picture of an incident and its scope. With a detailed record of endpoint activity, the enterprise can create detailed post-incident reports for regulatory or compliance purposes, and use them to inform the monitoring and response strategies the security team implements next.
  • Support for a comprehensive security approach. EDR solutions work in conjunction with other parts of the security toolkit, such as NDR, SIEM and XDR, and provide the SOC with a holistic view of the enterprise attack surface.

What factors should be considered when choosing an EDR solution?

Every organization has specific security requirements, so there is no one-size-fits-all EDR solution. That said, there are some fundamental questions that, when answered, can help a security team determine which solution will be the best fit.

  • Does the solution cover the endpoints and operating systems you need to protect, and can it scale to protect the full complement of endpoints in the enterprise? The security team should ensure the EDR solution can cover a sufficient number of devices, and the right device types, in their organization.
  • Does it provide sufficiently modernized threat detection? The most effective Endpoint Detection and Response solution will leverage machine learning, advanced behavioral analysis, and real-time monitoring capability.
  • Is the solution compatible with the existing security stack? To prevent siloing and complicated workflows, the EDR solution should integrate well with SIEM, NDR, next-generation firewalls (NGFW), or other established security tools.
  • Does the solution aid analysis through connection to regularly updated databases, or sandbox environments in which files can be executed for the purposes of threat detection or forensics? EDR databases and applications should be updated regularly, and include protected areas, or sandboxes, where files can be inspected for any signs of malicious code.
  • How challenging is it to implement and configure the EDR solution? In large organizations that already use many other security tools, an EDR solution can add significant complexity. The security team should determine if they have sufficient expertise to configure and monitor the EDR.

What are some limitations of Endpoint Detection and Response?

At a time when attackers are well-funded, patient, and use multiple attack approaches, even the best EDR solution is not a stand-alone defense of the enterprise. And while EDR has evolved considerably since it was first introduced, security teams should be aware of some common limitations in the technology.

The primary challenge is that Endpoint Detection and Response focuses only on endpoints, and does not extend to networks, cloud deployments, and other attack surfaces. What’s more, many EDR solutions are not designed to cover embedded devices or systems, IoT devices, Industrial Control Systems (ICS), Operational Technology (OT), and other components that have become legitimate targets for cyber attacks.

Like any other alerting technology, without regular retuning and calibration, EDR can generate a deluge of alerts that overwhelms the security team, including false positives that consume valuable time in manual analysis and verification. EDR solutions that rely on signature-based detection can miss many genuine threats (false negatives), and even solutions that deploy behavior-based analysis can miss the stealthiest attacks. Also, since attackers are constantly adapting their attack patterns or creating new ones, it can be challenging for EDR vendors to maintain a cadence of updates that keeps security teams current.


How can EDR and NDR complement each other?

Incident response that harnesses both Endpoint Detection and Response and Network Detection and Response is more likely to be quick and effective against threats that elude endpoint defenses alone. NDR’s passive monitoring of network traffic allows security teams to trace a threat’s lateral movement, identify systems involved beyond the initial point of compromise, and accelerate response and remediation.

While EDR’s coverage of endpoints is considered to be narrow and deep, NDR’s coverage of network traffic and behavior is broader, and based on packets and behavior that are considered to be the gold standard of evidence in enterprise security.

An immediate benefit of using EDR in conjunction with NDR is correlation of evidence. By harnessing two different data streams, security teams can use endpoint activity to validate evidence gleaned from network traffic patterns, or vice-versa.

The Power of EDR and NDR

Watch and learn how EDR and NDR work together to:

  • Provide unprecedented visibility into environments
  • Give security teams the breadth and depth to disrupt attacks
  • Become a force multiplier for security teams




When EDR is augmented by NDR, the enterprise can gain greater visibility into every device connection by generating data in the form of file hashes, DNS query/response, and TLS connections. The threat intelligence feeds and databases of each technology can help security teams create a clearer picture of the current threat landscape.


Corelight’s Open NDR Platform provides a strong complement to EDR

Integrating Corelight's Open NDR Platform with EDR can significantly improve attack response and detection. Open NDR uses open-source analytics from Zeek® to convert network traffic into comprehensive, correlated evidence and analytics. This data can automatically sync with EDR notifications, providing the context to investigate incidents faster, thereby reducing MTTR while providing a holistic view of the enterprise's security landscape.
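The evidence correlation described above (an EDR alert validated against network evidence, and the file-hash/DNS/TLS context that NDR adds) can be illustrated with a small script. This is an added example, not Corelight's or Zeek's own code; it assumes Zeek-style JSON records with Zeek's flattened field names (`id.orig_h`, `query`, `server_name`, ...) plus a `_path` field naming the log, and all alert and log data below is constructed.

```python
"""Correlate one EDR alert with Zeek network evidence (added example, constructed data)."""
import json
from datetime import datetime

# Constructed EDR alert: a suspicious process on a host opened an outbound connection.
EDR_ALERT = {"host": "10.0.0.5", "ts": "2023-05-01T12:00:30Z",
             "process": "powershell.exe", "dest_ip": "203.0.113.7"}

# Constructed Zeek JSON lines (dns, conn, ssl). Timestamps are epoch seconds, as Zeek emits them.
ZEEK_JSON_LINES = """
{"_path":"dns","ts":1682942400.0,"id.orig_h":"10.0.0.5","query":"update.example-cdn.test","answers":["203.0.113.7"]}
{"_path":"conn","ts":1682942425.0,"uid":"CabcXYZ","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.7","id.resp_p":443,"orig_bytes":1200,"resp_bytes":54000}
{"_path":"ssl","ts":1682942426.0,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.7","server_name":"update.example-cdn.test","validation_status":"self signed certificate"}
{"_path":"conn","ts":1682942500.0,"uid":"CdefQRS","id.orig_h":"10.0.0.9","id.resp_h":"203.0.113.7","id.resp_p":443,"orig_bytes":900,"resp_bytes":1000}
{"_path":"conn","ts":1682900000.0,"uid":"ColdONE","id.orig_h":"10.0.0.5","id.resp_h":"198.51.100.2","id.resp_p":80,"orig_bytes":10,"resp_bytes":10}
"""

def parse_zeek(lines: str) -> list:
    """Parse newline-delimited Zeek JSON into dicts, skipping blank lines."""
    return [json.loads(ln) for ln in lines.splitlines() if ln.strip()]

def correlate(alert: dict, logs: list, window_s: int = 300) -> dict:
    """Gather network evidence around an EDR alert: the host's connections to the
    alerted destination, the DNS lookup that resolved it, TLS metadata, and any
    other internal hosts that reached the same destination (incident scope)."""
    t0 = datetime.fromisoformat(alert["ts"].replace("Z", "+00:00")).timestamp()
    lo, hi = t0 - window_s, t0 + window_s
    host, dest = alert["host"], alert["dest_ip"]
    ev = {"conn_uids": [], "resolved_names": [], "tls": [], "other_hosts": set()}
    for rec in logs:
        if not (lo <= rec["ts"] <= hi):          # only records near the alert time
            continue
        path = rec["_path"]
        if path == "conn" and rec.get("id.resp_h") == dest:
            if rec["id.orig_h"] == host:
                ev["conn_uids"].append(rec["uid"])   # network confirms the endpoint's claim
            else:
                ev["other_hosts"].add(rec["id.orig_h"])  # scope beyond the alerted host
        elif path == "dns" and rec["id.orig_h"] == host and dest in rec.get("answers", []):
            ev["resolved_names"].append(rec["query"])
        elif path == "ssl" and rec["id.orig_h"] == host and rec.get("id.resp_h") == dest:
            ev["tls"].append((rec.get("server_name"), rec.get("validation_status")))
    ev["other_hosts"] = sorted(ev["other_hosts"])
    ev["corroborated"] = bool(ev["conn_uids"])   # False means the alert lacks network evidence
    return ev

if __name__ == "__main__":
    print(json.dumps(correlate(EDR_ALERT, parse_zeek(ZEEK_JSON_LINES)), indent=2))
```

The Zeek `uid` values returned let an analyst pivot straight to the full connection record, and an uncorroborated alert (no matching conn) is itself a useful triage signal.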


We’re proud to protect some of the most sensitive, mission-critical enterprises and government agencies in the world. Learn how Corelight’s Open NDR Platform can help your organization tackle cybersecurity risk.