Endpoint detection (EDR)

Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities.

Key components of EDR security

EDR security provides an integrated hub for the collection, correlation, and analysis of endpoint data, as well as for coordinating alerts and responses to immediate threats. EDR tools have three basic components:

Endpoint data collection agents. Software agents conduct endpoint monitoring and collect data—such as processes, connections, volume of activity, and data transfers—into a central database.

Automated response. Pre-configured rules in an EDR solution can recognize when incoming data indicates a known type of security breach and triggers an automatic response, such as to log off the end user or send an alert to a staff member.

Analysis and forensics. An endpoint detection and response system may incorporate both real-time analytics, for rapid diagnosis of threats that do not quite fit the pre-configured rules, and forensics tools for threat hunting or conducting a post-mortem analysis of an attack.

  • A real-time analytics engine uses algorithms to evaluate and correlate large volumes of data, searching for patterns.
  • Forensics tools enable IT security professionals to investigate past breaches to better understand how an exploit works and how it penetrated security. IT security professionals also use forensics tools to hunt for threats in the system, such as malware or other exploits that might lurk undetected on an endpoint.