Why do I need EDR for my IT Security and what is EDR anyways?
Why do I need EDR for my IT Security and what is EDR anyways?
If your IT company or department is keeping up with security then you probably have already heard of
Endpoint Detection and Response or “EDR” and may be aware “EDR” is running on your computer. You
may be wondering though what happened to Anti-Virus and why doesn’t IT use it as part of their
Around 2011 businesses started to realize their legacy anti-virus was not a viable solution. As malicious
code writers became savvier, legacy anti-virus responded by adding more complexity to thwart malware
and viruses, slowing down their already heavily weighted application. Legacy anti-virus was using more
memory and more CPU resources and end-users were frustrated at the slowness and unresponsiveness
anti-virus was causing. IT providers too were frustrated at the inability to manage anti-virus programs on
a large scale. They were frustrated at the amount of computer resources required, in some cases entire
servers dedicated to just anti-virus, and sympathized with the performance discomforts users were
Some anti-virus companies found ways around this by re-writing their backend anti-virus engines
making them sleeker. This was only a temporary solution though as hackers were finding ways to get
around antivirus detection by encrypting the payloads or altering the virus sequences allowing to be
deployed undetected. Hackers were also becoming interested in the financial gains of stealing company
data or using ransomware to ransom company data. Hackers were no longer just writing detectable
malicious code causing malice and disruptions — they were becoming organized and found it as a way to
earn a lucrative income. Legacy anti-virus could no longer compete.
The Evolution of End-Point Protection (EPP)
Legacy Anti-Virus companies, such as Norton, realized they needed to change to keep up with the new
tactics of hackers. So, the Anti-Virus companies continued to load their applications with even more
features, often not needed in a business environment due to other security features already in place,
such as device firewall, device blocking, and network security access. These were attractive to personal
users but not without a sacrifice to performance and with much frustration of being unable to access
valid devices, such as USB drives, and accessing legitimate Internet sites. Furthermore, the added
features did very little or nothing to thwart data theft and ransomware. IT companies and IT
departments were looking for alternatives. Lightweight, able to protect better, and with centralized
management. This led to the evolution of End-Point Protection (EPP).
Endpoint Protection offered the protections of legacy anti-virus, and further protected in real-time using
advanced cloud-based services. EPP had a minimal impact on performance, and offered cloud-based
centralized management. Features also included anti-malware and intrusion prevention and blocked
data transfers to unauthorized device types, such as USB flash drives or Bluetooth devices.
EPP though, like legacy anti-virus, still required active monitoring for alerts, after-the-fact reaction, and
remediation by IT staff, and did nothing to detect the hackers once they infiltrated onto a system. In
many cases cyber hackers often infiltrated months prior for the purpose of gathering as much
information on an organization’s entire network before encrypting on all data including backups and
redundant data for ransom. Like legacy anti-virus, EPP was also signature-based, comparing known
patterns to scanned local data.
Endpoint Detection and Response (EDR)
EPP was not keeping pace with the evolution and techniques of hackers. As with legacy Anti-Virus, EPP
was focused on prevention. Security developers realized they needed to focus more on the detection of
suspicious activity once a compromise occurred and embraced the idea of “assume breach”. This
concept though was not new. Anton Chuvakin, a research director at Gartner, a global research and
advisory firm, first used the term in July 2013. He surmised a concept of “endpoint threat detection and
response.” Using “tools primarily focused on detecting and investigating suspicious activities”.
EDR relies on artificial intelligence (AI) to automatically remediate and proactively defend against cyber
threats, taking the burden off of IT staff who may be quick to respond but not quick enough. Analyzing
thousands of computer activities, and events EDR evaluates threats in real time. Once suspicious
activities are detected, EDR develops a list of evasive actions and responds using predefined algorithms
to counter the activity. EDR actions include immediate snapshots of data to a hidden secure
compartment if it detects the data is being encrypted thus allowing easy recovery in the event of a
ransomware attack. Other response actions include the isolation of the computer from the network,
disabling the hacker’s remote access, and restricting the hacker user’s access to the computer.
Once a hacker compromises an organization’s network, a common method is to use the computer’s task
scheduler to pre-schedule attacks to run at a future date and time. Although hackers are no longer
present on the endpoint or in the network, the attacks will still occur, scheduled often to run on a
weekend or during holidays when human detection and IT staff response times are low. Endpoint
Detection and Response detects and deletes scheduled tasks it deems as malicious as they are
scheduled or when they are executed.
When an attack is detected, EDR allows the enforcement of network containment of endpoints by
isolating potentially compromised hosts from all network activity. While under containment, an
endpoint can still send and receive information to the predetermined security monitoring team,
allowing IT staff to take instantaneous action, but the endpoint still remains contained and access to the
network and internet is disabled.
Gartner predicts $175.5B will be spent on Information Security and Risk Management by 2023. Hackers
are continuing to evolve their cyberattack techniques and processes. EDR is designed to combat these
emerging threats by using artificial intelligence as a form of behavioral analysis, making EDR effective
against advanced cyberattacks. EDR is an integral part of today’s cybersecurity – it protects Endpoints,
empowering them to Detect and Respond to cyberthreats.
About the Author
Clinton A. Pownall is the President & CEO of Computer Business Consultants, an IT managed services
provider for onsite, cloud-based, and mobile infrastructure, with specialization in system backups,
disaster recovery, and cybersecurity. Pownall served in the U.S. Navy for six years as a Weapons Systems
Technician, has a Bachelor of Science in Computer Engineering, and has been in the IT field since 1990. A
member of the Florida Police Chiefs Association, he advises law enforcement agencies and businesses
on cybersecurity. He is also actively involved with the Department of Homeland Security and the U.S.
Cybersecurity and Infrastructure Security Agency.