What Is Endpoint Detection and Response (EDR) - McAfee


What is Endpoint Detection and Response?

Endpoint detection and response (EDR), also known as endpoint threat detection and
response (ETDR), is an integrated endpoint security solution that combines real-time
endpoint monitoring and collection of endpoint data with rules-based automated
response and analysis capabilities. The term was suggested by Anton Chuvakin
(https://blogs.gartner.com/anton-chuvakin/2013/07/26/named-endpoint-threat-
detection-response/) at Gartner to describe emerging security systems that detect and
investigate suspicious activities on hosts and endpoints, employing a high degree of
automation to enable security teams to quickly identify and respond to threats.
The primary functions of an EDR system are to:
1. Monitor and collect activity data from endpoints that could indicate a threat
2. Analyze this data to identify threat patterns
3. Automatically respond to identified threats to remove or contain them, and notify security personnel
4. Provide forensics and analysis tools for researching identified threats and hunting for suspicious activity

Adoption of EDR Solutions


Adoption of EDR is projected to increase significantly over the next few years. According to Stratistics MRC's Endpoint Detection and Response - Global Market Outlook (2017-2026) (https://finance.yahoo.com/news/global-7-27-bn-endpoint-131500381.html), sales of EDR solutions, both on-premises and cloud-based, are expected to reach $7.27 billion by 2026, with an annual growth rate of nearly 26%.

One factor driving EDR adoption is the growing number of endpoints attached to networks. Another major driver is the increasing sophistication of cyberattacks, which often target endpoints as the easier route into a network.

New types of endpoints and endpoint attacks


An average IT department manages thousands of endpoints across its network. These endpoints include
not only desktops and servers, but laptops, tablets, smartphones, internet of things (IoT) devices, and even
smart watches and digital assistants. The SANS Endpoint Protection and Response Survey (/enterprise/en-
us/solutions/lp/sans-endpoint-survey.html) reports that 44% of IT teams manage between 5,000 and
500,000 endpoints. Each of these endpoints can become an open door for a cyberattack.

While today's antivirus solutions can identify and block many new types of malware, attackers are constantly creating more, and many of them are difficult to detect with signature-based scanning. Fileless malware, for example, runs entirely in memory, often by abusing legitimate system tools such as PowerShell or WMI, so there is no file on disk for a signature scanner to inspect; detecting it requires watching what processes do rather than what files contain.

To bolster security, an IT department may implement a variety of endpoint security solutions, as well as
other security applications, over time. However, multiple standalone security tools can complicate the
threat detection and prevention process, especially if they overlap and produce similar security alerts. A
better approach is an integrated endpoint security solution.

Key components of endpoint detection and response


EDR provides an integrated hub for the collection, correlation, and analysis of endpoint data, as well as for
coordinating alerts and responses to immediate threats. Endpoint detection and response applications
have three basic components:

Endpoint data collection agents. Software agents run on each endpoint, monitor its activity, and collect data such as running processes, network connections, volume of activity, and data transfers into a central database.

Automated response. Pre-configured rules in an EDR solution recognize when incoming data indicates a known type of security breach and trigger an automatic response, such as logging off the end user or sending an alert to a staff member.

Analysis and forensics. An endpoint detection and response system may incorporate both real-time analytics, for rapid diagnosis of threats that do not quite fit the pre-configured rules, and forensics tools for threat hunting or conducting a post-mortem analysis of an attack.

A real-time analytics engine uses algorithms to evaluate and correlate large volumes of data, searching for patterns.

Forensics tools enable IT security professionals to investigate past breaches to better understand how an exploit works and how it penetrated security. IT security professionals also use forensics tools to hunt for threats in the system, such as malware or other exploits that might lurk undetected on an endpoint.
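The three components above, collection, automated response, and analysis/forensics, can be seen working together in a small model. The following is an added example written for this page; it is not McAfee code or any product's implementation. It assumes that each agent reports process-creation events carrying host, pid, ppid, image path and command line, that these land in a central store, that two pre-configured rules run over each event (an Office application spawning a script host, and PowerShell handed a Base64-encoded command, a typical fileless launcher), and that the available responses are "kill_process" and "isolate_host". The telemetry, rule names and action names are all constructed for the illustration; the page itself lists logging off the user and alerting staff as responses, so host isolation is this example's assumption.

```python
"""EDR pipeline in miniature: agents report process telemetry to a central store, pre-configured
rules trigger automated containment, and an ancestry query rebuilds the process chain for
forensics. Added example for this page, not McAfee code; telemetry and field names are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str

def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

class Telemetry:
    """Central database the collection agents write into (in-memory stand-in)."""
    def __init__(self) -> None:
        self.by_key: Dict[Tuple[str, int], ProcEvent] = {}
    def ingest(self, ev: ProcEvent) -> None:
        self.by_key[(ev.host, ev.pid)] = ev
    def parent(self, ev: ProcEvent) -> Optional[ProcEvent]:
        return self.by_key.get((ev.host, ev.ppid))
    def ancestry(self, host: str, pid: int) -> List[str]:
        """Forensics query: follow parent links to rebuild the chain, root first."""
        chain, seen = [], set()
        ev = self.by_key.get((host, pid))
        while ev is not None and (ev.host, ev.pid) not in seen:   # guard against PID-reuse loops
            seen.add((ev.host, ev.pid))
            chain.append(basename(ev.image))
            ev = self.parent(ev)
        return chain[::-1]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def office_spawns_script_host(ev: ProcEvent, store: Telemetry) -> bool:
    parent = store.parent(ev)
    return parent is not None and basename(parent.image) in OFFICE and basename(ev.image) in SCRIPT_HOSTS

def encoded_powershell(ev: ProcEvent, store: Telemetry) -> bool:
    """Base64 payload on the command line, a common fileless launcher. powershell.exe accepts
    -EncodedCommand, any unambiguous prefix such as -e or -enc, and the alias -ec."""
    if basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return False
    return any(tok == "-ec" or (len(tok) >= 2 and "-encodedcommand".startswith(tok))
               for tok in ev.cmdline.lower().split())

@dataclass
class Rule:
    name: str
    match: Callable[[ProcEvent, Telemetry], bool]
    actions: List[str]   # containment actions; an alert is always raised as well

RULES = [
    Rule("office_spawns_script_host", office_spawns_script_host, ["kill_process"]),
    Rule("encoded_powershell", encoded_powershell, ["kill_process", "isolate_host"]),
]

class ResponseEngine:
    def __init__(self, store: Telemetry, rules: List[Rule]) -> None:
        self.store, self.rules = store, rules
        self.alerts: List[dict] = []
        self.actions_taken: List[Tuple[str, str, int]] = []
        self.isolated_hosts: Set[str] = set()
    def process(self, ev: ProcEvent) -> List[str]:
        """Ingest one event, evaluate every rule, respond; return the names of rules that fired."""
        self.store.ingest(ev)
        fired = []
        for rule in self.rules:
            if not rule.match(ev, self.store):
                continue
            fired.append(rule.name)
            for action in rule.actions:
                record = (action, ev.host, ev.pid)
                if record in self.actions_taken or (action == "isolate_host" and ev.host in self.isolated_hosts):
                    continue   # idempotent: never kill or isolate twice
                self.actions_taken.append(record)
                if action == "isolate_host":
                    self.isolated_hosts.add(ev.host)
            self.alerts.append({"rule": rule.name, "host": ev.host, "pid": ev.pid,
                                "chain": self.store.ancestry(ev.host, ev.pid)})
        return fired

def run_demo() -> ResponseEngine:
    """Replay constructed telemetry: a macro document launching encoded PowerShell, plus benign siblings."""
    engine = ResponseEngine(Telemetry(), RULES)
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    for ev in [
        ProcEvent("ws-042", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
        ProcEvent("ws-042", 200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  '"WINWORD.EXE" invoice.docm'),
        ProcEvent("ws-042", 300, 200, ps, "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3"),
        ProcEvent("ws-042", 400, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
        ProcEvent("ws-042", 500, 100, ps, "powershell.exe Get-Process"),
    ]:
        engine.process(ev)
    return engine
```

Running `run_demo()` produces two alerts, both for pid 300 and both carrying the reconstructed chain explorer.exe, winword.exe, powershell.exe, while the interactive cmd.exe and PowerShell sessions launched from the desktop stay silent. Two design points matter in practice: rules are matched against stored context (the parent event), not just the event in hand, which is why collection into a central store comes before response; and containment actions are made idempotent, because several rules firing on one process must not isolate the same host twice.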

New EDR capabilities improve threat intelligence


New features and services are expanding EDR solutions' ability to detect and investigate threats.

For example, third-party threat intelligence services, such as McAfee Global Threat Intelligence
(/enterprise/en-us/threat-center/global-threat-intelligence-technology.html), increase the effectiveness of
endpoint security solutions. Threat intelligence services provide an organization with a global pool of
information on current threats and their characteristics. That collective intelligence helps increase an EDR's
ability to identify exploits, especially multi-layered and zero-day attacks. Many EDR vendors offer threat
intelligence subscriptions as part of their endpoint security solution.

Additionally, new investigative capabilities in some EDR solutions can leverage AI and machine learning to
automate the steps in an investigative process. These new capabilities can learn an organization's baseline
behaviors and use this information, along with a variety of other threat intelligence sources, to interpret
findings.
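One way to make "learn an organization's baseline behaviors" concrete is to record, over a training window, which parent/child process pairs occur on which hosts, and then judge a new event by how many hosts in the estate have ever exhibited that pair, enriching the verdict with an external list of commonly abused binaries as a stand-in for a threat intelligence source. The following is an added illustration for this page and is not McAfee's algorithm; the telemetry, the 5% prevalence threshold, the severity weights and the contents of the abused-binary list are constructed assumptions.

```python
"""Baselining parent/child process pairs across an estate so that behaviour never seen in the
organisation stands out, then enriching the verdict with an external list of commonly abused
binaries. Added illustration for this page, not McAfee's algorithm; the telemetry, the 5%
prevalence threshold and the severity weights are constructed assumptions."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]   # (parent image, child image) as lower-cased basenames

class Baseline:
    def __init__(self) -> None:
        self.hosts: Set[str] = set()
        self.hosts_by_pair: Dict[Pair, Set[str]] = defaultdict(set)

    def learn(self, host: str, parent: str, child: str) -> None:
        """Training window: record which hosts exhibit each parent/child pair."""
        self.hosts.add(host)
        self.hosts_by_pair[(parent.lower(), child.lower())].add(host)

    def prevalence(self, parent: str, child: str) -> float:
        """Fraction of baselined hosts on which the pair was ever observed."""
        if not self.hosts:
            return 0.0
        return len(self.hosts_by_pair.get((parent.lower(), child.lower()), set())) / len(self.hosts)

# Stand-in for a threat intelligence feed: dual-use system binaries routinely abused by
# fileless attacks. Contents chosen for the example.
ABUSED_BINARIES = {"powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                   "certutil.exe", "wmic.exe", "cscript.exe"}
RARE_THRESHOLD = 0.05   # assumption: seen on fewer than 5% of hosts counts as rare

def assess(baseline: Baseline, host: str, parent: str, child: str) -> dict:
    """Interpret one new event against the learned baseline plus the intel list."""
    p = baseline.prevalence(parent, child)
    verdict = "novel" if p == 0.0 else "rare" if p < RARE_THRESHOLD else "baseline"
    severity = {"novel": 2, "rare": 1, "baseline": 0}[verdict]
    if verdict != "baseline" and child.lower() in ABUSED_BINARIES:
        severity += 1      # unusual for this estate *and* a known abuse target
    return {"host": host, "pair": (parent, child), "prevalence": round(p, 3),
            "verdict": verdict, "severity": severity}

def build_demo_baseline() -> Baseline:
    """Constructed training data: 200 workstations with ordinary activity, and four
    administrators who launch PowerShell from the desktop."""
    b = Baseline()
    for i in range(200):
        host = f"ws-{i:03d}"
        for parent, child in [("explorer.exe", "chrome.exe"), ("explorer.exe", "outlook.exe"),
                              ("services.exe", "svchost.exe"), ("outlook.exe", "winword.exe")]:
            b.learn(host, parent, child)
    for i in range(4):
        b.learn(f"ws-{i:03d}", "explorer.exe", "powershell.exe")
    return b

def run_demo() -> List[dict]:
    b = build_demo_baseline()
    observed = [   # constructed events from one workstation after the training window
        ("ws-150", "explorer.exe", "chrome.exe"),      # everyday activity
        ("ws-150", "explorer.exe", "powershell.exe"),  # seen on 2% of hosts
        ("ws-150", "winword.exe", "powershell.exe"),   # never seen in this estate
        ("ws-150", "excel.exe", "mshta.exe"),          # never seen, abused binary
        ("ws-150", "winword.exe", "notepad.exe"),      # never seen, but not on the intel list
    ]
    return [assess(b, *event) for event in observed]
```

The point of the prevalence score is that the same event means different things in different organizations: PowerShell launched from the desktop is routine in an estate full of administrators and suspicious in one where nobody does it, and only a baseline learned from the organization's own telemetry can tell the two apart. The intelligence list then separates a novel but harmless pair (Word opening Notepad) from a novel pair involving a binary attackers are known to abuse.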

Another type of threat intelligence is the Adversarial Tactics, Techniques, and Common Knowledge
(ATT&CK) (https://attack.mitre.org/) project underway at MITRE, a nonprofit research group that works with
the U.S. government. ATT&CK is a knowledgebase and framework built on the study of millions of real-
world cyberattacks.

ATT&CK categorizes cyberthreats by various factors, such as the tactics used to infiltrate an IT system, the type of system vulnerabilities exploited, the malware tools used, and the criminal groups associated with the attack. The focus of the work is on identifying patterns and characteristics that remain unchanged regardless of minor changes to an exploit. Details such as IP addresses, registry keys, and domain names can change frequently, but an attacker's methods, or "modus operandi," usually remain the same. An EDR can use these common behaviors to identify threats that have been altered in other ways.
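The difference between matching on changeable details and matching on the attacker's method can be shown by replaying one intrusion twice: once as first observed, and once after the attacker rebuilds the payload (new hash) and moves infrastructure (new domain and IP). The following is an added example for this page, not McAfee or MITRE code. The events, hashes, domains, IPs and indicator lists are constructed; the behaviour rule (a binary running from a user-writable path writing an autostart Run key, then beaconing over a web port) and its mapping to ATT&CK technique IDs T1547.001 and T1071.001 are this example's own reading of the framework.

```python
"""Indicators versus behaviour: the same intrusion is replayed twice, once as first observed
and once after the attacker rebuilds the payload and moves infrastructure. An indicator match
catches only the first; a behaviour rule catches both and labels them with ATT&CK technique
IDs. Added example for this page, not McAfee or MITRE code; events, hashes, domains, IPs and
the IOC lists are constructed, and the technique mapping is this example's own reading."""
import hashlib
from typing import Dict, List

# Indicators harvested from the first incident (constructed values).
IOC_SHA256 = {hashlib.sha256(b"payload build 1").hexdigest()}
IOC_DOMAINS = {"update-cdn-01.example.net"}
IOC_IPS = {"203.0.113.10"}

# Assumptions for the behaviour rule: paths an ordinary user can write to, and the
# per-user or per-machine autostart key (HKCU or HKLM, hence a suffix match).
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"

def ioc_detect(events: List[Dict]) -> List[str]:
    """Match each event's hash, domain and destination IP against the indicator lists."""
    hits = []
    for ev in events:
        if ev.get("sha256") in IOC_SHA256:
            hits.append("hash:" + ev["sha256"][:12])
        if ev.get("domain") in IOC_DOMAINS:
            hits.append("domain:" + ev["domain"])
        if ev.get("dst_ip") in IOC_IPS:
            hits.append("ip:" + ev["dst_ip"])
    return hits

def behaviour_detect(events: List[Dict]) -> List[Dict]:
    """Persistence through a Run key written by a binary executing from a user-writable path
    (T1547.001, tactic TA0003), then web-port beaconing by that same process (T1071.001, TA0011)."""
    alerts, persisters = [], set()
    for ev in events:
        image = ev["image"].lower()
        if (ev["type"] == "registry" and ev["key"].lower().rstrip("\\").endswith(RUN_KEY_SUFFIX)
                and image.startswith(USER_WRITABLE)):
            persisters.add(ev["pid"])
            alerts.append({"technique": "T1547.001", "tactic": "TA0003", "pid": ev["pid"], "image": ev["image"]})
        elif ev["type"] == "network" and ev["pid"] in persisters and ev.get("dst_port") in (80, 443):
            alerts.append({"technique": "T1071.001", "tactic": "TA0011", "pid": ev["pid"], "dst": ev["domain"]})
    return alerts

def incident(build: bytes, domain: str, ip: str) -> List[Dict]:
    """Constructed telemetry for one intrusion; only hash, domain and IP change between runs."""
    image = r"C:\Users\jdoe\AppData\Roaming\svchost-update.exe"
    return [
        {"type": "process", "pid": 4242, "image": image, "sha256": hashlib.sha256(build).hexdigest()},
        {"type": "registry", "pid": 4242, "image": image,
         "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater", "data": image},
        {"type": "network", "pid": 4242, "image": image, "domain": domain, "dst_ip": ip, "dst_port": 443},
    ]

def run_demo() -> Dict[str, list]:
    first = incident(b"payload build 1", "update-cdn-01.example.net", "203.0.113.10")
    variant = incident(b"payload build 2", "cdn-sync-77.example.org", "198.51.100.23")
    return {
        "ioc_first": ioc_detect(first), "ioc_variant": ioc_detect(variant),
        "behaviour_first": behaviour_detect(first), "behaviour_variant": behaviour_detect(variant),
    }
```

Against the first incident both detectors fire; against the variant the indicator lists produce nothing, because every value they hold has changed, while the behaviour rule still reports the same two techniques, because the attacker still needs to survive a reboot and still needs to reach a server. Behaviour rules need care of their own: the user-writable-path condition is what keeps a legitimate installer under Program Files writing the same Run key from alerting.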

As IT security professionals face increasingly complex cyberthreats, as well as a greater diversity in the
number and types of endpoints accessing the network, they need more help from the automated analysis
and response that endpoint detection and response solutions provide.

Copyright ©2019 McAfee, LLC