Endpoint Detection and Response (EDR) is a cybersecurity technology that continuously monitors all incoming and outbound internet traffic on a network. When installed and tuned properly, an EDR system can scan that traffic and recognize potential threats to the network (e.g. malware, phishing attacks).

Additionally, the EDR can alert on and shut down potentially dangerous attacks before they spread to other machines and users.

In this brief, we will take a closer look at how this is done and why this technology has become a critical component of cybersecurity.

How Does Endpoint Detection & Response Work?

One of the interesting advantages of EDR is its ability to scan emails at the attachment level. Why is this useful? Many cybercriminals will use an end user’s attached file (e.g. an Excel or Word document) as a ‘host’ for malware.

Here’s an example.

The EDR system sees an email from a legitimate user with a normal .xls attachment. However, when the file is scanned by the EDR, it notices that a .exe (an executable file) has been embedded in it. Based on past inspections, the EDR learns what the end user’s content normally looks like.

If, in this example, the user never embeds a .exe in a company file, the EDR assumes malware has been added by an outside threat.

The EDR can quarantine the email and alert the system administrator so further investigation can be performed.

Once the file is safely inspected, the administrator can release or shut down the email accordingly.
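As an added illustration of the attachment-level check described above (example code written for this page, not any product's own logic): it looks for a Windows executable embedded inside an attachment by validating the MZ/PE header layout rather than just the letters "MZ", compares the finding against a per-sender baseline, and returns a deliver / alert / quarantine decision. The constructed .xls sample, the `UserBaseline` fields and the function names are all assumptions.

```python
"""Constructed example: attachment-level inspection with a per-sender baseline."""
from dataclasses import dataclass

# A Windows executable starts with the DOS header "MZ"; the 4-byte field at
# offset 0x3C (e_lfanew) points to the "PE\0\0" signature. Checking both
# avoids flagging every attachment that merely contains the letters "MZ".
MZ_HEADER = b"MZ"
PE_SIG = b"PE\0\0"


def find_embedded_pe(data: bytes) -> list[int]:
    """Return offsets of every MZ header whose e_lfanew lands on a PE signature."""
    hits, start = [], 0
    while (i := data.find(MZ_HEADER, start)) != -1:
        start = i + 1
        if i + 0x40 > len(data):
            break  # too short to hold a complete DOS header
        e_lfanew = int.from_bytes(data[i + 0x3C:i + 0x40], "little")
        if 0 < e_lfanew < len(data) - i - 4 and data[i + e_lfanew:i + e_lfanew + 4] == PE_SIG:
            hits.append(i)
    return hits


@dataclass
class UserBaseline:
    """What past inspections have taught the EDR about one sender (assumed field)."""
    ever_sent_executable: bool = False


def inspect_attachment(baseline: UserBaseline, filename: str, data: bytes) -> dict:
    """Decide deliver / alert / quarantine for one attachment from one sender."""
    offsets = find_embedded_pe(data)
    verdict = {"filename": filename, "pe_offsets": offsets, "action": "deliver", "reason": "no embedded executable"}
    if offsets and not baseline.ever_sent_executable:
        # Executable content from a sender who never sends executables: hold the
        # message and notify the administrator, as the brief describes.
        verdict.update(action="quarantine", reason=f"executable at offset {offsets[0]} inside {filename}; outside sender's baseline")
    elif offsets:
        verdict.update(action="alert", reason="executable content is within sender's baseline; flag for review")
    return verdict


def build_sample_xls_with_pe() -> bytes:
    """Constructed sample: an OLE2-style header sector followed by a minimal fake PE stub."""
    ole_magic = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # the real .xls (CFB) magic bytes
    header_sector = ole_magic + b"\x00" * (512 - len(ole_magic))
    stub = bytearray(b"MZ" + b"\x00" * 62)            # 64-byte DOS header
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")    # e_lfanew -> PE header at 0x80
    stub += b"\x00" * (0x80 - len(stub)) + PE_SIG + b"\x00" * 20
    return header_sector + bytes(stub)


if __name__ == "__main__":
    print(inspect_attachment(UserBaseline(), "q3_report.xls", build_sample_xls_with_pe()))
```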

What’s the Value of Endpoint Detection & Response?

The EDR’s ability to review files at this granular level means potential threats can be found early. Without this level of inspection, these malware types, if not caught and isolated, can cause tremendous damage to your organization.

In Summary

  • Adds analytics to inspection on the file level
  • Looks for behavior changes in a file
  • Recognizes changes to the file (items hidden in the file, such as a .exe)
  • Proactive quarantine isolates a machine if there’s suspected ransomware/malware until the issue is resolved by IT
  • No single solution is offered à la carte, because all systems need to work together to create the best defense possible
