EDR stands for endpoint detection and response. EDR is a security strategy that matters now more than ever given the skyrocketing growth of endpoints across the internet of things (IoT), internet of medical things (IoMT), operational technology (OT), 5G, and smart devices. Every new endpoint expands an organization’s attack surface, and many endpoints are unmanaged and effectively invisible to legacy security tools and solutions.
In addition to traditional endpoints like on-premises desktop computers and servers, today’s endpoints can include everything from virtual machines and cloud data storage to wireless security cameras, smartwatches, connected industrial control system (ICS) devices, and more. An even wider view of endpoints includes “network switches, routers, load balancers, firewalls, and VoIP apps” — in short, an endpoint can be defined as “anything that can be identified, addressed, or attacked.”
Endpoints can also be defined or classified by their behavior. For example, wireless security cameras are stationary by design, while tablets are mobile. Each endpoint will have its own communication timing and volume profile, a list of cloud services that it accesses, and specific tunnels that it may use. Depending on the type of data they handle and the organization’s security practices, endpoint communication may or may not be encrypted.
The challenge in endpoint detection now is that most connected devices are unmanaged and unagentable: they cannot run a security agent. Traditional security scans can’t detect them and may interfere with their functionality. Devices that use certain wireless connectivity protocols may be invisible to legacy security solutions that look for Ethernet and Wi-Fi connections but can’t see Bluetooth, NFC, and other newer protocols.
Without a complete view of all endpoints across the environment, organizations are more vulnerable to a host of security threats, including the remote takeover of control systems, network intrusions via unpatched vulnerabilities in device firmware and software, ransomware attacks, and data theft. For example, unmanaged devices represent 31% of Log4j threats detected by Armis. Without a complete inventory of all endpoints and real-time insight into their activity, such threats may go undetected.
The “response” element in EDR includes responding to vulnerabilities and to threats. An EDR solution that can compare each endpoint to a device knowledgebase to identify and remediate vulnerabilities can reduce the risk of real-time threats. An EDR tool that also monitors endpoint behavior — including communication frequency, destination, and encryption status — can raise real-time alerts when a device or other endpoint is behaving abnormally.
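The behavioral monitoring described above (communication timing, volume, destinations, and encryption status, per endpoint) can be illustrated with a small baseline-and-compare routine. The code below is an added example, not Armis platform code: it learns one profile per device from constructed historical flow records, then scores new flows and returns an alert for each deviation. Device names, hostnames, and byte counts are all constructed sample values; the 5% volume floor and the 3-sigma threshold are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    """One outbound connection summary (constructed telemetry, not a real data source)."""
    device: str
    hour: int        # hour of day the flow started (0-23)
    dst: str         # destination host or cloud service
    bytes_out: int
    encrypted: bool  # TLS or other transport encryption observed


@dataclass
class Baseline:
    destinations: Set[str]
    active_hours: Set[int]
    mean_bytes: float
    std_bytes: float
    always_encrypted: bool
    samples: int


def build_baselines(flows: List[Flow]) -> Dict[str, Baseline]:
    """Learn one behavioral profile per device from historical flows."""
    by_device: Dict[str, List[Flow]] = {}
    for f in flows:
        by_device.setdefault(f.device, []).append(f)
    baselines: Dict[str, Baseline] = {}
    for device, fl in by_device.items():
        sizes = [f.bytes_out for f in fl]
        hours = [f.hour for f in fl]
        baselines[device] = Baseline(
            destinations={f.dst for f in fl},
            # Treat the span from earliest to latest observed hour as the active window
            active_hours=set(range(min(hours), max(hours) + 1)),
            mean_bytes=mean(sizes),
            std_bytes=pstdev(sizes),
            always_encrypted=all(f.encrypted for f in fl),
            samples=len(fl),
        )
    return baselines


def evaluate(flow: Flow, baselines: Dict[str, Baseline], z_threshold: float = 3.0) -> List[str]:
    """Return alert strings for one new flow; an empty list means it fits the profile."""
    b = baselines.get(flow.device)
    if b is None:
        # A device with no baseline is itself a finding: it is not in the inventory
        return [f"{flow.device}: not in inventory, no baseline"]
    alerts: List[str] = []
    if flow.dst not in b.destinations:
        alerts.append(f"{flow.device}: new destination {flow.dst}")
    if flow.hour not in b.active_hours:
        alerts.append(f"{flow.device}: activity at hour {flow.hour} outside observed hours")
    # Floor the spread at 5% of the mean so a nearly constant sender still gets a usable scale
    scale = max(b.std_bytes, 0.05 * b.mean_bytes, 1.0)
    z = (flow.bytes_out - b.mean_bytes) / scale
    if z > z_threshold:
        alerts.append(f"{flow.device}: volume {flow.bytes_out} B is {z:.1f} sigma above baseline")
    if b.always_encrypted and not flow.encrypted:
        alerts.append(f"{flow.device}: cleartext connection from a device that always used encryption")
    return alerts


# Constructed history: a stationary camera streaming to one service around the clock,
# and a tablet used during working hours against a few services.
BASELINE_FLOWS = [
    Flow("cam-01", h, "video-cloud.example", size, True)
    for h, size in [(0, 5_000_000), (6, 5_050_000), (12, 4_950_000), (18, 5_020_000), (23, 4_980_000)]
] + [
    Flow("tablet-07", 9, "mail.example", 120_000, True),
    Flow("tablet-07", 10, "docs.example", 800_000, True),
    Flow("tablet-07", 12, "mail.example", 90_000, True),
    Flow("tablet-07", 14, "docs.example", 1_200_000, True),
    Flow("tablet-07", 16, "mail.example", 150_000, True),
]

# Constructed new observations to score against the baselines
NEW_FLOWS = [
    Flow("cam-01", 3, "video-cloud.example", 5_100_000, True),   # fits the profile
    Flow("cam-01", 3, "203.0.113.7", 5_000_000, True),           # unexpected destination
    Flow("cam-01", 3, "video-cloud.example", 50_000_000, True),  # volume spike
    Flow("cam-01", 3, "video-cloud.example", 5_000_000, False),  # encryption dropped
    Flow("tablet-07", 3, "mail.example", 100_000, True),         # off-hours activity
    Flow("printer-03", 11, "updates.example", 20_000, True),     # device with no baseline
]


def run_demo():
    """Score every constructed new flow; returns (device, destination, alerts) triples."""
    baselines = build_baselines(BASELINE_FLOWS)
    return [(f.device, f.dst, evaluate(f, baselines)) for f in NEW_FLOWS]


if __name__ == "__main__":
    for device, dst, alerts in run_demo():
        print(device, dst, "OK" if not alerts else alerts)
```

The point of the per-device profile is that the same behavior is normal for one endpoint and suspicious for another: a camera reaching a never-before-seen address or a tablet active at 03:00 each trips a different check, while the unknown printer shows why inventory completeness comes before behavioral detection. In practice the active-hours window and volume statistics would be built from far more history than five samples.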
EDR solutions must identify and monitor every device in an organization’s environment to fully secure endpoints. The Armis platform provides EDR capabilities to identify all devices (managed and unmanaged), assess them for vulnerabilities, automatically install updates, monitor device behavior, and raise alerts when threats emerge in real time.