What is EDR Cyber Security?

EDR stands for endpoint detection and response. EDR is a security strategy that matters now more than ever given the skyrocketing growth of endpoints across the internet of things (IoT), internet of medical things (IoMT), OT, 5G, and smart devices. Every new endpoint expands an organization’s attack surface, and many endpoints are unmanaged and effectively invisible to legacy security tools and solutions.

Defining Endpoints

In addition to traditional endpoints like on-premises desktop computers and servers, today’s endpoints can include everything from virtual machines and cloud data storage to wireless security cameras, smartwatches, connected industrial control system (ICS) devices, and more. An even wider view of endpoints includes “network switches, routers, load balancers, firewalls, and VoIP apps” — in short, an endpoint can be defined as “anything that can be identified, addressed, or attacked.”

Endpoints can also be defined or classified by their behavior. For example, wireless security cameras are stationary by design, while tablets are mobile. Each endpoint will have its own communication timing and volume profile, a list of cloud services that it accesses, and specific tunnels that it may use. Depending on the type of data they handle and the organization’s security practices, endpoint communication may or may not be encrypted.

Detecting Endpoints and Responding to Endpoint Threats

The challenge in endpoint detection now is that most cyber devices are unmanaged and unagentable. Traditional security scans can’t detect them and may interfere with their functionality. Devices with certain wireless connectivity protocols may be invisible to legacy security solutions that look for Ethernet and Wi-Fi connections but can’t see Bluetooth, NFC, and other newer protocols.

Without a complete view of all endpoints across the environment, organizations are more vulnerable to a host of security threats, including the remote takeover of control systems, network intrusions via unpatched vulnerabilities in device firmware and software, ransomware attacks, and data theft. For example, unmanaged devices represent 31% of Log4j threats detected by Armis. Without a complete inventory of all endpoints and real-time insight into their activity, such threats may go undetected.

The “response” element in EDR includes responding to vulnerabilities and to threats. An EDR solution that can compare each endpoint to a device knowledgebase to identify and remediate vulnerabilities can reduce the risk of real-time threats. An EDR tool that also monitors endpoint behavior — including communication frequency, destination, and encryption status — can raise real-time alerts when a device or other endpoint is behaving abnormally.