In our Acronym Series, Nexum’s expert engineers define the industry’s most popular topics.

Acronym: EDR – Endpoint Detection and Response

Definition:

EDR is a category of cybersecurity tools used to continually detect and investigate threats on mobile devices, PCs, laptops, cloud workloads, and Internet of Things (IoT) devices in real time, ultimately mitigating malicious threats.

Explanation: 

EDR analyzes events and offers advanced threat detection, investigation, response and alert triage, suspicious and malicious activity detection, and regulation.

Traditional anti-virus programs relied heavily on signatures to detect when something was malicious. Signature matching uses a database of “known bad” items, and when something matches, it’s considered a threat. Although the primary method of threat detection is still signature matching, recent versions of anti-virus solutions added some behavioral detection.

In contrast, EDR tools rely heavily on behavioral analysis to detect a threat. As zero-day vulnerabilities increase, it is essential to find an EDR solution that provides real-time visibility, a broad threat database, behavioral approach protections that search for indicators of an attack before being compromised, and a fast and accurate response to stop attacks before a breach occurs.

Many cybersecurity attacks can be prevented with the right EDR tools, minimizing the number of attacks that require in depth analysis. Key EDR functions uncover stealthy attackers by analyzing events and providing threat intelligence and proactive defense. Security teams can analyze alerts in real-time and gain visibility to local and external addresses to which hosts are connected, as well as which users have logged into the hosts (which can help detect attackers using legitimate credentials, and other potentially malevolent network activity).