Securing the Network Edge

Endpoint detection and response can reduce serious incidents by 50%

By Otis Green | Dec 13, 2022 | 7:55 am CST

We’re living in a new world of permanent freedom thanks to trends in remote work. But new business models represent significant security liabilities to the enterprise. Did you know that when a remote worker is the cause of a breach, the cost of remediation rises by $1M? When innovation comes with high risk at an even higher cost, it’s all the more important for IT leaders to balance hybrid work with the requirements of security. And when it comes to putting protection at the new network edge, more companies are turning to Endpoint Detection and Response (EDR) solutions. This article explores what EDR is and what it’s not, highlighting research from Nemertes which shows EDR can reduce serious security incidents by 50%.

What is EDR?

Before getting into the definition of EDR, it may help to define the endpoint first. An endpoint is a device that connects to a network. Laptop computers and smartphones are endpoints, to name two of many examples. Endpoints are literally at the end of the network, representing the network’s physical reach. As the frontline edge of the network, endpoints are well placed to be the earliest detectors, and because they are so numerous, they can pick up cyber threats early in an attack cycle.

This helps explain why EDR solutions use advanced technology to turn endpoints into cybersecurity sensors that detect threats. These solutions can also use endpoints to help with cyber incident response. Learn more about how EDR works in this guide to endpoint security.

What is XDR and how is it different from EDR?

Flashy cybersecurity technologies and new paradigms come along every year, making security and IT professionals quickly forget about last year’s novel innovation, and EDR is at risk of this notoriously short attention span. Word on the street is that EDR has evolved and been “replaced” by Extended Detection and Response (XDR). Not only is this untrue, but XDR is also quite different from EDR and can’t possibly replace it.

XDR takes in data streams from multiple sources to detect and respond to threats across a wide variety of environments. It is in this context that XDR connects with EDR solutions, receiving information from all endpoints and their installed cybersecurity sensors.

EDR is also distinct from endpoint protection platforms (EPP), which may include anti-virus solutions. However, in some cases, EDR and EPP solutions come in a single package, together with technologies for endpoint forensics and related functions.

EDR: Rolling it into a broader SASE solution

EDR solutions may also be incorporated into a broader threat detection and response ecosystem, feeding flow data into Secure Access Service Edge (SASE) solutions, with the goal of spotting anomalies that suggest an attack is underway. According to Nemertes, about 47% of those using EDR said they also used a SASE solution.

When added to the SASE mix, EDR can provide critical real-time feedback on unfolding threats at the network edge. It can feed data into the SASE platform, aiding other components such as Cloud Access Security Brokers (CASBs) and/or Zero Trust Network Access (ZTNA) solutions. This can help slow the spread of an attack such as ransomware. Bottom line: EDR is a core component in widening protections and making security reach everywhere.

Why is EDR important today?

EDR matters now for a variety of reasons. The increasingly serious threat environment is one factor in making EDR an essential cybersecurity countermeasure. Consider that ransomware has reached a new high, victimizing 71% of organizations, according to CyberEdge Group’s “2022 Cyberthreat Defense Report.”

The most significant issue, however, is the shift to persistent hybrid work. Employees are working from pretty much anywhere, on a range of devices. This means more endpoints in more places, connecting to the network through more means.

The internet is making matters worse.

The risk of endpoint compromise or infection rises as endpoints connect to the network through the public internet, away from protective services provided by the on-premises network. It is essential to stay on top of those endpoints to detect threats such as ransomware as early as possible. An EDR solution can do this, enabling the endpoint to become part of a centrally orchestrated, automated, distributed response.

EDR reduces serious security incidents by 50%

Interest in EDR is strong. Nemertes’ studies found that:

  • 56% of organizations had begun to deploy EDR in 2021
  • Another 24% intended to buy it by the end of 2022

EDR appears to be delivering value too.

Nemertes’ studies also revealed that:

  • Security organizations using EDR had a 50% lower rate of serious security incidents than those not using EDR.
  • The most successful security organizations are 165% more likely to be using the combination of EDR and EPP.
  • An 82.5% reduction in serious security incidents was associated with the use of a combined EDR/EPP client.

Ensuring success through operations

EDR solutions generate a great deal of security data, and while much of the analysis will be highly automated, the human touch is still necessary. For this data to have any positive effect on security, people must play a key role in analyzing it in real time and building a response plan when threats are confirmed. This means integrating EDR with the Security Operations Center (SOC), where security analysts can review alerts from the EDR solution and determine what action is needed.
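To make the two ideas above concrete, the XDR-style joining of endpoint sensor events with other data streams (the "What is XDR" section) and the SOC triage of EDR alerts described here, the following is an added example of a minimal alert-triage routine. It is not code from the article or from any EDR, XDR or SASE product: the event fields, the `edr`/`sase` source tags, the detection weights, the correlation window and the action thresholds are all assumptions chosen for illustration, and the events themselves are constructed sample telemetry.

```python
"""Minimal EDR/SASE alert triage: correlate events from several sources per
host and decide which hosts need an analyst's attention.

Added example, not code from the original article or from any EDR/SASE
product. Field names, weights, window and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Weight per detection type (assumed; a real SOC tunes these to its telemetry).
WEIGHTS = {
    "suspicious_process": 3,    # endpoint sensor: unusual child process
    "ransomware_indicator": 8,  # endpoint sensor: mass file rename/encrypt pattern
    "policy_violation": 2,      # ZTNA/SASE: access attempt outside policy
    "dns_anomaly": 2,           # network side: unusual lookups from the host
}


@dataclass(frozen=True)
class Event:
    source: str     # "edr" (endpoint sensor) or "sase" (network side); assumed tags
    host: str       # hostname used as the join key across sources
    detection: str  # one of the WEIGHTS keys
    minute: int     # minutes since the start of the observation window


# Constructed sample telemetry: three hosts, events from both sources.
SAMPLE_EVENTS = [
    Event("edr", "laptop-01", "suspicious_process", 0),
    Event("sase", "laptop-01", "dns_anomaly", 3),
    Event("edr", "laptop-01", "ransomware_indicator", 5),
    Event("edr", "laptop-02", "suspicious_process", 10),
    Event("sase", "laptop-02", "dns_anomaly", 14),
    Event("sase", "laptop-03", "policy_violation", 12),
    Event("sase", "laptop-03", "policy_violation", 40),
]


def correlate_by_host(events):
    """Group events from all sources by host, ordered by time (the XDR-style join)."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    for evs in by_host.values():
        evs.sort(key=lambda e: e.minute)
    return dict(by_host)


def score_host(events, window=15):
    """Sum the weights of the events that fall within `window` minutes of the
    host's first event. Evidence from more than one source earns a bonus,
    because endpoint and network sensors agreeing is stronger than either
    alone (assumed rule)."""
    if not events:
        return 0
    start = events[0].minute
    in_window = [e for e in events if e.minute - start <= window]
    score = sum(WEIGHTS.get(e.detection, 1) for e in in_window)
    if len({e.source for e in in_window}) > 1:
        score += 2
    return score


def triage(score):
    """Map a score to the SOC action (thresholds assumed)."""
    if score >= 10:
        return "isolate_and_page_analyst"
    if score >= 4:
        return "analyst_review"
    return "monitor"


def triage_all(events=SAMPLE_EVENTS):
    """Return {host: (score, action)} for every host seen in the feed."""
    result = {}
    for host, evs in correlate_by_host(events).items():
        score = score_host(evs)
        result[host] = (score, triage(score))
    return result


if __name__ == "__main__":
    for host, (score, action) in sorted(triage_all().items()):
        print(f"{host}: score={score:2d} -> {action}")
```

With the constructed feed, laptop-01 combines an endpoint ransomware indicator with a network DNS anomaly inside the window and is flagged for isolation, laptop-02 reaches analyst review only because two sources agree, and laptop-03's two policy violations are too far apart to correlate and stay at monitor. The point for the SOC integration is that the automation narrows the queue; an analyst still confirms the isolation decision and builds the response plan.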

Conclusion: Good value in early detection

EDR is essential for achieving and maintaining a robust security posture in this era of hybrid work. The technology utilizes pervasive and widely distributed endpoints as the earliest detectors of threats and agents of rapid response to cyber incidents. EDR has a natural fit with SASE and broad Zero Trust strategies. To work optimally, EDR solutions should integrate with the SOC.

Interested in learning more about Managed Security?

Call us now to arrange a consultation (855) 238-1463.
Or arrange for a consultation through our request form.