After a long agonizing process that involved plenty of conversations with vendors, enterprises and other analysts, I have settled on this generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) and other problems on hosts/endpoints: Endpoint Threat Detection & Response.
So, to summarize:
- Category name: Endpoint Threat Detection & Response
- Capabilities: see On Endpoint Sensing
- Use cases: see Endpoint Visibility Tool Use Cases
- Examples: Mandiant (MIR and MSO tools), CarbonBlack, Guidance Software (EnCase Cybersecurity [yes, that really is the name of the tool] and EnCase Analytics tools), RSA ECAT, CounterTack, CrowdStrike, etc.
The tools do have somewhat differing capabilities (such as the extent of data analysis performed on the agent vs the backend, collection timing and scope, integration of OOB indicators/intelligence, etc), but IMHO belong under the same general label.
By the way, a few other related tools may have broader functions and thus may justify a broader name – in their case the name “Endpoint Threat Detection & Response” can be applied to relevant tool capabilities and not to the entire toolset. Examples include Tanium, Bit9, HBGary, etc.
This name reflects the endpoint (as opposed to the network), threats (as opposed to just malware and officially declared incidents) and tools’ primary usage for both detection and incident response. While some may argue that “endpoint” label may be seen as applicable to workstations and not to servers, this minor loss of precision seems acceptable for the sake of brevity (others will say that four words is already too long).
These tools usually do not focus on full disk image acquisition and analysis (traditional computer forensics), but some can acquire such data as well as perform other forensic functions. On the other hand, the “next gen” endpoint prevention/blocking/isolation-focused tools should get their own category – but they are not my problem at this point.
There you have it! Thanks to everybody who participated in this discussion.
UPDATE (2015): these tools are now known as “EDR”; more recent Gartner research refers to them as EDR tools. In essence, ETDR (2013) = EDR (2015).
Posts related to the same project:
- Endpoint Threat Indication & Response?
- Endpoint Visibility Tool Use Cases
- On Endpoint Sensing
- RSA 2013 and Endpoint Agent Re-Emergence
- A Quiet Assumption