Gartner Blog Network


Reality Check on EDR / ETDR

by Anton Chuvakin  |  July 23, 2015  |  8 Comments

How exciting is Endpoint Detection and Response (EDR) technology? — Sorry to piss on your parade, but for many organizations it is NOT exciting at all.

Look, it is hard for me write this since personally I am super-excited about EDR / ETDR [hey, I came up with the original name]. Also, given the open source EDR-like options (GRR, MIG, El Jefe and the new one, Lima Charlie [updated Jan 2016]), the level of excitement is clearly high enough for some organizations to write and open-source their own. Also, there are now dozens (!) of vendors that promise EDR tools, EDR-like functionality, etc [some are new, some are “intruding” on the security domain from system management domain; even some SIEM tools that have flexible collection agents can sometimes be used in a pinch as a “toy EDR”]

Still, despite all this e-x-c-i-t-e-m-e-n-t, I see a lot of snoozing faces in the crowd … and why is that?

What are some of the EDR / ETDR headwinds:

  • Agent-based approach of most EDR tools: while we are seeing a bit of a revival of the agents, a lot of organizations hate security-focused agents with such passion that nothing (literally – not metaphorically, BTW!) will make them deploy yet another agent. You may have the smallest, safest, “effective-est” EDR in the galaxy … yet your prospective customers will still hate you with a passion [only because some stupid fat agent killed their dear Excel or slowed the system to a crawl 5 years ago]. Of course, I am watching the attempts to create a decent “agentless EDR” with much elation …
  • Woeful immaturity of monitoring and IR practices at many organizations: given the fact that EDR tooling makes certain tasks (like checking what is running on all your machines, etc) easier, there is an implication that there is a desire to perform those tasks and that there is somebody to actually do those tasks…
  • It seems like there are more skilled network security analysts than – eh … see, there isn’t even a name for it – “endpoint security analysts”: lots of people can say “this packet looks weird”, but much fewer can credibly say “this process looks weird” [I dunno…this one may be a stretch. What do you think?]

As I said to somebody “focus on the endpoint” may be a trend, but it does not mean it is operationally feasible for a lot of companies.

Finally, what about the stinking elephant in the room? The ANTI-VIRUS. My recent EDR-related clients calls (and there, BTW, very few of those) seem to be all about the blocking/prevention/mitigation features of the EDR tools, so the clients were not looking for endpoint visibility and better situational awareness, but for a less-abominable AV.

To me, that is nice, but entirely separate, and (IMHO) we need both:

  • Better AV, “NG AV” that focuses on better prevention (e.g. see this excellent GTP document), but also …
  • Better endpoint visibility, “EDR proper” that focuses on knowing what the hell is happening on your endpoints.

Yes, there will be some cross-over and hybridization, but the needs ARE separate. If you deploy an EDR tool while secretly hoping for a “better AV” tool, you are going to FAIL TWICE.

FYI, all Gartner papers on EDR / ETDR are listed below [2 require Gartner access and 1 requires Gartner GTP access]:

Enjoy!

Possibly related posts on EDR / ETDR:

Category: endpoint  etdr  malware  monitoring  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Reality Check on EDR / ETDR


  1. […] Anton Chuvakin How exciting is Endpoint Detection and Response (EDR) technology? — Sorry to piss on your parade, […]

  2. Glenn says:

    Anton,

    Glad to see you tackle this as it as the time has arrive.

    Some major clients make heavy investments in state of the art (AV) if there is such a thing, however they have made the same level of investments in EDR as they need to rely on both as neither one will do all.

  3. Matthew Gardiner says:

    The sweet spot buyer of ETDR from RSA (ECAT) are organizations with IR practices (SOC/CIRC) that they need to make more efficient. Usually led by the malware analyst (or the guy that usually handles the malware related investigations)that would really like most investigations to not come to him and be resolved by lower level analysts. But agreed if organizations are still stuck in a purely preventive security mindset, the value of better detective and investigative capabilities will be lost on them.

    • Thanks a lot for your comment, Mattew. Indeed, the enlightened orgs do know what to do with their EDR / ETDR tools, but the interesting question is how low towards the mainstream can it spread?

  4. Neil MacDonald says:

    er, some amount of disillusionment is normal as new technologies move through Gartner Hype Cycle… reflects relative immaturity of the technology, don’t mistake that for irrelevance or failure. Most go on to the “plateau of productivity”

    • Thanks a lot for the comment, Neil. Indeed, ERD is new and “fresh”, and we need to figure out [eventually] how much down into the mainstream it can/will go….

      No need to mention irrelevance – if people write their own, it is definitely relevant for some :-)

  5. […] of commercial tools, and then there are GRR and MozDef (as osquery, sort of). [See more details here and in this GTP […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.