How exciting is Endpoint Detection and Response (EDR) technology? — Sorry to piss on your parade, but for many organizations it is NOT exciting at all.
Look, it is hard for me to write this since personally I am super-excited about EDR / ETDR [hey, I came up with the original name]. Also, given the open source EDR-like options (GRR, MIG, El Jefe and the new one, Lima Charlie [updated Jan 2016]), the level of excitement is clearly high enough for some organizations to write and open-source their own. Also, there are now dozens (!) of vendors that promise EDR tools, EDR-like functionality, etc [some are new, some are “intruding” on the security domain from the system management domain; even some SIEM tools that have flexible collection agents can sometimes be used in a pinch as a “toy EDR”].
Still, despite all this e-x-c-i-t-e-m-e-n-t, I see a lot of snoozing faces in the crowd … and why is that?
What are some of the EDR / ETDR headwinds:
- Agent-based approach of most EDR tools: while we are seeing a bit of a revival of the agents, a lot of organizations hate security-focused agents with such passion that nothing (literally – not metaphorically, BTW!) will make them deploy yet another agent. You may have the smallest, safest, “effective-est” EDR in the galaxy … yet your prospective customers will still hate you with a passion [only because some stupid fat agent killed their dear Excel or slowed the system to a crawl 5 years ago]. Of course, I am watching the attempts to create a decent “agentless EDR” with much elation …
- Woeful immaturity of monitoring and IR practices at many organizations: EDR tooling makes certain tasks (like checking what is running on all your machines, what spawned what, etc) easier, but that only helps if the organization actually wants to perform those tasks and has somebody to do them…
- It seems like there are more skilled network security analysts than – eh … see, there isn’t even a name for it – “endpoint security analysts”: lots of people can say “this packet looks weird”, but much fewer can credibly say “this process looks weird” [I dunno…this one may be a stretch. What do you think?]
As I said to somebody “focus on the endpoint” may be a trend, but it does not mean it is operationally feasible for a lot of companies.
Finally, what about the stinking elephant in the room? The ANTI-VIRUS. My recent EDR-related client calls (and there are, BTW, very few of those) seem to be all about the blocking/prevention/mitigation features of the EDR tools, so the clients were not looking for endpoint visibility and better situational awareness, but for a less-abominable AV.
To me, that is nice, but entirely separate, and (IMHO) we need both:
- Better AV, “NG AV” that focuses on better prevention (e.g. see this excellent GTP document), but also …
- Better endpoint visibility, “EDR proper” that focuses on knowing what the hell is happening on your endpoints.
Yes, there will be some cross-over and hybridization, but the needs ARE separate. If you deploy an EDR tool while secretly hoping for a “better AV” tool, you are going to FAIL TWICE.
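To make the "EDR proper" side concrete, here is an added example (mine, not from the original post and not any vendor's code) of the two things the post says a tool can make easier but somebody still has to do: answering "what is running on all my machines?" (a fleet-rarity check) and "does this process look weird?" (a handful of triage heuristics: Office app spawning a shell, encoded PowerShell, a system-process name running outside System32, an unsigned executable in a user-writable directory). The process-creation records, their field names and the heuristics are constructed for the example and are not any product's schema or detection logic.

```python
"""Toy endpoint triage over constructed process-creation telemetry (example only)."""
import base64
import re
from collections import defaultdict

# Assumed field names (host, pid, ppid, image, parent_image, cmdline, signed):
# a generic shape for process-creation telemetry, not any EDR product's schema.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")

# Constructed payload: PowerShell -enc takes base64 of a UTF-16LE string.
ENC = base64.b64encode("Get-Process".encode("utf-16-le")).decode()

# Constructed sample fleet: three workstations, mostly benign activity, two odd processes.
EVENTS = [
    *[{"host": h, "pid": 1000 + i, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
       "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs",
       "signed": True} for i, h in enumerate(["ws01", "ws02", "ws03"])],
    *[{"host": h, "pid": 2000 + i, "ppid": 1500,
       "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
       "parent_image": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe",
       "signed": True} for i, h in enumerate(["ws01", "ws02", "ws03"])],
    # ws03: an ordinary interactive cmd.exe, so cmd.exe itself is not fleet-rare.
    {"host": "ws03", "pid": 4300, "ppid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe", "signed": True},
    # ws01: Excel spawning cmd.exe that launches encoded PowerShell (macro-style chain).
    {"host": "ws01", "pid": 4120, "ppid": 3380, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": f"cmd.exe /c powershell -enc {ENC}", "signed": True},
    # ws02: unsigned binary named like a system process, dropped in a user-writable directory.
    {"host": "ws02", "pid": 5100, "ppid": 1500, "image": r"C:\Users\Public\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "svchost.exe", "signed": False},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none / it is malformed."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16LE: leave for a human
        return None


def flag_weird_processes(events):
    """Apply the triage heuristics; return (host, pid, reason) tuples, one per reason."""
    findings = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        low = ev["image"].lower().replace("/", "\\")
        reasons = []
        if parent in OFFICE_APPS and image in SHELLS:
            reasons.append(f"office app {parent} spawned {image}")
        decoded = decode_encoded_powershell(ev["cmdline"])
        if decoded is not None:
            reasons.append(f"encoded PowerShell decodes to {decoded[:60]!r}")
        if any(d in low for d in WRITABLE_DIRS):
            reasons.append("executable in user-writable directory")
        if image in SYSTEM_NAMES and not low.startswith("c:\\windows\\system32\\"):
            reasons.append(f"system binary name {image} outside System32")
        if not ev["signed"]:
            reasons.append("unsigned image")
        findings.extend((ev["host"], ev["pid"], r) for r in reasons)
    return findings


def rare_images(events, max_hosts=1):
    """Executables seen on at most max_hosts hosts: the 'what is running everywhere?' view."""
    hosts_by_image = defaultdict(set)
    for ev in events:
        hosts_by_image[ev["image"].lower()].add(ev["host"])
    fleet = {ev["host"] for ev in events}
    if len(fleet) <= max_hosts:  # a one-host 'fleet' makes everything rare; say nothing
        return []
    return sorted(img for img, hosts in hosts_by_image.items() if len(hosts) <= max_hosts)


if __name__ == "__main__":
    for host, pid, reason in flag_weird_processes(EVENTS):
        print(f"{host} pid {pid}: {reason}")
    print("fleet-rare executables:", rare_images(EVENTS))
```

Rarity is not badness (the lone `cmd.exe` would have been "rare" too without the ws03 record), and none of these heuristics is a signature; they are the kind of question an endpoint analyst has to be able to ask and judge, which is the skills gap the post points at, and which no agent, however small, fills by itself.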
- Competitive Landscape: Endpoint Detection and Response Tools, 2014
- Market Guide for Endpoint Detection and Response Solutions
- Endpoint Threat Detection and Response Tools and Practices
Possibly related posts on EDR / ETDR:
- The Future Is Here … And It Is … Network? Endpoint?
- My Paper on Endpoint Tools Publishes
- Endpoint Threat Detection & Response Deployment Architecture
- Essential Processes Around Endpoint Threat Detection & Response Tools
- Named: Endpoint Threat Detection & Response
- Endpoint Threat Indication & Response?
- Endpoint Visibility Tool Use Cases
- On Endpoint Sensing
- RSA 2013 and Endpoint Agent Re-Emergence
- All posts tagged endpoint
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.