Gartner Blog Network


EDR Research Commencing: Call To Action!

by Anton Chuvakin  |  January 27, 2016  |  6 Comments

As we mentioned in this post, we are about to visit the land of EDR (formerly: ETDR) in order to update Gartner GTP EDR coverage and to create one new document with a deeper technical dive on EDR technology.

If you recall, I’ve been whining incessantly about the fuzzy boundary between EDR (at least the way we originally defined it – as a visibility tool) and all types of “Next Generation Endpoint Protection.” Now another curveball was added to this: vendors who do remediation so rapidly, that it looks like prevention. On top of this, we have those isolation vendors that dabble with visibility too….

So…what should poor analysts do to provide some much needed clarity to their enterprise clients? In essence, we will suffer for vendors’ marketing sins … but I digress.

Here is what we are thinking now … maybe [all subject to change as our research progresses!]:

Protection – visibility balance | Example | "EDR-ness"
All protection, no/little visibility capabilities | Cylance, EMET, etc. | Not EDR [not in our EDR Market Guide]
All visibility, no protection, no remediation | Open source EDR like GRR lives here | EDR
All visibility, some remediation, no protection | Many EDR vendors live here | EDR
A balance of significant visibility and protection / remediation functions | 1-2 vendors live here | EDR but also EPP? A mythical "NG-EPP"?
Lots of focus on protection, a little on visibility | Some vendors here… | Probably not EDR … a very fuzzy bucket

All in all, we will have to look at BOTH EDR capabilities [can your tool do it?] AND “funded use cases” [if you are predominantly purchased to BLOCK and PREVENT, we will not cover you in this paper] to decide who to include and who to profile for the paper.

Now, my traditional call to action:

  • EDR vendors or related endpoint visibility vendors, got anything to say about this or just want to update us on your new capabilities and use cases? Here is a briefing link … you know what to do [reminder: to brief an analyst you do not need to be a Gartner client – so it is free]!
  • Enterprises, got an EDR or endpoint visibility / monitoring/ detection / response story – either a WIN or a FAIL story – to share? Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).


Category: endpoint, etdr, incident-response, monitoring, security

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on EDR Research Commencing: Call To Action!


  1. Eric Schurr says:

    Anton,
    I like the direction you’re heading with this structure. A few thoughts:

    1. We’re seeing enterprises expressing interest in “something” that addresses both threat prevention (BTW, I find customers use “prevention” and “protection” synonymously so I will do that here, too) and detection and response. They don’t know what to call “it,” but the most common term we’re hearing is “next-generation endpoint security.” The problem with calling it “NG-EPP” is that: 1. it places way too much emphasis on “protection” instead of a balanced view of protection and response. Both functions are essential. 2. It sounds too much like “a new generation of everything in the current definition of EPP.” The latter isn’t what folks are looking for (e.g., they don’t want a new generation of disk encryption, personal firewalls, etc.) They’re looking for something “newer and better than traditional tools that specifically addresses targeted attacks and modern malware.”

    2. Your model doesn’t mention “Detection.” You might be subsuming it under “visibility,” but there are products that provide some form of visibility/recording/polling of endpoints and yet they don’t proactively self-detect malware. Customers want products to tell them if malware is present, so this is an important function.

    Hope this helps.

    • Eric, thanks a lot for the comment. First, DETECTION is at the center of it, for sure. And yes, visibility covers (in my informal usage here) basically “NOT prevention NOT remediation” — so detection, IR support, any hunting, etc.

      Re: combining visibility [detection/ IR/whatever] with prevention — this will be a topic, a major one, of this effort.

  2. […] planned, we are starting our research effort on EDR, but also one on security incident response (IR), a topic we last touched in 2013. Most likely, we […]

  3. Dori Fisher says:

    Hi Anton,
    I think you can add an axis that describes the ability to contain a threat.
    It’s not protection, visibility or remediation, example:
    An asset is infected with malware that spreads via SMTP. The endpoint agent is able to stop any communication to port 25 from the asset, but cannot protect the asset or remediate it.
    Or maybe add signature vs. policy driven as an axis also. Or maybe real-time vs. scheduled.

    What do you think?

    • Ah, very true — we have containment in the narrative but not here. I’d say that contain/mitigate is indeed a key function. Probably even more important than remediation or prevention.
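The containment scenario raised in the comment above (an endpoint spreading malware over SMTP, blocked at port 25 without being cleaned) is worked through below as an added example. This is editor-supplied code, not code from the post or from any commenter or vendor: the telemetry lines, the mail-client allowlist, the detection threshold and the Windows netsh rule syntax are all assumptions chosen for illustration. It separates the three functions the thread is arguing about: visibility (parsing connect events), detection (flagging a non-mail process fanning out to many SMTP destinations), and containment (a reversible outbound block that neither prevents the infection nor remediates the host).

```python
"""Containment as a distinct EDR function: detect an endpoint spreading over
SMTP and emit a reversible outbound block, without claiming to have prevented
the infection or to have cleaned the host (example code, not a product)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry, modelled on network-connect events an EDR agent might
# record. Fields: timestamp, host, process image, pid, destination IP, port.
SAMPLE_EVENTS = """\
2016-01-27T10:00:01Z ws-017 outlook.exe 2212 10.0.0.25 25
2016-01-27T10:00:03Z ws-017 svchost.exe 884 10.0.0.25 25
2016-01-27T10:00:04Z ws-017 svchost.exe 884 203.0.113.10 25
2016-01-27T10:00:05Z ws-017 svchost.exe 884 203.0.113.11 25
2016-01-27T10:00:05Z ws-017 svchost.exe 884 203.0.113.12 25
2016-01-27T10:00:06Z ws-017 svchost.exe 884 203.0.113.13 25
2016-01-27T10:00:07Z ws-017 chrome.exe 1504 198.51.100.7 443
2016-01-27T10:00:09Z ws-042 outlook.exe 3100 10.0.0.25 25
"""

# Assumed allowlist: processes that legitimately speak SMTP from a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def parse_events(text):
    """Visibility: turn raw agent records into structured events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, pid, dst_ip, dst_port = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "image": image, "pid": int(pid),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
        })
    return events


def detect_smtp_spreaders(events, min_targets=3, window=timedelta(seconds=60)):
    """Detection: return {(host, image, pid): sorted targets} for non-mail
    processes that reached at least min_targets distinct SMTP destinations
    within one sliding window. A single mail client talking to one relay
    never trips this."""
    by_proc = defaultdict(list)
    for e in events:
        if e["dst_port"] == 25 and e["image"].lower() not in MAIL_CLIENTS:
            by_proc[(e["host"], e["image"], e["pid"])].append(e)
    hits = {}
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # every later event within `window` of this start point
            targets = {e["dst_ip"] for e in evs[i:]
                       if e["ts"] - start["ts"] <= window}
            if len(targets) >= min_targets:
                hits[key] = sorted(targets)
                break
    return hits


def containment_rules(host, pid, tag="edr-contain"):
    """Containment: host-firewall commands (assumed Windows netsh advfirewall
    syntax) that block outbound TCP/25 from the endpoint, plus the exact
    rollback. Nothing here kills the process or cleans the host; that is
    remediation, a separate function."""
    name = f"{tag}-{host}-{pid}"
    apply_cmd = (f'netsh advfirewall firewall add rule name="{name}" dir=out '
                 f"action=block protocol=TCP remoteport=25")
    rollback_cmd = f'netsh advfirewall firewall delete rule name="{name}"'
    return {"apply": apply_cmd, "rollback": rollback_cmd}


if __name__ == "__main__":
    for (host, image, pid), targets in detect_smtp_spreaders(
            parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {image} (pid {pid}) hit {len(targets)} SMTP targets")
        for step, cmd in containment_rules(host, pid).items():
            print(f"  {step}: {cmd}")
```

The rule is named with a tag and the offending host/pid so an analyst can find and remove it once remediation is done; the rollback string is produced together with the block so containment stays reversible. The threshold and window are the knobs that trade false positives (a legitimate relay-scanning tool) against detection delay.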

  4. […] research on EDR tools and practices renders some very interesting discussions on tools capabilities. While many EDR vendors will focus […]




Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.