We are nearing the end of our Endpoint Detection and Response (EDR) research project; we just pushed our first paper – on EDR operational practices – into review and are concentrating on a technology comparison paper, a more difficult effort.
One thing has emerged from many of the recent conversations with EDR vendors and users: the thing we secretly suspected, but feared to say explicitly until we had more data.
What IS this thing?
So far, in our experience, EDR tool WINS (= examples of wildly successful deployments) tend to be concentrated at highly mature, “Type A of Type A”, lean-forward, advanced security organizations.
Huh? Are you simply saying that “if you are better at something, things tend to be better for you”? Or are you saying “warning: EDR is a tool for security 1%-ers?”
Not exactly! We are a bit more careful here and we are not branding EDR “a 1%-er tool.” However, success with EDR is found more often in the land of 10+ person SOCs and full-time standing CIRTs, rather than in the land of “we just hired our 1st security person.”
When buying an EDR tool, please be aware of that!
Blog posts related to our current EDR research:
- EDR Mud Fight: Kernel or Userland?
- Using EDR For Remediation?
- EDR Research Commencing: Call To Action!
- Where Does EDR End and “NG AV” Begin?
- Reality Check on EDR / ETDR
- My Paper on Endpoint Tools Publishes (2013)
- Endpoint Threat Detection & Response Deployment Architecture
- Essential Processes Around Endpoint Threat Detection & Response Tools
- Named: Endpoint Threat Detection & Response
- Endpoint Visibility Tool Use Cases
- On Endpoint Sensing
- RSA 2013 and Endpoint Agent Re-Emergence
- All posts tagged endpoint
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.