Gartner Blog Network


Our Paper “Endpoint Detection and Response Tool Architecture and Operations Practices” Publishes

by Anton Chuvakin  |  May 26, 2016  |  2 Comments

OK, I am very late here, but the 1st of 2 of our 2016 EDR papers, titled “Endpoint Detection and Response Tool Architecture and Operations Practices”, has been published. Augusto promptly announced it here [while I was working hard in Honolulu…], so I am late with this post, but I have some fun quotes. This paper is about using EDR and growing the associated security processes and practices.

A word of warning: this is NOT the EDR vendor comparison you were looking for :-) [that’s paper #2 of 2, and we are not done with it yet]

The quotes follow below:

  • “The name “EDR” defines the tool category as related to the endpoint (as opposed to the network) and the tools’ primary usage for both threat detection and IR (rather than deep forensics or prevention of attacks).”
  • “Extracting the full value of EDR tools demands mature security operations and IR processes. EDR tools are not very useful for organizations not prepared to handle alerts produced by detection capabilities or without incident response (IR) processes to leverage the additional investigation capabilities.”
  • “EDR tools are designed to collect data from potentially compromised endpoints, including those that have been under attacker control for an extended period.” [well, let’s be honest here: the good ones are :-)]
  • “Cloud analytics for EDR has an added advantage that the logic of the analysis platform is far removed from any possible attacker and can be changed by its developers easily and for all their clients. Thus, cloud detection methods are theoretically less likely to be reversed by the attacker, who can purchase the server-based solution and reverse-engineer the detection logic.”
  • “… after an organization has gone through a protracted, painful, costly IR process — possibly involving hundreds of thousands of dollars in consulting fees for months of investigative work — the business case for a [EDR] tool that can shrink the time for the investigation from months to hours or days practically writes itself.”
  • “EDR users report that, although their tools were instrumental in “detecting the undetectable,” they also delivered many other alerts that were not actionable in their environments.”

Enjoy the paper! [Gartner GTP access required]

Blog posts related to our current EDR research:






