Where Does EDR End and “NG AV” Begin?

What is the difference between Endpoint Detection and Response (EDR, previously named ETDR) and “NG anti-virus” (“NG AV” is not an official term)? Specifically, where EDR ends and AV begins?

Short answer: Damned if I know 🙂

Longer answer: Why am I even writing about EDR, for gods’ sakes?! Shouldn’t I be focused on SIEM use cases? Well, I am – but one of the recent EDR-focused clients calls (and, mind you, they happen very rarely, barely 1/month!) just pushed me over the edge….

So, here is what I think (please also reread my Reality Check on EDR / ETDR):

• As originally conceived, EDR (formerly ETDR) is primarily a VISIBILITY tool – for detection, for IR support [post-incident visibility], for proactive threat hunting, etc. So, if your EDR does not block anything, that may be OK. In fact, it may be BETTER, since it is probably safer to deploy something that cannot block/kill/disrupt to all of your 50,000 systems. In light of this, questions such as “what is the ‘false positive’ rate of this EDR tool?” may not make sense, as what is the FP rate of a search engine?
• On the other hand, there are plenty of “new endpoint security companies” (that I informally call “NG AV” – some are discussed in this excellent Gartner GTP paper) focus on better PREVENTION. Many of them provide no more visibility than traditional AV, some provide even less (such as those that use non-deterministic methods such as ML to decide what process to block).

Yes, there are tools that purport to do both VISIBILITY and PREVENTION. There are tools that do one well, and the other barely. There are also tools that can remediate so rapidly that it looks like prevention. There are tools that can act only if you write a script for it. While it may be tempting to say “if you need prevention/blocking, don’t look at EDR”, today it would be wrong – tools do exist that can give you decent visibility and OK prevention (or vice versa). So, it is a H-U-G-E mess overall.

What to do?! FOCUS ON CAPABILITIES. Don’t think “I need to shortlist me some EDR vendors”, don’t think “my AV sucks – I need EDR”, think WHAT ENDPOINT SECURITY CAPABILITIES DO I NEED NOW?

Some examples may include:

• Collect lots of data and search after an incident
• Monitor endpoints for some anomalous behaviors
• Block malware before it runs
• Match all endpoint objects vs threat intel indicator lists

See… the above examples today may be covered by 2-3 tools [eeewwh … so many agents! :-(], if you want to do a great job on each. “Eventually maybe” ™ big anti-virus (we call them EPP) vendors are likely to integrate EDR for a nice little EPP/EDR package. But today you need to focus on REQUIRED CAPABILITIES!

Blog posts related to EDR / ETDR:

• Reality Check on EDR / ETDR
• The Future Is Here … And It Is … Network? Endpoint?
• My Paper on Endpoint Tools Publishes
• Endpoint Threat Detection & Response Deployment Architecture
• Essential Processes Around Endpoint Threat Detection & Response Tools
• Named: Endpoint Threat Detection & Response
• Endpoint Threat Indication & Response?
• Endpoint Visibility Tool Use Cases
• On Endpoint Sensing
• RSA 2013 and Endpoint Agent Re-Emergence
• All posts tagged endpoint