Blog post

Where Does EDR End and “NG AV” Begin?

By Anton Chuvakin | December 03, 2015 | 4 Comments

securitymonitoringincident responseETDRendpoint

What is the difference between Endpoint Detection and Response (EDR, previously named ETDR) and “NG anti-virus” (“NG AV” is not an official term)? Specifically, where EDR ends and AV begins?

Short answer: Damned if I know 🙂

Longer answer: Why am I even writing about EDR, for gods’ sakes?! Shouldn’t I be focused on SIEM use cases? Well, I am – but one of the recent EDR-focused clients calls (and, mind you, they happen very rarely, barely 1/month!) just pushed me over the edge….

So, here is what I think (please also reread my Reality Check on EDR / ETDR):

  • As originally conceived, EDR (formerly ETDR) is primarily a VISIBILITY tool – for detection, for IR support [post-incident visibility], for proactive threat hunting, etc. So, if your EDR does not block anything, that may be OK. In fact, it may be BETTER, since it is probably safer to deploy something that cannot block/kill/disrupt to all of your 50,000 systems. In light of this, questions such as “what is the ‘false positive’ rate of this EDR tool?” may not make sense, as what is the FP rate of a search engine?
  • On the other hand, there are plenty of “new endpoint security companies” (that I informally call “NG AV” – some are discussed in this excellent Gartner GTP paper) focus on better PREVENTION. Many of them provide no more visibility than traditional AV, some provide even less (such as those that use non-deterministic methods such as ML to decide what process to block).

Yes, there are tools that purport to do both VISIBILITY and PREVENTION. There are tools that do one well, and the other barely. There are also tools that can remediate so rapidly that it looks like prevention. There are tools that can act only if you write a script for it. While it may be tempting to say “if you need prevention/blocking, don’t look at EDR”, today it would be wrong – tools do exist that can give you decent visibility and OK prevention (or vice versa). So, it is a H-U-G-E mess overall.

What to do?! FOCUS ON CAPABILITIES. Don’t think “I need to shortlist me some EDR vendors”, don’t think “my AV sucks – I need EDR”, think WHAT ENDPOINT SECURITY CAPABILITIES DO I NEED NOW?

Some examples may include:

  • Collect lots of data and search after an incident
  • Monitor endpoints for some anomalous behaviors
  • Block malware before it runs
  • Match all endpoint objects vs threat intel indicator lists

See… the above examples today may be covered by 2-3 tools [eeewwh … so many agents! :-(], if you want to do a great job on each. “Eventually maybe” ™ big anti-virus (we call them EPP) vendors are likely to integrate EDR for a nice little EPP/EDR package. But today you need to focus on REQUIRED CAPABILITIES!

Blog posts related to EDR / ETDR:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Andre Gironda says:

    Enjoy the bit on EDR. For NG AV, there are questions of infrastructure scale (AV on Mesos?) but more-important questions of resiliency. IF the NG AV dies from a one-packet kill (or one-memory block kill) then why consider it NG AV? Same can be said of network-based IPS or EPP. Time to move everybody into the bottom-left corner of the Challengers quadrant.

    • Well…. I am just not a believer in some “next gen” totally reliable preventative tech that does not provide visibility…. whether NIPS or EPP. Especially the one that is based on some non-deterministic method…

  • Matthew Gardiner says:

    An important point of the discussion of EDR is for which primary user is the product being acquired – the endpoint security/ops. management guy, the Level 1 SOC analyst, malware analyst, or incident responder, or some combination. We find that when you have an established SOC, enterprise visibility which supports both detection and investigation is a priority, followed by the sophistication of the detective analytics the tool enables. This is followed by capabilities such as blocking. But overall EDR is only part of the security monitoring story!

    • Thanks for an insightful comment. I agree the user matters a lot but not every stakeholder will have a chance to push an agent to , say, 100K endpoints. An endpoint guy can, but [in some places] a SOC guy cannot…