Blog post

EDR Research Commencing: Call To Action!

By Anton Chuvakin | January 27, 2016 | 4 Comments

securitymonitoringincident responseETDRendpoint

As we mentioned in this post, we are about the visit the land of EDR (formerly: ETDR) in order to update Gartner GTP EDR coverage and to create one new document with a deeper technical dive on EDR technology.

If you recall, I’ve been whining incessantly about the fuzzy boundary between EDR (at least the way we originally defined it – as a visibility tool) and all types of “Next Generation Endpoint Protection.” Now another curveball was added to this: vendors who do remediation so rapidly, that it looks like prevention. On top of this, we have those isolation vendors that dabble with visibility too….

So…what should poor analysts do to provide some much needed clarity to their enterprise clients? In essence, we will suffer for vendors’ marketing sins … but I digress.

Here is what we are thinking now … maybe [all subject to change as our research progresses!]:

Protection – visibility balance Example “EDR-ness”
All protection, no/little visibility capabilities Cylance, EMET, etc Not EDR [not in our EDR Market Guide]
All visibility, no protection, no remediation Open src EDR like GRR live here EDR
All visibility, some remediation, no protection Many EDR vendors live here EDR
A balance of significant visibility and protection / remediation functions 1-2 vendors live here EDR but also EPP? A mythical “NG-EPP”?
Lots of focus on protection, a little on visibility Some vendors here… Probably not EDR … a very fuzzy bucket

All in all, we will have to look at BOTH EDR capabilities [can your tool do it?] AND “funded use cases” [if you are predominantly purchased to BLOCK and PREVENT, we will not cover you in this paper] to decide who to include and who to profile for the paper.

Now, my traditional call to action:

  • EDR vendors or related endpoint visibility vendors, got anything to say about this or just want to update us on your new capabilities and use cases? Here is a briefing link … you know what to do [reminder: to brief an analyst you do not need to be a Gartner client – so it is free]!
  • Enterprises, got an EDR or endpoint visibility / monitoring/ detection / response story – either a WIN or a FAIL story – to share? Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).

Related blog posts on EDR:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Eric Schurr says:

    I like the direction you’re heading with this structure. A few thoughts:

    1. We’re seeing enterprises expressing interest in “something” that addresses both threat prevention (BTW, I find customers use “prevention” and “protection” synonymously so I will do that here, too) and detection and response. They don’t know what to call “it,” but the most common term we’re hearing is “next-generation endpoint security.” The problem with calling it “NG-EPP” is that: 1. it places way too much emphasis on “protection” instead of a balanced view of protection and response. Both functions are essential 2. It sounds too much like “a new generation of everything in the current definition of EPP.” The latter isn’t what folks are looking for (e.g., they don’t want a new generation of disk encryption, personal firewalls, etc.) They’re looking for something “newer and better than traditional tools that specifically addresses targeted attacks and modern malware.”

    2.Your model doesn’t mention “Detection.” You might be subsuming it under “visibility,” but there are products that provide some form of visibility/recording/polling of endpoints and yet they don’t proactively self-detect malware. Customers want products to tell them if malware is present, so this is an important function.

    Hope this helps.

    • Eric, thanks a lot for the comment. First, DETECTION is at the center of it, for sure. And yes, visibility covers (in my informal usage here) basically “NOT prevention NOT remediation” — so detection, IR support, any hunting, etc.

      Re: combining visibility [detection/ IR/whatever] with prevention — this is will be a topic, a major one of this effort.

  • Dori Fisher says:

    Hi Anton,
    I think you can add an axis that describes the ability to contain a threat.
    It’s not protection, visibility or remediation, example:
    An asset is infected with malware that speads via smtp. The endpoint agent is able to stop any communication to port 25 from the asset, but cannot protect the asset or remediate it.
    Or maybe add signature vs policy driven as an axis also.or maybe realtime vs scheduled.

    What do you think?

    • Ah, very true — we have containment in the narrative but not here. I’d say that contain/mitigate is indeed a key function. Probably even more important than remediation or prevention.