Blog post

One More Time On EDR Use Cases

By Anton Chuvakin | May 03, 2016 | 0 Comments


Our first EDR paper is about to be published, but I wanted to draw your attention to my favorite topic – the use cases.

We touched on the EDR (back then: ETDR) use cases in this post in 2013, but we are revisiting them in current research. In our view, EDR use cases can be classified in the following manner:

  1. Data search and investigations (the “R” in EDR)
  2. Suspicious activity detection (the “D” in EDR)
  3. Suspicious activity validation (triage process, that sites between security monitoring and IR; essentially the space between “D” and “R”)
  4. Data exploration or hunting (proactive hunting for malicious activity, typically a high-maturity security organization use case)
  5. Malicious activity blocking and containment (the active use case where the EDR is used for mitigation and remediation)

Prevention, naturally, is missing since EDR is not about prevention, but some tools can deliver on the preventative use cases in various ways (to be discussed in the paper).

Blog posts related to our current EDR research:

Comments are closed