Gartner Blog Network

One More Time On EDR Use Cases

by Anton Chuvakin  |  May 3, 2016  |  2 Comments

Our first EDR paper is about to be published, but I wanted to draw your attention to my favorite topic – the use cases.

We touched on the EDR (back then: ETDR) use cases in this post in 2013, but we are revisiting them in current research. In our view, EDR use cases can be classified in the following manner:

  1. Data search and investigations (the “R” in EDR)
  2. Suspicious activity detection (the “D” in EDR)
  3. Suspicious activity validation (triage process, that sites between security monitoring and IR; essentially the space between “D” and “R”)
  4. Data exploration or hunting (proactive hunting for malicious activity, typically a high-maturity security organization use case)
  5. Malicious activity blocking and containment (the active use case where the EDR is used for mitigation and remediation)

Prevention, naturally, is missing since EDR is not about prevention, but some tools can deliver on the preventative use cases in various ways (to be discussed in the paper).

Blog posts related to our current EDR research:

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: edr  etdr  security  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Thoughts on One More Time On EDR Use Cases

  1. […] One More Time On EDR Use Cases […]

  2. […] EDR research is winding down, so we are about to start our next cycle, here is what we have in […]

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.