One More Time On EDR Use Cases

By Anton Chuvakin | May 03, 2016 | 0 Comments


Our first EDR paper is about to be published, but I wanted to draw your attention to my favorite topic – the use cases.

We touched on the EDR (back then: ETDR) use cases in this post in 2013, but we are revisiting them in current research. In our view, EDR use cases can be classified in the following manner:

  1. Data search and investigations (the “R” in EDR)
  2. Suspicious activity detection (the “D” in EDR)
  3. Suspicious activity validation (the triage process that sits between security monitoring and IR; essentially the space between “D” and “R”)
  4. Data exploration or hunting (proactive hunting for malicious activity, typically a high-maturity security organization use case)
  5. Malicious activity blocking and containment (the active use case where the EDR is used for mitigation and remediation)

Prevention, naturally, is missing since EDR is not about prevention, but some tools can deliver on the preventative use cases in various ways (to be discussed in the paper).

Blog posts related to our current EDR research:
