Our Paper “Endpoint Detection and Response Tool Architecture and Operations Practices” Publishes

By Anton Chuvakin | May 26, 2016


OK, I am being very late here, but the 1st of 2 of our 2016 EDR papers titled “Endpoint Detection and Response Tool Architecture and Operations Practices” has published. Augusto promptly announced it here [while I was working hard in Honolulu…] and so I am late here, but I have some fun quotes. This paper is about using EDR and growing the associated security processes and practices.

A word of warning: this is NOT the EDR vendor comparison you were looking for 🙂 [that’s paper #2 of 2, and we are not done with it yet]

The quotes follow below:

  • “The name “EDR” defines the tool category as related to the endpoint (as opposed to the network) and the tools’ primary usage for both threat detection and IR (rather than deep forensics or prevention of attacks).”
  • “Extracting the full value of EDR tools demands mature security operations and IR processes. EDR tools are not very useful for organizations not prepared to handle alerts produced by detection capabilities or without incident response (IR) processes to leverage the additional investigation capabilities.”
  • “EDR tools are designed to collect data from potentially compromised endpoints, including those that have been under attacker control for an extended period.” [well, let’s be honest here: the good ones are :-)]
  • “Cloud analytics for EDR has an added advantage that the logic of the analysis platform is far removed from any possible attacker and can be changed by its developers easily and for all their clients. Thus, cloud detection methods are theoretically less likely to be reversed by the attacker, who can purchase the server-based solution and reverse-engineer the detection logic.”
  • “… after an organization has gone through a protracted, painful, costly IR process — possibly involving hundreds of thousands of dollars in consulting fees for months of investigative work — the business case for a [EDR] tool that can shrink the time for the investigation from months to hours or days practically writes itself.”
  • “EDR users report that, although their tools were instrumental in “detecting the undetectable,” they also delivered many other alerts that were not actionable in their environments.”

Enjoy the paper! [Gartner GTP access required]

Blog posts related to our current EDR research:
