Our 2018 Update for “Endpoint Detection and Response Architecture and Operations Practices” Publishes
by Anton Chuvakin | December 14, 2018
Our main EDR document (“Endpoint Detection and Response Architecture and Operations Practices”) was just updated by Jon Amato, and it looks much better now. The abstract states: “Increasing complexity and frequency of attacks elevate the need for detection of attacks and incident response, all at enterprise scale. Technical professionals can use endpoint detection and response tools to speedily investigate security incidents and detect malicious activities and behaviors.”
A few of my favorite quotes are:
- “Extracting the full value of EDR tools demands mature security operations and IR processes. Organizations not prepared to handle the large volume of alerts produced by EDR tools may wish to consider a managed EDR service.” [reminder: a managed EDR is a type of MDR, while not every MDR uses EDR]
- “EDR tools are also not malware-centric; they reflect a broader focus on all threats affecting endpoints, rather than the more narrow coverage of malware detection and prevention, as is the case for traditional anti-malware tools.” [this is obvious to many, but a useful reminder to some]
- “This combination of EDR and advanced anti-malware [from one vendor] is so pervasive that many Gartner clients conflate the two tools, treating EDR as synonymous with advanced machine learning-type anti-malware. This is incorrect. EDR and EPP (including advanced anti-malware) are still two separate pieces of technology that happen to be found very commonly in the same product and platform.”
- “Most EDR business cases seen by Gartner for Technical Professionals were focused on: Saving on IR costs | Detecting threats faster and better | Enabling wider and deeper endpoint visibility”
- “EDR users need not assume that all data coming from the compromised endpoints is wrong, only that it needs to be verified through other means (such as network monitoring) and cross-referenced by different types of information (such as verification of the list of running processes by means of direct memory read)”
Posts related to paper publication:
- Our “How to Operate and Evolve a SIEM Solution” Publishes
- Our “How to Architect and Deploy a SIEM Solution” Publishes
- Our 2018 Update to “How to Plan, Design, Operate and Evolve a SOC” Publishes
- The “How To Build a SOC” Paper Update is OUT! (by Augusto)
- New Paper Published: “How to Start Your Threat Detection and Response Practice”
- Our Threat Testing and BAS Papers Are Out!
- Our Security Orchestration and Automation (SOAR) Paper Publishes
- Our Updated MSSP and MDR Guidance Publishes
- Security Monitoring Use Cases, the UPDATE!
- Our 2017 SIEM Research Papers Publish
- All My Research Published in 2017