What is EDR
EDR (Endpoint Detection and Response) tools run on end-user devices with the aim of improving information security and reducing data breaches.
In addition to antivirus functions, EDR tools increase the visibility of threats and facilitate forensic analysis with features such as real-time anomaly detection, alerting, and tracking and recording of the processes running on endpoints.
EDR logs every file execution and modification, registry change, network connection and other notable operations, which increases the visibility of threats.
In summary, EDR systems have been developed for end-user devices to detect and respond to sophisticated malware and cyber attacks.
For example, the black box on an airplane records a lot of information such as altitude, speed and fuel, and this information can be analyzed after an accident and used to prevent future accidents. Likewise, EDR systems help to prevent a possible cyber attack both by detecting the attack and through the data collected before and after the event. However, a black box alone cannot prevent an accident, and EDR systems cannot prevent cyber attacks on their own unless they work together with an antivirus, anti-malware or anti-exploit program.
EDR provides a set of features that enhance the ability to manage cybersecurity risk:
Improved Visibility: EDR solutions provide a single point of view of continuously monitored and analyzed data.
Rapid Investigations: EDR solutions are designed to automatically collect and process data and provide a specific response.
Remediation Automation: EDR solutions provide intervention to detected threats based on predetermined rules.
Contextualized Threat Hunting: With EDR solutions constantly collecting and analyzing data from endpoints, greater visibility into the state of endpoints in the system is provided. This allows potential threats to be identified and investigated.
EDR solutions must have some components to detect cyber threats effectively and proactively:
Incident Triaging Flow: An EDR solution should automatically separate potentially suspicious or malicious events from the stream of false-positive alerts, prioritize them, and contribute to the security analyst's investigations.
Threat Hunting: EDR solutions should support threat detection activities against potential intrusions.
Data Aggregation and Enrichment: It is necessary to distinguish correctly between true positives and false positives (true threats and false alarms). EDR solutions should use as much data as possible to make informed decisions about potential threats.
Integrated Response, Multiple Response Options: Once a threat has been identified, the EDR solution should quickly provide analysts with multiple response options, such as removing or quarantining a specific malicious file or process.
It must be integrated or interoperable with the AV (Anti-Virus) / EPP (Endpoint Protection Platform) solution.
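To make the triaging flow and the data enrichment described above concrete, here is an added example (not code from the original article or from any EDR product) of a minimal rule-based triage step: it takes constructed endpoint telemetry events, enriches each one with a constructed fleet-prevalence lookup, scores it against a few defender rules, and returns a prioritized queue with the reasons an analyst would see. The event schema, rule weights and thresholds are assumptions for illustration.

```python
# Constructed sample telemetry (hypothetical schema, not any vendor's format).
EVENTS = [
    {"id": 1, "image": "outlook.exe", "parent": "explorer.exe", "signed": True,
     "cmdline": "outlook.exe", "dest_ip": None, "reg_key": None},
    {"id": 2, "image": "powershell.exe", "parent": "winword.exe", "signed": True,
     "cmdline": "powershell.exe -EncodedCommand SQBFAFgA", "dest_ip": "203.0.113.7",
     "reg_key": None},
    {"id": 3, "image": "setup_tool.exe", "parent": "explorer.exe", "signed": True,
     "cmdline": "setup_tool.exe /silent", "dest_ip": None,
     "reg_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Tool"},
]

# Constructed enrichment source: how many endpoints in the fleet have run each image.
PREVALENCE = {"outlook.exe": 900, "powershell.exe": 950, "setup_tool.exe": 3}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INTERNAL_PREFIX = "10."  # assumed: the fleet's own address range

def enrich(event, prevalence=PREVALENCE):
    """Attach fleet prevalence so rare binaries can be weighted more heavily."""
    return {**event, "prevalence": prevalence.get(event["image"], 0)}

def score(event):
    """Rule-based score; each matched rule records its reason for the analyst."""
    reasons = []
    if not event["signed"]:
        reasons.append(("unsigned image", 30))
    if event["prevalence"] < 5:
        reasons.append(("rare in fleet", 25))
    if event["parent"] in OFFICE_APPS and event["image"] in SCRIPT_HOSTS:
        reasons.append(("office app spawned script host", 40))
    if "-enc" in event["cmdline"].lower():
        reasons.append(("encoded command line", 20))
    if event["dest_ip"] and not event["dest_ip"].startswith(INTERNAL_PREFIX):
        reasons.append(("outbound connection to external address", 15))
    if event["reg_key"] and "\\currentversion\\run" in event["reg_key"].lower():
        reasons.append(("persistence via Run key", 30))
    return sum(w for _, w in reasons), reasons

def triage(events, prevalence=PREVALENCE):
    """Return events ordered by severity, each with a priority label and reasons."""
    queue = []
    for ev in events:
        ev = enrich(ev, prevalence)
        total, reasons = score(ev)
        prio = "high" if total >= 60 else "medium" if total >= 30 else "low"
        queue.append({"id": ev["id"], "score": total, "priority": prio,
                      "reasons": [r for r, _ in reasons]})
    return sorted(queue, key=lambda e: e["score"], reverse=True)

if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

A common, signed mail client lands at the bottom of the queue, while an Office application spawning an encoded PowerShell with an external connection rises to the top; the rare installer writing a Run key sits in between for the analyst to confirm.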