EDR (Endpoint Detection and Response) is an integrated endpoint security solution that combines continuous real-time monitoring and endpoint data collection with automated response and rule-based analytics. The term was coined to describe a new class of security systems that detect and investigate suspicious activity on hosts and endpoints. They use a high degree of automation to enable security teams to quickly identify and respond to threats.
The main features of EDRs are:
- Monitoring and collecting activity data from endpoints that could indicate a threat.
- Analysing this data to identify threat patterns.
- Automatically responding to identified threats to eliminate or reduce them and inform security personnel.
- Forensic and analytical tools to investigate identified threats and search for suspicious activity.
Antivirus software, also known as AV, is the lowest common denominator of endpoint security.
Antivirus scans the operating system and file system. It looks for known malware such as Trojans, worms and ransomware and removes them from the system when detected.
Antivirus usually detects malware by comparing binary files with known signatures. It uses heuristic analysis to determine whether running processes or installed software have suspicious characteristics. Integrity checking monitors whether malware has interfered with existing files on the computer.
Antivirus uses several types of scanning to identify malware on a computer system:
- Signature scan – detects new programs on the computer, reads them, and compares them to known malware signatures.
- Heuristic scanning – detects programs that, while not matching malware signatures, exhibit abnormal behavior. An antivirus program can run a suspicious program and determine if it has malicious activity, such as whether it deletes or encrypts files or runs many processes.
- Integrity check – detects changes to files on the computer, especially system files, which may indicate a malicious process.
- Behavioral analysis – advanced antivirus software analyzes process behavior using machine learning and artificial intelligence techniques. It identifies processes that are behaving unusually compared to the normal behavior of processes on the system or compared to known malicious behaviour such as ransomware. It can help identify unknown, null or evasive malware that uses obfuscation techniques.
What is the difference between EDR and AV?
Although antivirus is an essential part of endpoint security, its ability to prevent sophisticated threats is limited. Zero-day threats or unknown threats can evade even advanced antivirus software. New types of attacks may be invisible to antivirus programs; for example, fileless attacks that run in memory without creating binaries on the file system cannot be stopped by many antivirus programs.
The EDR system was designed with the assumption that the endpoint will be breached at some point.
Antivirus can provide excellent protection, but if it fails, the organization has no visibility into what is happening on the endpoint, and security teams cannot immediately access the endpoint and address the breach.
In other words, antivirus solutions have traditionally relied heavily on so-called signature matching to identify threats to devices. AV software matches files against a known database of “bad” files. If a match is found, the file is recognized as a threat. AV software can also use heuristics, and therefore behaviour-based predictions, to try to detect the behaviour of a file or process, but the main method of detection or protection is the signature database.
EDR software inverts this model and relies primarily on endpoint behaviour analysis. For example, if a Word document creates a PowerShell process and executes an unknown script, this is a troubling situation. The file will be flagged and quarantined until the process is validated. Not relying on signature files allows EDR software to better respond to new advanced threats.
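To make the contrast concrete, here is an added example (not code from the original article or from any EDR product) that runs the same constructed process-creation events through a signature lookup and through a behavioural rule modelled on the Word-to-PowerShell case above. Event field names, the hash lists and the script bodies are all constructed for illustration.

```python
import hashlib

# Constructed process-creation events, roughly what an EDR agent records.
# Field names are illustrative, not any real product's telemetry schema.
EVENTS = [
    {"pid": 1200, "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe invoice.docx", "payload": b""},
    {"pid": 1344, "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -File stage.ps1",
     "payload": b"<constructed script body, never catalogued before>"},
    {"pid": 1500, "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\ops\\patch.ps1",
     "payload": b"<constructed, known-good maintenance script>"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature database: one known-bad hash that no event above matches,
# which is exactly the situation a previously unseen script puts an AV in.
KNOWN_BAD = {sha256(b"<constructed, previously catalogued malware sample>")}
# Allowlist of scripts the organisation has already validated (constructed).
KNOWN_GOOD = {sha256(b"<constructed, known-good maintenance script>")}


def av_signature_verdict(event) -> bool:
    """AV-style check: flag only when the payload hash is already in the signature database."""
    return sha256(event["payload"]) in KNOWN_BAD


def edr_behavioral_verdict(event) -> list:
    """EDR-style check: reason about process lineage and whether the script was validated."""
    reasons = []
    if event["parent"] in OFFICE_APPS and event["image"] in SCRIPT_HOSTS:
        reasons.append("office-app spawned scripting host")
    if event["image"] in SCRIPT_HOSTS and sha256(event["payload"]) not in KNOWN_GOOD:
        reasons.append("unvalidated script content")
    return reasons


def triage(events):
    """Return both verdicts per pid so the two detection models can be compared side by side."""
    return {e["pid"]: {"av": av_signature_verdict(e), "edr": edr_behavioral_verdict(e)}
            for e in events}
```

Running `triage(EVENTS)` flags pid 1344 under the behavioural rules while the signature lookup flags nothing, which is the gap the article describes.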
When evaluating EDR and antivirus, it is important to remember that endpoint detection and response solutions include everything the best antivirus solutions offer, and then some. If an EDR solution is installed, it is recommended that other antivirus tools be removed, as running them alongside it can cause slowdowns or other technical issues on systems and devices. To defend against complex and evolving threats, the choice is clear: endpoint detection and response will provide the user with more advanced security.