Endpoint Detection and Response Products Offer Detailed Insight, But Are Time Intensive
For aviation accidents, in-flight recorders provide crucial technical details about what happened when a mishap occurred. For desktops and laptops that have been attacked by a hacker, the equivalent is endpoint detection and response (EDR), a popular class of products from vendors such as FireEye, Carbon Black, Tanium, CrowdStrike and others.
EDR products are powerful tools that provide a play-by-play of exactly what happened on a computer during and after an attack. The insights can reveal details of how a hacker mounted an attack and moved throughout systems. Programmed with the right rules, EDR products can also cut off potentially infected machines from the network and stem further damage.
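To make the "play-by-play plus rules" idea concrete, here is an added illustration that is not from the article or from any of the vendors named in it: a toy rule engine run over a few constructed endpoint telemetry records. The event schema, rule names, weights and the isolation threshold are all assumptions chosen for the example; a real EDR product has its own data model and its own response actions.

```python
"""
Added example, not the article's or any vendor's code: a minimal rule-based
EDR pipeline. Constructed endpoint telemetry -> detection rules -> per-host
timeline (the "play-by-play") and an isolation decision.
"""
from dataclasses import dataclass


@dataclass
class Event:
    ts: str          # timestamp (constructed ISO-8601 strings below)
    host: str
    kind: str        # "process" or "network"
    parent: str = ""  # parent process image, for process events
    image: str = ""   # process image that produced the event
    cmdline: str = ""
    dest: str = ""    # "ip:port" for network events


# Constructed sample telemetry (assumed schema): on ws-17 a document viewer
# spawns a shell, which runs an encoded PowerShell command that then makes an
# outbound connection; ws-22 shows only benign activity.
SAMPLE_EVENTS = [
    Event("2019-08-20T09:00:01", "ws-17", "process", parent="explorer.exe",
          image="winword.exe", cmdline="winword.exe invoice.docm"),
    Event("2019-08-20T09:00:05", "ws-17", "process", parent="winword.exe",
          image="cmd.exe", cmdline="cmd.exe /c powershell -enc AAAA"),
    Event("2019-08-20T09:00:06", "ws-17", "process", parent="cmd.exe",
          image="powershell.exe", cmdline="powershell -enc AAAA"),
    Event("2019-08-20T09:00:09", "ws-17", "network",
          image="powershell.exe", dest="198.51.100.7:443"),
    Event("2019-08-20T09:01:00", "ws-22", "process", parent="explorer.exe",
          image="notepad.exe", cmdline="notepad.exe notes.txt"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}


# Each rule inspects one event and returns True on a match.
def rule_office_spawns_shell(ev: Event) -> bool:
    return ev.kind == "process" and ev.parent in OFFICE_APPS and ev.image in SHELLS


def rule_encoded_powershell(ev: Event) -> bool:
    cmd = ev.cmdline.lower()
    return ev.kind == "process" and "powershell" in cmd and " -enc" in cmd


def rule_shell_network_egress(ev: Event) -> bool:
    return ev.kind == "network" and ev.image in SHELLS


# Rule name -> (function, weight). Weights and threshold are assumptions.
RULES = {
    "office_spawns_shell": (rule_office_spawns_shell, 3),
    "encoded_powershell": (rule_encoded_powershell, 2),
    "shell_network_egress": (rule_shell_network_egress, 2),
}
ISOLATION_THRESHOLD = 5


def analyze(events):
    """Return per-host findings: ordered rule hits, total score, isolate flag."""
    findings = {}
    for ev in events:
        host = findings.setdefault(ev.host, {"timeline": [], "score": 0, "isolate": False})
        for name, (match, weight) in RULES.items():
            if match(ev):
                host["timeline"].append((ev.ts, name, ev.image))
                host["score"] += weight
    for host in findings.values():
        host["isolate"] = host["score"] >= ISOLATION_THRESHOLD
    return findings


def hosts_to_isolate(events):
    """Hosts whose accumulated score crosses the containment threshold."""
    return sorted(h for h, f in analyze(events).items() if f["isolate"])


if __name__ == "__main__":
    for host, f in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: score={f['score']} isolate={f['isolate']}")
        for ts, rule, image in f["timeline"]:
            print(f"  {ts} {rule:<22} {image}")
```

Two points the paragraph leaves implicit show up here: the timeline is only as good as the telemetry that was recorded (a rule cannot fire on a field the agent never captured), and the isolation decision depends on thresholds that someone has to tune, which is part of the specialist effort the article goes on to describe.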
Many anti-virus companies have long collected this type of information but never made it available to customers. Making that data available spawned a whole new class of products.
But there are caveats: EDR products record so much technical data from endpoints that it can be difficult, without trained specialists, to make sense out of it. That’s challenging for smaller IT security teams, which may not have the resources to get EDR’s full benefits.
Eric Ouellet, a research vice president with Gartner, gave a rundown of what organizations should keep in mind with EDR at the firm’s Security & Risk Management Summit in Sydney on Tuesday. The bottom line? EDR has amazing capabilities, but organizations should be aware of what’s required to make the most of it.