Endpoint Detection and Response: What Data Do You Need?


In 2021, the weekly average number of ransomware attacks targeting corporate networks increased by 50% compared to 2020. That number continues to rise as corporate networks grow and become increasingly distributed to accommodate new hybrid work models, digitalization, and the BYOD trend. It’s estimated that cybercriminals can now penetrate 93% of company networks.

One area of the network that’s particularly vulnerable to attack is the edge. Endpoint threats such as phishing emails, social engineering, DDoS attacks and ransomware can easily exploit vulnerabilities in end-user devices that are either outdated or unprotected. 

Organizations are implementing Endpoint Detection and Response (EDR) systems to combat the increasing number of endpoint attacks, and the market for these systems is exploding. By 2026, the EDR market will be valued at $6.72 billion, up from $1.76 billion in 2020 – a CAGR of over 25%.

But what exactly is EDR? How does it work and what data do EDR systems need to be effective? Let’s examine how access to up-to-date, complete data about all connected devices is essential to detecting potential threats and initiating a response.

What is EDR?

Every device connected to a network could be a gateway for cybercrime. Attackers conduct sophisticated attacks to circumvent security measures and penetrate the network on their mission to steal data and wreak havoc. Verizon found that stolen credentials are responsible for about 40% of breaches, and Windows applications and Office documents are among the most common file types containing malware. In other words, it’s not difficult for hackers to get into your network if they decide to.

EDR solutions do two things: data collection and threat response. They capture data from all endpoints connected to a network – laptops, desktops, mobile phones, IoT devices and operational technology (OT) – then analyze it to help IT security teams identify potential vulnerabilities and threats. They also feature reporting and alerting capabilities to help teams with monitoring and threat response. EDR solutions often comprise a set of components, such as antivirus software, analytics, endpoint monitoring and management, and other tools that help teams detect and mitigate potential threats – or respond quickly to an attack or incident.

The most effective EDR solutions offer the following capabilities:

  • Rich data: First, you need comprehensive data about endpoint devices. Data is the foundation for EDR. 
  • Intelligent alerting: Advanced EDR systems leverage AI and machine learning to automatically identify and alert on potential threats. By sending automated alerts when a threat is detected, EDR systems help reduce response times. Alerts should also include threat scoring and prioritization capabilities to maximize your team’s effectiveness and productivity.
  • Coordinated response: EDR systems should provide threat response capabilities to help teams mitigate threats and incidents, and surface other details and activities to assist with threat investigations. Systems that provide playbook execution, such as isolating endpoints on which a threat is detected (so-called ‘search-and-destroy’ capabilities) help to eliminate threats before they cause damage.
  • Antivirus and endpoint security capabilities: Endpoints should be configured to use machine learning to block malware and other attacks. Security tools should help prevent unauthorized access and provide granular access control.

What data do EDR solutions collect? 

As much as possible! To be able to identify anomalies, potential threats and vulnerabilities, teams need access to data about devices, operating systems, users, configurations, processes and more. 

Typically, an agent installed on each endpoint device collects this information and passes it to a centralized system, either on-premises or in the cloud, for analysis and reporting. But what about rogue devices and “shadow IT”? If you don’t know that a device is connected to the network, how can you collect the data you need to ensure it’s secure and protected?
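
An added example, not from the original article or from Lansweeper: one way to measure the agent coverage gap described above is to reconcile EDR agent check-ins against devices the network itself has observed (here, DHCP leases). The record layouts, field names, staleness threshold and sample data are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from any real network).
AGENT_CHECKINS = [  # what the EDR console knows: one row per installed agent
    {"host": "lt-ana", "mac": "3C-52-82-1A-9F-01", "last_seen": "2024-05-10T08:55:00"},
    {"host": "ws-017", "mac": "3c:52:82:1a:9f:02", "last_seen": "2024-05-02T17:20:00"},
]
DHCP_LEASES = [  # what the network saw: one row per lease handed out
    {"mac": "3c5282-1a9f01", "ip": "10.0.4.21", "hostname": "lt-ana"},
    {"mac": "3C:52:82:1A:9F:02", "ip": "10.0.4.22", "hostname": "ws-017"},
    {"mac": "00:17:88:4B:10:AA", "ip": "10.0.4.90", "hostname": "cam-lobby"},
    {"mac": "DA:A1:19:00:12:34", "ip": "10.0.4.133", "hostname": ""},
]

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_randomized(mac):
    """Locally administered bit set: likely a private/random MAC (phones, BYOD)."""
    return bool(int(norm_mac(mac)[:2], 16) & 0x02)

def coverage_gaps(agents, leases, now, stale_after=timedelta(days=3)):
    """Return (devices on the network with no agent, agents that stopped reporting)."""
    managed = {norm_mac(a["mac"]) for a in agents}
    unmanaged = [
        {**lease, "randomized_mac": is_randomized(lease["mac"])}
        for lease in leases
        if norm_mac(lease["mac"]) not in managed
    ]
    stale = [
        a["host"] for a in agents
        if now - datetime.fromisoformat(a["last_seen"]) > stale_after
    ]
    return unmanaged, stale

if __name__ == "__main__":
    unmanaged, stale = coverage_gaps(AGENT_CHECKINS, DHCP_LEASES,
                                     now=datetime(2024, 5, 10, 9, 0))
    for dev in unmanaged:
        tag = " (randomized MAC)" if dev["randomized_mac"] else ""
        print("no agent:", dev["ip"], dev["hostname"] or "<unnamed>", tag)
    print("stale agents:", stale)
```

Devices flagged with a randomized MAC cannot be matched reliably by address alone, which is why the check reports them separately instead of treating them as ordinary unmanaged hosts.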

Automated Endpoint Discovery and Recognition, Built-In

Lansweeper Embedded Technologies enables cybersecurity companies to embed technology asset intelligence into their products, making it easy to implement effective asset detection and recognition capabilities for EDR. 

Lansweeper’s credential-free device recognition (CDR) technology employs machine-learning techniques and big data to detect and identify all connected devices, without needing credentials. In this way, it identifies all devices, even those that are non-scannable or only connect to the network briefly. The result is a complete and accurate inventory of all connected devices – routers and gateways, desktops, laptops, tablets, IoT devices, and even OT. 

In addition to providing a complete inventory, Lansweeper enriches asset data with information about the make, model, category, and OS, even when it has only limited input data. It creates a fingerprint of each device, and encrypts and stores it to assist with in-depth threat analysis. Our device catalog is enriched with product metadata such as release and EOL dates, references to documentation and support, and available smart-home integrations.

Get started today

Lansweeper Embedded Technologies makes it easy to embed Lansweeper into your EDR solution via a cloud API or multi-platform SDK. Find out more, and get started today.