By Timothy Liu, CTO & Co-founder, Hillstone Networks
In tandem with the evolution of security technology, network attacks have become more targeted, concealed, and persistent. To counter this trend, endpoint detection and response (EDR) technology provides a new medium and platform for detecting and preventing security threats at the endpoint. EDR's strengths in defending against unknown threats, zero-day vulnerability attacks, and APT attacks have made it an important part of the overall security protection system.
As security guru Bruce Schneier once said, “You can’t defend. You can’t prevent it. The only thing you can do is detect and respond.” EDR is designed to do exactly that.
Gartner first proposed the concept of endpoint threat detection and response in 2013, and it immediately attracted widespread attention in the security community. Industry analyst firm Technavio forecasts the EDR market to grow to nearly $1bn USD from 2020 to 2025, at a compound annual growth rate of about 10 percent.
Endpoint security products have a high technical barrier to entry. Historically, most of the major players in the market have been professional anti-virus vendors. But in 2022, this trend will begin to change. A number of traditional network security-only vendors, like Hillstone Networks, are actively investigating this field.
In addition, a growing number of EDR vendors are incorporating or integrating with endpoint protection platforms (EPPs), which offer advanced protections against threats via machine learning and other techniques.
However, data collection technology still needs improvement. Static data collection covers the current state of the operating system (such as asset information, services, ports, processes, threads, and vulnerabilities); dynamic data collection covers the behaviors and operations that occur on the operating system over time, like account creation, network access, data sending, and file operations. Data collection is the premise and foundation for EDR’s threat prediction and security analysis, which makes both static and dynamic collection critical to achieving robust endpoint security.
Data mining and analysis capabilities are core competencies of EDR, and are an important feature that distinguishes EDR from standalone EPP solutions. EDR can centrally store and analyze a variety of heterogeneous data collected from the endpoints. Through deep learning, reinforcement learning, correlation analysis, cluster analysis, and other methods, it can, for example, uncover hidden security threats on an endpoint, identify a compromised host, or flag endpoints that do not meet security requirements or regulations.
Threat intelligence plays an important role in EDR. It can provide EDR with a large amount of key data – like internal and external threat data, malicious data samples, attack feature data, and attacker-group profiling information – to help comprehensively analyze and evaluate network attacks. Through multi-source intelligence correlation analysis, the attacker can be traced, and the motivation of the attacker can often be discovered. At the same time, based on threat intelligence data and big data analysis, EDR can also efficiently detect unknown attacks (like zero-day exploits). In addition, after EDR identifies and discovers threats, it extracts threat features by reverse-engineering sample files and generates threat intelligence data to improve the overall threat intelligence infrastructure (feeding NDR, SIEM, SOC, or situational-awareness systems).
For almost all organizations, endpoints represent one of the largest attack surfaces by far, both in sheer numbers and in geographic dispersion. Attackers are acutely aware of this as well – which makes the monitoring, detection and response capabilities of EDR an essential tool in IT security.
About the Author
Timothy Liu is co-founder and chief technology officer of Hillstone Networks. In his role, Mr. Liu is responsible for the company’s product strategy and technology direction, as well as global marketing and sales. Mr. Liu is a veteran of the technology and security industry with over 25 years of experience. Prior to founding Hillstone, he managed the development of VPN subsystems for ScreenOS at NetScreen Technologies, and Juniper Networks following its NetScreen acquisition. Mr. Liu is also a co-architect of the patented Juniper Universal Access Control and holds an additional patent on Risk Scoring and Risk-Based Access Control for NGFW. In his career, Mr. Liu has served in key R&D positions at Intel, Silvan Networks, Enfashion and Convex Computer. Mr. Liu holds a Bachelor of Science from the University of Science and Technology of China and a Ph.D. from the University of Texas at Austin.
Tim can be reached online at @thetimliu and at our company website https://www.hillstonenet.com/