Why EDR is Important
EDR products provide the critical information needed by incident response teams to conduct forensic investigations. They provide visibility into the behavior of endpoints so that forensic security analysts and forensic teams have the information they need to investigate suspicious activity. Continuous monitoring of the endpoint, detection of anomalous activity, and supplying forensic detail to empower incident response are the core features of an EDR product.
In theory, an endpoint protection platform (EPP)/antivirus (AV) product blocks attacks while an EDR product detects the attacks that were not blocked. Using this approach, incident response investigations can focus on what happened and whether any data was compromised or lost.
EDR products are not for everyone. Proper utilization of an EDR product requires a team of forensic specialists. However, for organizations that are constantly under attack, an EDR product can save time and money. NSS Labs recommends that organizations that are likely to be the target of advanced persistent threats (APT) deploy an EDR product. This is especially true for organizations deemed to be critical infrastructure.
NSS Labs recommends deploying EDR products strategically on systems with access to critical information and systems in the data path that can be used to gain entry to (or exfiltrate) a network.
Forensics are particularly important for some enterprises, which is why EDR products that focus on forensic investigation and continuous monitoring remain in demand. In the 2018 NSS Labs Network Security Study, 89.4% of the US enterprises surveyed indicated the use of some forensic features on their endpoint products.[1]
EDR products are developed with different philosophies and capabilities. Some are designed to identify threats pre-execution, others contain technology that lends itself to the identification of threats during execution, and still others excel at identifying attacks post-execution. The reality is that most products have a mix of detection capabilities that enable detection pre-execution, during execution, and post-execution. However, this does not preclude the possibility of some performing better in one area than another, and these relative strengths and weaknesses are important to consider when evaluating which EDR product is right for your organization. Find out the relative strengths and weaknesses of each EDR product tested.
The test introduced real-world cyberattack scenarios to determine how effective products were at detecting, logging, and reporting on the following threats:
Today's malware is delivered over multiple infection vectors including social exploits, web-based HTTP traffic, and non-HTTP traffic such as email and cloaked executables. Find out how effectively each EDR product detected and logged malware.
Attackers often lure users to websites where the users are then exploited. An exploit is an attack against a computer that takes advantage of a vulnerability in some part of the system, such as a logical flaw in a program installed on the machine. Learn how well each EDR product is able to detect exploits and their aftermath.
Blended threats exploit multiple vulnerabilities and combine techniques such as spear phishing, infected peripherals, and sophisticated antivirus evasion to infect the endpoint device. Learn how well each EDR product is able to detect blended threats and successfully distinguish between malicious and legitimate activity.
Cybercriminals deploy evasion techniques to disguise and modify attacks at the point of delivery in order to avoid detection. If an EDR product can be tricked by an evasion, an attacker can potentially deliver malware that the product would normally detect. Find out which EDR products are tricked by evasions, and which are not.
The ability of the EDR product to correctly identify and allow benign content (for example, legitimate application traffic, files, and documents) is as important as its ability to detect malicious content. Find out how each EDR product fared during false positive testing.
After an EDR product detects malicious or anomalous behavior, it should support follow-on investigation, incident response, and remediation efforts. Learn which EDR products conveyed detailed and timely threat event and forensics data.
Implementation of EDR products can be complex, with several factors affecting the overall operating cost. NSS has developed a unique opex model to determine the cost of EDR solutions. Find out which tested EDR products have the lowest operating cost and the highest ROI so you can better analyze risk and make informed purchasing decisions for your organization.
Just because a product is the least expensive doesn't mean it provides the best value or meets your needs. NSS Labs can help you determine which products are right for you.
Any time we conduct a test, there is more information than we can possibly include in our test reports. NSS Research Analysts help clients from the world's most demanding organizations get the answers they need.
[Summary figures from the test, recovered from the page's highlight panels: "3 out of 4 products achieved a" (remainder of the statement not present); "Between 39.0% and 96.3%" (metric not stated on the page); "Opex per system: US$253 to US$1,621".]
Individual Test Reports
Test Reports provide detailed analysis for each product tested. Data from these reports is used in the NSS Labs Comparative Reports.
Test Reports enable enterprise security teams to understand the impact of features and limitations across different products. These reports are used to shortlist products for further evaluation and proof-of-concept testing.