Endpoint Detection and Response (EDR)


Why EDR is Important

EDR products provide the critical information needed by incident response teams to conduct forensic investigations. They provide visibility into the behavior of endpoints so that forensic security analysts and forensic teams have the information they need to investigate suspicious activity. Continuous monitoring of the endpoint, detection of anomalous activity, and supplying forensic detail to empower incident response are the core features of an EDR product.

In theory, an endpoint protection platform (EPP)/antivirus (AV) product blocks attacks while an EDR product detects the attacks that were not blocked. Using this approach, incident response investigations can focus on what happened and whether any data was compromised or lost.

EDR products are not for everyone. Proper utilization of an EDR product requires a team of forensic specialists. However, for organizations that are constantly under attack, an EDR product can save time and money. NSS Labs recommends that organizations that are likely to be the target of advanced persistent threats (APT) deploy an EDR product. This is especially true for organizations deemed to be critical infrastructure.

NSS Labs recommends deploying EDR products strategically on systems with access to critical information and systems in the data path that can be used to gain entry to (or exfiltrate) a network.

Forensics are particularly important for some enterprises, which is why EDR products that focus on forensic investigation and continuous monitoring remain in demand. In the 2018 NSS Labs Network Security Study, 89.4% of the US enterprises surveyed indicated the use of some forensic features on their endpoint products.1

What We Tested & Why

Performance and Latency - NSS Labs

EDR products are developed with different philosophies and capabilities. Some are designed to identify threats pre-execution, others contain technology that lends itself to the identification of threats during execution, and still others excel at identifying attacks post-execution. The reality is that most products have a mix of detection capabilities that enable detection pre-execution, during execution, and post-execution. However, this does not preclude the possibility of some performing better in one area than another, and these relative strengths and weaknesses are important to consider when evaluating which EDR product is right for your organization. Find out the relative strengths and weaknesses of each EDR product tested.

The test introduced real-world cyberattack scenarios to determine how effective products were at detecting, logging, and reporting on the following threats:

Social Engineered Malware (SEM) - NSS Labs

Today's malware is delivered over multiple infection vectors including social exploits, web-based HTTP traffic, and non-HTTP traffic such as email and cloaked executables. Find out how effectively each EDR product detected and logged malware.

Exploit Block Rate - NSS Labs

Attackers often lure users to websites where the users are then exploited. An exploit is an attack against a computer that takes advantage of a vulnerability in some part of the system, such as a logical flaw in a program installed on the machine. Learn how well each EDR product is able to detect exploits and their aftermath.

Blended Threats - NSS Labs

Blended threats leverage exploiting multiple vulnerabilities, such as spear phishing, infected peripherals, and sophisticated antivirus evasion techniques to infect the endpoint device. Learn how well each EDR product is able to detect blended threats and successfully distinguish between malicious and legitimate activity.

Evasions - NSS Labs

Cybercriminals deploy evasion techniques to disguise and modify attacks at the point of delivery in order to avoid detection. If an EDR product can be tricked by an evasion, an attacker can potentially deliver malware that the product would normally detect. Find out which EDR products are tricked by evasions, and which are not.

False Positives - NSS Labs

The ability of the EDR product to correctly identify and allow benign content (for example, legitimate application traffic, files, and documents) is as important as its ability to detect malicious content. Find out how each EDR product fared during false positive testing.

Remediation - NSS Labs

After an EDR product detects malicious or anomalous behavior, it should support follow-on investigation, incident response, and remediation efforts. Learn which EDR products conveyed detailed and timely threat event and forensics data.

Operating Expense - NSS Labs

Implementation of EDR products can be complex, with several factors affecting the overall operating cost. NSS has developed a unique opex model to determine the cost of EDR solutions. Find out which tested EDR products have the lowest operating cost and the highest ROI so you can better analyze risk and make informed purchasing decisions for your organization.

Value To You - NSS Labs

Just because a product is the least expensive doesn't mean it provides the best value or meets your needs. NSS Labs can help you determine which products are right for you.

Is Your Enterprise Looking for Insights in addition to the EDR Test Reports?

Exploit Block Rate - NSS Labs

Any time we conduct a test, there is more information than we can possibly include in our test reports. NSS Research Analysts help clients from the world's most demanding organizations get the answers they need.

Who We Tested

SNOW Self-Managed v12.18.0
CounterTack GoSecure
Endpoint Protection Platform v5.8.4
Deep Detect v18.0
NetWitness Endpoint v4.4.0

What are the Key Takeaways from the 2018 EDR Group Test?

3 out of 4
Products Achieved a
Recommended Rating

Overall Security
Between 39.0% and 96.3%

Opex per System
Ranged from
$253 to US$1621

What You Get:
EDR 1.0 Group Test

EDR Comparative Report

This report uses data from NSS' individual EDR Test Reports to determine the relative security and relative cost of the tested EDR products. Products are scored on multiple factors that affect their overall security effectiveness, including: Detection capabilities, resistance to evasions, and reporting capabilities.

Security Value MapTM (SVM) Comparative Report

The SVM Comparative Report uses empirical data from the individual EDR Test Reports and the Comparative Report to create NSS' unique Security Value Map (SVM). The SVM illustrates the relative value of each product by mapping Security Effectiveness against Opex per System.

Individual Test Reports

Test Reports provide detailed analysis for each product tested. Data from these reports is used in the NSS Labs Comparative Reports.

Test Reports enable enterprise security teams to understand the impact of features and limitations across different products. These reports are used to shortlist products for further evaluation and proof-of concept testing.