Endpoint detection and response tools work by monitoring endpoint and network events and recording the information in a central database where further analysis, detection, investigation, reporting, and alerting take place. A software agent installed on the host system provides the foundation for event monitoring and reporting.
Ongoing monitoring and detection are facilitated through the use of analytic tools. These tools surface the actions that improve a company's overall security posture: identifying, responding to, and deflecting internal threats and external attacks.
Not all endpoint detection and response tools work the same way or offer the same spectrum of capabilities. Some endpoint detection and response tools perform more analysis on the agent, while others focus on the backend via a management console. Some vary in collection timing and scope, or in their ability to integrate with threat intelligence providers.
However, all endpoint detection and response tools perform the same essential functions with the same purpose: to provide a means for continuous monitoring and analysis to more readily identify, detect, and prevent advanced threats.
The primary functions of an EDR security system are to:
- Monitor and collect activity data from endpoints that could indicate a threat
- Analyze this data to identify threat patterns
- Automatically respond to identified threats to remove or contain them, and notify security personnel
- Provide forensics and analysis tools to research identified threats and search for suspicious activity
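The collect, analyze, respond and forensics loop above, as an added example in Python that is not from the original page or any EDR vendor: the agent telemetry, host names, the single detection rule (an office application spawning a shell, raised to high severity if the shell then connects out) and the containment policy are all constructed assumptions standing in for a real product's data and rule set.

```python
# Constructed telemetry, in the shape an endpoint agent might report to the central store.
EVENTS = [
    {"host": "ws-01", "ts": 100, "type": "process_start", "image": "winword.exe", "parent": "explorer.exe"},
    {"host": "ws-01", "ts": 101, "type": "process_start", "image": "powershell.exe", "parent": "winword.exe"},
    {"host": "ws-01", "ts": 102, "type": "net_connect", "image": "powershell.exe", "dst": "203.0.113.9:443"},
    {"host": "ws-02", "ts": 105, "type": "process_start", "image": "chrome.exe", "parent": "explorer.exe"},
    {"host": "ws-03", "ts": 110, "type": "process_start", "image": "excel.exe", "parent": "explorer.exe"},
    {"host": "ws-03", "ts": 111, "type": "process_start", "image": "cmd.exe", "parent": "excel.exe"},
]
OFFICE_APPS = {"winword.exe", "excel.exe"}  # assumed rule inputs, not a product's list
SHELLS = {"powershell.exe", "cmd.exe"}

def ingest(events):
    """Central database stand-in: keep every agent event, ordered by host and time, for later queries."""
    return sorted(events, key=lambda e: (e["host"], e["ts"]))

def detect(store):
    """Threat pattern: an office application spawns a shell; severity rises if that shell then connects out."""
    alerts = []
    for e in store:
        if e["type"] != "process_start" or e["parent"] not in OFFICE_APPS or e["image"] not in SHELLS:
            continue
        outbound = [n for n in store if n["host"] == e["host"] and n["type"] == "net_connect"
                    and n["image"] == e["image"] and n["ts"] > e["ts"]]
        alerts.append({"host": e["host"], "rule": "office-app-spawned-shell",
                       "severity": "high" if outbound else "medium", "evidence": [e] + outbound})
    return alerts

def respond(alerts):
    """Automatic response: isolate hosts with a high-severity alert and notify the analyst for every alert."""
    contained = {a["host"] for a in alerts if a["severity"] == "high"}
    notifications = [f"{a['host']}: {a['rule']} [{a['severity']}]" for a in alerts]
    return contained, notifications

def hunt(store, image):
    """Forensic search across the fleet: which hosts ever ran the given image?"""
    return sorted({e["host"] for e in store if e.get("image") == image})

def run_pipeline(events):
    """Collect -> analyze -> respond, the loop the text describes; the store is returned for forensics."""
    store = ingest(events)
    alerts = detect(store)
    contained, notifications = respond(alerts)
    return store, alerts, contained, notifications

if __name__ == "__main__":
    store, alerts, contained, notes = run_pipeline(EVENTS)
    print(notes, "contained:", sorted(contained), "ran cmd.exe:", hunt(store, "cmd.exe"))
```

Note that the medium-severity alert on ws-03 is only notified, not contained: the response policy is where a deployment decides how much automation it tolerates before an analyst looks.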