Endpoint Detection and Response (EDR) is a cybersecurity technology that addresses the need for continuous monitoring and response to advanced threats. It is a subset of endpoint security technology. EDR differs from other endpoint protection platforms (EPP) such as antivirus (AV) and anti-malware in that its primary focus isn't to automatically stop threats in pre-execution phase on an endpoint. Rather, EDR is focused on providing the right endpoint visibility with the right insights to help security analysts discover, investigate and respond to very advanced threats and broader attack campaigns stretching across multiple endpoints. Many EDR tools, however, combine EDR and EPP.
The EDR market is booming, and with good reason. Security breaches are more prevalent than ever, and most enter networks via endpoints. All it takes is one gullible user and the bad guys can sneak inside.
EDR revenues more than doubled in 2016, reaching $500 million, according to Gartner. Four vendors account for more than half of that total – Tanium, FireEye, CrowdStrike and Carbon Black. But there are others worthy of inclusion. This guide also examines Guidance, Symantec, Cyberreason, RSA, Cisco, and Countertack. But that list is destined to become shorter.
"We expect to see considerable consolidation in the endpoint security market going forward," said Avivah Litan, an analyst at Gartner. "Endpoint security products need to elevate the information and alerts they provide to the user and data level and further automate their response and remediation capabilities."
Despite that consolidation, Gartner's forecast is for almost 50% annual growth for EDR at least through 2020. That puts it way out in front of most areas of IT, where the overall growth rate is only 7%. Another factor in EDR's explosive growth is the fact that only 40 million EDR endpoints are currently installed, compared to the estimated 711 million desktop, laptop and other devices that can utilize the software.
The features that most EDR solutions have include:
- The ability to detect and prevent hidden exploit processes that are more complex than a simple signature or pattern and evade traditional AV
- Threat intelligence
- Visibility throughout endpoints, including applications, processes and communications, to detect malicious activities and simplify security incident response
- Automation of alerts, as well as defensive responses such as turning off specific processes when an attack is detected
- Forensic capabilities, because once an attacker is inside, you need the ability to take a deep dive into their activities so you can understand their movements and minimize the impact of the breach
- Data collection to build a repository used for analytics
Here, then, are 10 top EDR solutions worth considering. Gartner named each of these vendors as the top ten providers in terms of market share in its report "Competitive Landscape: Endpoint Detection and Response Tools." That document also laid out the various required features for EDR solutions that are considered here.
We summarize the EDR solutions below and link to a deeper analysis of each product, and at the bottom of this article is a chart comparing EDR product features.
FireEye Endpoint Security
FireEye serves organizations with anywhere from 250 to 350,000 endpoints, and is also beginning to penetrate smaller companies with a network security endpoint product called CloudHX. The company has more than 1,000 experts responding to incidents and researching attacks, and its network scanning appliances have boosted throughput to more than 1,000 Mbps.
Get an in-depth look at FireEye Endpoint Security.
Carbon Black Cb Response
Carbon Black boasts a CIA and NSA cybersecurity pedigree and supports 150,000 endpoints per cluster with unlimited scalability. It can be deployed as software or in the cloud, with a one-year subscription starting at $30 per endpoint.
Get an in-depth look at Carbon Black Cb Response.
Guidance Software EnCase Endpoint Security
EnCase boasts a majority of the Fortune 500 as customers. The EDR solution can scale to hundreds of thousands of nodes and has also been used to secure ATMs, POS systems and manufacturing devices.
Get an in-depth look at Guidance Software's EnCase Endpoint Security.
Cybereason Total Enterprise Protection
Cybereason was launched by Israeli cyber intelligence professionals and is aimed at companies of any size with little IT security expertise. It has no limit in number of endpoints supported and can process 8 million questions a second.
Get an in-depth look at Cybereason Total Enterprise Protection.
Symantec Endpoint Protection
Symantec stops nearly all advanced threats, and the company's EDR add-on adds incident investigation and response. It can scale to hundreds of thousands of nodes and is supported by the world's largest threat intelligence network.
Get an in-depth look at Symantec Endpoint Protection.
RSA NetWitness Endpoint
NetWitness offers more than 300 behavioral indicators that users can customize. The EDR solution uses behavior analytics, machine learning and threat intelligence to detect and prioritize threats.
Get an in-depth look at RSA NetWitness Endpoint.
Cisco Advanced Malware Protection for Endpoints
Cisco AMP boasts rapid detection capabilities and a 100% score from NSS Labs for malware and exploit detection. Its 14 integrated detection techniques can block 20 billion threats a day.
Get an in-depth look at Cisco AMP for Endpoints.
Tanium EDR boasts more than $400 million in funding from top-tier venture capital firms and more than doubled its sales last year. Its architecture can scale to millions of endpoints without requiring additional infrastructure. Twelve of the top 15 banks are customers.
Get an in-depth look at Tanium EDR.
CrowdStrike Falcon Insight
Falcon Insight is a cloud-based platform that collects and analyzes more than 30 billion endpoint events per day from millions of sensors deployed across 176 countries. It performs analysis of more than 70 adversaries, their tactics, techniques, procedures and campaigns.
Get an in-depth look at CrowdStrike Falcon Insight.
CounterTack Endpoint Threat
CounterTack uses a strategic partnership with SAP's HANA in-memory analytics platform to perform billions of scans per second. CounterTack applies a combination of behavioral analysis, machine learning and reputational techniques to counter threats.
Get an in-depth look at CounterTack Endpoint Threat.