Endpoint Detection and Response. Basically a new term for antivirus/antimalware, but one that reports back to defenders and helps them respond to malicious software that may be on the device.
Never worked in an environment with hard security requirements?
Tell me, if your responsibility was to prevent, identify, and respond to breaches, what policies and technologies would you utilise to achieve this goal?
The comments on this site are really something after having worked for an engineering corp that was actively targeted for industrial espionage. You guys really don't wanna monitor what processes on your boxes are doing? Hopefully your servers don't do anything of consequence lol.
We've got one of those at work, and the most visible effect is it makes me feel like driving around with the handbrake on.
Then, every so often, it'll flag the code I'm working on as "malicious". It's pretty basic glue stuff, and launching the executable in their sandbox usually turns up nothing. Sure, I can add an exception for what I'm working on and my tools so it doesn't scan rustc every time it runs. But exceptions can only be paths. Aren't we lucky that bad guys would never ever overwrite the files I've excluded.
When we first started deploying it, I wrote a quick and dirty cryptolocker. Reading files and rewriting their content encrypted in AES. Didn't take any evasive action, just traverse directories and fetch all the files. I even went out of my way to do it multi-threaded, so I wouldn't have to wait too long while testing. Sure enough, it flagged my test-crypto.exe as suspicious. But I guess I'm not enough of a threat, since I've tried renaming it to meh.exe and, wouldn't you know it, I could happily encrypt my own home folder without any bother.
So I'm still not fully convinced these aren't just like the antivirus of old, only with a different name.
Yes, I have operated Carbon Black, Huntress, and CrowdStrike and they all work very well at stopping real attacks. You are always going to have edge cases, but there's a lot of power in being able to roll back anything even if it wasn't initially blocked. Within a few minutes of badstuff.exe being flagged I can have a graph of everything it's ever touched, how it got there, say with certainty if consumer data was impacted, and know everything that was exfiltrated. We can go back to patient zero and see everything that it branches out to and freeze every iteration of it out of the network instantly. And it's easy; you used to be down for weeks and hire a DFIR firm to puzzle it out. Now it's a button.
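As an added illustration (not code from any commenter or product) of the two points raised above, the lineage graph an analyst pulls once badstuff.exe is flagged and the renamed-binary problem from the cryptolocker test: the process telemetry below is constructed, and the `pid`/`ppid`/`image`/`sha256` fields are assumed to be what an EDR agent records per process start. Matching on the file hash rather than the path is what lets the renamed copy be found.

```python
"""Scoping a flagged process from EDR-style process-start telemetry."""
from collections import defaultdict

# Constructed sample telemetry (not from any real product): one record per
# process start. meh.exe is badstuff.exe renamed, so it shares its hash.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",             "sha256": "hash-explorer"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\badstuff.exe",   "sha256": "hash-bad"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",         "sha256": "hash-cmd"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\meh.exe",    "sha256": "hash-bad"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\u\AppData\Local\helper.exe", "sha256": "hash-helper"},
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\editor.exe",         "sha256": "hash-editor"},
]

def index(events):
    """Build pid -> record and ppid -> [child pids] lookups."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children

def ancestry(events, pid):
    """Path from the oldest recorded ancestor down to pid ("how it got there")."""
    by_pid, _ = index(events)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen-set guards against bad ppid data
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def descendants(events, pid):
    """Every process spawned, directly or transitively, by pid."""
    _, children = index(events)
    out, stack = set(), [pid]
    while stack:
        for child in children[stack.pop()]:
            if child not in out:
                out.add(child)
                stack.append(child)
    return out

def same_binary(events, pid):
    """Other executions of the same bytes, whatever the file was renamed to."""
    by_pid, _ = index(events)
    digest = by_pid[pid]["sha256"]
    return {e["pid"] for e in events if e["sha256"] == digest and e["pid"] != pid}

def scope(events, flagged_pid):
    """The three views an analyst wants right after a detection."""
    hits = {flagged_pid} | same_binary(events, flagged_pid)
    spawned = set().union(*(descendants(events, p) for p in hits))
    return {"ancestry": ancestry(events, flagged_pid), "aliases": hits - {flagged_pid}, "spawned": spawned}
```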
> there's a lot of power in being able to roll back anything even if it wasn't initially blocked. Within a few minutes of badstuff.exe being flagged I can have a graph of everything it's ever touched, how it got there, say with certainty if consumer data was impacted, and know everything that was exfiltrated.
I can certainly see the value in that.
But does that work when the threat is actually "new"? Say, some badstuff.exe managed to run and do its thing without being flagged by the EDR. Somehow you found out about it, say on another box. Can you investigate a posteriori how it got on the initial box and what it did there?
Oh, I fully understand why it's needed, and I have experience working with EDR software - which is why I stand by my statement that I'd rather deal with ED than EDR because at least there's a remedy for the former :P
The company I work for recently had the beautiful experience of having Windows Defender delete our program from many of our customers' computers during the weekend, with the consequent support calls the next day about "your program does not run and I'm losing money!" and the headache of having to find out why the exe is magically gone, since the antivirus going crazy is the last thing you think of.
"Thankfully" it seems they did a progressive rollout of whatever version of Defender that detects our software so we didn't get every customer angry at once, which would come pretty close to a business ending event.
So yeah, malware seems an adequate word to me. Especially since there's no way to find out what heuristic we're tripping and no one to ask for help, so there's no guarantee that this won't happen again in a few weeks.
The malicious mindset is right in the name. It redefines my computer to exist only in context of another thing. My hardware is now an """endpoint""" and not a standalone system.
It's not something that you're going to install on personal machines. It's something that the CISO wants installed on company machines for compliance reasons. And before you claim that you don't want your activity monitored on the company laptop, the laptop belongs to the company. There's no expectation of privacy.
In a corporate setting (where this kind of software is often used), "your" computer is not really yours and does in fact only exist in context of another thing (the corporation).
XDR is a marketing term for a service that bundles or aggregates EDR with other types of enterprise level security monitoring. The endpoint part is still called EDR.
What the hell is EDR software?