Friday, July 26, 2013

Named: Endpoint Threat Detection & Response [BACKUP FROM DEAD GARTNER BLOG]

NOTICE: after Gartner killed ALL blogs in late 2023, I am trying to salvage (via some of the most critical blogs I've written while working there, and repost them with backdates here, for posterity. This one reminds the world that I invented the term EDR :-)

After a long agonizing process that involved plenty of conversations with vendors, enterprises and other analysts, I have settled on this generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints: Endpoint Threat Detection & Response.

So, to summarize:

  • Category name: Endpoint Threat Detection & Response
  • Capabilities: see On Endpoint Sensing
  • Use cases: see Endpoint Visibility Tool Use Cases
  • Examples: Mandiant (MIR and MSO tools), CarbonBlack, Guidance Software (EnCase Cybersecurity [yes, that really is the name of the tool] and EnCase Analytics tools), RSA ECAT, CounterTack, CrowdStrike, etc.

The tools do have somewhat differing capabilities (such as the extent of data analysis performed on the agent vs the backend, collection timing and scope, integration of OOB indicators/intelligence, etc), but IMHO belong under the same general label.

By the way, a few other related tools may have broader functions and thus may justify a broader name – in their case the name “Endpoint Threat Detection & Response” can be applied to relevant tool capabilities and not to the entire toolset. Examples include Tanium, Bit9, HBGary, etc.

This name reflects the endpoint (as opposed to the network), threats (as opposed to just malware and officially declared incidents) and tools’ primary usage for both detection and incident response. While some may argue that “endpoint” label may be seen as applicable to workstations and not to servers, this minor loss of precision seems acceptable for the sake of brevity (others will say that four words is already too long).

These tools usually do not focus on full disk image acquisition and analysis (traditional computer forensics), but some can acquire such data as well as perform other forensic functions. On the other hand, the “next gen” endpoint prevention/blocking/isolation-focused tools should get their own category – but they are not my problem at this point 🙂

There you have it! Thanks to everybody who participated in this discussion.

UPDATE (2015): these tools are now known as “EDR”; more research Gartner research refers to them as EDR tools. In essence, ETDR (2013) = EDR (2015).

Posts related to the same project:

Monday, July 01, 2013

Monthly Blog Round-Up – June 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. Why No Open Source SIEM, EVER?” contains some of my thinking from 2009. Is it relevant now? Well, you be the judge.
  2. Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
  3. Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  4. On Choosing SIEM” is another old classic (from 2010) that often shows up on my top list; it covers some tips on choosing SIEM tools.
  5. My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on incident response:
Past network forensics research:
Past security data sharing research:
Miscellaneous fun posts:

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Dr Anton Chuvakin