Friday, July 26, 2013

Named: Endpoint Threat Detection & Response [BACKUP FROM DEAD GARTNER BLOG]

NOTICE: after Gartner killed ALL blogs in late 2023, I am trying to salvage (via archive.org) some of the most critical blogs I've written while working there, and repost them with backdates here, for posterity. This one reminds the world that I invented the term EDR :-)

After a long agonizing process that involved plenty of conversations with vendors, enterprises and other analysts, I have settled on this generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) and other problems on hosts/endpoints: Endpoint Threat Detection & Response.

So, to summarize:

  • Category name: Endpoint Threat Detection & Response
  • Capabilities: see On Endpoint Sensing
  • Use cases: see Endpoint Visibility Tool Use Cases
  • Examples: Mandiant (MIR and MSO tools), CarbonBlack, Guidance Software (EnCase Cybersecurity [yes, that really is the name of the tool] and EnCase Analytics tools), RSA ECAT, CounterTack, CrowdStrike, etc.

The tools do have somewhat differing capabilities (such as the extent of data analysis performed on the agent vs the backend, collection timing and scope, integration of OOB indicators/intelligence, etc), but IMHO belong under the same general label.

By the way, a few other related tools may have broader functions and thus may justify a broader name – in their case the name “Endpoint Threat Detection & Response” can be applied to relevant tool capabilities and not to the entire toolset. Examples include Tanium, Bit9, HBGary, etc.

This name reflects the endpoint (as opposed to the network), threats (as opposed to just malware and officially declared incidents) and the tools’ primary usage for both detection and incident response. While some may argue that the “endpoint” label may be seen as applicable to workstations and not to servers, this minor loss of precision seems acceptable for the sake of brevity (others will say that four words is already too long).

These tools usually do not focus on full disk image acquisition and analysis (traditional computer forensics), but some can acquire such data as well as perform other forensic functions. On the other hand, the “next gen” endpoint prevention/blocking/isolation-focused tools should get their own category – but they are not my problem at this point 🙂

There you have it! Thanks to everybody who participated in this discussion.

UPDATE (2015): these tools are now known as “EDR”; more recent Gartner research refers to them as EDR tools. In essence, ETDR (2013) = EDR (2015).

Posts related to the same project:

Dr Anton Chuvakin