Key Criteria for Evaluating Endpoint Detection and Response (EDR) Solutionsv2.0

1. Summary

The endpoint presents an unusual problem forced on organizations and security teams. Endpoints are portals through which sensitive data is accessed and manipulated by staff. They’re often mobile, moving from location to location, and sometimes operated by multiple users. Compounding the problem, endpoint telemetry can be cryptic or completely absent.

Endpoint detection and response (EDR) addresses these risks through enhanced visibility of the endpoint landscape and by correlating individual anomalous events into a unified series, helping security teams to prioritize potential threats. Once anomalous events are detected, EDR solutions deploy automated responses to mitigate risks.

Automated response features available in EDR solutions that aren’t found in legacy antivirus (AV) solutions include: the ability to isolate an endpoint remotely until security staff can address the risk, forensic data collection, automated response workflows, and cross-device event correlation.

EDR is often delivered as part of a managed solution, wherein a trusted third party handles some or all of the investigation and triage work. This is a popular service model for organizations with small security teams or business units responsible for their own security operations. EDR is also sold as a standalone, technology-only solution, which is often a more popular choice for larger organizations with mature security operations.

Given the emergence of advanced persistent threats, the burden of regulatory compliance requirements, shortages of staff and skills, and the proliferation of highly distributed work-from-home environments, EDR has evolved to address new challenges.

This evolution is evident from the fracturing of vendors in the space. On one side are vendors that see a future in which EDR transforms into extended detection and response (XDR), which supports telemetry from the endpoint as well as from SaaS, identity providers, firewalls, VPNs, and so forth. On the other side are vendors that see EDR as a separate discipline, one that will stand the test of time on its own, much as legacy AV did for decades.

This is the second year that GigaOm has reported on the EDR space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Key Criteria report details the capabilities (table stakes, key criteria, and emerging technologies) and non-functional requirements (evaluation metrics) for selecting an effective EDR solution. The companion GigaOm Radar report identifies vendors and products that excel in those capabilities and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading EDR offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.