Functions of EDR (Endpoint Detection and Response)

In this blog post, we will talk about the functions of EDR. Since you already know about Anti-virus, which is also called Vaccine, I will compare it with EDR below.

You may be unfamiliar with EDR because it is built mainly for large institutions and not yet for individuals. However, as the damage caused by security incidents can be severe for individuals too, it is important to know the difference between EDR and Vaccine and how EDR will develop further in the future.

EDR was developed to respond to unknown malware. It is therefore very different from traditional Anti-virus, which only responds to known malware. In other words, Anti-virus merely compares files against known malware, detects matches, and responds, often after the damage has been done. If the malware is unknown, you have to spend a great deal of time and effort to detect it. EDR addresses these limitations of Anti-virus, which makes it a distinctive and intelligent solution that continues to evolve.

Gartner, the most recognized market research firm that predicts and analyzes information security trends around the world, cited four components of EDR.

  • Detection of security breaches: Detecting security incidents beyond those caused by file-based malware.
  • Security control: Controlling security incidents that are detected on endpoints.
  • Security breach investigation: Investigating security incidents based on a timeline and conducting threat hunting.
  • Endpoint treatment: Recovering the endpoint to its pre-infection condition.

Similarly to Gartner’s list, the following is how I organize the components of EDR for easier visualization.

  • Collection/Detection: Collecting endpoint event behaviors and files and detecting threats.
  • Threat analysis: Comparing the collected information with known malware information, based on rules (IOC-based and MITRE-based).
  • Threat response: Controlling malicious behavior based on the analyzed results.
  • Threat management: Conducting root-cause analysis and providing information based on threat events.
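As an added illustration (not code from this post or from NPCore), here is a toy version of these four components run over a few constructed endpoint events: collection is the event list, analysis matches an IOC hash list and a MITRE ATT&CK-tagged behaviour rule, response picks an action per host, and management builds the timeline an investigator would review. The hosts, hashes, process names and rule are all constructed; the behaviour rule shows why EDR can flag malware whose file hash is not yet known.

```python
# Constructed endpoint telemetry in the shape an EDR agent collects
# (timestamp, host, process, parent process, file hash). Not real data.
EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "ws-17", "proc": "winword.exe",
     "parent": "explorer.exe", "sha256": "aaaa1111"},
    {"ts": "2024-01-10T09:00:05", "host": "ws-17", "proc": "powershell.exe",
     "parent": "winword.exe", "sha256": "bbbb2222"},
    {"ts": "2024-01-10T09:00:09", "host": "ws-17", "proc": "dropper.exe",
     "parent": "powershell.exe", "sha256": "deadbeef"},
    {"ts": "2024-01-10T09:01:00", "host": "ws-22", "proc": "chrome.exe",
     "parent": "explorer.exe", "sha256": "cccc3333"},
]

# Known-malware IOC list (constructed): the signature-style check Anti-virus relies on.
IOC_HASHES = {"deadbeef": "Trojan.Constructed.Sample"}

# Behaviour rule tagged with a MITRE ATT&CK technique: it fires on what the
# process does, so it catches malware whose hash is still unknown.
def office_spawns_powershell(e):
    return e["parent"] in {"winword.exe", "excel.exe"} and e["proc"] == "powershell.exe"

BEHAVIOUR_RULES = [("T1059.001", "Office app spawned PowerShell", office_spawns_powershell)]

def analyze(events):
    """Threat analysis: match each collected event against IOC and behaviour rules."""
    hits = []
    for e in events:
        if e["sha256"] in IOC_HASHES:
            hits.append({"ts": e["ts"], "host": e["host"], "rule": "IOC",
                         "desc": IOC_HASHES[e["sha256"]], "proc": e["proc"]})
        for tech, desc, pred in BEHAVIOUR_RULES:
            if pred(e):
                hits.append({"ts": e["ts"], "host": e["host"], "rule": tech,
                             "desc": desc, "proc": e["proc"]})
    return hits

def respond(hits):
    """Threat response: a behaviour hit isolates the host; an IOC-only hit
    quarantines the file. Isolation takes precedence when both fire."""
    actions = {}
    for h in hits:
        wanted = "quarantine_file" if h["rule"] == "IOC" else "isolate_host"
        if actions.get(h["host"]) != "isolate_host":
            actions[h["host"]] = wanted
    return actions

def timeline(hits, host):
    """Threat management: chronological view of one host's detections for investigation."""
    return [(h["ts"], h["rule"], h["proc"]) for h in sorted(hits, key=lambda h: h["ts"])
            if h["host"] == host]
```

Running `analyze(EVENTS)` yields two detections on ws-17, `respond` isolates that host, and `timeline(hits, "ws-17")` orders them so the analyst sees the Office-to-PowerShell chain before the known-bad file.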

EDR is the most advanced endpoint (e.g. computer, laptop) security product developed so far. It is at an early stage in the market, with great potential to develop and grow further, and its functionality is changing significantly. The characteristics of information security products change constantly as they move from an early stage to a mature stage, driven by the needs of the market and customers. Other products, however, are not changing or evolving, because their specifications are largely set.

In short, following the principle of Zero Trust, EDR does not trust any file; it monitors continuously and responds when threats occur.




I have served as CEO of NPCore, Inc. from November 2008 to the present with an extensive career of more than 20 years in the cybersecurity industry.

Han Solo