Over the past 18 months we’ve watched the Endpoint Detection and Response (EDR) market evolve and take shape as organizations both small and large and across industry are recognizing the need to protect the endpoint. A clear focus for technology market-wide, has been on trying to solve customer challenges by detecting threats faster and with more efficacy, integrating endpoint intelligence into other platforms, improving SOC workflow and preventing commodity malware in favor of focusing more on advanced threats.
The recent Market Guide for EDR published by Gartner demonstrates an evolution of how this market started, and how this market has taken shape since 2013, in now its third iteration. What has stayed consistent in this market, however, is the need to detect, contain, investigate and remediate incidents on endpoints.
Fundamentally, this market emerged out of a need for more accurate detection, and more comprehensive protection within endpoint environments. It’s certainly interesting to see how estimates of the overall market size are sitting currently at $498M, in line with Gartner’s predictions from three years ago.
Looking at Gartner’s latest report, and the market overall, we’re seeing some specific trends…
The Emergence of Endpoint Protection Platform
One key trend we are seeing is the push of Endpoint Protection Platform capabilities against EDR, which really means two things:
- The traditional players who have built the antivirus market have started to make a push into EDR-like capabilities. Adding enhanced detection and analysis capabilities, they can avoid long-standing customers bolting for a more innovative offering, ultimately to become displaced.
- We are seeing the prevention-only, or stronger prevention-like capabilities still dominate conversations, where the expectation from customers is stronger prevention that front-ends a robust detection, analysis, investigative drill-down and response capability set. Those vendors who focused on prevention first are trying to get better on the analytics side, and those who have focused on better data and context of threats are developing more innovation in how they block attacks.
EDR in the SOC
The next big trend we are seeing is the changing nature of the SOC. Most SOC managers are demanding a more robust, yet less cumbersome set of integrations into SIEM platforms. ESG Analyst Jon Oltsik nailed an understated trend—instead of just a SIEM solution, SOC teams are viewing their needs as security operations and analytics platform architecture, or SOAPA.
Where does EDR fit in here? First off, as threats often materialize quickly, or at least certain exposures or exploits are discovered during advanced, targeted attacks that indicate something malicious, it’s clear that correlation and asynchronous aggregation of data is critical to paint the cleanest, clearest illustration of what you are facing, right then and there. Oftentimes, machines are where the most visible damage is done, i.e. desktops, laptops and servers.
This means machine-based data needs to be weighted against a series of alerts and other aggregated intelligence sources to make key decisions on investigating incidents, and remediating/responding the right way. Jon Oltsik points out that EDR technology is one of the best technology sets to validate alerts from other tools in the SOC, and to further investigate threats.
The SOC analysts we work with regularly tell us they don’t need more information, but better information, more quickly, with enough detail to either launch an investigation, or to auto-respond, by killing a process, isolating the threat, or through file extraction. It bares reiterating that SOC teams need less to sift through, and more context that matters, and that is done through analyzing behavior, not simply signatures.
As Gartner points out, behavioral techniques are difficult to develop and implement, but provide more value than just looking at signatures and processes running. Signatures after all, only look for a minimal number of static sources to provide one thing – a yes or no answer about whether something is categorized as malicious.
As Gartner puts it, “The EDR market is clearly in the Gold Rush.” Regardless of the new players emerging and the larger vendors adding capabilities, one thing remains consistent—there are certain approaches within the EDR market that are resonating with experienced, dynamic SOC teams, and 2017 looks like it will become the biggest year for this category of endpoint security technology.