
What to consider when evaluating EDR

Our new EDR evaluation guide educates security professionals on what they should look for in an endpoint detection and response (EDR) or extended detection and response (XDR) platform

Brian Donohue

Endpoint detection and response (EDR) products started as tools for gaining visibility into endpoint operating systems and remotely executing response actions on those endpoints. However, years of product consolidation and other market forces conspired to reshape EDR tools, merging them with antivirus (AV), next-generation AV (NGAV), endpoint protection platforms (EPP), and more. Somewhere along the way, someone coined the phrase “extended detection and response” (XDR), and much in the same way that legacy AV products adapted and rebranded into EDR products, many EDR products have adapted and rebranded as XDR platforms.


Given all of this change, evaluating an EDR product, always a complicated matter, is now fundamentally different than it was just a few years ago. The scope of these tools has broadened, and they now boast extensive alerting capabilities from endpoints and non-endpoints alike—in addition to the core EDR features that have existed for years. Further, not all EDR platforms have feature parity, and the implementation of features differs from one tool to the next.

There is no “best EDR platform,” but there is definitely a best EDR platform for your organization.

Many security teams count EDR platforms among their most important security tools or controls, but EDR tools are expensive—both in procurement and implementation. For these reasons, it’s extremely important for organizations to get it right when selecting an EDR tool, and that’s precisely what our new guide is intended to do: help organizations evaluate and select the EDR tool that is right for them.

The need for EDR

EDR tools offer substantial benefits to the security teams that use them, and they are a near-necessity for all but the smallest organizations. A 2023 Gartner survey found that 57 percent of organizations have EDR capabilities deployed, a 15 percent increase since 2022. Despite increased attention being paid to cloud and identity security, ransomware remains a major problem, and we continue to detect tens of thousands of endpoint threats every year, primarily using raw telemetry from a wide variety of EDR providers. We expect the percentage of organizations with an EDR platform to increase in the coming years.

For the 43 percent of organizations that don’t have an EDR tool, assessing the capabilities of any given EDR tool and finding the right one for the organization is a challenge. As for the 57 percent of organizations that do have an EDR platform, many will consider changing platforms, and they will face the same assessment challenges as those who’ve never had one, albeit with the benefit of having done this before.

About this guide

This guide leverages Red Canary’s experience evaluating and operationalizing EDR platforms over the last decade—and helping thousands of organizations through the process of buying and operationalizing one—to explain what you should look for in an EDR tool, the features you can expect to find, and how competing platforms differ from one another. By reading this, you’ll gain a better idea of what’s available, understand the right questions to ask of EDR vendors, and be empowered to select the EDR tool that provides the most value to your unique organization.

This guide is a product-agnostic assessment of features available across EDR platforms. Since the overall quality of an EDR product nearly always depends on the needs and preferences of individual organizations, we do not recommend or even mention specific EDR providers or products in this guide. Instead, we discuss the features we believe are important—and the nuances you might find in the implementation of those features.

The core components of EDR platforms analyzed in this guide are:

  • Visibility: What data sources does the tool collect from? How reliably does it deliver the telemetry it monitors? How do you access data in the EDR tool?
  • Alerting: What are the volume and fidelity of the alerts generated by the tool? Is the EDR tool transparent about the criteria for its alerts? What kind of contextual information is presented with the alerts? Can you tune the alerts?
  • Prevention: What does the EDR tool block? How does it block content? What controls are available for adjusting its prevention capabilities?
  • Reporting: What kinds of reporting does the tool generate? Does it create reports automatically?
  • Response: What response actions are available to the tool? How does the tool protect its response capabilities?

How would we know?

We’ve spent 10 years evaluating nearly every EDR tool on the market, operationalizing them at enormous scale to build a world-class security operations platform, and guiding thousands of organizations through the process of determining which EDR tool is the best fit for their organization. Very few organizations (if any) possess Red Canary’s level of experience and expertise with EDR tools. We understand the features they offer and how those features—and the implementation of those features—vary between platforms.

