Endpoint detection and response (EDR) software detects and identifies threats on network-connected devices. Compare features of top EDR tools.
Remote work has skyrocketed over the last year, leading to many workers accessing company information on personal devices. According to an HR Dive study, 60% of these personal devices aren't monitored by security tools. Even if your workforce isn't remote, unsecured personal devices can still provide hackers with easy access to company data when they connect to your company's WiFi network or cloud apps. Endpoint detection and response (EDR) software provides continuous monitoring and threat response capabilities to keep these endpoints secure.
In this guide, we'll explain why EDR software is so important for your business, explore common features, and compare the top EDR tools.
Why endpoints are the biggest threat to IT security
Employees use endpoints, like their phones or laptops, to check email, open unsecured apps, or browse the web in the same environment where they're accessing company documents and applications. With the same devices being used for both work and recreational purposes, company data is exposed to prying eyes.
Many attackers rely on social engineering to gain access to a device or network through phishing or similar tactics. Unfortunately for businesses, many employees can miss the signs that an email or website is malicious and unwittingly leave the door open for attackers to gain entry. According to Ponemon, more than 50% of breaches in small and medium businesses are the result of human error.
Without the right endpoint protection in place, these breaches can cause major damage to businesses of any size. The 2019 Hiscox Cyber Readiness Report puts the average cost of a single breach at about $200,000, a sum a small business would be hard-pressed to recover from. To protect against threats of that scale, IT security teams need tools that monitor endpoints continuously and surface threats before they escalate.
SEE: Intrusion detection policy (TechRepublic Premium)
Common features of EDR software
Some EDR tools are combined with other types of software and sold as endpoint protection platforms (EPP) that contain additional features, like a VPN, managed services, and firewalls. While these can be great for some companies, if you just need EDR software, you should focus on the following features.
Behavioral analytics flags anomalies in how a device or account is used. EDR platforms generally use machine learning to build per-user and per-host profiles of normal activity (which binaries run, which hosts a user signs in from, where processes connect to) and alert the security team when something departs from that norm. Because so many breaches start with human error rather than recognizable malware, behavioral detection is essential: a phished credential looks legitimate to a signature scanner but not to a baseline.
Not all alerts indicate a threat, and they shouldn't be treated equally. Say a mandatory password change came up for one of your employees. The next time they sign in, they may enter the old password out of habit and only realize the mistake when they get the "invalid password" error. Nothing shady is happening, but the system may still flag the failed login as a sign that someone is trying to break in. Your EDR software should prioritize alerts using context such as how many failures occurred, whether the host is one the user normally works from, and whether a known-bad indicator was involved, so the security team responds to the most pressing issues first.
One of the nice things about software is that it doesn't take breaks or time off. EDR tools offer continuous monitoring and can identify and quarantine a threat until a member of the security team is available to remove it. They also reduce your internal resource load, since you don't have to dedicate a position (or several) to watching endpoints around the clock. Instead, your security team can focus on tasks that require their expertise while the EDR tool watches the endpoints.
Allowlisting and blocklisting (whitelisting and blacklisting) lower the number of alerts the security team has to investigate by hand. Most EDR systems ship with blocklists of known-bad file hashes, domains, and sender addresses drawn from threat intelligence feeds, and administrators can add their own entries as they discover more. Conversely, administrators can allowlist applications, signing certificates, or sites that the EDR has flagged but that they have verified as benign, so the same false positive doesn't resurface. Keep allowlist entries as narrow as possible (a specific file hash or certificate rather than a whole directory or domain) and review them periodically, because a broad exception is exactly the gap an attacker will look for.
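To make the four features above concrete (behavioral baselining, alert prioritization, allow/block lists, and an automated quarantine rule of the kind enterprises ask for), here is a toy triage pass written for this article. It is illustrative code, not any vendor's implementation; the telemetry is constructed sample data, and every hash, host name, and user name is a placeholder assumption rather than a real indicator.

```python
"""Toy EDR alert triage: blocklist/allowlist, per-user baseline, priority scoring.

Illustrative code added to this article; it is not any vendor's implementation.
All telemetry below is constructed sample data and every hash/host name is a
placeholder (assumption), not a real indicator.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Placeholder indicators (assumed, not real IOCs).
BLOCKLIST_SHA256 = {"deadbeef" * 8}   # known-bad binary from a threat feed
ALLOWLIST_SHA256 = {"cafebabe" * 8}   # vetted internal tool that trips heuristics
EMPTY_PROFILE = {"hosts": frozenset(), "hashes": frozenset()}


@dataclass
class Event:
    user: str
    host: str
    kind: str          # "login_ok", "login_failed", "process_start"
    detail: str = ""   # SHA-256 of the image for process_start


@dataclass
class Alert:
    event: Event
    score: int         # 0..100, higher = look at it first
    reason: str


def build_baseline(history):
    """Per-user profile of normal activity: hosts used and binaries run."""
    baseline = defaultdict(lambda: {"hosts": set(), "hashes": set()})
    for e in history:
        baseline[e.user]["hosts"].add(e.host)
        if e.kind == "process_start":
            baseline[e.user]["hashes"].add(e.detail)
    return baseline


def triage(events, baseline):
    """Score a batch of events and return alerts, highest priority first."""
    alerts = []
    failed = Counter()   # failed logins per (user, host) in this batch
    for e in events:
        profile = baseline.get(e.user, EMPTY_PROFILE)
        new_host = e.host not in profile["hosts"]
        if e.kind == "process_start":
            if e.detail in ALLOWLIST_SHA256:
                continue                      # verified benign: no alert at all
            if e.detail in BLOCKLIST_SHA256:  # custom rule: known-bad => auto-quarantine
                alerts.append(Alert(e, 100, "blocklisted hash; quarantine host"))
            elif e.detail not in profile["hashes"]:
                alerts.append(Alert(e, 60 if new_host else 40,
                                    "binary never seen for this user"))
        elif e.kind == "login_failed":
            failed[(e.user, e.host)] += 1
    # One aggregated alert per (user, host) instead of one per failed attempt.
    for (user, host), n in failed.items():
        known = host in baseline.get(user, EMPTY_PROFILE)["hosts"]
        if n >= 5:
            score, why = 80, f"{n} failed logins on one host (possible brute force)"
        elif known and n < 3:
            score, why = 5, "few failures from usual host (likely old password)"
        else:
            score, why = 40, f"{n} failures from {'usual' if known else 'unfamiliar'} host"
        alerts.append(Alert(Event(user, host, "login_failed"), score, why))
    return sorted(alerts, key=lambda a: a.score, reverse=True)


# Constructed sample telemetry (assumed names and hashes).
SAMPLE_HISTORY = [
    Event("alice", "LAPTOP-A", "login_ok"),
    Event("alice", "LAPTOP-A", "process_start", "11" * 32),
]
SAMPLE_EVENTS = [
    Event("alice", "LAPTOP-A", "login_failed"),                   # old password, once
    Event("alice", "LAPTOP-A", "login_ok"),
    Event("alice", "LAPTOP-A", "process_start", "cafebabe" * 8),  # allowlisted
    Event("bob", "SRV-01", "process_start", "deadbeef" * 8),      # blocklisted
    Event("alice", "KIOSK-7", "process_start", "aa" * 32),        # new host, new binary
] + [Event("mallory", "VPN-GW", "login_failed") for _ in range(6)]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, build_baseline(SAMPLE_HISTORY)):
        print(f"{a.score:3d}  {a.event.user}@{a.event.host}: {a.reason}")
```

Run as a script and the blocklisted binary lands at the top (score 100), the six failed VPN logins next (80), the unfamiliar binary on an unfamiliar host after that (60), and alice's single typo at the bottom (5); the allowlisted tool produces no alert at all. The point of aggregating failed logins per user and host rather than alerting per attempt is the same one the password-change example makes: a real product should score context, not individual events.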
Enterprise considerations for EDR software
According to the SANS Endpoint Protection and Response Survey, 44% of IT departments manage somewhere between 5,000 and 500,000 endpoints. With enterprises likely to fall on the higher side of that range, IT teams need the ability to identify and prioritize the most pressing issues. Enterprises should look for EDR software with AI and machine learning capabilities as well as threat intelligence databases to block known threats and reduce the number of breaches the security team has to deal with manually.
Additionally, enterprises generally have employees in multiple locations. Because of this, they'll need EDR software that contains remote monitoring and management (RMM) features, so security administrators can access the endpoint, even if they're not located in the same place. This is also important if you use a managed services provider (MSP), rather than an in-house IT team.
Finally, an enterprise EDR system should offer customized rulesets for security administrators that reduce alert fatigue and initiate quarantine and removal procedures. By automating repetitive tasks, the security team can focus on items that actually need their expertise and keep their backlog light. With this need for extra functionality, some enterprises may opt for large endpoint protection suites, rather than a standalone platform.
Best EDR software for enterprises
VMware Carbon Black
VMware Carbon Black received the highest scores in ease of use and value, despite it being about average price. It also got solid security scores from both the NSS Labs and MITRE tests. Carbon Black goes beyond just collecting information about blatant attacks, also gathering data on seemingly normal activity that attackers use to hide their tactics. Unfortunately, many of the features that customers have come to expect from medium to high-end EDR tools are either unavailable or cost extra to add, including device control, advanced threat hunting, and rollback. The program is popular with sophisticated security teams, but it also offers good value for organizations that just need standard features.
Palo Alto Networks Cortex XDR
Cortex XDR by Palo Alto Networks is an XDR product rather than EDR alone: it correlates endpoint telemetry with network and cloud data, which helps it catch attacks, including targeted ones, that a single endpoint view would miss. The platform offers strong alerting along with AI and behavioral analytics that can track threats as they move between endpoints or across the network. Because it is tightly integrated with Palo Alto firewalls and other products, it's most useful for customers who already run Palo Alto equipment. Its high independent testing scores still make it a good option for other enterprises.
Symantec Endpoint Security
Symantec Endpoint Security (SES) is a combined EDR and EPP product that offers threat hunting, remediation, and analytics for targeted attacks. Pricing varies widely depending on the features you select, but the wide offerings make it perfectly customizable for enterprises. One interesting feature SES includes is deception, where the platform lays out bait for attackers and tries to expose them and prevent them from getting valuable data. Even the standard plan includes vulnerability and patch management, custom rules, and guided investigations, but you can also add on web content monitoring and full-disk encryption for an extra cost. SES doesn't offer rollback, but most other common (and some less common) EDR features are covered.
BlackBerry Cylance
BlackBerry's Cylance platform combines CylancePROTECT EPP and CylanceOPTICS EDR to prevent ransomware and unknown threats from reaching your network. It also offers automated remediation to get rid of threats faster. The product is more expensive than many on our list, but the reduced remediation time can lower operating costs. It also provides AI and zero trust options to prevent lateral movement and contain breaches if they do occur. The platform includes some advanced EDR features like threat hunting and custom rules, although it lacks behavioral detection and patch management, among others.
Kaspersky Endpoint Detection and Response
Kaspersky's EDR platform is one of the more popular on the market due to its low prices and solid security ratings. The product is also feature-rich, only requiring an additional cost to include a VPN. The automated rollback feature allows users to keep working by undoing most of the malicious actions. Kaspersky automatically brings the most pressing issues to the surface to make it easier for your security team to know what to tackle first. According to users, the software is also easy to implement and use, and it includes top-notch research and support. It can be resource-intensive and will sometimes strain a device's CPU.
Sophos Intercept X
Sophos Intercept X uses a unique combination of next-generation endpoint security techniques to block advanced forms of malware and ransomware. Using deep learning capabilities, the platform can even detect never-before-seen malware, and it provides root cause analysis, so you can get insight into network threats and make sure no remnants of the attack remain in your system. Some users find that removing a file from quarantine is more complicated and requires more steps than necessary. Sophos also offers managed threat response services, perfect for companies that want to outsource their security.
FireEye Endpoint Security
FireEye Endpoint Security provides continuous monitoring for threats, including advanced malware and indicators of compromise that often go unnoticed. It offers robust investigation features to give your security team the who, what, when, and where of threats. With fewer false positives, FireEye reduces alert fatigue and improves the speed of your threat response. Users like the actionable intelligence that FireEye provides, noting that it provides exactly the type of information analysts need to deep dive into threat forensics. Unfortunately, the product is not available on Android or iOS devices, and some users feel the product is expensive to purchase and maintain.
Cisco Secure Endpoint
Cisco Secure Endpoint, formerly known as AMP for Endpoints, combines machine learning, behavioral analysis, and signature-based techniques to give your endpoints multi-faceted protection. Simplified investigation features make it easy to figure out where threats originated and what they touched. It integrates easily with other Cisco tools, making it a good option for current Cisco customers. The basic package includes behavioral monitoring, continuous monitoring, and vulnerability identification, but you'll have to opt for a higher package to get advanced search or threat hunting capabilities. Some users did note that the interface is not as user-friendly and intuitive as other options.
WatchGuard Endpoint Security
WatchGuard Endpoint Security, built on the Panda Adaptive Defense products WatchGuard acquired with Panda Security, combines EPP, EDR, threat hunting, and zero trust security into one platform. The threat hunting service is operated by WatchGuard analysts, allowing your team to focus on strengthening your network. Through information gathered by their threat hunting team, WatchGuard then improves the machine learning component of their EDR system to offer better protection. Patch management, content filtering, and full-disk encryption are all available in the standard package, while device control and email protection are available at an extra cost. Some users did report false positives when importing from a USB, which slowed their security team down.
FortiEDR
FortiEDR from Fortinet provides advanced threat protection in real time for endpoints before, during, and after a breach. Once a threat has been detected, the software controls outbound communications and file modifications to avoid lateral movement or file tampering. The system offers rogue device control and even works with IoT devices. The incident response processes are customizable to help your team reduce alert fatigue. FortiEDR combines that with next-generation antivirus and rollback for a solid security system. Some users did note that the initial deployment is complex and requires more resources upfront.
SMB considerations for EDR software
Small businesses likely don't have the same IT security resources that enterprises do. They need EDR software that works right out of the box and doesn't need high levels of customization or an involved setup to work correctly. SMBs usually opt for less expensive solutions with quicker implementation times. They should look for standalone EDR solutions, rather than intricate software suites.
Because small businesses generally opt for standalone software, their EDR platform should also be able to integrate with their other security tools. SMBs should also use next-generation firewalls (NGFWs) and antivirus software to protect their network, and data from these different sources should be easy to compile and share across platforms. Some EDR software may have straightforward integrations to the platforms businesses already use, while others will offer APIs that support should be able to help with.
SEE: SMB security pack: Policies to protect your business (TechRepublic Premium)
Additionally, smaller businesses may just need the ability to block malicious software, so robust investigation tools aren't as important. Many EDR systems still need consistent attention, which means someone with working knowledge of IT and cybersecurity has to manage the endpoint software, tune its alerts, and act on them. Otherwise, the business is paying for software that provides no real protection.
Best EDR software for small businesses
Check Point SandBlast
Check Point SandBlast offers automated response capabilities that make it perfect for smaller businesses or organizations without sophisticated security teams. The software is adept at handling most security threats, although it does struggle slightly with targeted attacks. In the NSS Labs test, it managed a 100 percent block rate with no false positives. It offers many of the features users expect from EDR solutions and comes with a lower price point than many others. SandBlast is missing an option for custom rules, but overall, it's hard to beat the value for the price.
SentinelOne
Like the Check Point option, SentinelOne provides automated response features that make it easier for small businesses to keep their network secure. The platform includes many of the standard EDR features but omits most of the advanced ones, like VPN and mobile support. Rogue device discovery is available for an extra cost. There are three plan tiers that each include optional features, like dedicated support or managed detection and response. Overall, SentinelOne offers strong security at a fair price, and users scored it well in many categories, including value, response, and deployment.
Bitdefender GravityZone
Bitdefender GravityZone is a solid choice for small businesses that need machine learning and behavioral monitoring to handle much of their security work for them. Along with ML and behavioral analytics, the software also includes automated remediation and risk analytics, although they don't come in the standard plan. The security scores were solid, and businesses can add premium features as needed, although guided investigation, custom rules, and threat intelligence feed integration are missing. The platform also offers remote deployment, which is perfect for securing employees' devices as they work from home.
CrowdStrike Falcon
CrowdStrike Falcon scored high in most categories, with its top scores coming in detection, response, value, and support. Pricing is above average for EDR software, but if the advanced features are executed well, the platform can pay for itself by preventing expensive breaches. There are also three customizable plans that make it pretty easy to get what you need. Aside from web content filtering and VPN, Falcon offers all of the standard features that should be included in a top EDR solution. Automated remediation does cost extra, however. Users are generally happy with the product, and it's easy to implement, making it a solid choice for small businesses.
F-Secure
F-Secure offered some of the highest independent testing scores, only matched by Palo Alto. For a mid-range price, the software is one of the top security options on the EDR market, also offering high scores in value and ease of use. F-Secure offers a full lineup of features, although advanced options like vulnerability monitoring, rollback, and VPN come at an extra cost. Some users did report challenges with implementation, but the customer support team is solid and can help out. If top-notch security is your main priority, you should take a deeper look at F-Secure.
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint, formerly Defender Advanced Threat Protection, has its sensor built into Windows itself, making it an obvious choice for Windows devices. Microsoft has also invested in making it available for Mac and Linux. The product is available as a standalone EDR product or as part of a larger Microsoft security suite. Defender for Endpoint received high scores in both management and ease of use. The only feature it doesn't include is analyst workflow; rogue device discovery and VPN are available, but only at an extra cost. Overall, the product offers strong security and includes lots of standard features, which is great for small businesses that might not know exactly what they need from their EDR software.
Trend Micro Apex One
For those looking for strong security at a budget price, consider Trend Micro Apex One. The platform is a combination of EPP and EDR that showed top-tier performance in the MITRE tests, and NSS Labs gave it one of the best total cost of ownership (TCO) scores. For businesses that use cloud office suites, Apex One integrates easily with Google G Suite and Microsoft Office 365. Unfortunately, some users have reported that they needed to manually remove malware that the product found, and many of the advanced features are missing or cost extra. However, considering the low cost of the base package, adding these advanced options shouldn't put you out much.
McAfee MVISION Endpoint
MVISION Endpoint by McAfee offers both local and cloud-based detection capabilities to keep your data safe no matter where it is. It also employs machine learning to find threats, even when they attempt to mask themselves. Using automatic remediation, MVISION Endpoint reverts a device back to its healthy state and blocks attempts at credential harvesting, so breaches are stopped before they can ever start. The cloud-based software requires no maintenance, works right out of the box, and automatically updates the defenses. MVISION does tend to have a higher volume of false positives compared to other products, which can slow down your security team.
ESET PROTECT Enterprise
ESET PROTECT Enterprise is a cloud-based console that includes endpoint protection, EDR, full-disk encryption, and a cloud sandbox. While the software itself is cloud-based, it can protect data both in the cloud and on-premises. The tool is designed to enhance the visibility of your endpoints and protect against zero-day threats and ransomware. ESET PROTECT works on computers, smartphones, and virtual machines for comprehensive endpoint security. Users have noted that ESET PROTECT is pretty resource-intensive and can strain CPUs and slow down devices.
Cybereason Defense Platform
Cybereason Defense Platform offers an enterprise plan that combines next-generation antivirus, threat intelligence, and EDR into a single console. To make investigations easier, the software provides a contextualized view of the full attack, so security teams can see exactly what remediation steps they need to take. Cybereason's internal threat intelligence team continuously monitors devices around the world to discover emerging threats and vulnerabilities. The mobile deployment also detects malicious app usage and critical system vulnerabilities without the need for custom rules. MDR, threat hunting, and mobile threat defense are available at an extra cost. Some users complained about the response speed of customer service.
Choosing the best EDR tools for your organization
Before deciding on an EDR tool for your organization, take stock of your endpoints and decide which features matter most. Do you have employees working remotely or in multiple office locations? What about salespeople who travel? If so, you need an EDR platform that gives your IT team remote access to those devices. If you experience breaches that must be reported to regulators or law enforcement, your EDR software should collect and retain enough investigation data (process history, network connections, file changes, and timestamps) to support those reports. When available, take advantage of free trials and talk to customer support before making your final decision.
Author Jenn Fulmer is a content writer for TechnologyAdvice, IT Business Edge, and Baseline.