EDR and EPP tools are merging to address new threats, so security and risk management leaders must revise related strategies. Leading vendors have created holistic tools in a single portal. These platforms can displace existing endpoint toolsets with faster detection and optional automated response.
Overview
Key Findings
- Older antivirus solutions offer insufficient protection against today’s advanced threats and lack speed of response, nor do they provide the capability to show the root cause or damage done.
- Leading EDR vendors combine modern prevention techniques with detect and response capabilities in a single lightweight agent. The best of these feature cloud-hosted infrastructure that unifies many tools in one console and offers further integration options.
- Automation is a major differentiator where security staff are scarce and there is a need for rapid detection of advanced persistent threats and to provide the fastest remediation of these.
- EDR tools must handle vast amounts of data, so cloud hosting of back-end compute, storage and reporting consoles is optimum. This also provides scalability and cost-effective hosting/storage, and offers more opportunities to automate and integrate with other services.
Recommendations
Security and risk management leaders responsible for endpoint security must:
- Prepare for periodic change to be the new “normal,” ensuring maximum flexibility in licensing and support contracts. Budget for regular upgrades to tools, processes and resources needed to detect evasive threats in time, identify and remediate the root cause, and prevent recurrence.
- Check, when selecting combined EPP and EDR solutions, that these can detect fileless exploits and “living off the land” style attacks. Ensure tools don’t rely solely on machine learning techniques and favor those that employ multiple additional detection methods.
- Use threat modelling and penetration testing to show where current tools and skills are inadequate. Plug any gaps by updating to cloud-hosted EDR tools that have automation and integration options. Defenders need training to correctly deploy and fully exploit all capabilities.
- Select vendors that submit their tools to nonsponsored public testing. Prefer those that mapped their controls to MITRE’s ATT&CK framework and performed well in MITRE evaluations.
Strategic Planning Assumption
By the end of 2023, more than 50% of enterprises will have replaced older antivirus products with combined EPP and EDR solutions that supplement prevention with detect and response capabilities.
Market Definition
This document was revised on 9 January 2020. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
EDR solutions must provide four primary capabilities:
- Detect security incidents
- Investigate security incidents
- Contain the exploit at the endpoint
- Provide guidance for remediation
In addition, EDR solutions should enable enterprises and smaller organizations to deploy a single solution that also protects against attacks and allows the collection and analysis of log and configuration data. The visibility of user, device and application activity should be combined with advanced reporting and direct intervention when abnormal activity is detected. The detection methods used must be frequently updated. Integration and automation with other tools and services are paramount. Cloud hosting is preferred, with alternative hosting options available.
Market Description
Since the complexity of attacks and threats have both continued to develop at a pace that exceeds the ability of the tools and defenders to protect against them, security solution providers have developed more flexible tools with an “assume breach” mindset. EDR tools focus on the postinfection stage of the kill chain, providing the ability to detect and respond to advanced threats in a timely and effective manner.
The techniques used by attackers and methods used to evade detection have also expanded, requiring detection engines and controls to identify them and produce alerts that also inform defenders how they should respond to the event and what remediation is possible. Increasingly, these controls and remediations are aligned to the MITRE ATT&CK framework, and many vendors now catalog their detection routines against ATT&CK controls, using MITRE terminology in alerts and reporting.
Endpoint security vendors now combine the features of EPP and EDR solutions into a single capability (see Figure 1). This is usually achieved by unifying the agents and/or sensors used, as well as establishing a single holistic management and reporting portal. Some EPP features previously provided as add-ons, such as device control and application control, may not be offered by the combined EDR tool, but are often now included in part of the host operating system (for example, Microsoft Windows 10).
Figure 1. From Separate EPP and EDR to Combined EPP and EDR
Market Direction
The controls and focus of endpoint security tools have evolved to reflect the way in which exploits have changed and the need to provide a different set of detection and remediation facilities to match (see Figure 2). Over time, since attackers have developed more stealthy exploits that evade traditional antivirus and anti-malware tools, vendors have adapted from solely using file-based scanning of storage media and hard disks, adding the use of more sophisticated behavior-based techniques. These more evolved tools distinguish between expected or “normal” activity and anomalous actions that may indicate the presence of malware, a compromised device or attackers using techniques to conceal their activity under the guise of “regular” administrative activity.
2019 Market Consolidation Activity and Vendor Competitiveness
Over the last 12 months, the EDR market and broader endpoint security market have seen multiple mergers and acquisitions. The EDR market has observed the industry trend for acquisitions, not only within the EDR market, but also in adjacent markets. To provide more of a solution-based approach for organizations, EDR vendors have been acquiring MDR service providers from the wider market. Emerging platform players are adding EDR to integrate with their prevention, detection and response capabilities and with easy provisioning for their customers and an opportunity to upsell.
Mergers and acquisitions are expected to continue through 2020, as there are over 30 vendors offering credible EDR products, and the top nine vendors currently account for more than 80% of the market share. At the same time, end users are realizing they have too many point solutions/individual vendor tools in place, and consequently it will be tougher for smaller security vendors with a single capability to get organizations to buy their products. See Table 1 for some of the notable mergers and acquisitions in 2019.
Table 1: Notable Mergers and Acquisitions
Source: Gartner (December 2019)
Figure 2. The Evolution of Endpoint Protection Tools
Since there is also a need to detect and respond to unknown, fileless and advanced persistent threats (including those associated with state-sponsored attackers), there must also be an assumption that simply trying to prevent all exploits is unrealistic. This has led to the emergence of EDR tools that provide the ability to detect exploits and malicious activity post infection. These tools also allow defenders to then respond with suitable measures to isolate or contain the threat and the facility to directly intervene at the endpoint itself (usually via remote access) should the need arise.
The evolution of EDR tools has reached the stage where some vendors include threat intelligence feeds into consoles where response teams can investigate an incident with telemetry and analytics gathered together for them. This adds to the usual facility to perform threat hunting against the database of managed endpoints for a view of both current activity and a forensic facility to examine historic data.
The speed of detection and response are critical, and many organizations lack the resources and skills to respond effectively. Therefore, the more advanced vendors in this segment are also providing expert managed detection and response (MDR) services to augment the customer’s own teams and provide alerting and monitoring.
Automated response and remediation are the most recent developments in EDR tools. These have the facility to use advanced AI analysis, with automated workflow and agents that can roll back activity to a former state.
Automation and AI is also possible at the console level to both enhance alerting with suggested remediation and offer the facility to generate scripts and automated actions. In the most advanced tools administrators can also opt devices into fully automated remediation policies.
Go to Market and Execution
EDR products have developed to fill the security gap left unaddressed by the endpoint protection platform (EPP) products. As an industry, organizations have been primarily focusing on prevention, and detection. Response capabilities were used only by a few highly mature organizations. As 100% prevention is unattainable, EDR products started offering detection and response capabilities to complement EPP to detect the attacks that have bypassed prevention/protection. Organizations deploying security tools are wary of:
- Having to install another agent on the endpoints
- Investment in and reliance on detection and response tools alone
- Vendor consolidation objectives that may affect investment plans
- The overheads to deploy and manage multiple consoles and siloed capabilities
EDR vendors started adding prevention capabilities using one single agent and management console. A single agent, SaaS-based application delivery and management features covering prevention, detection and response has become the preferred standard in the EDR market.
In addition, in order to offer best-of-breed solutions to highly mature organizations, the EDR players continue to offer coexistence alongside an existing EPP product. The primary route to market for EDR has been through channel partners (resellers/VARs) and MSSPs/MDRs. Currently, EDR is primarily being sold as a technology in more mature markets like North America, Europe and in other emerging markets through MSSPs or MDRs.
In emerging markets like Asia/Pacific and the Middle East, EDR vendors have partnered with security service firms in the region to deliver EDR technologies as a part of an MDR offering. In markets, regions or verticals that are late or reluctant adopters of cloud hosting, EDR vendors offer on-premises versions of the product as an alternative to their SaaS delivery. Some also provide a three-tier model in which EDR agents don’t talk to the internet directly but do so via an on-premises virtual or physical relay that is connected to the EDR application in the cloud. Other vendors offer private cloud hosting in the customer’s own tenant, for organizations not wishing to utilize public cloud or SaaS.
With growing concern over data sovereignty, plus data localization and privacy regulations, EDR vendors have started offering cloud hosting in regional locations.
Market Analysis
The following sections of this Market Guide are organized into subcategories that allow the reader to identify several discrete categories of vendor solutions that address specific use cases, device types and that group solutions by their respective endpoint protection, detection and response capabilities.
In order to separate controls that are collectively associated with protection of the endpoint, Gartner uses the term EPP to describe the approaches and controls that aim to prevent an exploit or block attacks.
In Figure 2, these are listed in the bottom half of the controls hierarchy, as they are regarded as highly important controls but may increasingly be part of operating system security facilities. This is especially the case with the latest Windows 10/Server 2019 releases, Server 2016 and Apple macOS.
The core detect and response capabilities at the top show the critical capabilities associated with EDR agents, and these are now recommended as must-have capabilities for effective endpoint protection.
Additional layers of security controls are desirable to realize a blended or layered approach. These are listed at the foot of the diagram and include network-, infrastructure- or hardware-level technologies that generally do not involve an agent or EDR tool functionality.
Figure 3. Endpoint Security Controls Hierarchy
Operational IT controls, including vulnerability management and hardening of the OS, are critical parts of the overall endpoint protection strategy for all organizations. They can protect against a wide range of risks and vulnerabilities, without having to rely on endpoint protection alone as a final level of protection.
Hardware virtualization and BIOS protection have recently evolved rapidly and become universally available (previously the preserve of enterprise device SKUs) as well as easier to deploy. These should be enabled at the hardware and OS level to protect and isolate encryption keys, authentication providers and to remove a large array of OS vulnerabilities and attack techniques.
Representative Vendors
The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.
The sections below describe distinct groups of capabilities that are evident in the EDR marketplace. The associated industry direction, characteristics and features of each category of solution are introduced, along with sample vendors representing each group.
Market Introduction
The sections below provide some examples of specific attributes, use cases and some representative vendors that demonstrate the capabilities listed in each section. Security and risk management leaders should consider what specific needs their chosen solution must address and identify the device types, skills and resources available to leverage the tools. When aligning requirements with individual or multiple subsections in this guide, it is also recommended to refer to the additional reading list at the foot of this document to see a more extensive list of vendors, solutions and the scenarios in which these should be considered.
EDR Tools With Added Automated Remediation
The once limited response part of EDR solutions is increasing in its scope, adding not just isolation of devices and quarantining of threats, but also allowing for complex exploits to be removed and devices reverted to a previous state. As solutions mature, even greater levels of integration and automation should be expected. For example, if a user opens a weaponized document in an email that is detected, part of the integrated remediation process could include identifying other users that received the document and removing the email (via the mail server) before they open it. As these playbooks of actions improve, automatic remediation and the removal of complex attacks will be possible. This includes restoring systems, files and, if necessary, reissuing user credentials.
Some EDR vendors are applying logic-driven processes to allow the administrator to enable semiautomated and fully automated remediation where an exploit can be clearly identified and where the remediation is known (or activity has been identified that is easily reversed) (see Table 2).
Automated response not only provides a tempting solution for organizations that lack the in-house skills to decide on the appropriate course of action, but it also allows for much faster response to known or recognizable events. It is expected that this trend will continue while resources are scarce and in-house expertise is lacking.
Security and risk management leaders must look for:
- Solutions that have granular options to block or isolate suspect activity proactively, pending administrator intervention and investigation.
- Automated sandbox detonation or other integrated internet services that will provide additional attestation/identification or threat context.
- Options to consume additional managed services to add expert assessment and rapid response capabilities to augment in-house staff or plug gaps in current (infosec) teams.
- A solution with automated playbooks for the most common remediation scenarios. Ensure that new customized playbooks can be easily created specific to the organization.
Table 2: Sample Vendors
EDR Vendors Directly Providing MDR Services
The goal of MDR services is to rapidly identify and limit the impact of security incidents to customers. These services are focused on remote 24/7 threat monitoring, detection and targeted response activities. MDR providers may use a combination of host and network-layer technologies, as well as advanced analytics, threat intelligence, forensic data and human expertise for investigation, threat hunting and response to detected threats (see Table 3).
Security and risk management leaders must:
- Use MDR services to add 24/7 threat detection, incident investigation and response capabilities, when unavailable or immature in-house. Internal resources are still needed for some response activities, and upfront incident response retainers may be necessary for additional support.
- Embrace threat disruption and containment as an incident response (IR) feature of MDR service providers when there are no 24/7 in-house teams to respond to threats needing immediate attention.
MSSPs are slowly adding MDR-type offerings that supplement their existing services. There are some MSSPs with credible offerings that include their own proprietary host and network technologies, supported by threat intelligence and advanced analytics capabilities (see “Magic Quadrant for Managed Security Services, Worldwide” and “Market Guide for Managed Detection and Response Services”).
Table 3: Sample Vendors
EDR Vendors With Combined Network Analytics and Threat Intelligence
The analysis of increasingly complex IOCs has resulted in solutions integrating threat intelligence data to attempt to attribute attacks to threat actors. As this integration matures, further guided threat-hunting capabilities will evolve, allowing operations teams to carry out complex analysis of events. Many of these tools will be driven by vendors’ own MDR services.
As threats and attacks become more sophisticated and targeted, security and risk management leaders must:
- Ensure EDR solutions include prioritized vulnerability assessment capabilities to identify where attacks may start and to take preventative measures.
- Seek solutions that can automatically integrate threat intelligence data feeds to quickly differentiate between attacks and false positives.
- Consider an integrated approach to perimeter, network and endpoint security where integration and shared telemetry can offer improved visibility across these previously siloed capabilities.
As can be seen from 2019 consolidation and acquisition activity (see the following section), several well-known network security vendors have made considerable investments into EDR and endpoint technologies and have combined them into an integrated threat protection platform (see Table 4).
Table 4: Sample Vendors
EDR Vendors With MITRE ATT&CK Categorized Controls
The MITRE ATT&CK framework has become a common and unifying language for security vendors and solution providers to categorize the attack methods used by advanced persistent threat (APT) groups and identifiable techniques used by state-sponsored actors. The resultant categories of controls that illustrate the kill chain stages and the wide range of exploits and how these can be remediated are publicly available, along with a methodology for testing security tools’ ability to detect and respond to these.
Similarly, security and risk management leaders can now also utilize the MITRE framework to assess the capabilities in their own tools, processes and skills to meet all the categories and kill chain stages that are covered. This is necessary to understand where gaps exist and where tools, skills and resources are inadequate to protect.
Security and risk management leaders should:
- Perform their own threat modelling and assessment of applicable controls and methods from the MITRE ATT&CK framework. Produce a heatmap of gaps and threats with MITRE terminology.
- Engage vendors, infosec teams and process owners using the MITRE derived gap analysis and identify areas for improvement for all the gaps in tools, processes and skills.
- Prefer vendors who have submitted their tools for Phase 1 or 2 MITRE evaluations, review the results against the gap analysis already captured, and shortlist vendors who can plug the gaps.
Prior to 2019, only 12 vendors had submitted their products for MITRE evaluation. Since then, a further 21 vendors have completed Phase 2 testing. Many of these vendors have also categorized the detection routines and controls in their software to match the MITRE ATT&CK framework and to use common MITRE terminology in the alerting and reporting of their products (see Table 5).
Table 5: Sample Vendors
EDR Vendors Providing SIEM and SOAR Integration
SOAR solutions are gaining visibility and real-world use, to improve the maturity of security operations centers (see Table 6). The SOAR technology market converges security orchestration and automation (SOA), security incident response (SIR) and threat intelligence platform (TIP) capabilities into single solutions. SOC analysts are often working with multiple tools and having to alternate between these, including:
- A variety of SIEM console alerts.
- Threat intelligence (TI) service portals for information about the entities involved.
- EDR for context on what is happening on the affected endpoint.
They may even be using workflow tools to orchestrate the triage and investigation processes. Security and risk management leaders should:
- Evaluate how these solutions can support and optimize broader security operations capabilities.
- Integrate EDR as part of the overall SOAR architecture, as this will act as a productivity multiplier.
Table 6: Sample Vendors
Vendors Providing Unified Endpoint Security Platforms
Security and risk management leaders have been gravitating toward a more unified approach to EDR. Less well-resourced organizations typically view technology as an expense or operational necessity. Investment in these companies is being made in a unified endpoint security platform versus prioritizing just EDR.
Security and risk management leaders in these organizations must:
- Evaluate what type of endpoint security capabilities are essential and consider not only the cost of the tools and hosting, but also the skills and resources needed for each.
- Consider the pros and cons of investing in a best-of-breed solution versus a total cost of ownership approach where multiple solutions are purchased together to minimize management overheads.
As the cost of security solutions continues to rise, strains on staffing become more difficult and the threat landscape becomes more complex, security and risk management leaders will move more toward a unified solution (see Table 7).
Table 7: Sample Vendors
EDR for Incident Response and Forensics
Attacks and exploits affect systems, whether they are servers, workstations, mobile devices or cloud workloads. If deployed across many enterprise endpoints, EDR tools allow security operations staff to answer questions like “Which of our systems have been exposed to the executable file that we have recently identified as a threat?” and “Does this process run on any of our critical servers?” Ideally, EDR would be operational at the time of an incident, thus providing valuable historical information, though EDR is still an important part of an incident responder’s toolkit, even if not present when an incident begins. It can also provide containment of an incident as part of the response by defenders or IR teams.
Increasingly, EDR vendors can offer an alternative or complementary capability to traditional e-discovery and forensic tools because they are deployed to all managed devices (see Table 8). They also provide a large database of historic data for analysis as well as a controlled and audited ability to extract files and information from the devices themselves. Controlling risk and cost remain the primary business drivers for seeking comprehensive and more effective e-discovery solutions. Forensic data collection capabilities need to extend to the collection of information from various data sources (email, document, application, website content) to endpoints and host systems and storage media (server, hard drive, cloud, mobile devices). During the data collection process, data must be secured and data integrity protected to ensure no tampering or interference is possible. This process must be extremely accurate and auditable, especially when collecting device images/files, which can be intrusive, time-consuming and costly.
Security and risk management leaders must:
- Prioritize solutions that have built-in continuous monitoring and automation capabilities.
- Integrate EDR as part of an e-discovery and/or forensic service to greatly reduce identification, collection and analysis time as well as provide the initial steps to associated processes.
- Utilize EDR to speed up IR activities. Have it in place before an incident occurs and have an incident response retainer (IRR) in place to greatly reduce dwell time.
- Use EDR to provide faster understanding of threat context, allow for real-time remote investigations and provide a facility to examine historical information gathered from devices.
Tighter integration between regular MDR and active IR processes is needed in the future, as organizations will need to seamlessly elevate their activity state from normal to incident level when more frequent attacks are experienced.
Table 8: Sample Vendors
Combined Mobile Device and Desktop/Laptop EDR
As the use of mobile and smartphone technology continues to grow, these devices will increasingly become a target for attackers to gain entry into an organization. Given that most users read email on mobile devices and the limitations of the email clients, this makes it potentially harder to spot phishing emails. Adding endpoint protection and security capabilities to mobile devices is increasingly important.
“Market Guide for Mobile Threat Defense” describes the current state of the market, but at present most deployments use MTD as a security add-on to unified endpoint management (UEM); however, there are emerging use cases for mobile EDR. Given the current maturity of the market, security and risk management leaders should include mobile devices in their long-term EDR strategy, but not necessarily make it a hard requirement in their evaluation of solutions.
See “Magic Quadrant for Unified Endpoint Management Tools” and “The Long-Term Evolution of Endpoints Will Reshape Enterprise Security.”
Some EDR vendors are already looking to integrate mobile into their solutions, but at present these are relatively limited (see Table 9).
Table 9: Sample Vendors
Security Protection of Operational Technology
Devices that reside in manufacturing, operations and other isolated environments often require an alternative approach to endpoint protection because these devices may not be visible from internet or campus network management consoles and they may not have agents installed.
Gartner maintains a separate Market Guide covering solutions and vendors in this space (see “Market Guide for Operational Technology Security”).
Market Recommendations
Traditional EPP products and modern EDR solutions have converged, and now nearly every vendor not only includes EDR capabilities such as isolation, root cause analysis and threat hunting but also uses a variety of protection and detection capabilities. Most vendors now include machine learning (ML) detection of files to reduce the reliance on traditional signatures and combine this with reputation services in the cloud to identify known malware as well as known good applications.
The result of the merging of EPP and EDR capabilities allows security and risk management leaders to select a single vendor solution for both purposes and negates the need to deploy two solutions. EDR should be deployed to all PC endpoints and to servers where these reside on shared networks and/or are internet facing.
In addition, the core functionality of EDR tools is now more focused on the detection of and response to advanced threats, fileless exploits and “living off the land” style attacks, with decreased emphasis on older definition-based antivirus/anti-malware and blacklist/whitelist-based application control.
The sophistication of EDR tools has been raised to meet the wave of more advanced threats and stealthy attackers. Equally, the fact that detection is tuned to identify more suspect events, means the skills and resources required to configure and operate these capabilities has also increased significantly. This will require many organizations to resort to MSSP or MDR services to provide the alerting, monitoring and proactive threat-hunting capabilities they lack.
This market is currently in a period of consolidation activity with many new acquisitions, mergers and other destabilizing factors. This makes it essential for security and risk management leaders to keep their strategy and investment plans as flexible as possible and to opt for shorter license terms to match.
While it is not practical to switch vendors on an annual basis due to the large amount of project effort associated with this, the trend toward cloud hosting of all infrastructure will, nonetheless, allow for more frequent changing of vendors. This allows companies to take advantage of the consolidation of vendors and affords the opportunity to deploy a single capability that provides multiple integrated capabilities with unified management and reporting. All businesses will appreciate the savings in management overhead and deployment time.
With the need for increasingly sophisticated detection and response features, organizations will stipulate more detailed and exacting specifications for vendors to meet. This will require more precise and focused testing with a matching need for the proving of the capabilities. More use of the MITRE ATT&CK framework will be made, to permit the alignment and verification of detection and remediation capabilities.
Acronym Key and Glossary Terms
AI
Artificial Intelligence (especially when used to identify and alert on unknown threats)
API
Application Programming Interface (used to integrate separate services)
C2
Command and Control (a server or website used to direct malware on devices)
EPP
Endpoint Protection Platform (provides prevention of malware and exploits)
EDR
Endpoint Detection and Response (for postinfection stages of an attack or exploit)
MDR
Managed Detection and Response (a managed service for EDR tools)
ML
Machine Learning (e.g., where agents use mathematical determination of threats)
MSSP
Managed Security Service Provider
SIEM
Security Information and Event Management (gathers and analyses device logs)
SOAR
Security Orchestration, Automation and Response (joins solutions with workflow)
SOC
Security Operations Center (or also the team that works in it)
Evidence
The Market Guide team referenced data from the following sources to complete this iteration:
- Gartner analysts responded to more than 1,200 endpoint-security-related client inquiries since 2 January 2019.
- More than 5,000 Peer Insights reviews and related search data on Gartner.com was referenced.
- Data from a 260-question survey and one-hour demonstrations provided by 24 EPP/EDR vendors conducted in 2Q19.
Note 1
Representative Vendor Selection
The sample vendors listed in each subsection of the Market Analysis section are representative only, and each list is not intended to be exhaustive. The vendors and solutions provided are those that most closely illustrate the marketplace trends described and provide the individual capabilities described in each section. Vendors are listed in alphabetical order only, and the overall list of representative vendors has been validated using Gartner.com search statistics as well as data from Gartner’s Peer Insights website to ensure that the most frequently mentioned vendors/solutions are represented.
Note 2
Kaspersky
In September 2017, the U.S. government ordered all federal agencies to remove Kaspersky’s software from their systems. Several media reports, citing unnamed intelligence sources, made additional claims. Gartner is unaware of any evidence brought forward in this matter. At the same time, Kaspersky’s initial complaints have been dismissed by a U.S. District of Columbia court. Kaspersky has launched a transparency center in Zurich where trusted stakeholders can inspect and evaluate product internals. Kaspersky has also committed to store and process customer data in Zurich, Switzerland. Gartner clients, especially those who work closely with U.S. federal agencies, should consider this information in their risk analysis and continue to monitor this situation for updates.