GigaOm Radar for Endpoint Detection and Response (EDR) v2.01

Table of Contents

  1. Summary
  2. Market Categories and Deployment Types
  3. Key Criteria Comparison
  4. GigaOm Radar
  5. Vendor Insights
  6. Analyst’s Take
  7. About Chris Ray

1. Summary

The endpoint is, in some ways, an unusual problem forced upon organizations and security teams. Endpoints are portals through which sensitive data is accessed and manipulated by staff. They are often mobile devices, moving from location to location, sometimes operated by multiple users. In addition, endpoint telemetry can be cryptic or completely absent, compounding potential security issues.

Endpoint detection and response (EDR) addresses the risks specific to endpoints through enhanced visibility of the endpoint landscape and by correlating individual anomalous events into a unified series and prioritizing potential security threats. Once anomalous events are detected, EDR solutions deploy automated responses to mitigate risks. These automated response features, not found in legacy antivirus (AV) tools, include the ability to remotely isolate an endpoint until security staff can address the risk, collection of forensic data, automated response workflows, and correlation of cross-device events.
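To make the correlation-and-response loop described above concrete, here is an added example (not code from GigaOm or from any vendor in this report) that models in miniature what an EDR engine does: it groups raw endpoint telemetry by host, links individual events through process lineage into a unified chain, scores the chain, and maps the score to an automated response such as host isolation plus forensic collection. The event schema, the three signal rules, the weights and the isolation threshold are all constructed assumptions for the example; the sample telemetry is likewise constructed.

```python
"""Minimal EDR-style correlation, prioritisation and automated response.

Added teaching example; not any product's implementation. Event format,
signal weights and thresholds are assumptions made up for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry. ws-01 shows events that look unremarkable one
# by one but form a suspicious chain when linked by parent/child process IDs;
# ws-02 is an ordinary browsing session.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws-01", "pid": 100, "ppid": 1,   "type": "process_start", "image": "outlook.exe"},
    {"ts": 2, "host": "ws-01", "pid": 110, "ppid": 100, "type": "process_start", "image": "winword.exe"},
    {"ts": 3, "host": "ws-01", "pid": 120, "ppid": 110, "type": "process_start", "image": "powershell.exe"},
    {"ts": 4, "host": "ws-01", "pid": 120, "ppid": 110, "type": "network_connect", "dest": "203.0.113.10:443"},
    {"ts": 5, "host": "ws-01", "pid": 120, "ppid": 110, "type": "file_write", "path": "C:\\Users\\a\\AppData\\Roaming\\x.exe"},
    {"ts": 1, "host": "ws-02", "pid": 200, "ppid": 1,   "type": "process_start", "image": "chrome.exe"},
    {"ts": 2, "host": "ws-02", "pid": 200, "ppid": 1,   "type": "network_connect", "dest": "198.51.100.5:443"},
]

# Assumed weights for individual anomalous signals and the isolation cut-off.
SIGNAL_WEIGHTS = {"office_spawns_shell": 40, "shell_network": 25, "shell_drops_executable": 35}
ISOLATE_THRESHOLD = 70

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass
class Incident:
    """One correlated series of events on a single host."""
    host: str
    signals: list = field(default_factory=list)   # (signal_name, ts) in time order
    timeline: list = field(default_factory=list)  # raw events that contributed
    score: int = 0

    @property
    def action(self) -> str:
        """Map the aggregate score to an automated response."""
        if self.score >= ISOLATE_THRESHOLD:
            return "isolate_host"
        if self.score > 0:
            return "alert_analyst"
        return "none"


def _add_signal(inc: Incident, name: str, event: dict) -> None:
    inc.signals.append((name, event["ts"]))
    inc.timeline.append(event)
    inc.score += SIGNAL_WEIGHTS[name]


def correlate(events):
    """Group events per host and link them via pid/ppid into scored incidents."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: (e["host"], e["ts"])):
        by_host[e["host"]].append(e)

    incidents = {}
    for host, evs in by_host.items():
        # Process lineage: which image owns each pid seen on this host.
        image_of = {e["pid"]: e["image"] for e in evs if e["type"] == "process_start"}
        inc = Incident(host=host)
        for e in evs:
            img, parent = image_of.get(e["pid"], "?"), image_of.get(e["ppid"], "?")
            if e["type"] == "process_start" and img in SHELLS and parent in OFFICE_APPS:
                _add_signal(inc, "office_spawns_shell", e)
            elif e["type"] == "network_connect" and img in SHELLS:
                _add_signal(inc, "shell_network", e)
            elif e["type"] == "file_write" and img in SHELLS and e["path"].lower().endswith(".exe"):
                _add_signal(inc, "shell_drops_executable", e)
        incidents[host] = inc
    return incidents


def prioritize(incidents):
    """Highest-scoring incidents first, so analysts see the worst host at the top."""
    return sorted(incidents.values(), key=lambda i: i.score, reverse=True)


def respond(inc: Incident):
    """Automated response workflow: a list of steps an EDR agent would run."""
    steps = []
    if inc.action == "isolate_host":
        steps.append(("network_isolate", inc.host))
        steps.append(("collect_forensics", [e["pid"] for e in inc.timeline]))
    if inc.action != "none":
        steps.append(("open_case", inc.host))
    return steps


if __name__ == "__main__":
    for inc in prioritize(correlate(SAMPLE_EVENTS)):
        print(inc.host, inc.score, inc.action, respond(inc))
```

Each rule on its own would be noisy (Office launching a shell happens in legitimate macros, and shells make network connections all day); the value lies in chaining them on one lineage and acting on the aggregate, which is the step legacy antivirus never took.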

EDR is often delivered as part of a managed solution wherein a trusted third party handles some or all of the investigation and triage work. This is a popular service model for organizations with small security teams or for business units responsible for their own security operations. EDR is also sold standalone as a technology-only solution, which is often a more popular choice for larger organizations with mature security operations.

With the emergence of advanced persistent threats, the burden of regulatory compliance requirements, staff and skills shortages, and the proliferation of highly distributed work-from-home environments, EDR has evolved to address new challenges.

This shift in capabilities and priorities can be viewed in terms of the fracture between two groups of vendors in the space. On one side, there are vendors that see a future in which EDR transforms into extended detection and response (XDR), which supports telemetry from the endpoint as well as from software as a service (SaaS), identity providers, firewalls, VPNs, and so forth. Vendors on the other side see EDR as a separate discipline, one that will stand the test of time much the same way legacy antivirus tools did for decades.

This GigaOm Radar report highlights key EDR vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating EDR Solutions,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.

This is our second year evaluating the EDR space in the context of our Key Criteria and Radar reports. All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Real-time threat detection
  • Automated investigation and response
  • Event correlation
  • Broad device support
  • Anomalous event identification
  • Compliance-ready data output

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.