Key Criteria for Evaluating Endpoint Detection and Response (EDR) Solutions v2.0

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Summary
  2. EDR Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Chris Ray

1. Summary

The endpoint presents an unusual problem for organizations and security teams. Endpoints are the portals through which staff access and manipulate sensitive data. They are often mobile, moving from location to location, and are sometimes operated by multiple users. Compounding the problem, endpoint telemetry can be cryptic or completely absent.

Endpoint detection and response (EDR) addresses these risks through enhanced visibility of the endpoint landscape and by correlating individual anomalous events into a unified series, helping security teams to prioritize potential threats. Once anomalous events are detected, EDR solutions deploy automated responses to mitigate risks.

Automated response features available in EDR solutions that aren’t found in legacy antivirus (AV) solutions include the ability to isolate an endpoint remotely until security staff can address the risk, forensic data collection, automated response workflows, and cross-device event correlation.

EDR is often delivered as part of a managed solution, wherein a trusted third party handles some or all of the investigation and triage work. This is a popular service model for organizations with small security teams or business units responsible for their own security operations. EDR is also sold as a standalone, technology-only solution, which is often a more popular choice for larger organizations with mature security operations.

Given the emergence of advanced persistent threats, the burden of regulatory compliance requirements, shortages of staff and skills, and the proliferation of highly distributed work-from-home environments, EDR has evolved to address new challenges.

This evolution is evident from the fracturing of vendors in the space. On one side are vendors that see a future in which EDR transforms into extended detection and response (XDR), which supports telemetry from the endpoint as well as from SaaS, identity providers, firewalls, VPNs, and so forth. On the other side are vendors that see EDR as a separate discipline, one that will stand the test of time on its own, much as legacy AV did for decades.

This is the second year that GigaOm has reported on the EDR space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Key Criteria report details the capabilities (table stakes, key criteria, and emerging technologies) and non-functional requirements (evaluation metrics) for selecting an effective EDR solution. The companion GigaOm Radar report identifies vendors and products that excel in those capabilities and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading EDR offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
