Key Criteria for Evaluating Endpoint Detection and Response Solutionsv1.0

An Evaluation Guide for Technology Decision Makers

Table of Contents

  1. Summary
  2. Endpoint Detection and Response Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Chris Ray

1. Summary

The endpoint presents, in some ways, an unusual problem forced upon organizations and security teams. Endpoints are portals through which sensitive data is accessed and manipulated by staff. They’re often mobile, moving from location to location, and sometimes operated by multiple users. Compounding the problem, endpoint telemetry can also be cryptic or completely absent.

Endpoint detection and response (EDR) addresses these risks through enhanced visibility of the endpoint landscape and by correlating individual anomalous events into a unified series, helping security teams prioritize potential threats. Once anomalous events are detected, EDR solutions deploy automated responses to mitigate risks.

Automated response features available in EDR solutions that aren’t found in legacy antivirus (AV) solutions include the ability to isolate an endpoint remotely until security staff can address the risk, forensic data collection, automated response workflows, and cross-device event correlation.

EDR is often delivered as part of a managed solution, wherein a trusted third party handles some or all of the investigation and triage work. This is a popular service model for organizations with small security teams or business units responsible for their own security operations. EDR is also sold as a standalone, technology-only solution, which is often a more popular choice for larger organizations with mature security operations.

With the emergence of advanced persistent threats, the burden of regulatory compliance requirements, staff and skills shortages, and the proliferation of highly distributed work-from-home environments, EDR has evolved to address new challenges.

This evolution is evident by the fracturing of vendors in the space. On one side, there are vendors that see a future in which EDR transforms into extended detection and response (XDR), which supports telemetry from the endpoint as well as from software as a service (SaaS), identity providers, firewalls, VPNs, and so forth. On the other side are vendors that see EDR as a separate discipline, one that will stand the test of time on its own, much the same way legacy AV did for decades.

This GigaOm Key Criteria report details the criteria and evaluation metrics for selecting an effective EDR platform. The companion GigaOm Radar report identifies vendors and products that excel in those criteria and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading EDR offerings, and help decision-makers evaluate these platforms so they can make a more informed investment decision.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.

Full content available to GigaOm Subscribers.

Sign Up For Free