EDR Test Methodology v1.1

Publish Date: April 17, 2017

Cybercriminals have become adept at technical and social engineering, and contemporary threat actors are capable of carrying out sophisticated attacks that consistently breach modern network defenses. Often, these breaches lead to end user systems being infected and subsequently used as a staging point for further compromise.

Strong anti-threat protection technologies on the endpoint are the best chance enterprises have of defeating these incursions, but current products and techniques often cannot stop even the least capable of the advanced threats, let alone a truly determined advanced persistent threat.

This creates considerable challenges for the security analyst, who must also be a forensics expert in order to determine what occurred on the endpoint, whether any threat remnants exist, and what remediation is required. Endpoint detection and response (EDR) products address these challenges. They provide comprehensive visibility into the behaviors of threats that are not blocked, so incident response investigations can focus less on how other security controls were bypassed and more on what the threat did and whether any data was compromised or lost.

EDR products are responsible for capturing all of the relevant threat detail on an endpoint in order to assist with remediation and to determine whether compromises occurred as a result of the threat. At its core, an EDR product is both a cybercrime scene investigation toolkit and a means to improve the efficiency of incident response.

As with all NSS Labs group tests, there was no fee for participation. All testing was conducted independently and was not paid for by any vendor.