An EDR provides visibility into the behavior of endpoints so forensic security analysts and forensic teams have the information they need to investigate suspicious activity. Continuous monitoring of the endpoint, detection of anomalous activity, and supplying forensic detail to empower incident response are core features of an EDR product. In theory, an endpoint protection platform (EPP)/antivirus (AV) product blocks attacks while an EDR detects the attacks that were not blocked. Using this approach, incident response investigations can focus on what happened and whether any data was compromised or lost.

This test introduced real-world cyberattack scenarios to determine how effective products were at detecting, logging, and reporting on the following threats:

• Socially engineered malware (i.e., binary attachments sent through email, executable downloads from website)
• Blended threats, which leverage exploiting multiple vulnerabilities, such as spear phishing, infected peripherals, and sophisticated antivirus evasion techniques, to infect the endpoint device
• Techniques and tactics from common APTs

NSS Labs developed an opex model to determine the relative security and relative cost of EDR systems. The model assumes that enterprises that do not deploy EDR systems, or that deploy EDR systems with low detection and reporting capabilities, will incur less security savings.

As with all NSS Labs group tests, there was no fee for participation. The Test Methodology is available in the public domain to provide transparency and to help enterprises understand the factors behind test results.