When the endpoint detection and response (EDR, which was also referred to as endpoint threat detection and response, or ETDR, at the time) market was getting started, there was a lot of pushback, ranging from privacy concerns to what the acceptance of a second security agent on endpoints would be (apparently, it was never going to happen). Then something incredible happened . . . Cylance burst onto the scene, disparaging signature-based malware detection and ushering in the age of AI/machine-learning marketing.

As I like to tell the story, every one of the traditional vendors pivoted against the threat to their current business model and largely left the EDR vendors to do the impossible: establish themselves as a second endpoint agent.

A Nascent Market With Multiple Perspectives

I’ve segmented this market a number of times in the past and seem to always go back to the primary differentiation between EDR strategies: what’s done with the telemetry. Endpoint-architected EDR solutions collect telemetry, do local detection, and store the telemetry locally in a ring buffer of some sort. Meanwhile, cloud-architected EDR solutions collect and burst the telemetry up to the cloud for detection and storage.

There’s always been a camp that said EDR and endpoint (EP) solutions would have to converge, and the reasoning for this was sound: Eventually, the gap in the market that had allowed the development of a second endpoint agent would be corrected. Meanwhile, I’ve done my best to provide a dissenting opinion toward this approach; many of you have even heard me proclaim, “EDR is the mini-fridge of security information and event management!” But who’s right? It seems, everyone.

Where Are We Today?

The market is evolving in three specific ways that must be recognized:

  • The endpoint market has converged, and buyers should be expecting to invest in a combined EDR/EP solution from a single vendor. I would argue that the purchasing decision should be made based on EDR capabilities, as there’s little to no differentiation in the efficacy of EP products based on the results of countless antivirus tests.
  • The endpoint-architected EDR solutions have shown the wisdom of their approach that “If you can prevent something, you must,” and we’re seeing more and more detection capabilities getting pushed down to the endpoint by all the players in the space.
  • Extended detection and response (XDR) capabilities require centralization of these new sources of telemetry, which requires a cloud-architected EDR solution. The mini-fridge is becoming a full-fledged security analytics platform.

At this point in the market, XDR is still a dream that will take the next couple years to reach a level of maturity where it should be driving purchasing decisions, but the shift is happening now.

Upcoming Research

I’ve just published a report, “Now Tech: Enterprise Detection And Response, Q1 2020,” that breaks the market out by revenue and core functionality to help you understand where these vendors align from a strategy perspective. Some vendors are closer to realizing the complete solution than others, but the upcoming Forrester Wave™ evaluation will provide further context into individual performance.

In mid-March, I’ll be publishing “The Forrester Wave™: Enterprise Detection And Response, Q1 2020,” which will explore the functional capabilities of who I think are the 12 most relevant products in the space.

Looking ahead, in Q2 2020, I’ll be performing an analysis of the efficacy of the 21 vendors that are participating in round two of the MITRE ATT&CK evaluation.