
How EDR was supposed to help with alert overload

Google’s Anton Chuvakin said he’s a little disturbed when he hears about alert overload because EDR — endpoint detection and response — was introduced in 2013 to address that issue.

“So EDR, in that sense, was a helper with alert overload in another tool,” Chuvakin, who does security solutions strategies for Google Cloud, told SC Media VP of Content Jill Aitoro during an eSummit.

Alert overload wasn’t supposed to happen because of the high-quality telemetry on the endpoint, which delivers more context, Chuvakin said. “That’s actually a bit puzzling because EDR has the crispest, cleanest telemetry on threats compared to other tech.”


And yet, the issue is omnipresent. Chuvakin said he’s written about alert overload over the years, and could copy and paste a paragraph from a whitepaper on the subject from 2003 and it would still ring true. Why? He believes that the overload comes when people are tempted to alert for more, in fear of missing something.

Looking to the future, Chuvakin said the mission of observing the endpoint, whether it’s called EDR or some other technology, will remain critical, even if the approaches evolve with the transition to a zero trust model.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
