You have to protect your endpoints from being a hackers gateway into you corporate environments, but you don’t want to create additional work maintaining signatures, definitions and updates. Luckily, there are many solutions in the marketplace to help us protect these assets and automate the constantly changing threat intel and response process. The endpoint space has become very crowded as of late, and each vendor has their own “proprietary” tech or answer to the endpoint security problem. The two leading categories of technology in the advanced endpoint security space are EDR and EPP, according to Gartner. So what are EDR and EPP, how can I use them to help secure my endpoints, and which one do I need? Or do I need both?
Endpoint protection platforms (EPP) prevent endpoint security threats like known and unknown malware. Endpoint detection and response (EDR) solutions can detect and respond to threats that your EPP and other security tools did not catch. Many modern endpoint security platforms combine these two approaches, but you can also choose one type of security instead of both.
In this article, you will learn what is EDR, what is EPP, how they differ, and how to choose the security type that suits your systems and network.
What is EDR?
Endpoint detection and response is a type of security solution that provides real-time visibility into endpoint activities. This is done by detecting malicious behavior, monitoring and recording endpoint data, and responding to threats. Security teams proactively prevent threats by manually analyzing endpoint data they receive from EDR solutions.
Threats like advanced persistent threats (APT) and fileless attacks threaten to damage organizational networks. An EPP solution alone cannot deal with these advanced attacks. There are commercial and open source options available for EDR deployment, like those offered by Cynet, Symantec, and RSA. You can find a detailed review of these EDR tools here.
Most EDR solutions provide four main capabilities:
- Security incident containment—EDR solutions block security incidents at network endpoints to prevent attacks from spreading across the entire network.
- Threat detection—the ability to detect malicious activity and anomalies on endpoints instead of just looking for file-based malware.
- Incident response —EDR solutions offer incident response capabilities like security incidents prioritization to help security teams respond to attacks faster.
- Incident investigation—EDR simplifies the forensic investigation of incidents by building a central repository of endpoint data and preparing it for analysis.
What Is EPP?
Endpoint protection platforms aim to prevent traditional threats like known malware and advanced threats like fileless attacks, ransomware, and zero-day vulnerabilities.
Some EPP solutions include EDR capabilities. This article focuses on pure EPP security capabilities without EDR.
An EPP detects malicious activity using several methods:
- Signature matching—detecting threats using known malware signatures.
- Sandboxing—testing for malicious behavior of files by executing them in a virtual environment before allowing them to run.
- Behavioral analysis—EPP solutions can determine the baseline of endpoint behavior and identify behavioral anomalies, although there is no known threat signature.
- Static analysis—analyzing binaries and searching for malicious characteristics before execution using machine learning algorithms.
- Whitelisting and blacklisting—blocking access or only permitting access to specific IP addresses, URLs and applications.
EPPs typically provide passive endpoint protection using the following tools:
- Data encryption, potentially with some data loss prevention capabilities
- Antivirus and Next-Generation Antivirus (NGAV)
- Personal firewall protecting the endpoint
EDR vs EPP: What’s the Difference?
Many vendors combine EPP and EDR into one system, however, there are still a few differences between these capabilities.
|Does not require active supervision||Active threat detection|
|Prevent known threats and some unknown threats||Enables immediate response to incidents that EPP could not detect|
|Passive threat prevention||Helps investigate and contain breaches that have already occurred.|
|Does not provide visibility into activity on the endpoint||Helps security staff aggregate event data from endpoints across the enterprise|
|First-line threat prevention solution||Used actively by security teams to respond to incidents|
|Protects each endpoint by isolation||Provides context and data for attacks spanning multiple endpoints|
Comparing EPP and EDR Solutions
EPP solutions detect signatures and other attributes that indicate an intrusion of known threats. EDR solutions add an extra layer of defense by using threat hunting tools for behavior-based endpoint threat detection.
EDR does not make EPP a redundant security tool, even though EDR might sound like a more powerful solution. Organizations that need robust endpoint security measures should take the holistic approach that covers traditional and advanced security threats.
Both EPP and EDR require aspects of each other’s functionality to be considered a holistic endpoint security solution. As a result, the endpoint protection market has become somewhat vague. This has led to EPP vendors adding EDR capabilities to their product and vice versa.
EDR requires active investigation and analysis by security experts to properly respond to threats. In contrast, EPP software runs with minimal supervision needed after its initial installation and configuration.
These two types of endpoint protection systems complement and not replace each other. Modern organizations and enterprises should combine both in their cybersecurity strategy.
EPP vs EDR: Which Should You Choose?
Security experts recommend using a combination of EDR and pure EPP for endpoint protection. EDR is based on “the assumption of breach”, while EPP can prevent threats before they hit the endpoint. You should not assume that your organization is completely protected. You must always have the means to effectively respond to an attack.
But which one would you choose if you were forced to choose between them?
- EPP does not prevent attacks—but makes it much more difficult for hackers to penetrate your perimeter. Hackers prefer to attack easier targets and avoid the major effort involved in overcoming EPP protection.
- EDR provides visibility and operational tools—that enable security teams to react to an attack. Advanced attacks like APTs focus on endpoints as a weak link of the security perimeter. EDR can significantly reduce the time required for successful endpoint attack detection by identifying them and containing the full kill chain.
Traditional EPP tools provide basic security capabilities like anti-malware scanning, while EDR tools provide more advanced features such as security incident detection and investigation. EDR solutions are also able to revert endpoints to pre-infected state. Organizations can combine both tools to provide a more holistic security solution.