researchHQ’s Key Takeaways:
- Endpoint Protection Platforms (EPP) and Endpoint Detection & Response (EDR) solutions are both of significant use to modern organisations, making the choice between the two a daunting one.
- ‘Pure’ EPPs act as a first-line defence, detecting and remediating malicious activity and a range of other security issues.
- EDRs allow automatic incident response through the collection, detection, and analysis of data in real-time.
- The pros and cons of each solution, such as active vs passive threat detection, should be considered by businesses before making a purchase decision.
- A mix of threat prevention and detection is ideal, with a perfect balance between the two enabling organisations as they move towards their own unique goals.
If you were the mayor of a major city, what would you value more? Police cars that can identify issues in traffic and prevent accidents, or ambulances that can race to the scene of an accident, respond to a crisis and save lives?
Endpoint Protection Platforms (EPP) help prevent security threats, including known and unknown malware, on your endpoint devices. Endpoint Detection and Response (EDR) solutions help you detect and respond to incidents that managed to bypass your EPP or other security measures. Which is more important? Can you do without one or the other?
Many modern EPP platforms combine the two approaches, offering both threat prevention and EDR. Still, you can choose which components to deploy on which endpoints and there may be separate pricing for different parts of the EPP package. So the question of prevention vs. response is still a relevant one.
In this article:
- What is EPP
- What is EDR
- What’s the difference
- Which matters more
- How can Cynet360 help
What is EPP
Endpoint Protection Platforms are designed to prevent attacks from traditional threats such as known malware and advanced threats such as ransomware, zero-day vulnerabilities and fileless attacks.
As mentioned, many EPP platforms include EDR, but in this discussion we focus on “pure” EPP security capabilities excluding EDR.
An EPP detects malicious activity using several methods:
- Signature matching – identifying threats using known malware signatures.
- ML static analysis – analyzing binaries prior to execution using machine learning algorithms and searching for malicious attributes.
- Sandboxing – executing files in a virtual environment to inspect for malicious behavior before allowing them to run.
- Blacklisting and whitelisting – blocking access or only permitting access to specific applications, IP addresses, URLs or ports.
- Behavioral analysis – modern EPPs can establish a baseline of normal endpoint behavior and identify processes or users that deviate from it, even when no known threat signature exists.
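As an added illustration (not Cynet’s or any vendor’s code) of how three of the methods listed above fit together as a pre-execution gate, the Python below combines known-signature matching (a SHA-256 blocklist plus a byte-pattern rule), a crude static-attribute score standing in for ML static analysis, and allow/block lists for file hashes and network destinations. Every sample file, hash, host and rule in it is constructed for the example; real products use far larger signature sets and trained models rather than a hand-written score.

```python
"""Toy pre-execution policy check in the spirit of a 'pure' EPP.

Added illustration, not Cynet's or any vendor's code. Every sample, hash and
rule below is constructed for this example.
"""
import hashlib
import re
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file contents standing in for executables on an endpoint.
SAMPLE_BENIGN = b"MZ\x90\x00 constructed benign tool: prints hello"
SAMPLE_KNOWN_BAD = b"MZ\x90\x00 constructed sample already known to the vendor"
SAMPLE_SIGNATURE_HIT = b"cmd.exe /c start powershell -enc QUJD"
SAMPLE_UNKNOWN = (b"MZ\x90\x00 VirtualAlloc WriteProcessMemory "
                  b"powershell -enc " + b"A" * 64 + b" IsDebuggerPresent")

# Constructed signature database: content hashes and one byte-pattern rule.
KNOWN_BAD_HASHES = {sha256(SAMPLE_KNOWN_BAD)}
BYTE_SIGNATURES = {
    "toy.dropper.A": re.compile(rb"cmd\.exe /c .*powershell -enc", re.I),
}

# Constructed allow/block lists: approved binaries, blocked hosts and ports
# (RFC 5737 / RFC 2606 reserved test values).
ALLOWED_HASHES = {sha256(SAMPLE_BENIGN)}
BLOCKED_HOSTS = {"203.0.113.7", "malware.example"}
BLOCKED_PORTS = {4444, 1337}


@dataclass
class Verdict:
    action: str                    # "allow" or "block"
    reasons: list = field(default_factory=list)


def static_risk_score(data: bytes) -> int:
    """Stand-in for ML static analysis: count suspicious attributes of the file."""
    score = 0
    if re.search(rb"VirtualAlloc|WriteProcessMemory|CreateRemoteThread", data):
        score += 2                 # in-memory injection primitives imported by name
    if re.search(rb"-e(?:nc|ncodedcommand)\s+[A-Za-z0-9+/=]{40,}", data, re.I):
        score += 2                 # long encoded command line embedded in the file
    if b"IsDebuggerPresent" in data:
        score += 1                 # anti-analysis check
    return score


def evaluate_file(data: bytes, threshold: int = 3) -> Verdict:
    """Pre-execution decision: allowlist, then signatures, then static score."""
    digest = sha256(data)
    if digest in ALLOWED_HASHES:
        return Verdict("allow", ["hash on allowlist"])
    if digest in KNOWN_BAD_HASHES:
        return Verdict("block", ["hash matches known malware"])
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern.search(data):
            return Verdict("block", [f"signature match: {name}"])
    score = static_risk_score(data)
    if score >= threshold:
        return Verdict("block", [f"static risk score {score} >= {threshold}"])
    return Verdict("allow", [f"static risk score {score} < {threshold}"])


def evaluate_connection(host: str, port: int) -> Verdict:
    """Firewall-style check of an outbound connection against the block lists."""
    if host in BLOCKED_HOSTS:
        return Verdict("block", [f"host {host} on blocklist"])
    if port in BLOCKED_PORTS:
        return Verdict("block", [f"port {port} on blocklist"])
    return Verdict("allow", ["destination not on any blocklist"])


if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN), ("known bad", SAMPLE_KNOWN_BAD),
                          ("signature hit", SAMPLE_SIGNATURE_HIT), ("unknown", SAMPLE_UNKNOWN)]:
        v = evaluate_file(sample)
        print(f"{label:14s} -> {v.action}: {'; '.join(v.reasons)}")
    print("203.0.113.7:443 ->", evaluate_connection("203.0.113.7", 443).action)
```

The ordering matters: the allowlist is consulted first so an approved binary is never blocked by a noisy heuristic, exact hash matches come next because they are cheap and certain, and the static score runs last as the only check that can catch a file nobody has seen before. Everything here happens before the file executes, which is what distinguishes a prevention control from the detection and response path described in the next section.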
EPPs commonly provide the following tools, which give an endpoint passive protection:
- Antivirus and Next-Generation Antivirus (NGAV)
- Personal firewall protecting the endpoint
- Data encryption, possibly with some data loss prevention capabilities
What is EDR
Endpoint Detection and Response (EDR) was defined by Gartner in 2013 as a new type of security technology. It helps detect attacks on endpoint devices and provides fast access to information about the attack. This is difficult to achieve without EDR technology because security staff typically have low visibility and little to no control over remote endpoints.
Beyond providing access to information, a key role of EDR software is to help security staff respond to attacks by quarantining an endpoint, blocking processes or running automatic incident response playbooks.
EDR solutions have three main components:
- Data collection—software agents on endpoint devices collect data about process execution, communication and logins.
- Detection engine—analyzes typical endpoint activity, discovers anomalies and reports anomalies that may represent a security incident on the endpoint.
- Data analysis engine—aggregates data from endpoints and provides real-time analytics about security incidents from across the enterprise.
Most EDR solutions also provide:
- Threat intelligence—identifying Indicators of Compromise (IoCs) on the endpoint and identifying the likely threat actor and the attack technique they are using.
- Alerts and forensics—notifying security staff in real time about security incidents and giving them easy access to context that will help fully investigate the incident.
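To show how the three EDR components and the threat-intelligence layer described above chain together, here is an added Python illustration that is not Cynet’s or any vendor’s code. It parses constructed agent records (data collection), raises alerts for IoC matches, process chains outside a behavioral baseline and unusual remote logins (detection engine), aggregates those alerts across endpoints to spot one indicator contacted from several hosts (data analysis engine), and finally applies a simple quarantine-or-triage playbook (response). The host names, IoCs, actor label and baseline are all constructed assumptions.

```python
"""Toy EDR pipeline: data collection -> detection -> cross-endpoint analysis -> response.

Added illustration, not Cynet's or any vendor's code. The agent records, the
threat-intel IoCs and the behavioral baseline are all constructed for this
example; a real agent streams far richer telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    kind: str      # "process", "network" or "login"
    detail: dict


# Data collection: constructed records as an endpoint agent might emit them,
# one per line, 'host|kind|key=value;key=value'.
AGENT_RECORDS = [
    "ws-01|process|parent=explorer.exe;image=outlook.exe",
    "ws-01|process|parent=outlook.exe;image=powershell.exe",
    "ws-01|network|dest=198.51.100.23;port=443",
    "ws-02|network|dest=198.51.100.23;port=443",
    "ws-03|login|user=alice;type=remote;usual_host=true",
    "ws-03|process|parent=services.exe;image=svchost.exe",
]

# Threat intelligence: constructed IoCs (RFC 5737 / RFC 2606 test values)
# mapped to a hypothetical actor and the technique the indicator represents.
IOCS = {
    "198.51.100.23": ("ToyActor-1", "command-and-control beacon"),
    "updates.example.net": ("ToyActor-1", "staging server"),
}

# Behavioral baseline: parent -> child process pairs observed during normal use.
BASELINE_PARENT_CHILD = {
    ("explorer.exe", "outlook.exe"), ("explorer.exe", "chrome.exe"),
    ("services.exe", "svchost.exe"), ("outlook.exe", "chrome.exe"),
}


def parse_agent_record(line: str) -> Event:
    """Data collection: turn one agent record into an Event."""
    host, kind, rest = line.split("|", 2)
    detail = dict(kv.split("=", 1) for kv in rest.split(";"))
    return Event(host, kind, detail)


def detect(event: Event) -> list:
    """Detection engine: alerts raised by a single event, as a list of labels."""
    alerts, d = [], event.detail
    if event.kind == "process":
        if (d["parent"], d["image"]) not in BASELINE_PARENT_CHILD:
            alerts.append(f"unbaselined process chain {d['parent']} -> {d['image']}")
    elif event.kind == "network":
        if d["dest"] in IOCS:
            actor, technique = IOCS[d["dest"]]
            alerts.append(f"IoC match {d['dest']} ({actor}: {technique})")
    elif event.kind == "login":
        if d.get("type") == "remote" and d.get("usual_host") != "true":
            alerts.append(f"remote login for {d['user']} from an unusual host")
    return alerts


def analyze(records) -> dict:
    """Analysis engine: aggregate per-host alerts and surface enterprise-wide patterns."""
    per_host, ioc_hosts = defaultdict(list), defaultdict(set)
    for line in records:
        ev = parse_agent_record(line)
        for alert in detect(ev):
            per_host[ev.host].append(alert)
            if alert.startswith("IoC match"):
                ioc_hosts[ev.detail["dest"]].add(ev.host)
    # The same IoC contacted from several hosts points to a campaign, not a one-off.
    campaign = {ioc: sorted(hosts) for ioc, hosts in ioc_hosts.items() if len(hosts) > 1}
    return {"per_host": dict(per_host), "campaign": campaign}


def respond(report: dict, quarantine_threshold: int = 2) -> dict:
    """Automatic playbook: quarantine hosts at or above the alert threshold, triage the rest."""
    return {host: ("quarantine" if len(alerts) >= quarantine_threshold else "triage")
            for host, alerts in report["per_host"].items()}


if __name__ == "__main__":
    report = analyze(AGENT_RECORDS)
    for host, alerts in report["per_host"].items():
        print(host, alerts)
    print("campaign:", report["campaign"])
    print("actions:", respond(report))
```

Run stand-alone, it reports two alerts on ws-01 (an Outlook-spawned PowerShell and a beacon to the listed IoC), one on ws-02, and nothing on ws-03, then flags the shared IoC as a cross-host pattern and quarantines only ws-01. The point the article makes about EDR is visible in the shape of the code: nothing here prevents the initial execution; the value comes from retaining the telemetry, correlating it across endpoints and acting on the result.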