In a crowded endpoint security market, it can be challenging to differentiate between the many technology solutions on offer.
Endpoint Protection Platforms (EPP) and Endpoint Detection and Response Solutions (EDR) are the two main forms of advanced endpoint security. EPP helps prevent security threats, including known and unknown malware, while EDR solutions focus on detecting and responding to incidents that bypass other security measures. In this blog post, we outline the key differences between the two, how they work and how to get the most out of them.
What is EPP?
Gartner defines EPP as “a solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.”
An EPP is an integrated security solution that is designed to detect and block threats at device level. Typically, this includes antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP).
Traditional EPP is inherently preventative, and most of its techniques are signature-based: files are matched against signatures of already known malware, so a newly discovered threat is only caught once a signature for it has been issued. The latest EPP solutions have evolved to utilise a broader range of detection techniques.
How does EPP work?
EPPs identify attackers able to bypass traditional endpoint security. They also help to consolidate complex security stacks, enhancing data sharing and improving the analytics that support the detection of suspicious behaviour. A key development in EPP is the move to the cloud: cloud-native EPPs can use one lightweight agent to monitor all endpoints and pool global data on attacker approaches, which is used to improve how effectively attacker behaviours are detected.
What is EDR?
Gartner defines the Endpoint Detection and Response Solutions (EDR) market as “solutions that record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems.”
Endpoint Detection and Response (EDR) platforms are cyber security monitoring systems that combine elements of next-gen antivirus with additional tools to provide real-time anomaly detection and alerting, forensic analysis and endpoint remediation capabilities.
How does EDR work?
Effective EDR solutions provide the following primary capabilities:
- Detect security incidents
- Contain incidents at the endpoint
- Contextualise security incidents
- Provide remediation guidance
EDR solutions record the activities and events that take place on endpoints and all workloads, providing a continuous and comprehensive level of visibility into events on endpoints in real-time. By recording every file execution and modification, registry change, network connection and binary execution across an organisation’s endpoints, EDR enhances threat visibility in a way that goes far beyond the scope of EPPs.
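To make the contrast concrete, the following is an added example (not code from this post or from Kroll) that runs an EPP-style signature check and an EDR-style behavioural check over the same constructed stream of endpoint records. The event schema, the rule parameters (office applications, script hosts, the Run key), the hostnames, hashes and addresses are all assumptions made for the example; the signature table only recognises one hash, so the behavioural check is the only one that sees the second chain, and the recorded timeline it returns is the context an analyst would use.

```python
"""EPP-style signature matching beside EDR-style behavioural correlation over a
constructed endpoint telemetry stream. Example code added to illustrate the
blog post; not Kroll's or any vendor's product logic."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: a tiny 'known bad' table standing in for an EPP agent's
# signature database. The hash values are invented.
KNOWN_BAD_SHA256 = {"1111aaaa" * 8: "Trojan.Example.A"}

# Constructed rule parameters for the behavioural check.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Event:
    """One endpoint telemetry record of the kind an EDR sensor streams."""
    ts: int            # constructed timestamp (seconds)
    host: str
    kind: str          # 'process', 'file', 'registry' or 'network'
    pid: int
    ppid: int
    image: str         # executable name of the process the record belongs to
    sha256: str = ""   # hash of the image, only set on 'process' records
    detail: str = ""   # file path, registry key or remote ip:port


def epp_signature_check(events: List[Event]) -> List[Tuple[str, str, str]]:
    """EPP-style prevention: flag executions whose file hash is in the signature
    table. An executable with no signature is invisible to this check."""
    return [(e.host, e.image, KNOWN_BAD_SHA256[e.sha256])
            for e in events
            if e.kind == "process" and e.sha256 in KNOWN_BAD_SHA256]


def edr_behaviour_check(events: List[Event]) -> List[dict]:
    """EDR-style detection: rebuild process lineage from the recorded stream and
    flag a script host started by an office application that then both connects
    out and writes a Run key. No file hash is consulted, so the check does not
    depend on the malware having been seen before."""
    started: Dict[Tuple[str, int], Event] = {}
    activity: Dict[Tuple[str, int], List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.host, e.pid)
        if e.kind == "process":
            started[key] = e
        else:
            activity[key].append(e)

    findings = []
    for key, start in started.items():
        parent = started.get((start.host, start.ppid))
        if parent is None or parent.image.lower() not in OFFICE_APPS:
            continue
        if start.image.lower() not in SCRIPT_HOSTS:
            continue
        acts = activity[key]
        net = [a for a in acts if a.kind == "network"]
        persist = [a for a in acts
                   if a.kind == "registry" and a.detail.startswith(RUN_KEY)]
        if net and persist:
            findings.append({
                "host": start.host,
                "chain": f"{parent.image} -> {start.image}",
                "remote": net[0].detail,
                "persistence": persist[0].detail,
                # the full recorded timeline is what gives the analyst context
                "timeline": [start] + acts,
            })
    return findings


# Constructed telemetry: hostnames, pids, hashes and addresses are all invented.
SAMPLE_EVENTS = [
    Event(100, "ws-17", "process", 4100, 900, "winword.exe", sha256="2222bbbb" * 8),
    Event(105, "ws-17", "process", 4172, 4100, "powershell.exe", sha256="3333cccc" * 8),
    Event(106, "ws-17", "file", 4172, 4100, "powershell.exe",
          detail=r"C:\Users\jdoe\AppData\Roaming\upd.exe"),
    Event(107, "ws-17", "network", 4172, 4100, "powershell.exe", detail="203.0.113.9:443"),
    Event(108, "ws-17", "registry", 4172, 4100, "powershell.exe", detail=RUN_KEY + r"\Updater"),
    # routine remote administration on another host: same script host, benign parent
    Event(200, "ws-03", "process", 500, 1, "explorer.exe"),
    Event(201, "ws-03", "process", 512, 500, "powershell.exe"),
    Event(202, "ws-03", "network", 512, 500, "powershell.exe", detail="10.0.0.5:5985"),
    # a file the signature table does recognise
    Event(300, "ws-22", "process", 700, 1, "invoice.exe", sha256="1111aaaa" * 8),
]

if __name__ == "__main__":
    for host, image, name in epp_signature_check(SAMPLE_EVENTS):
        print(f"EPP blocked {image} on {host}: {name}")
    for f in edr_behaviour_check(SAMPLE_EVENTS):
        print(f"EDR alert on {f['host']}: {f['chain']} -> {f['remote']}, "
              f"persistence via {f['persistence']} ({len(f['timeline'])} events recorded)")
```

Run as a script, the signature check reports only the host where the known hash executed, while the behavioural check reports the chain on `ws-17` and ignores the administrator's PowerShell session on `ws-03` because its parent is not an office application. In a real deployment the rule parameters would come from the EDR vendor's content and the event stream from the sensor, not from inline lists.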
What are the differences between EPP and EDR?
The main differences between EPP and EDR solutions are outlined in the table below:
| EPP | EDR |
|---|---|
| Focus on prevention | Focus on detection |
| Passive threat detection | Active threat detection |
| Blocks known threats and some unknown threats | Facilitates fast response to indicators of compromise |
| Limited visibility of endpoint activity | Aggregates event data from endpoints |
| Provides first level threat prevention | Enables active response and containment |
| Protects endpoints through isolation | Provides context across multiple endpoints |
EPP and EDR: combining capabilities
As we have outlined, there are several clear differences between EPP and EDR. While EPP is a first-line defence mechanism, effective at blocking known threats, EDR is the next layer of security, providing additional tools to hunt for threats, forensically analyse intrusions and respond swiftly and effectively to attacks.
The increasing convergence of the two markets can complicate the decision-making process for organisations seeking to enhance their cyber resilience. EDR was initially positioned as a solution for large enterprises with dedicated Cyber Security Operations Centres. However, there is a growing acceptance that additional threat detection, investigation and response capabilities are a necessity for organisations of all sizes.
There is a growing drive among organisations to identify all-in-one solutions capable of providing both active and passive endpoint protection. This has led EDR providers to incorporate aspects of EPPs into their offerings, and conversely, for EPP providers to integrate basic EDR functionality in theirs too.
This means that many traditional EDR use cases, focused around searching across endpoints for indicators of compromise (IOCs), are now addressed by the mainstream EPP market.
Getting the most from EPP and EDR
While small and mid-market organisations are increasingly turning to EDR technology for more advanced endpoint protection, many lack the resources to maximise its benefits. Utilising advanced EDR features such as forensic analysis, behavioural monitoring and artificial intelligence (AI) is labour and resource-intensive, demanding the attention of dedicated security professionals.
A managed endpoint security service combines the latest technology, a round-the-clock team of certified CSOC experts and up-to-the-minute threat intelligence for a cost-effective monthly subscription. Managed services can help reduce the day-to-day burden of monitoring and responding to alerts, enhance security orchestration, automation and response (SOAR) and improve threat hunting and incident response.
We recommend that organisations currently utilising an EPP solution and aiming to improve threat hunting and incident response consult with their chosen vendor for insight into new planned features, as well as reviewing their in-house capabilities. This will ensure they can fully maximise the benefits of advanced EDR-type functionality.
Why choose Kroll for endpoint security?
Managed endpoint protection is a core function of Kroll Responder, our outcome-focused Managed Detection and Response (MDR) service that provides the frontline intelligence, high-fidelity detections and incident response support required to shut down threats across your organisation’s environments before they cause damage and disruption.
Our expert team of SOC analysts, engineers and researchers possesses a deep understanding of attacker tradecraft and uses this insight, alongside the latest EPP and EDR technologies, to hunt for, detect and respond to attacks, 24/7. We conduct over 3,000 incident response investigations a year, so we know what to look for and how to mitigate the risk of cyber-attacks.
For enhanced cloud security and wider threat visibility, Kroll Responder can also include network and cloud security monitoring as part of the service. This includes management of SIEM, vulnerability scanning, behavioural monitoring and other advanced security technologies, across the Microsoft cloud ecosystem, AWS or GCP. Furthermore, reporting can be customised to meet the needs of compliance standards like the GDPR, DPA 2018, ISO 27001, NIS Directive and PCI DSS.