Comparing endpoint solutions
Endpoint protection platforms (EPPs) and endpoint detection and response (EDR) solutions both provide security for endpoints, from workstations and mobile devices to servers and Internet of Things (IoT) and operational technology (OT) sensors. They target the security challenges of continued, explosive growth in the number and type of endpoints and the appeal of these devices, which often lack the latest protections, to cybercriminals.
Leading vendors of EPPs and EDR tools include Microsoft, CrowdStrike, SentinelOne, Palo Alto Networks, Trend Micro and VMware Carbon Black.
Currently, EPPs and EDR solutions are popular tools for tackling endpoint security, although EPPs preceded EDR products by about five years. In the spirit of tech bake-offs, you might want to find out which one is superior or preferable. The answer is: neither.
Because EPP and EDR target different endpoint security use cases, they complement, rather than compete with, each other. They are not substitutes for each other, either, so both can be useful to an organization’s security posture.
As you can imagine, this situation leads to misconceptions. Let’s dive into the details on EPP and EDR to see how they fit into the big picture of endpoint protection.
Hint: a clue can be found in the difference between a platform and a solution.
What is an endpoint protection platform (EPP)?
Endpoints represent a significant security weakness and are frequently the vector for phishing, malware, DDoS, fileless, and botnet attacks. Preventing these attacks is the goal of an EPP.
Endpoint protection platforms act as a first line of defense to keep enterprise endpoints safe. To monitor these endpoints, EPPs use software agents, which are usually paired with a cloud-based management component that collects and analyzes data and provides access from a central interface.
Traditional EPPs are essentially reactive, confined to monitoring endpoints, examining large amounts of data for suspicious activity, and flagging it for analysis and response by security teams. To do this, an EPP brings together multiple endpoint security technologies, such as:
- web browser security
- threat signature scanning to block malware, viruses, and other file-based threats
- data encryption to secure sensitive data stored on endpoints
- whitelisting and blacklisting of access to IP addresses, URLs, and applications
- behavioral analysis of endpoint activity patterns
- static analysis of binary files
- sandboxing to quarantine suspicious files in a secure environment
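To make the "passive, known-threat" character of these EPP controls concrete, here is an added example (not code from the original article or from any vendor's product) that models three of the listed technologies: exact-hash threat signature scanning, application allowlisting by install path, and URL denylisting. The signature feed, allowlist, denylist and the "malware" bytes are all constructed for the demonstration. The `demo()` function also shows the limitation that motivates pairing EPP with EDR: a one-byte variant of a known sample no longer matches its signature and is allowed through.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: a fake dropper body and a hypothetical signature feed keyed by SHA-256.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00" + b"EVIL-DROPPER-v1" + b"\x00" * 32
SIGNATURE_FEED = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Trojan.Dropper.Example"}

# Hypothetical application allowlist (by install path) and hostname denylist.
APP_ALLOWLIST = {r"C:\Program Files\Office\winword.exe", r"C:\Windows\System32\notepad.exe"}
URL_DENYLIST = {"bad.example.invalid"}


@dataclass
class Verdict:
    action: str   # "block" or "allow"
    reason: str


def scan_file(data: bytes) -> Verdict:
    """Signature scan: block only when the exact SHA-256 is in the feed."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURE_FEED:
        return Verdict("block", f"signature match: {SIGNATURE_FEED[digest]}")
    return Verdict("allow", "no signature match")


def check_execution(path: str) -> Verdict:
    """Application allowlisting: anything not explicitly approved is blocked."""
    if path in APP_ALLOWLIST:
        return Verdict("allow", "application allowlisted")
    return Verdict("block", "application not on allowlist")


def check_url(host: str) -> Verdict:
    """Hostname denylisting: block only explicitly listed destinations."""
    if host.lower() in URL_DENYLIST:
        return Verdict("block", "host denylisted")
    return Verdict("allow", "host not denylisted")


def demo() -> tuple:
    """Known sample is caught; a one-byte variant of the same dropper is not."""
    variant = bytearray(KNOWN_BAD_SAMPLE)
    variant[-1] = 0x01                     # trivial modification changes the hash
    return scan_file(KNOWN_BAD_SAMPLE).action, scan_file(bytes(variant)).action


if __name__ == "__main__":
    original, modified = demo()
    print(f"original sample: {original}, one-byte variant: {modified}")
    print(check_execution(r"C:\Users\alice\up.exe"))
    print(check_url("bad.example.invalid"))
```

Each control answers a yes/no question against a list the vendor or administrator maintains, which is why an EPP needs little supervision, and also why anything not already on a list (the modified variant above) passes silently and must be picked up by behavioural detection instead.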
Advanced EPPs leverage cutting-edge technologies like AI and machine learning, and offer additional prevention and remediation features such as threat hunting and vulnerability management. Importantly, advanced EPP solutions are commonly packaged together with EDR solutions.
To summarize, EPPs use passive technologies to prevent cyber attacks by blocking threats before they can compromise endpoints. In addition to monitoring endpoints for malicious activity, EPPs address security vulnerabilities and protect against breaches by implementing custom controls for devices and users, such as locking down systems and restricting changes to locked devices.
These platforms can be deployed on premises, in the cloud, or in a hybrid configuration. However, according to Gartner, desirable EPP solutions are managed in the cloud. Further, they draw on cloud-hosted threat data, so endpoint agents do not need to maintain a local database of all known indicators of compromise.
What is endpoint detection and response (EDR)?
If an EPP is considered a suite of technologies, EDR is a single solution, although it can be included in a platform. Together, they support an overall endpoint security strategy.
As mentioned above, an EPP is used primarily for passive protection, while an EDR solution is proactive in its threat detection and response capabilities.
Endpoint detection and response solutions use an array of technologies to proactively examine endpoint data for suspicious activity that could indicate a threat or incident. These technologies may include machine learning, advanced analytics, behavioral analysis, and threat intelligence.
Capabilities of an EDR tool typically comprise:
- continuous monitoring of endpoints by collecting and aggregating data, analyzing it to reveal potential threats, and sending notifications to security teams
- alert prioritizing to help security teams respond appropriately and minimize alert fatigue
- active protection of endpoints by automatically responding to a threat, such as by deleting malware or isolating the endpoint from the system
- making recommendations for remediation
In general, EDR tools look for indicators of compromise (IOCs) and indicators of attack (IOAs). An IOC is digital evidence that a network or system has been infiltrated by a cyber threat. In contrast, an IOA points to the intentions of a threat actor and the techniques they use.
To identify IOCs and IOAs, EDR solutions correlate endpoint data with threat intelligence feeds in real time, and may also map endpoint data to the MITRE ATT&CK framework, a knowledge base that helps organizations understand and mitigate cyber threats.
The EDR solution summarizes important data and analytical results in a central management console, which provides security teams with visibility into every endpoint in the environment, and its security status.
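The capability list and the IOC/IOA discussion above describe a pipeline: collect endpoint telemetry, correlate it against a threat-intelligence feed (IOCs) and behavioural rules (IOAs), map findings to MITRE ATT&CK, prioritise the result, and trigger an automated response. The following added example (not code from the original article or from any EDR product) implements that pipeline end to end over a constructed batch of events. The event schema, the IOC feed, the host and user names, and the IP address (from the TEST-NET-2 documentation range) are all assumptions; the ATT&CK technique IDs are real ones (T1059.001 PowerShell, T1053.005 Scheduled Task, T1071.001 Web Protocols).

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed endpoint telemetry in a hypothetical agent schema.
EVENTS = [
    {"id": 1, "host": "ws-042", "user": "alice", "type": "process",
     "image": "winword.exe", "parent": "explorer.exe", "cmdline": "winword.exe invoice.docm"},
    {"id": 2, "host": "ws-042", "user": "alice", "type": "process",
     "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 3, "host": "ws-042", "user": "alice", "type": "network",
     "image": "powershell.exe", "dst": "198.51.100.23", "port": 443},
    {"id": 4, "host": "ws-042", "user": "alice", "type": "process",
     "image": "schtasks.exe", "parent": "powershell.exe",
     "cmdline": "schtasks.exe /create /tn Updater /tr C:\\Users\\alice\\up.exe /sc onlogon"},
    {"id": 5, "host": "srv-01", "user": "svc_backup", "type": "process",
     "image": "powershell.exe", "parent": "services.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

# Constructed threat-intelligence feed: IOCs are concrete artefacts (here a documentation IP).
IOC_FEED = {"ip": {"198.51.100.23"}}


@dataclass
class IOARule:
    """An IOA describes adversary behaviour rather than a specific artefact."""
    name: str
    attack_id: str          # MITRE ATT&CK technique ID
    severity: int           # 1 (low) .. 10 (critical)
    match: Callable[[dict], bool]


IOA_RULES = [
    IOARule("Office application spawned PowerShell", "T1059.001", 8,
            lambda e: e["type"] == "process" and e["image"] == "powershell.exe"
            and e["parent"] in {"winword.exe", "excel.exe", "outlook.exe"}),
    IOARule("Encoded PowerShell command line", "T1059.001", 6,
            lambda e: e["type"] == "process" and e["image"] == "powershell.exe"
            and "-enc" in e["cmdline"].lower()),
    IOARule("Scheduled task pointing at a user-writable path", "T1053.005", 7,
            lambda e: e["type"] == "process" and e["image"] == "schtasks.exe"
            and "/create" in e["cmdline"].lower() and "\\users\\" in e["cmdline"].lower()),
]


@dataclass
class Alert:
    host: str
    user: str
    event_ids: list
    findings: list = field(default_factory=list)   # (name, ATT&CK id, severity)

    @property
    def score(self) -> int:
        """Priority: worst single finding, plus one per additional distinct technique."""
        if not self.findings:
            return 0
        techniques = {f[1] for f in self.findings}
        return min(10, max(f[2] for f in self.findings) + len(techniques) - 1)


def correlate(events: list) -> list:
    """Continuous-monitoring step: match each event, group per host, rank by priority."""
    alerts = {}
    for e in events:
        findings = []
        if e["type"] == "network" and e.get("dst") in IOC_FEED["ip"]:
            findings.append(("IOC: connection to known C2 address", "T1071.001", 9))
        for rule in IOA_RULES:
            if rule.match(e):
                findings.append((rule.name, rule.attack_id, rule.severity))
        if findings:
            alert = alerts.setdefault(e["host"], Alert(e["host"], e["user"], []))
            alert.event_ids.append(e["id"])
            alert.findings.extend(findings)
    return sorted(alerts.values(), key=lambda a: a.score, reverse=True)


def respond(alert: Alert) -> str:
    """Automated response tier plus the recommendation handed to the analyst."""
    if alert.score >= 9:
        return "isolate host and page on-call analyst"
    if alert.score >= 6:
        return "open investigation; collect process tree and memory"
    return "log for review"


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(f"{alert.host} ({alert.user}) score={alert.score} events={alert.event_ids}")
        for name, tid, sev in alert.findings:
            print(f"  [{tid}] {name} (severity {sev})")
        print("  response:", respond(alert))
```

The grouping per host is what gives analysts the context the article says raw alerts lack: the encoded PowerShell, the outbound connection and the persistence mechanism arrive as one ranked alert with its ATT&CK techniques and the originating user, rather than three unrelated notifications. The backup job on `srv-01`, although it also runs PowerShell, matches no rule and produces nothing.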
Which is better: EPP or EDR?
This brings us back to the original bake-off question. In reality, there is no need to choose between EPP and EDR. In fact, both are valuable additions to a comprehensive cybersecurity strategy.
- EPP and EDR are not interchangeable.
- Deploying one product does not remove the need for the other.
- While advanced EPPs include EDR, the two perform distinct functions.
- EPPs passively protect against known threats with minimal supervision, while EDR solutions perform active monitoring, analysis, and investigation with assistance from security experts.
- While EPP aims to prevent known threats to endpoints, EDR solutions assume a breach has taken place and remediate attacks that bypass prevention capabilities, especially unknown and sophisticated attacks.
Bottom line, these two technologies complement one another and should be used together for effective endpoint security.
EPP and EDR misconceptions
Understandably, there are misconceptions about EPPs and EDR solutions. Here is the reality regarding common myths.
Myth 1: Prevention (EPP) is more important than detection and response (EDR)
In the complex and fast-changing endpoint security environment, it’s important to prevent known threats—but equally essential to uncover unknown or highly sophisticated attacks that slip past traditional prevention technologies.
Myth 2: EDR is more powerful than EPP
Although passive, EPP’s protection makes it just as important for endpoint security as EDR’s proactive approach. Further, EPPs require very little human intervention, while an EDR solution must be paired with a good IT security team or partner, such as a managed security service provider (MSSP), managed service provider (MSP), or managed detection and response (MDR) service, which can leverage its capabilities for insights and action.
Myth 3: EDR can anticipate future threats
Let’s qualify this by saying EDR tools can help plan for future threats using machine learning and behavioral analysis to draw inferences and patterns from historical data, but they cannot, for instance, anticipate zero-day attacks.
Myth 4: EDR tools reduce the workload for security operations center (SOC) analysts
While EDR solutions provide automation that can help lighten the burden on SOC analysts, they can also add to it by generating large numbers of alerts without context, forcing analysts to rely on other tools to evaluate those alerts.
Myth 5: EDR provides capabilities for full response and remediation
Although EDR solutions enable incident response, the operative word is “automated.” The tool incorporates rules designed by the IT team to identify threats and then trigger an automatic response such as isolating the endpoint or issuing an alert. However, security teams must intervene to investigate, respond to, and remediate the threat.