I work at a tech services company with 5,000 - 10,000+ employees.
We are currently researching EPP and EDR solutions. What are the main differences between EPP and EDR?
Thanks! I appreciate the help.
I think most of the comments cover all the key points.
EDR-End point Detection and Response.
Its main functions are: To monitor, record activity on endpoints, detect suspicious behaviour, security risks and respond to internal external threats.
Which further includes- Providing Authenticating log-ins, Monitoring network activities, and deploying updates.
Its Capabilities: 1. Continuous endpoint data collection.
2. Detection engine
3. Data recording.
It is considered as next layer of security
No in depth visibility
IR team needs to deal with false alarm and have to handle restoring process.
Struggle to find the attackers who infiltrated for the damanage caused.
Not an holistic approach
EPP-End point protection platform.
Its functionality covers:
It works mainly on signature based approach and more broader detection techniques.
It is considered as first line defence.
Keeping in view of the above points currently Holistic Endpoints Security solutions approach is emerging ie EDR providers are incorporating aspects of EPP and vice versa resulting in considering EDR as a subset of EPP.
Examples of such products or tools
Symantec and Cynet.
I hope the above points cover the difference between EDR & EPP.
Endpoint Detection and Response (EDR) is a category of security tools that are designed to monitor and record activity on endpoints, detect suspicious behavior, security risks, and respond to internal and external threats.
EDR tools consist of three main mechanisms to fulfill this function:
• Continuous endpoint data collection—aggregates data on events such as process execution, communication, and user logins. This involves continually monitoring all events at the endpoints.
• Detection engine—performs data analysis to discover anomalies and detect malicious activity on endpoints. This step is crucial for sifting through events to identify genuine security incidents.
• Data recording—provides security teams with real-time data about security incidents on endpoints, which they can then use for investigative purposes. This can help inform endpoint protection strategies.
Incident Report teams still need to deal with multiple platforms and false alarms and to handle the restoration process themselves. IR teams often struggle to find the attackers that infiltrated the protection layers before they cause damage. To deal with all potential risks, a more holistic approach is needed, a platform which can be a solution to all types of threats. EPP (Endpoint Protection Platform) is the platform to achieve this goal.
Endpoint protection platform provides essential security for many types of endpoints, from smart phones to printers. An endpoint protection platform (EPP) is an integrated suite of endpoint protection technologies, such as antivirus, data encryption, intrusion prevention, and data loss prevention, that detects and stops a variety of threats at the endpoint.
An endpoint protection platform provides a framework for data sharing between endpoint protection technologies.
It might seem like the distinction between EPP and EDR is straightforward, but it is not that simple. Traditionally, EPP is defined as a first-line defense mechanism, effective at blocking known threats. While EDR is defined as the next layer of security, providing additional tools to detect threats, analyze intrusions, and respond to attacks.
EPP (Endpoint Protection Platform) covers traditional anti-malware scanning. EPP is typically designed to reactively detect and block threats at device level e.g. antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP) whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and investigating security incidents, and ability to remediate endpoints to pre-infection state e.g. EDR contains many security tools like firewall, whitelisting tools, monitoring tools, etc. to provide comprehensive protection against digital threats and allows for preparing an appropriate incident response. EDR is the endpoint which is responsible for proactive detection and response processes.
Endpoint protection (EPP) usually means anti-malware, anti-spam, anti-phishing, etc. These are features prevent attacks without a detailed explanation of why EPP stops an action and how the attack is.
Endpoint detection and response (EDR) usually means how to record the attack in detail and provide certain remediation methods to recover the affected machines or files.
In other words. EPP shows “what and when”. EDR shows “why and how”.
An EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.
An EDR, on the other hand, is specifically built to handle this situation.
Almost all endpoint security manufacturers have this product capability today in their line and always the EDR component is an add on and is as or more expensive than the use system.
EPP is focused on detecting malware, but EDR is focused on logging endpoint an event and this event is used for threat hunting or incident response. So you need advanced security analysts to get the desired effect.
EPP and EDR are not a completely separate solution. EDR is a core component of an EPP product. And many EPP vendors add EDR features to their EPP solution.
The biggest difference is time frames. EPP is meant to PREVENT infection. EDR is meant to deal with endpoints once they ARE infected.
EPP (Endpoint Protection Platform) covers traditional anti-malware scanning, whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and investigating security incidents, and ability to remediate endpoints to pre-infection state.
Traditional EPP solutions cover more basic features such as anti-malware & integrated security solutions designed to detect and block threats at a device level. Typically this includes antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP)
Whereas EDR solutions covered more advanced capabilities like detecting and investigating security incidents, and the ability to remediate endpoints to pre-infection state.
EPP Endpoint Protection Platform like McAfee EPO contains most things like antivirus, DLP, and IPS.
EDR is a combination of next-gen antivirus and behavior analysis solution.
Great question, and one that is confusing even to many experts.
Traditionally, an Endpoint Protection Platform (EPP) is a first-line defense mechanism, effective at blocking known threats. Endpoint Detection and Response (EDR) is the next layer of security, providing additional tools to search or hunt for threats<https://www.redscan.com/services/managed-detection-and-response/cyber-threat-hunting/> or respond to incidents.
There is an increasing alignment or “convergence” of the two markets. While EDR was initially positioned as a solution for large enterprises with dedicated Cyber Security Operations Center or capability, other groups are also implementing EDRs for support to incident response. The vendors on both the EPP and EDR side are adding customer-requested features to have an “all in one” solution that is converging the tools.
One issue is that sometimes it is better to have those capabilities in place but to engage an outside forensics firm for enterprise-level incident response. Having the internal security team investigate enterprise-level breaches, internal employee investigations that may involve executives or anything around corporate litigation may not be the appropriate separation of duties. Specifically engaging trusted third party incident response and investigative teams provides independence from the internal team that designed the security also investigate any potential failures, or having to investigate the emails of your own leadership.
I 2nd Jehyun's response! Another way of looking at it is that EPP (End Point Protection) is your traditional Antivirus/AntiMalware solution on the endpoint (Symantec, McAfee, etc.) whereas EDR (Endpoint Detection and Response) has been represented by companies such as Carbon Black.
My vision is very simple. EPP (Endpoint Protection Platform) is working based on predefined rules and definitions (virus definitions/signatures, black/white lists and etc.). EDR works based on models for abnormal activities (registry change, network connection, binary execution). EPP is focused over end-point as a standalone device, EDR is working on the company (group of workstations from the same domain) level and correlates information from all endpoints into the network (possibility to identify the lateral movement of the threats).
EDR solutions easily communicate with other security solutions (SIEMs, tools for forensic analysis), but most probably this not something remarkable or big differentiator, because this can change.
EPP is your favorite Anti-Malware and Anti-Virus Solution. EDR (Endpoint Detection and Response) most commonly use for APT solution amd ideal for small bussiness Security Incident response team.
In simple terms:- An EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.
An EDR, on the other hand, is specifically built to handle this situation.
Almost all endpoint security manufacturers have this product capability today in their line and always the EDR component is an add on and is as or more expensive than the use system
I have used McAfee endpoint security with EDR functionality in my previous organization and I can confidently say that the money was well spent. - You may remember the May Day attack which as highly publicized? Well, I'm proud to say McAfee's defense system with EDR stopped the assault in its tracks with zero loss!
I'm not pushing McAfee here because other manufacturers too have equally matching capability
So in summation, please bear in mind the following points - this is my personal bible so to say.
1. McAfee/Symantec/TRendMicro/Sophos/ CrowdStrike/Carbon Black to name a few - all are equally good. There will be a few key features which you may need or not need -please concentrate effort on that
2. - VERY IMPORTANT - whoever you choose as the solution, please ensure that you have local support from the OEM in your country; talk to your account manager from the OEM.
3. All-around security - select a product that can integrate all the way up to your gateway firewall or can share data mutually
4. Run a full feature deployment in 3 parts - normal users( who use day to day apps), laptop users who are always on travel and the trouble-making systems and the most important part - management users.
5. Choose a reseller who has good tech support capabilities.
6. Ensure your admin guys are suitably trained on it.
EPP: Endpoint Protection Platform (Typically AV for Endpoint/servers, it may also includes features like Host Firewall, Host IPS, Device Control, web reputation etc etc)
EPP will protect the endpoint/servers from malware.
EDR: Endpoint Detect & Response
EDR solution doesn't provide any protection such as EPP, it works on top of EPP solution which will provide visibility of the all the activities done on the endpoints.
EDR solution help to find suspicious activity and re-mediate the same.
In a layman terms, If you're protecting a gate, your gatekeeper is EPP and Security Camera is EDR.
Please use below link for more details.
Please find some good explanation through the following link:
EPP is based on signature and EDR on behavior, allowing EDR to stop malware on day 0.