EPP / EDR

In a crowded endpoint security market, it can be challenging to differentiate between the many technology solutions on offer.

Endpoint Protection Platforms (EPP) and Endpoint Detection and Response Solutions (EDR) are the two main forms of advanced endpoint security. EPP helps prevent security threats, including known and unknown malware, while EDR solutions focus on detecting and responding to incidents that bypass other security measures. In this blog post, we outline the key differences between the two, how they work and how to get the most out of them.

What is EPP?

Gartner defines EPP as “a solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.”

An EPP is an integrated security solution that is designed to detect and block threats at device level. Typically, this includes antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP).

Traditional EPP is inherently preventative, and most of its approaches are signature-based which means that they identify threats based on known file signatures for newly discovered threats. The latest EPP solutions have evolved to utilise a broader range of detection techniques.

How does EPP work?

EPPs identify attackers able to bypass traditional endpoint security. They also help to bring together complex security stacks, enhancing data sharing and improving the analytics that can support the detection of suspicious behaviour. A key development in EPP is evolution in the cloud. This is because cloud-native EPPs can harness one lightweight agent to monitor all endpoints, providing global shared data on attacker approaches which can be used to enhance how effectively attacker behaviours are detected.

What is EDR?

Gartner defines the Endpoint Detection and Response Solutions (EDR) market as “solutions that record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems.”

Endpoint Detection and Response (EDR) platforms are cyber security monitoring systems that combine elements of next-gen antivirus with additional tools to provide real-time anomaly detection and alerting, forensic analysis and endpoint remediation capabilities.

How does EDR work?

Effective EDR solutions provide the following primary capabilities:

• Detect security incidents
• Contain incidents at the endpoint
• Contextualise security incidents
• Provide remediation guidance

EDR solutions record the activities and events that take place on endpoints and all workloads, providing a continuous and comprehensive level of visibility into events on endpoints in real-time. By recording every file execution and modification, registry change, network connection and binary execution across an organisation’s endpoints, EDR enhances threat visibility in a way that goes far beyond the scope of EPPs.