EDR vs Antivirus: Understanding Endpoint Protection Options
What is EDR?
Endpoint detection and response (EDR) collects data from endpoints and provides advanced measures for detecting threats, including the ability to identify where an attack originated and how it is spreading. It is often a component of an endpoint protection platform (EPP).
EDR helps security analysts recognize that attackers have already breached an endpoint, and helps them stop attacks by performing automated or manual actions, such as isolating an endpoint from the network, wiping and reimaging it, or identifying and stopping malicious processes.
While an EPP provides security measures to prevent attacks, EDR can proactively address threats after they have penetrated an organization’s endpoints, before they cause damage.
What is Antivirus?
Antivirus software, also known as legacy AV, is the “lowest common denominator” of endpoint security. Antivirus scans an operating system and file system for known malware such as trojans, worms, and ransomware, and upon detecting them, removes them from the system.
Legacy AV typically detects malware by comparing binaries to known signatures, performing heuristic analysis to see if running processes or installed software have suspicious properties, and integrity checking, which checks if malware has tampered with existing files on a machine.
The evolution of legacy AV is next generation antivirus (NGAV), which provides more advanced detection based on machine learning and artificial intelligence (AI). This makes it possible to detect unknown and zero-day malware, and advanced threats like fileless attacks.
Antivirus uses several types of scans to identify malware on a computer system:
Signature scan—detects new programs on the machine, computes their hash and compares it to known malware signatures.
Heuristic scan—detects programs which, even though they do not match a malware signature, exhibit abnormal behavior. The antivirus program may launch the suspicious program in a sandbox and observe whether it performs malicious activity, such as deleting or encrypting files, or launching a large number of processes.
Integrity scan—detects changes to files on the machine, especially system files, which may indicate a malicious process.
Behavioral analysis—advanced antivirus software analyzes process behavior using machine learning and artificial intelligence (ML/AI) techniques, and identifies processes that are behaving unusually compared to normal process behavior on the system, or compared to known malicious behavior, such as ransomware. This can help identify unknown, zero-day, or evasive malware that uses obfuscation techniques.
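The three scan mechanisms above (signature, integrity and heuristic/behavioral) are easy to see in code. The following is an added illustration written for this page, not code from the article or any antivirus product. It runs over an in-memory "file system" of constructed byte strings; the signature entry is simply the digest of one of those strings, and the sandbox traces are made-up action logs, so nothing here refers to real malware.

```python
"""Antivirus scan mechanics over constructed sample data (added example)."""
import hashlib
from typing import Dict, List, Tuple

# Constructed in-memory "file system": path -> file bytes. None are real programs.
FILES: Dict[str, bytes] = {
    "/usr/bin/editor": b"placeholder binary: text editor",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/home/user/Downloads/setup.exe": b"placeholder binary: unwanted installer",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature set: file digest -> detection name.
MALWARE_SIGNATURES: Dict[str, str] = {
    sha256_hex(b"placeholder binary: unwanted installer"): "Sample.Installer"
}


def signature_scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Signature scan: hash every file and look the digest up in the signature set."""
    return {
        path: MALWARE_SIGNATURES[sha256_hex(data)]
        for path, data in files.items()
        if sha256_hex(data) in MALWARE_SIGNATURES
    }


def build_integrity_baseline(files: Dict[str, bytes],
                             protected: Tuple[str, ...] = ("/etc/", "/usr/bin/")) -> Dict[str, str]:
    """Record the digest of each protected file at a known-good point in time."""
    return {p: sha256_hex(d) for p, d in files.items() if p.startswith(protected)}


def integrity_scan(files: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Integrity scan: report protected files modified or removed since the baseline."""
    changed = []
    for path, good_digest in baseline.items():
        current = files.get(path)
        if current is None or sha256_hex(current) != good_digest:
            changed.append(path)
    return sorted(changed)


def heuristic_scan(trace: List[str], threshold: int = 10) -> Tuple[str, int]:
    """Heuristic scan: score a sandbox trace of "verb target" lines. Mass deletion
    or encryption of user files and spawning many processes are the behaviors the
    article names; each adds to a score that is compared against a threshold."""
    score = 0
    spawned = 0
    for line in trace:
        verb, _, target = line.partition(" ")
        if verb == "delete" and target.startswith("/home/"):
            score += 2          # destroying user data
        elif verb == "write" and target.endswith(".locked"):
            score += 2          # writing what look like encrypted copies
        elif verb == "spawn":
            spawned += 1
    if spawned >= 5:
        score += 5              # process storm
    return ("suspicious" if score >= threshold else "clean"), score


# Constructed sandbox traces.
BENIGN_TRACE = ["write /home/user/notes.txt", "spawn /usr/bin/editor"]
RANSOMWARE_LIKE_TRACE = [
    "write /home/user/a.docx.locked", "delete /home/user/a.docx",
    "write /home/user/b.xlsx.locked", "delete /home/user/b.xlsx",
    "write /home/user/c.pdf.locked", "delete /home/user/c.pdf",
]

if __name__ == "__main__":
    print("signature hits:", signature_scan(FILES))
    baseline = build_integrity_baseline(FILES)
    tampered = {**FILES, "/etc/hosts": b"127.0.0.1 localhost\n0.0.0.0 update.example\n"}
    print("integrity changes:", integrity_scan(tampered, baseline))
    print("heuristic verdict:", heuristic_scan(RANSOMWARE_LIKE_TRACE))
```

The integrity baseline has to be captured on a machine known to be clean; a baseline taken after compromise would record the tampered files as normal. The heuristic weights and threshold are arbitrary values chosen for the example, which is also why real products tune them constantly: too low and benign backup tools trip the rule, too high and a slow-moving encryptor stays under it.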
Although antivirus is an essential component of endpoint security, it is limited in its ability to prevent sophisticated threats. Zero-day or unknown threats may evade even advanced antivirus software. New types of attacks may be invisible to antivirus—for example, fileless attacks that execute in memory without creating binaries in the file system cannot be stopped by many antivirus programs.
EDR was designed under the assumption that the endpoint will, at some point, be breached. Antivirus may provide excellent protection, but if it fails, the organization does not have any visibility into what is happening on the endpoint, and security teams cannot immediately access the endpoint to address a breach.
An EDR system starts operating where antivirus fails—as soon as a threat manages to penetrate and infect the endpoint, an EDR system will:
Alert that the endpoint has been compromised
Perform immediate automated action like isolating the endpoint
Provide forensic information to help security teams investigate the incident
Provide tools to help security staff remotely control groups of endpoints to contain and mitigate the threat
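The four responsibilities listed above, plus the origin-and-spread analysis mentioned at the top of the page, can be shown on a small stream of endpoint telemetry. The following is an added example written for this page; it is not the article's or any EDR vendor's code. The events, host names and the indicator value `h-suspect` are all constructed, not real indicators of compromise.

```python
"""EDR-style correlation over constructed telemetry (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int            # monotonically increasing timestamp (constructed)
    host: str
    kind: str          # "process" (start) or "netconn" (outbound connection)
    pid: int
    ppid: int
    image: str
    image_hash: str
    remote_host: str = ""   # only meaningful for "netconn"


# Constructed telemetry: a document viewer launched from a mail client starts an
# unknown binary on ws-01, which then reaches ws-02 and srv-01. ws-03 is untouched.
TELEMETRY: List[Event] = [
    Event(1, "ws-01", "process", 100, 1, "explorer", "h-explorer"),
    Event(2, "ws-01", "process", 200, 100, "mail-client", "h-mail"),
    Event(3, "ws-01", "process", 300, 200, "document-viewer", "h-viewer"),
    Event(4, "ws-01", "process", 400, 300, "unknown.bin", "h-suspect"),
    Event(5, "ws-01", "netconn", 400, 300, "unknown.bin", "h-suspect", "ws-02"),
    Event(6, "ws-02", "process", 500, 1, "unknown.bin", "h-suspect"),
    Event(7, "ws-02", "netconn", 500, 1, "unknown.bin", "h-suspect", "srv-01"),
    Event(8, "srv-01", "process", 600, 1, "unknown.bin", "h-suspect"),
    Event(9, "ws-03", "process", 700, 1, "editor", "h-editor"),
]


def process_lineage(telemetry: List[Event], host: str, pid: int) -> List[str]:
    """Walk parent links back to the root to show where the activity originated."""
    procs = {(e.host, e.pid): e for e in telemetry if e.kind == "process"}
    chain = []
    cur = procs.get((host, pid))
    while cur is not None:
        chain.append(cur.image)
        cur = procs.get((host, cur.ppid))
    return list(reversed(chain))


def trace_spread(telemetry: List[Event], indicator_hash: str) -> List[Tuple[str, str]]:
    """Infer host-to-host spread: a flagged process connects to a host on which
    the same indicator appears for the first time only afterwards."""
    ordered = sorted(telemetry, key=lambda e: e.ts)
    first_seen: Dict[str, int] = {}
    for e in ordered:
        if e.kind == "process" and e.image_hash == indicator_hash:
            first_seen.setdefault(e.host, e.ts)
    edges = []
    for e in ordered:
        if e.kind == "netconn" and e.image_hash == indicator_hash:
            dst_first = first_seen.get(e.remote_host)
            if dst_first is not None and dst_first > e.ts:
                edges.append((e.host, e.remote_host))
    return edges


def respond(telemetry: List[Event], indicator_hash: str) -> Dict[str, object]:
    """Produce the alert, the automated isolation decision and a forensic bundle."""
    ordered = sorted(telemetry, key=lambda e: e.ts)
    flagged = [e for e in ordered if e.image_hash == indicator_hash]
    if not flagged:
        return {"alert": None, "isolated": [], "origin": [], "spread": [], "timeline": []}
    first = flagged[0]
    affected = sorted({e.host for e in flagged})
    return {
        "alert": f"indicator {indicator_hash} first seen on {first.host} (pid {first.pid})",
        "isolated": affected,          # hosts the EDR would cut off from the network
        "origin": process_lineage(telemetry, first.host, first.pid),
        "spread": trace_spread(telemetry, indicator_hash),
        "timeline": [(e.ts, e.host, e.kind, e.image) for e in flagged],
    }


if __name__ == "__main__":
    for key, value in respond(TELEMETRY, "h-suspect").items():
        print(f"{key}: {value}")
```

Two design points matter in practice. Isolation is keyed on hosts where the indicator was actually observed, so an unaffected workstation stays online; over-broad automated containment is how response tooling turns an incident into an outage. And the spread inference is deliberately conservative (connection first, indicator on the destination strictly later), so it can miss a hop but will not invent one.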
Does EDR Include Antivirus?
Yes, EDR solutions may include antivirus. In other cases, EDR is sold as a component of an Endpoint Protection Platform (EPP); the EPP solution typically provides antivirus protection and other security measures.
What is the Relation Between Endpoint Protection Platforms (EPP) and Antivirus?
An EPP is designed to prevent attacks from conventional threats such as malware, zero-day vulnerabilities and memory-based attacks. A core component of an EPP solution is antivirus. Most EPPs provide advanced NGAV to ensure they can block known and unknown malware on the endpoint.
What Additional Protection Does EPP Provide Beyond Antivirus?
Blacklisting and whitelisting applications
Hardening devices by closing unused ports and applying secure configurations
Filtering traffic to and from the endpoint using a firewall
Providing a sandbox to test suspicious executables in a safe environment
Encrypting data to make it useless to an attacker
Performing website and email filtering to protect the user from malicious content
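The first control in that list, blacklisting versus whitelisting (blocklisting versus allowlisting) of applications, is worth seeing side by side because the two modes make opposite default decisions. The following is an added example written for this page, not code from the article or any EPP product. The policy entries, executables and the "publisher" field (standing in for the code-signing identity an agent would verify) are all constructed.

```python
"""Application blocklisting vs allowlisting decisions (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Executable:
    path: str
    sha256: str
    publisher: str     # signing identity the agent would verify (constructed)


def digest(label: str) -> str:
    """Stand-in for hashing a real binary; the label replaces the file bytes."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed policy. A block entry wins over everything; allow rules are only
# consulted in allowlisting mode, where anything unmatched is denied by default.
BLOCK_HASHES: Set[str] = {digest("known-unwanted-tool")}
ALLOW_HASHES: Set[str] = {digest("approved-legacy-tool")}
TRUSTED_PUBLISHERS: Set[str] = {"Example Corp IT"}
TRUSTED_PATHS: Tuple[str, ...] = ("/usr/bin/", "/opt/corp-apps/")


def blocklist_decision(exe: Executable) -> str:
    """Blocklisting: deny only what is known bad, allow everything else."""
    return "block" if exe.sha256 in BLOCK_HASHES else "allow"


def allowlist_decision(exe: Executable) -> str:
    """Allowlisting: deny by default; allow by exact hash, or by a trusted
    publisher combined with a protected install path. Path alone is not enough:
    a user-writable directory would let any file pose as a trusted application."""
    if exe.sha256 in BLOCK_HASHES:
        return "block"
    if exe.sha256 in ALLOW_HASHES:
        return "allow"
    if exe.publisher in TRUSTED_PUBLISHERS and exe.path.startswith(TRUSTED_PATHS):
        return "allow"
    return "block"


# Constructed executables covering each branch of the policy.
SAMPLES: Dict[str, Executable] = {
    "corp_app": Executable("/opt/corp-apps/inventory", digest("inventory-1.2"), "Example Corp IT"),
    "legacy_tool": Executable("/home/user/tools/legacy", digest("approved-legacy-tool"), "unsigned"),
    "unknown_download": Executable("/home/user/Downloads/setup", digest("never-seen-before"), "unsigned"),
    "known_bad": Executable("/tmp/helper", digest("known-unwanted-tool"), "Example Corp IT"),
    "spoofed_path": Executable("/opt/corp-apps/update", digest("unsigned-copy"), "unsigned"),
}


def compare_modes() -> Dict[str, Tuple[str, str]]:
    """Decision for every sample as (blocklist, allowlist)."""
    return {name: (blocklist_decision(e), allowlist_decision(e)) for name, e in SAMPLES.items()}


if __name__ == "__main__":
    for name, (bl, al) in compare_modes().items():
        print(f"{name:18s} blocklist={bl:5s} allowlist={al}")
```

The sample worth noticing is `unknown_download`: a never-before-seen binary is allowed under blocklisting and blocked under allowlisting, which is exactly the gap the article describes between signature-based protection and unknown threats. The trade-off is operational: allowlisting needs a maintained inventory of approved hashes and publishers, or users cannot run legitimate new software.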
What is the Difference Between EPP and EDR?
Endpoint Protection Platforms (EPP) deal with traditional antimalware detection and other controls that can prevent attacks on endpoints. Endpoint Detection and Response (EDR) is an active security solution that can help detect and investigate security incidents, and restore endpoints to their pre-infection state.
Cynet 360 is an autonomous breach protection platform that works on three levels, providing XDR, Response Automation, and 24/7 MDR in one unified solution. Cynet natively integrates these three services into an end-to-end, fully automated breach protection platform.
Cynet 360 is a holistic security solution that protects against threats to endpoints and across your network. Cynet provides tools you can use to centrally manage endpoint security across the enterprise.
Cynet 360 provides cutting edge XDR capabilities:
Advanced endpoint threat detection—full visibility into endpoints and prediction of how an attacker might operate, based on continuous monitoring of endpoints and behavioral analysis.
Investigation and validation—search and review historic or current incident data on endpoints, investigate threats, and validate alerts. This allows you to confirm the threat before responding to it, reducing dwell time and speeding remediation.
Rapid deployment and response—deploy across thousands of endpoints within two hours. You can then use it to perform automatic or manual remediation of threats on the endpoints, disrupt malicious activity and minimize damage caused by attacks.
In addition, Cynet 360 provides the following endpoint protection capabilities:
NGAV—providing automated prevention and termination of malware, exploits, macros, LOLBins, and malicious scripts with machine learning-based analysis.