EPP vs. EDR: What Matters More, Prevention or Response?
If you were the mayor of a major city, what would you value more? Police cars that can identify issues in traffic and prevent accidents, or ambulances that can race to the scene of an accident, respond to a crisis and save lives?
Endpoint Protection Platforms (EPP) help prevent security threats, including known and unknown malware, on your endpoint devices. Endpoint Detection and Response (EDR) solutions help you detect and respond to incidents that managed to bypass your EPP or other security measures. Which is more important? Can you do without one or the other?
Many modern EPP platforms combine the two approaches, offering both threat prevention and EDR. Still, you can choose which components to deploy on which endpoints and there may be separate pricing for different parts of the EPP package. So the question of prevention vs. response is still a relevant one.
In this article:
What is EPP
What is EDR
What’s the difference
Which matters more
How can Cynet360 help
Want to dive deep into EDR? Here are some resources
What is EPP
Endpoint Protection Platforms are designed to prevent attacks from traditional threats such as known malware and advanced threats such as ransomware, zero-day vulnerabilities and fileless attacks.
As mentioned, many EPP platforms include EDR, but in this discussion we focus on “pure” EPP security capabilities excluding EDR.
An EPP detects malicious activity using several methods:
Signature matching – identifying threats by matching files against known malware signatures.
ML static analysis – analyzing binaries prior to execution using machine learning algorithms and searching for malicious attributes.
Sandboxing – executing files in a virtual environment to inspect for malicious behavior before allowing them to run.
Blacklisting and whitelisting – blocking access or only permitting access to specific applications, IP addresses, URLs or ports.
Behavioral analysis – modern EPP can establish a behavioral baseline of endpoint behavior and identify processes or users that are behaving abnormally, even though there is no known threat signature.
EPPs commonly provide the following tools, which provide passive protection for an endpoint:
Antivirus and Next-Generation Antivirus (NGAV)
Personal firewall protecting the endpoint
Data encryption, possibly with some data loss prevention capabilities
What is EDR
Endpoint Detection and Response (EDR) was defined by Gartner in 2013 as a new type of security technology. It helps detect attacks on endpoint devices and provides fast access to information about the attack. This is difficult to achieve without EDR technology because security staff typically have low visibility and little to no control over remote endpoints.
Beyond providing access to information, a key role of EDR software is to help security staff respond to attacks by quarantining an endpoint, blocking processes or running automatic incident response playbooks.
EDR solutions have three main components:
Data collection—software agents on endpoint devices collect data about process execution, communication and logins.
Detection engine—establishes what typical endpoint activity looks like, discovers deviations from it and reports those anomalies that may represent a security incident on the endpoint.
Data analysis engine—aggregates data from endpoints and provides real-time analytics about security incidents from across the enterprise.
Most EDR solutions also provide:
Threat intelligence—identifying Indicators of Compromise (IoCs) on the endpoint and identifying the likely threat actor and the attack technique they are using.
Alerts and forensics—notifying security staff in real time about security incidents and giving them easy access to context that will help fully investigate the incident.
Trace back—helps security staff identify which other endpoints or network devices may be affected by the same attack and where the attacker originally penetrated the network.
Automated response—performing actions on the endpoint device such as blocking network access, blocking a process or other actions that can contain and mitigate the attack.
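The EPP detection methods listed earlier (signature matching, allowlisting) and the three EDR components above (data collection, detection engine, data analysis engine) can be illustrated end to end with a small simulation. This is an added example, not Cynet's or any vendor's code; every hash, host name, user and process event in it is constructed sample data, and the function names are assumptions made for the illustration.

```python
"""Toy endpoint pipeline illustrating the EPP and EDR roles described above.
Added example, not Cynet's or any vendor's code. Every hash, host name and
event below is constructed sample data."""
import hashlib
from collections import Counter, defaultdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# ---- EPP: passive, per-endpoint, runs before a file executes ----------------
# Constructed "signature database": digests of file contents known to be bad.
KNOWN_BAD = {sha256(b"constructed malicious sample A")}
# Constructed allowlist of executables permitted on this endpoint.
ALLOWLIST = {"explorer.exe", "winword.exe", "outlook.exe", "cmd.exe",
             "powershell.exe", "services.exe", "svchost.exe"}


def epp_verdict(name: str, content: bytes, allow_only: bool = True):
    """Pre-execution decision: (allowed, reason).
    Signature matching catches known malware; allowlisting blocks
    anything not explicitly permitted, known or unknown."""
    if sha256(content) in KNOWN_BAD:
        return False, "signature match"
    if allow_only and name.lower() not in ALLOWLIST:
        return False, "not on allowlist"
    return True, "clean"


# ---- EDR: data collection -> detection engine -> data analysis engine -------
# Data collection: each agent reports process-creation events (constructed).
def event(host, user, parent, child, content):
    return {"host": host, "user": user, "parent": parent,
            "child": child, "child_hash": sha256(content)}


# Constructed baseline week of normal activity across the fleet.
BASELINE = [
    event("ws-01", "alice", "explorer.exe", "winword.exe", b"word"),
    event("ws-01", "alice", "explorer.exe", "outlook.exe", b"outlook"),
    event("ws-03", "bob", "explorer.exe", "cmd.exe", b"cmd"),
    event("ws-07", "carol", "services.exe", "svchost.exe", b"svchost"),
]

SUSPECT_HASH = sha256(b"constructed dropped script host")

# Constructed events from today: two hosts show a parent/child pair the
# baseline never contained, and both involve the same artifact. Note that
# powershell.exe is allowlisted, so the EPP layer alone would let it run.
TODAY = [
    event("ws-01", "alice", "explorer.exe", "winword.exe", b"word"),
    event("ws-01", "alice", "winword.exe", "powershell.exe",
          b"constructed dropped script host"),
    event("ws-03", "bob", "explorer.exe", "cmd.exe", b"cmd"),
    event("ws-07", "carol", "winword.exe", "powershell.exe",
          b"constructed dropped script host"),
]


def detect_anomalies(baseline, events):
    """Detection engine: flag parent->child pairs absent from the baseline.
    No signature is needed; the deviation from normal is the signal."""
    normal = Counter((e["parent"], e["child"]) for e in baseline)
    return [e for e in events if (e["parent"], e["child"]) not in normal]


def trace_back(alerts):
    """Data analysis engine / trace back: pivot on the artifact hash (an IoC)
    to find every endpoint that saw the same thing."""
    hosts_by_ioc = defaultdict(set)
    for a in alerts:
        hosts_by_ioc[a["child_hash"]].add(a["host"])
    return dict(hosts_by_ioc)


def respond(alerts):
    """Automated response: return the endpoints a playbook would isolate.
    A real agent would block network access here; this just returns the set."""
    return {a["host"] for a in alerts}


if __name__ == "__main__":
    print("EPP verdict:", epp_verdict("update.exe", b"constructed malicious sample A"))
    alerts = detect_anomalies(BASELINE, TODAY)
    for a in alerts:
        print("ALERT", a["host"], a["user"], a["parent"], "->", a["child"])
    print("trace back:", trace_back(alerts))
    print("isolate:", respond(alerts))
```

The split mirrors the article's distinction: `epp_verdict` decides per file, per endpoint, with no memory of other hosts, while the EDR functions only become useful once events from several agents are collected, compared against a baseline and pivoted on a shared indicator.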
What’s the difference
There are a few key differences between “pure” EPP and EDR, although these differences are blurring as many vendors merge EPP and EDR into one system.
EPP: First-line defense mechanism that prevents threats
EDR: Assumes a breach has already occurred and helps investigate and contain it
EPP: Does not require active supervision
EDR: Used actively by security staff to respond to incidents
EPP: Passive threat prevention
EDR: Active threat detection
EPP: Does not provide visibility into activity on the endpoint
EDR: Helps security teams aggregate event data from endpoints across the enterprise
EPP: Able to prevent known threats and some unknown threats
EDR: Enables immediate response to threats that EPP could not detect
EPP: Focused on protecting each endpoint in isolation
EDR: Provides data and context for attacks spanning multiple endpoints
Which matters more
Analysts advise using a combination of “pure” EPP and EDR to protect endpoints. EPP is a first line of defense that can prevent threats before they hit the endpoint, while EDR is based on the “assumption of breach”, the understanding that you can never assume complete protection, and must have the means to effectively respond to a successful attack.
But if you were forced to choose between them, which should you choose?
EPP is critical because it can protect against “commodity” threats and also many advanced threats. Like a sophisticated lock on your door, it doesn’t prevent a burglary but makes it much more difficult for attackers to penetrate your perimeter. In many cases attackers will prefer other, easier targets and avoid the major effort involved in overcoming EPP defenses.
EDR is critical because it provides the visibility and operational tools that allow security teams to react to an attack. Many attacks, especially Advanced Persistent Threats (APTs), focus on endpoints as a weak link of the security perimeter. EDR can dramatically reduce the time needed to detect successful attacks on endpoints, contain them and identify the full kill chain that led the attacker to a specific device.
It’s a dilemma. As a mayor of a city, you wouldn’t want to choose between police cars and ambulances. The absence of each would put citizens at risk and inevitably result in lives lost. Similarly, when building your suite of security solutions, you need to ensure you have a mix of prevention and detection to keep users and enterprise systems safe.
How can Cynet360 help
Cynet 360 is a comprehensive security solution that protects against threats to endpoint security and across your network. Cynet’s intelligent technologies can help you detect attacks by correlating information from endpoints, network analytics and behavioral analytics with almost no false positives.
Cynet’s platform includes:
NGAV—providing automated prevention and termination of malware, exploits, Macros, LOLBins, and malicious scripts with machine learning based analysis.
User Behavior Analytics (UBA)—detecting and preventing attacks using compromised credentials through the use of behavioral baselines and signatures.
Deception technology—planting fake credentials, files and connections to lure and trap attackers, mitigating damage and providing the opportunity to learn from attacker activity.
Network analytics—preventing and detecting network-based attacks through assessment of credential use, lateral movement, and risky connections.
Monitoring and control—providing asset management, vulnerability assessments and application control with continuous monitoring and log collection.
Response orchestration—providing manual and automated remediation for files, users, hosts and networks customized with user-created scripts.