If you were the mayor of a major city, what would you value more? Police cars that can identify issues in traffic and prevent accidents, or ambulances that can race to the scene of an accident, respond to a crisis and save lives?
Endpoint Protection Platforms (EPP) help prevent security threats, including known and unknown malware, on your endpoint devices. Endpoint Detection and Response (EDR) solutions help you detect and respond to incidents that managed to bypass your EPP or other security measures. Which is more important? Can you do without one or the other?
Many modern EPP platforms combine the two approaches, offering both threat prevention and EDR. Still, you can choose which components to deploy on which endpoints and there may be separate pricing for different parts of the EPP package. So the question of prevention vs. response is still a relevant one.
Endpoint Protection Platforms are designed to prevent attacks from traditional threats such as known malware and advanced threats such as ransomware, zero-day vulnerabilities and fileless attacks.
As mentioned, many EPP platforms include EDR, but in this discussion we focus on “pure” EPP security capabilities excluding EDR.
An EPP detects malicious activity using several methods:
EPPs commonly offer the following tools, which provide passive protection for an endpoint:
Endpoint Detection and Response (EDR) was defined by Gartner in 2013 as a new type of security technology. It helps detect attacks on endpoint devices and provides fast access to information about the attack. This is difficult to achieve without EDR technology because security staff typically have low visibility into, and little to no control over, remote endpoints.
Beyond providing access to information, a key role of EDR software is to help security staff respond to attacks by quarantining an endpoint, blocking processes or running automatic incident response playbooks.
EDR solutions have three main components:
Most EDR solutions also provide:
There are a few key differences between “pure” EPP and EDR, although these differences are blurring as many vendors merge EPP and EDR into one system.
|EPP|EDR|
|---|---|
|First-line defense mechanism that prevents threats|Assumes a breach has already occurred and helps investigate and contain it|
|Does not require active supervision|Used actively by security staff to respond to incidents|
|Passive threat prevention|Active threat detection|
|Does not provide visibility into activity on the endpoint|Helps security teams aggregate event data from endpoints across the enterprise|
|Able to prevent known threats and some unknown threats|Enables immediate response to threats that EPP could not detect|
|Focused on protecting each endpoint in isolation|Provides data and context for attacks spanning multiple endpoints|
Analysts advise using a combination of “pure” EPP and EDR to protect endpoints. EPP is a first line of defense that can prevent threats before they hit the endpoint, while EDR is based on the “assumption of breach”, the understanding that you can never assume complete protection, and must have the means to effectively respond to a successful attack.
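As an added illustration of the layered model described above (this is example code written for this article, not Cynet's product or any vendor's implementation), the toy pipeline below runs each process event through a passive, per-endpoint EPP check first, and only what EPP cannot stop reaches an EDR layer that correlates telemetry across hosts and runs a simulated response playbook. All hashes, hostnames and events are constructed placeholders.

```python
from collections import defaultdict

# Constructed placeholder hashes for the example; not real indicators.
KNOWN_BAD_HASHES = {"bad0001", "bad0002"}

def epp_prevent(event):
    """EPP layer: passive, per-endpoint check against known-bad hashes.
    Returns True when the process would be blocked before it runs."""
    return event["sha256"] in KNOWN_BAD_HASHES

class Edr:
    """EDR layer: aggregates process telemetry across endpoints, flags an
    unknown binary that appears on several hosts, then runs a playbook."""
    def __init__(self, host_threshold=3):
        self.host_threshold = host_threshold
        self.hosts_by_hash = defaultdict(set)   # hash -> hosts that ran it
        self.flagged = set()                    # hashes already acted on
        self.actions = []                       # playbook audit trail

    def ingest(self, event):
        hosts = self.hosts_by_hash[event["sha256"]]
        hosts.add(event["host"])
        if len(hosts) >= self.host_threshold and event["sha256"] not in self.flagged:
            self.flagged.add(event["sha256"])
            self.respond(event["sha256"], hosts)

    def respond(self, sha256, hosts):
        # Simulated playbook: quarantine every affected endpoint, block the hash.
        for host in sorted(hosts):
            self.actions.append(("quarantine", host))
        self.actions.append(("block_hash", sha256))

def run_pipeline(events, edr):
    """Route events through EPP first; only what EPP misses reaches EDR."""
    blocked = []
    for ev in events:
        if epp_prevent(ev):
            blocked.append(ev["sha256"])
            continue
        edr.ingest(ev)
    return blocked

# Constructed sample telemetry: (host, process hash).
EVENTS = [{"host": h, "sha256": s} for h, s in [
    ("ws-01", "bad0001"),   # known malware: EPP stops it, EDR never sees it
    ("ws-01", "unk0001"),   # unknown binary, first sighting
    ("ws-02", "unk0001"),
    ("ws-07", "unk0001"),   # third host: cross-endpoint correlation triggers
    ("ws-03", "unk0002"),   # seen on one host only, no response
]]

if __name__ == "__main__":
    edr = Edr()
    print("EPP blocked:", run_pipeline(EVENTS, edr))
    print("EDR actions:", edr.actions)
```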
But if you were forced to choose between them, which should you choose?
It’s a dilemma. As the mayor of a city, you wouldn’t want to choose between police cars and ambulances. The absence of either would put citizens at risk and inevitably result in lives lost. Similarly, when building your suite of security solutions, you need to ensure you have a mix of prevention and detection to keep users and enterprise systems safe.
Cynet 360 is a comprehensive security solution that protects against threats to endpoint security and across your network. Cynet’s intelligent technologies can help you detect attacks by correlating information from endpoints, network analytics and behavioral analytics with almost no false positives.
Cynet’s platform includes:
Learn more about the Cynet 360 security platform.