The Differences Between Endpoint Protection (EPP) and Endpoint Detection & Response (EDR)
Endpoint Detection & Response products are capturing a lot of mindshare in cybersecurity. But how do they differ from the more standard Endpoint Protection products? We’ll look at key features of each type of solution below.
1 Executive Summary
Endpoint Protection (EPP) products are still sometimes called Anti-Virus (AV) or NextGen Anti-Virus (NGAV). EPP by definition looks for malware and attempts to prevent it from compromising computing assets (mobile devices as well as laptops and desktops). EPP solutions often roll in other important security features such as application whitelisting, URL filtering, and device-level firewalls. Given the prevalence of malware, just about every device, whether for corporate or personal use, needs EPP today.
The names of these security tools can be confusing because both EPP and EDR are in the business of “detecting” malware. EPP aims to detect malware before or during execution, in order to prevent compromise and/or damage.
Endpoint Detection & Response (EDR) solutions look for evidence and effects of malware that may have slipped past EPP products. EDR solutions log activities centrally, allow administrators to examine endpoints remotely, and generate reports often complete with attribution theories and confidence levels.
Both types of software generally require agents to be installed on end-user devices. Both can also be managed via enterprise consoles and can interoperate with other security solutions such as a SIEM. Many organizations use both EPP and EDR products, often from the same vendor. In these cases, EPP and EDR functionality is usually bundled in the same package and enabled by licensing. Some organizations choose to outsource EDR, in which case it is referred to as Managed Detection & Response (MDR).