Endpoint Protection vs EDR: What’s the Difference?

Cybersecurity is rife with acronyms and confusing, overlapping terminology. It can be hard to pinpoint exactly what you need to keep your users’ endpoints safe.

AV, NGAV, EPP, EDR - What Does It All Mean?

What does it all do? Here, we’ll break it down and explain some fundamental differences and similarities.

Firstly, let’s spell out the acronyms:

The Progression of Endpoint Security

Endpoint Protection Platform (EPP)

An endpoint is any device on a network that is usually (but not always) internet-facing. A smartphone, laptop, tablet, or desktop computer all fall under this umbrella.

An Endpoint Protection Platform (EPP) describes any security program that aims to protect these devices from cyber threats, typically by scanning for different types of malware.

Antivirus into ‘NextGen’ AV

Initially, security protection started with good ol’ Antivirus, which then progressed to “Next-Generation Antivirus”.

As security technology improved, the umbrella's size grew as technology companies adopted a more holistic approach to endpoint security; hence, the term “Endpoint Protection” (EPP) was born.

“NextGen” Endpoint Protection (NGEP)

What comes next? You guessed it: “NextGen” Endpoint Protection (NGEP)!

Confusingly, IT professionals still talk about AV as if it’s entirely separate from EPP.

Antivirus is the original endpoint protection. But there’s a good reason to differentiate NGAV and EPP (or NGEP) from “legacy” AV:

Traditional AV can no longer cope with today's cyber threats.

NGAV or NGEP (these terms are pretty much interchangeable) has therefore been developed as a step up from the original “legacy” AV to protect against the advanced malware threats we see.

Phew, that is a confusing number of acronyms!

Types of malware

Why Do We Need a New Generation of AV?

Traditional AV programs rely on an up-to-date list (database) of virus definitions to recognise “known” threats in malicious files. So firstly, a suspect file needs to be “known”. It also presumes that all threats will be file-based.

Unfortunately, neither of these things can be relied upon any longer.

Millions of new pieces of malware are created every week – too many to keep track of – and increasingly, attacks are fileless, making traditional AV largely redundant.

Signature-Based vs Behaviour-Based Detection

Instead of relying on signature-based detection, the leading Next-Generation Endpoint Protection Platforms use behaviour-based monitoring to look for suspicious behaviour, whether in a file or via an advanced “fileless” attack.

If anything behaves like malware, NGEP responds accordingly and isolates the device.

It’s a much more effective means of protection because it doesn’t count on the specific malware code having ever been seen before – it can be an entirely new type of attack. Still, the NGEP will recognise that this code carries out unwanted/illegitimate actions that must be prevented.
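The contrast described above, as an added example that is not part of the original post and not any vendor's engine: a "legacy" check that only matches a file's hash against a definition list, beside a behaviour scorer that rates what the code does. The hashes, rule names, weights, threshold and samples are all constructed for illustration.

```python
import hashlib

# Constructed "definition database": SHA-256 of files a legacy AV has already seen.
KNOWN_BAD_HASHES = {hashlib.sha256(b"dropper-build-1").hexdigest()}

# Constructed behaviour rules: actions an NGEP monitor scores, with weights.
# Names and weights are illustrative, not any vendor's rule set.
SUSPICIOUS_WEIGHTS = {
    "disable_security_tool": 5, "encrypt_user_files": 5, "inject_into_process": 4,
    "persist_run_key": 3, "encoded_script_launch": 3,
    "write_program_files": 1, "create_shortcut": 1,
}
BLOCK_THRESHOLD = 6  # score at which the device is isolated

# Constructed samples: the bytes on disk (None = fileless) and the actions observed.
SAMPLES = {
    "known_dropper":    {"file": b"dropper-build-1", "events": ["persist_run_key", "inject_into_process"]},
    "repacked_dropper": {"file": b"dropper-build-2", "events": ["persist_run_key", "inject_into_process"]},
    "fileless_script":  {"file": None, "events": ["encoded_script_launch", "disable_security_tool"]},
    "benign_installer": {"file": b"vendor-setup", "events": ["write_program_files", "create_shortcut", "persist_run_key"]},
}

def signature_verdict(sample):
    """Legacy AV: a file is malicious only if its hash is already in the definition list."""
    blob = sample["file"]
    if blob is None:  # nothing on disk to scan, so fileless activity is invisible
        return "clean"
    return "malicious" if hashlib.sha256(blob).hexdigest() in KNOWN_BAD_HASHES else "clean"

def behaviour_verdict(sample):
    """NGEP: score what the code does, regardless of whether it has been seen before."""
    score = sum(SUSPICIOUS_WEIGHTS.get(action, 0) for action in sample["events"])
    return "malicious" if score >= BLOCK_THRESHOLD else "clean"

def compare_engines():
    """Return {sample: (signature verdict, behaviour verdict, isolate device?)}."""
    out = {}
    for name, sample in SAMPLES.items():
        sig, beh = signature_verdict(sample), behaviour_verdict(sample)
        out[name] = (sig, beh, beh == "malicious")
    return out

if __name__ == "__main__":
    for name, verdicts in compare_engines().items():
        print(f"{name:18} signature={verdicts[0]:9} behaviour={verdicts[1]:9} isolate={verdicts[2]}")
```

The repacked and fileless samples are exactly the cases the paragraph describes: the hash lookup has nothing to match, while the behaviour score crosses the isolation threshold; the installer's low-weight actions stay under it.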

OK, So What is EDR?

EDR, or Endpoint Detection & Response, is a different technology based on the premise that an infection will eventually occur.

Gartner defines EDR solutions as having four primary capabilities:

  1. Detect security incidents.
  2. Contain the incident at the endpoint, such that network traffic or process execution can be remotely controlled.
  3. Investigate security incidents.
  4. Remediate endpoints to a pre-infection state.

Endpoint Detection & Remediation

Firstly, remember that the “endpoint” is a primary attack vector, i.e. a common cyber security attack method.

If and when an endpoint gets infected, you need to be able to find it and respond to it, to minimise and even reverse the damage caused.

Endpoint Detection & Response (EDR) programs look for Indicators of Compromise (or IoCs – another acronym for you!) that reveal an attack has taken place.

Detect, Respond, Recover

EDR will limit the scope of the infection, then use remediation technologies to remove and/or fix files in the infected system.

Crucially, EDR technologies gather a great deal of data around incidents to learn more about attack behaviour. That data strengthens the EDR offering and pays off in the wider cyber security field.
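The four EDR capabilities listed above (detect via IoCs, contain, investigate, remediate to a pre-infection state) as a toy pipeline over a constructed telemetry stream. This is an added example, not any product's code; the IoC values, hostnames, paths, hashes and events are all made up, and "containment" is simulated by recording the host in a set.

```python
# Constructed indicators of compromise, keyed by the telemetry field they match.
IOCS = {
    "file_hash": {"0f1e2d3c4b5a"},   # hash of a known implant (constructed value)
    "dns": {"beacon.c2.invalid"},    # command-and-control domain (constructed, .invalid TLD)
}
# Constructed pre-infection inventory per host: path -> content hash.
SNAPSHOT = {"ws-01": {"C:/Users/ann/report.docx": "aaa1", "C:/Windows/notepad.exe": "bbb2"}}
# Constructed inventory of the same host after the incident.
CURRENT = {"ws-01": {"C:/Users/ann/report.docx": "enc9", "C:/Windows/notepad.exe": "bbb2",
                     "C:/Users/ann/update.exe": "0f1e2d3c4b5a"}}
# Constructed telemetry: (timestamp, host, kind, value).
EVENTS = [
    (100, "ws-01", "process", "outlook.exe"),
    (101, "ws-01", "file_write", "C:/Users/ann/update.exe"),
    (102, "ws-01", "file_hash", "0f1e2d3c4b5a"),
    (103, "ws-01", "dns", "beacon.c2.invalid"),
    (104, "ws-01", "file_write", "C:/Users/ann/report.docx"),
    (150, "ws-02", "dns", "intranet.corp.invalid"),
]

def detect(events):
    """Capability 1: first event whose value is an IoC of its kind, or None."""
    return next((e for e in events if e[3] in IOCS.get(e[2], ())), None)

def contain(host, isolated):
    """Capability 2: take the host off the network (simulated by a set of isolated hosts)."""
    isolated.add(host)
    return host in isolated

def investigate(events, hit, window=5):
    """Capability 3: the host's timeline within `window` seconds of the first hit."""
    ts, host = hit[0], hit[1]
    return [e for e in events if e[1] == host and abs(e[0] - ts) <= window]

def remediate(host):
    """Capability 4: diff current files against the pre-infection snapshot."""
    before, now = SNAPSHOT[host], CURRENT[host]
    actions = []
    for path, digest in now.items():
        if path not in before:
            actions.append(("delete", path))        # dropped during the incident
        elif before[path] != digest:
            actions.append(("restore", path))       # modified, roll back to snapshot
    return actions

def run_edr(events):
    """Detect -> contain -> investigate -> remediate; returns the case record or None."""
    hit = detect(events)
    if hit is None:
        return None
    isolated = set()
    return {"host": hit[1], "isolated": contain(hit[1], isolated),
            "timeline": investigate(events, hit), "remediation": remediate(hit[1])}
```

The case record is the "data gathered around the incident" the paragraph refers to: the timeline shows the mail client, the dropped file and the beacon in sequence, and the remediation list is what returning the host to its pre-infection state would require.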

The EPP & EDR Crossover

To Summarise:

EPP aims to prevent attacks. And EDR performs damage control/reversal when something slips through the net.

These are two separate functions, but that’s not to say there isn’t some crossover.

Some true NGEP solutions will offer some EDR-like functionality, a sort of “EDR-lite”, if you like. There are also dedicated EDR programs, but of course, this is an additional cost on top of your “antivirus”.

Combining EPP & EDR

When choosing an NGEP program, look for one that can detect and respond to threats, so you have built-in remediation in case of an attack.

In all likelihood, technologies will continue to evolve and merge, and in another few years, we’ll have yet another acronym to decode!

An important takeaway is that traditional AV is no longer an effective means of protection.

Whether you call it Endpoint Protection, “next generation” EPP or whatever, to get more effective malware prevention you first need to move away from signature-based detection (antivirus) and start using behaviour-based monitoring. Ideally, you should also add the ability to detect and respond to attacks with EDR. Simple!



About SentinelOne

Autonomous Endpoint Protection

SentinelOne’s Endpoint Protection Platform (EPP) provides organisations with real-time, unified endpoint protection, unifying prevention, detection, and response on one platform.

SentinelOne EPP leverages advanced machine learning and intelligent automation to prevent and detect attacks across all major vectors, with rapid elimination of threats, fully automated policy-driven response, and complete visibility into the endpoint with real-time forensics.

Certified AV Replacement

The independent antivirus research institute (AV-TEST) has awarded SentinelOne EPP the Approved Corporate Endpoint Protection certification for both Windows and OS X, which validates its effectiveness for detecting both advanced malware and blocking known threats - the only next-generation endpoint protection vendor to obtain this certification on both platforms.