Endpoint Protection EPP vs EDR: What’s the difference?

October 5, 2019

Cyber security is rife with acronyms and confusing overlapping terminology. It makes it difficult to pinpoint exactly what you need to keep your user ‘endpoints’ safe.

AV, NGAV, EPP, EDR – what does it all mean?

What does it all do? Here, we’re going to break it down and explain some of the fundamental differences and similarities for you.

Firstly, let’s spell out the acronyms:


Endpoint Protection Platform (EPP)

An endpoint is any device on a network, usually (but not always) internet-facing. A smartphone, laptop, tablet, or desktop computer – all fall under this umbrella.

An Endpoint Protection Platform (EPP) therefore describes any security program that aims to protect these devices from cyber threats – typically by scanning for different types of malware.

Antivirus morphs into ‘Next Gen’ AV

Initially, security protection started with good ol’ Antivirus (AV), which then progressed to ‘Next-Generation’ Antivirus (NGAV).

As security technology improved, the size of the umbrella grew – as technology companies adopted a more holistic approach to endpoint security – and hence Endpoint Protection (EPP) terminology was born.

‘Next Gen’ Endpoint Protection (NGEP)

What comes next? You guessed it: ‘Next Gen’ Endpoint Protection (NGEP)!

Confusingly, IT professionals will still talk about AV as though it’s something entirely separate to EPP. That’s not the case.

Antivirus software is the original endpoint protection. But there’s good reason to differentiate NGAV and EPP (or NGEP) from ‘legacy’ AV:

Traditional AV can no longer cope with today’s cyber threats.

NGAV or NGEP (these terms are pretty much interchangeable) has therefore been developed as a step up from the original ‘legacy’ AV to provide protection from the advanced malware threats we see today.

Phew, that really is a confusing number of acronyms!

Types of malware

Why do we need a new generation of AV?

Traditional AV programs rely on an up-to-date list (database) of virus definitions from which they can recognise “known” threats in malicious files. So firstly, a suspect file needs to be “known” – and it also presumes that all threats will be file-based.

Unfortunately, neither of these things can be relied upon any longer.

There are literally millions of new pieces of malware created every week – too many to keep track of – and increasingly, attacks are fileless, making traditional AV largely redundant.

Signature-based vs Behaviour-based detection

Instead of relying on just signature-based detection, the leading Next Gen Endpoint Protection Platforms use behaviour-based monitoring to look for suspicious behaviour – whether in a file, or via an advanced “fileless” attack.

If anything behaves like malware, NGEP responds accordingly and isolates the device.

It’s a much more effective means of protection because it doesn’t count on the specific malware code having ever been seen before – it can be an entirely new type of attack and still NGEP will recognise that this code is carrying out unwanted/illegitimate actions that must be prevented.
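The difference between the two approaches, as an added example that is not part of the original article or of any vendor's product: a hash lookup against a definitions list is compared with a single behaviour rule over process-creation events. The event fields, the rule (a document application launching a script host) and all sample data are constructed assumptions.

```python
import hashlib

# Constructed "definitions database": SHA-256 of content already known to be bad.
KNOWN_BAD = {hashlib.sha256(b"constructed-known-sample").hexdigest()}

# Assumed behaviour rule: a document application starting a script host.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def signature_verdict(event):
    """Legacy AV: flag only when a file exists and its hash is in the list."""
    content = event.get("file_bytes")
    if content is None:  # fileless activity leaves nothing to hash
        return False
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD

def behaviour_verdict(event):
    """Behaviour monitoring: judge what the process does, not what it is."""
    return (event["parent"].lower() in OFFICE_APPS
            and event["image"].lower() in SCRIPT_HOSTS)

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"id": "known-file", "parent": "explorer.exe", "image": "invoice.exe",
     "file_bytes": b"constructed-known-sample"},
    # Same sample with one byte appended: the hash no longer matches.
    {"id": "modified-file", "parent": "winword.exe", "image": "wscript.exe",
     "file_bytes": b"constructed-known-sample\x00"},
    # No file written to disk at all.
    {"id": "fileless", "parent": "excel.exe", "image": "powershell.exe",
     "file_bytes": None},
    {"id": "benign", "parent": "explorer.exe", "image": "notepad.exe",
     "file_bytes": b"hello"},
]

def triage(events):
    """Return both verdicts per event so the coverage gap is visible."""
    return {e["id"]: {"signature": signature_verdict(e),
                      "behaviour": behaviour_verdict(e)} for e in events}

if __name__ == "__main__":
    for event_id, verdicts in triage(EVENTS).items():
        print(event_id, verdicts)
```

The signature check catches only the unmodified known file, while the behaviour rule catches the modified and fileless cases but not the known file launched normally, which is why platforms combine both.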

Ok, so what is EDR?

EDR, or Endpoint Detection & Response, is based on the premise that at some point an infection is going to occur. EDR is a different kind of technology.

Gartner defines EDR solutions as having four primary capabilities:

  1. Detect security incidents.
  2. Contain the incident at the endpoint, such that network traffic or process execution can be remotely controlled.
  3. Investigate security incidents.
  4. Remediate endpoints to a pre-infection state.

Endpoint detection & remediation

Firstly, remind yourself that ‘endpoints’ are a primary attack vector – one of the common methods of cyber attack.

If and when an endpoint gets infected, you need to be able to find it and respond to it, to minimise and even reverse the damage caused.

Endpoint Detection & Response (EDR) programs look for Indicators of Compromise (or IoCs – another acronym for you!) that reveal an attack has taken place.

Detect, respond, recover

EDR will limit the scope of the infection, then use remediation technologies to remove and/or fix files in the infected system.

Crucially, EDR technologies do a lot of data gathering around incidents to learn more about attack behaviour. That data obviously strengthens the EDR offering, but also pays off in the wider cyber security field.

The EPP and EDR crossover

To summarise:

EPP aims to prevent attacks. And EDR performs damage control/reversal when something slips through the net.

These are two separate functions, but that’s not to say there isn’t some crossover.

Some true NGEP solutions will offer some EDR-like functionality – EDR-lite, if you like. There are also dedicated EDR programs, but of course this is an additional cost, on top of your “antivirus” solution.

Combining EPP and EDR

When choosing a NGEP program, look for one that includes the ability to detect and respond to threats, so that you have built-in remediation in case of an attack.

In all likelihood, technologies will continue to evolve and merge – and in another few years we’ll have yet another acronym to decode!

An important takeaway is the fact that traditional AV is no longer an effective means of protection.

Whether you call it Endpoint Protection, ‘next generation’ EPP or whatever, to give you more effective malware prevention, you firstly need to move away from signature-based detection (antivirus) and start using behaviour-based monitoring – and ideally throw in some ability to detect and respond to attacks with EDR – simple!


About SentinelOne

› Autonomous Endpoint Protection

SentinelOne’s Endpoint Protection Platform (EPP) provides organisations real-time, unified endpoint protection, unifying prevention, detection and response – in one platform.

SentinelOne EPP leverages advanced machine learning and intelligent automation to prevent and detect attacks across all major vectors, with rapid elimination of threats, fully automated policy-driven response, and complete visibility into the endpoint with real-time forensics.

› Certified AV replacement

The independent anti-virus research institute (AV-TEST) has awarded SentinelOne EPP the Approved Corporate Endpoint Protection certification for both Windows and OS X, which validates its effectiveness for detecting both advanced malware and blocking known threats – the only next generation endpoint protection vendor to obtain this certification on both platforms.


About Comtact Ltd.

Comtact Ltd. is a specialist Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.