2020-01-19T12:17:00Z
FY
Sales Director at a tech services company with 5,001-10,000 employees
  • 20
  • 3251

What is the biggest difference between EPP and EDR products?

I work at a tech services company with 5,000 - 10,000+ employees. 

We are currently researching EPP and EDR solutions. What are the main differences between EPP and EDR? 

Thanks! I appreciate the help. 

24
PeerSpot user
24 Answers
TM
Senior Cybersecurity Consultant at CIA Botswana
Real User
Top 5Leaderboard
2020-01-20T14:15:56Z
Jan 20, 2020

EPP (Endpoint Protection Platform) covers traditional anti-malware scanning. EPP is typically designed to reactively detect and block threats at device level e.g. antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP) whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and investigating security incidents, and ability to remediate endpoints to pre-infection state e.g. EDR contains many security tools like firewall, whitelisting tools, monitoring tools, etc. to provide comprehensive protection against digital threats and allows for preparing an appropriate incident response. EDR is the endpoint which is responsible for proactive detection and response processes.

Search for a product comparison in EPP (Endpoint Protection for Business)
Navcharan Singh - PeerSpot reviewer
Senior Seo Executive at Ace Cloud Hosting
Consultant
Top 5
2023-01-24T09:34:39Z
Jan 24, 2023

EPP (Endpoint Protection Platforms) and EDR (Endpoint Detection & Response) products are both critical elements of enterprise security, with each type offering different value. The primary difference between the two is that EPP products focus on prevention while EDR focuses on the detection.


EPP solutions provide proactive defense against known threats such as anti-virus, firewall, application control, and patch management. They are designed to protect endpoints from the onslaught of malicious attacks which can affect an organization's connected devices or users directly. By detecting malicious code or suspicious activity through a combination of measures such as heuristics, sandboxing, and behavioral analysis in real-time, these tools help organizations mitigate potential risks resulting from known threats quickly while strengthening their overall cyber defense posture.


On the other hand,  Endpoint Detection and Response Solutions provide visibility into endpoint activities across the wider organizational environment – including cloud infrastructure – to rapidly identify potential threat actors before they can cause damage to an organization’s systems or data assets. Powered by machine learning algorithms as well as traditional approaches for anomaly detection like static signatures, behavior monitoring, and user access reviews; these tools help detect advanced persistent threats (APTs), insider threats, and zero-day attacks in order to prevent any unauthorized use of sensitive information by untrusted parties.



In short: EPP protects systems proactively from known threats while EDR detects malicious activities after initial infiltration in order to neutralize them quickly in real-time before significant damage occurs. Thus, forming a strong defense line for any modern business looking for full coverage against today's cyber threats' landscape.

OS
Digital Forensics Analyst at a security firm with 11-50 employees
Real User
2020-01-20T09:56:52Z
Jan 20, 2020

I think most of the comments cover all the key points.

EDR-End point Detection and Response.
Its main functions are: To monitor, record activity on endpoints, detect suspicious behaviour, security risks and respond to internal external threats.
Which further includes- Providing Authenticating log-ins, Monitoring network activities, and deploying updates.

Its Capabilities: 1. Continuous endpoint data collection.
2. Detection engine
3. Data recording.

It is considered as next layer of security

Its limitation:
No in depth visibility
IR team needs to deal with false alarm and have to handle restoring process.
Struggle to find the attackers who infiltrated for the damanage caused.
Not an holistic approach

EPP-End point protection platform.

Its functionality covers:
Antivirus
Anti-malware
Data encryption
Personal firewalls
IPS
DLP
It works mainly on signature based approach and more broader detection techniques.
It is considered as first line defence.

Keeping in view of the above points currently Holistic Endpoints Security solutions approach is emerging ie EDR providers are incorporating aspects of EPP and vice versa resulting in considering EDR as a subset of EPP.

Examples of such products or tools
Symantec and Cynet.

I hope the above points cover the difference between EDR & EPP.

OY
Solution Architect Security at a tech services company with 201-500 employees
Reseller
2020-01-20T19:55:21Z
Jan 20, 2020

Endpoint Detection and Response (EDR) is a category of security tools that are designed to monitor and record activity on endpoints, detect suspicious behavior, security risks, and respond to internal and external threats.

EDR tools consist of three main mechanisms to fulfill this function:
• Continuous endpoint data collection—aggregates data on events such as process execution, communication, and user logins. This involves continually monitoring all events at the endpoints.
• Detection engine—performs data analysis to discover anomalies and detect malicious activity on endpoints. This step is crucial for sifting through events to identify genuine security incidents.
• Data recording—provides security teams with real-time data about security incidents on endpoints, which they can then use for investigative purposes. This can help inform endpoint protection strategies.

Incident Report teams still need to deal with multiple platforms and false alarms and to handle the restoration process themselves. IR teams often struggle to find the attackers that infiltrated the protection layers before they cause damage. To deal with all potential risks, a more holistic approach is needed, a platform which can be a solution to all types of threats. EPP (Endpoint Protection Platform) is the platform to achieve this goal.

Endpoint protection platform provides essential security for many types of endpoints, from smart phones to printers. An endpoint protection platform (EPP) is an integrated suite of endpoint protection technologies, such as antivirus, data encryption, intrusion prevention, and data loss prevention, that detects and stops a variety of threats at the endpoint.
An endpoint protection platform provides a framework for data sharing between endpoint protection technologies.

It might seem like the distinction between EPP and EDR is straightforward, but it is not that simple. Traditionally, EPP is defined as a first-line defense mechanism, effective at blocking known threats. While EDR is defined as the next layer of security, providing additional tools to detect threats, analyze intrusions, and respond to attacks.

RW
Regional Technical Manager at a retailer with 201-500 employees
Real User
2020-01-20T07:07:43Z
Jan 20, 2020

Endpoint protection (EPP) usually means anti-malware, anti-spam, anti-phishing, etc. These are features prevent attacks without a detailed explanation of why EPP stops an action and how the attack is.

Endpoint detection and response (EDR) usually means how to record the attack in detail and provide certain remediation methods to recover the affected machines or files.

In other words. EPP shows “what and when”. EDR shows “why and how”.

MN
Tech consultant at select softwares
Real User
Top 10
2020-01-20T05:41:33Z
Jan 20, 2020

An EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.

An EDR, on the other hand, is specifically built to handle this situation.

Almost all endpoint security manufacturers have this product capability today in their line and always the EDR component is an add on and is as or more expensive than the use system.

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: January 2023.
672,785 professionals have used our research since 2012.
JS
Product Manager at a security firm with 201-500 employees
User
2020-01-20T00:47:38Z
Jan 20, 2020

EPP is focused on detecting malware, but EDR is focused on logging endpoint an event and this event is used for threat hunting or incident response. So you need advanced security analysts to get the desired effect.

EPP and EDR are not a completely separate solution. EDR is a core component of an EPP product. And many EPP vendors add EDR features to their EPP solution.

NR
President and Chief Architect with 11-50 employees
User
2020-01-19T21:02:14Z
Jan 19, 2020

The biggest difference is time frames. EPP is meant to PREVENT infection. EDR is meant to deal with endpoints once they ARE infected.

NH
Product Specialist - Darktrace (Cyber AI/Threat Defense) at a tech services company with 51-200 employees
User
2020-03-06T19:22:09Z
Mar 6, 2020

I believe the biggest difference between EPP and EDR solutions is directly in the names, and both are crucial to security. EPP sits on the device and works to repel attacks from various sectors based on known threats (malware, phishing, etc. – all external); EDR monitors the endpoint to detect when something is wrong either because EPP failed to thwart the attack/didn’t know the threat or the enterprise user/device user does something malicious (insider threat) and EDR is able to respond autonomously at lockdown the malware/behavior.

Does that make sense?

DS
Owner at David Strom Inc.
2020-03-05T21:27:58Z
Mar 5, 2020

I think the difference is more marketing-speak than technical features, and the terms are used inconsistently by the security vendors. The featured answer has some additional insight.

DK
Managing Director at a tech vendor with 1-10 employees
User
2020-02-27T15:49:09Z
Feb 27, 2020

The answers already provided are succinct but accurate. To explain the difference to a non-technical audience, think of EPP as a wall to keep bad things out, and EDR as a sensor to identify when bad things are happening and raise an alarm (think motion sensor). The wall will stop some things but you don’t know what and when and how many. The sensor tells you when something is happening but can’t actually stop the bad thing.

In practice, the two technologies are converging; given the size of your organization, you probably need both.

SP
Sr. Engineer at a tech services company with 501-1,000 employees
Real User
2020-01-21T10:39:39Z
Jan 21, 2020

EPP (Endpoint Protection Platform) covers traditional anti-malware scanning, whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and investigating security incidents, and ability to remediate endpoints to pre-infection state.

VK
Area Sales Manager with 1,001-5,000 employees
User
2020-01-21T05:47:36Z
Jan 21, 2020

Traditional EPP solutions cover more basic features such as anti-malware & integrated security solutions designed to detect and block threats at a device level. Typically this includes antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP)

Whereas EDR solutions covered more advanced capabilities like detecting and investigating security incidents, and the ability to remediate endpoints to pre-infection state.

MF
PS & Technical Manager at a integrator with 11-50 employees
Real User
Top 10
2020-01-21T01:20:10Z
Jan 21, 2020

EPP Endpoint Protection Platform like McAfee EPO contains most things like antivirus, DLP, and IPS.

EDR is a combination of next-gen antivirus and behavior analysis solution.

BH
Vice President at a security firm with 10,001+ employees
Real User
2020-01-21T01:15:13Z
Jan 21, 2020

Great question, and one that is confusing even to many experts.

Traditionally, an Endpoint Protection Platform (EPP) is a first-line defense mechanism, effective at blocking known threats. Endpoint Detection and Response (EDR) is the next layer of security, providing additional tools to search or hunt for threats or respond to incidents.

There is an increasing alignment or “convergence” of the two markets. While EDR was initially positioned as a solution for large enterprises with dedicated Cyber Security Operations Center or capability, other groups are also implementing EDRs for support to incident response. The vendors on both the EPP and EDR side are adding customer-requested features to have an “all in one” solution that is converging the tools.

One issue is that sometimes it is better to have those capabilities in place but to engage an outside forensics firm for enterprise-level incident response. Having the internal security team investigate enterprise-level breaches, internal employee investigations that may involve executives or anything around corporate litigation may not be the appropriate separation of duties. Specifically engaging trusted third party incident response and investigative teams provides independence from the internal team that designed the security also investigate any potential failures, or having to investigate the emails of your own leadership.

JP
Prinicipal Security Sales Engineer at a computer software company with 501-1,000 employees
Real User
2020-01-21T00:17:56Z
Jan 21, 2020

I 2nd Jehyun's response! Another way of looking at it is that EPP (End Point Protection) is your traditional Antivirus/AntiMalware solution on the endpoint (Symantec, McAfee, etc.) whereas EDR (Endpoint Detection and Response) has been represented by companies such as Carbon Black.

PT
Product Manager at a comms service provider with 501-1,000 employees
Reseller
Top 10
2020-01-20T12:36:49Z
Jan 20, 2020

My vision is very simple. EPP (Endpoint Protection Platform) is working based on predefined rules and definitions (virus definitions/signatures, black/white lists and etc.). EDR works based on models for abnormal activities (registry change, network connection, binary execution). EPP is focused over end-point as a standalone device, EDR is working on the company (group of workstations from the same domain) level and correlates information from all endpoints into the network (possibility to identify the lateral movement of the threats).

EDR solutions easily communicate with other security solutions (SIEMs, tools for forensic analysis), but most probably this not something remarkable or big differentiator, because this can change.

KG
Information Security Analyst at Detecon Al Saudia Co. Ltd.
Real User
2020-01-20T12:28:12Z
Jan 20, 2020

EPP is your favorite Anti-Malware and Anti-Virus Solution. EDR (Endpoint Detection and Response) most commonly use for APT solution amd ideal for small bussiness Security Incident response team.

MN
Tech consultant at select softwares
Real User
Top 10
2020-01-20T07:23:18Z
Jan 20, 2020

In simple terms:- An EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.
An EDR, on the other hand, is specifically built to handle this situation.

Almost all endpoint security manufacturers have this product capability today in their line and always the EDR component is an add on and is as or more expensive than the use system

I have used McAfee endpoint security with EDR functionality in my previous organization and I can confidently say that the money was well spent. - You may remember the May Day attack which as highly publicized? Well, I'm proud to say McAfee's defense system with EDR stopped the assault in its tracks with zero loss!

I'm not pushing McAfee here because other manufacturers too have equally matching capability

So in summation, please bear in mind the following points - this is my personal bible so to say.

1. McAfee/Symantec/TRendMicro/Sophos/ CrowdStrike/Carbon Black to name a few - all are equally good. There will be a few key features which you may need or not need -please concentrate effort on that
2. - VERY IMPORTANT - whoever you choose as the solution, please ensure that you have local support from the OEM in your country; talk to your account manager from the OEM.
3. All-around security - select a product that can integrate all the way up to your gateway firewall or can share data mutually
4. Run a full feature deployment in 3 parts - normal users( who use day to day apps), laptop users who are always on travel and the trouble-making systems and the most important part - management users.
5. Choose a reseller who has good tech support capabilities.
6. Ensure your admin guys are suitably trained on it.

DP
Senior Cyber Security Consultant at Infosec Ventures
Reseller
2020-01-20T07:21:31Z
Jan 20, 2020

EPP: Endpoint Protection Platform (Typically AV for Endpoint/servers, it may also includes features like Host Firewall, Host IPS, Device Control, web reputation etc etc)
EPP will protect the endpoint/servers from malware.

EDR: Endpoint Detect & Response
EDR solution doesn't provide any protection such as EPP, it works on top of EPP solution which will provide visibility of the all the activities done on the endpoints.
EDR solution help to find suspicious activity and re-mediate the same.

In a layman terms, If you're protecting a gate, your gatekeeper is EPP and Security Camera is EDR.

Please use below link for more details.
https://www.cybrary.it/0p3n/epp-vs-edr-whats-the-difference-and-why-you-may-need-both/

SN
Chief Executive Officer at Vincacyber
Real User
2020-03-22T17:46:31Z
Mar 22, 2020

Try www.cynet.com it has both EPP & EDR plus NBA, UBA, Deception, VM,, Sandboxing, 24*7 SOC.

NS
CEO at Haniya Technologies
Real User
Top 5Leaderboard
2020-03-11T12:05:35Z
Mar 11, 2020

Well as far as I know EPP is a protection for End Point User and it is mostly regarding Anti Virus, worm , trojan etc. Where as EDR is end Point Detection which mostly consist of sand boxing and mostly deployed at server or gateway. Most of EDR required same companies end point protection to work with. For example if you are using trendmicro end point protection than you must use trend Micro EDR.. so forth and so on.

Heritier Daya - PeerSpot reviewer
Network Administrator at a financial services firm with 1,001-5,000 employees
Real User
Top 5
2020-01-25T12:53:38Z
Jan 25, 2020

Please find some good explanation through the following link:

https://www.cisco.com/c/en/us/products/security/what-is-endpoint-protection-platform.html

CR
Especialista em Segurança da Informação at a tech services company with 5,001-10,000 employees
MSP
2020-01-20T15:18:53Z
Jan 20, 2020

EPP is based on signature and EDR on behavior, allowing EDR to stop malware on day 0.

Related Questions
Sep 19, 2022
Hi community professionals, I am looking for your advice on whether it makes sense to use both an endpoint antivirus and an EDR solution simultaneously? What are the pros and cons of using each one or both simultaneously? *In terms of products, I've been looking at CrowdStrike Falcon, Microsoft Defender for Endpoint, and ESET Endpoint Security. Thanks for the help!
2 out of 9 answers
CP
Partner Account Manager 🔆 at SEC DataCom A/S
Apr 26, 2022
If you look at a product like SentinelOne, it is both EPP and EDR (and much more...). In that case you only need this single product.You could take a look at this short explanaition on YouTube: EDR? EPP? Both?!? See how to explain SentinelOne in just 2 minutes
AS
Principal Consultant at 1net
Apr 27, 2022
The “Antivirus” protection technology is replaced by EDR which does include a modern version of “antivirus” along with other ways of device protection.  Multiple vendors provide EDR: Trend Micro, Cisco, etc. The more current technology is XDR.
PJ
CIO & Information manager at a leisure / travel company with 501-1,000 employees
Jan 24, 2023
Hi peers,   I work as the CIO & Information Manager in the gaming and gambling industry. The company has 650 employees and >30.000 customers. I'm not able to find a study where Darktrace is compared against Crowdstrike Falcon (or other solutions for endpoint security, e.g. Sentinel One).  Can anyone help and share their insights?  Thanks, Regards from the Netherlands
2 out of 3 answers
HF
Consultant at a computer software company with 51-200 employees
Mar 31, 2022
Hi @reviewer1799568, Most of these comparisons are opinions and some tests are done in specific conditions that might not suit or reflect your organization's needs and roadmap. Ultimately, the cost of a mistake is a data breach and not just an audit finding or operational discomfort. I mention this because there are no viable shortcuts. I suggest you test the solutions thoroughly in your own environment to see what works for you. The gaming floor is hopefully "air-gapped" and the solution should respect that segregation and still provide great security and visibility. One of the challenges is security updates. For such an environment you would need comprehensive AI and machine learning. I suggest you look at the difference between IOC and IOA. IOA vs IOC: Defining & Understanding The Differences | CrowdStrike. (Please also check other sources). Good luck and stay safe!  
CP
Partner Account Manager 🔆 at SEC DataCom A/S
Apr 26, 2022
Hi. I am told that Darktrace is a complimentary product that doesn't do any endpoint protection.
Related Articles
Ariel Lindenfeld - PeerSpot reviewer
Director of Community at PeerSpot
Aug 21, 2022
We’re launching an annual User’s Choice Award to showcase the most popular B2B enterprise technology products and we want your vote! If there’s a technology solution that’s really impressed you, here’s an opportunity to recognize that. It’s easy: go to the PeerSpot voting site, complete the brief voter registration form, review the list of nominees and vote. Get your colleagues to vote, too! ...
SB
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Aug 9, 2022
If you’re weighing your options for endpoint security solutions, there are many options out there. However, solutions vary greatly in terms of how effectively they can protect your network. I want to help you make the best decision possible, so here are some questions to ask before buying an endpoint security solution, and why they are important. 1) Does the solution employ Foundational Tech...
EB
Director of Community at PeerSpot (formerly IT Central Station)
Feb 4, 2022
Hi dear community members, This is our latest community digest. It helps you catch up on recent contributions by community members. Comment below with your feedback and suggestions! Trending What are the Top 5 cybersecurity trends in 2022? What are the main benefits of modern IT Asset Discovery tools? Tip Post an educational article from your Home feed and receive 20 point...
See 1 comment
reviewer1577907 - PeerSpot reviewer
Manager at PeerSpot
Feb 4, 2022
Thank you, these community Spotlights are very handy!
EB
Director of Community at PeerSpot (formerly IT Central Station)
Nov 19, 2021
Hi community members, Spotlight #2 is our fresh bi-weekly community digest for you. It covers cybersecurity, IT and DevOps topics. Check it out and comment below with your feedback! Trending What are the pros and cons of internal SOC vs SOC-as-a-Service? Join The Moderator Team at IT Central Station (soon to be PeerSpot)! Questions Share your experience with other peers by ans...
Moderator
DS
Owner at David Strom Inc.
Related Articles
Ariel Lindenfeld - PeerSpot reviewer
Director of Community at PeerSpot
Aug 21, 2022
PeerSpot User's Choice Award 2022
We’re launching an annual User’s Choice Award to showcase the most popular B2B enterprise technol...
SB
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Aug 9, 2022
8 Questions to Ask While Selecting an Endpoint Security Solution for Your Business
If you’re weighing your options for endpoint security solutions, there are many options out there...
Download Free Report
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions. Updated: January 2023.
DOWNLOAD NOW
672,785 professionals have used our research since 2012.