Coming October 25: PeerSpot Awards will be announced! Learn more
2020-01-19T12:17:00Z
FY
Sales Director at a tech services company with 5,001-10,000 employees
  • 19
  • 2528

What is the biggest difference between EPP and EDR products?

I work at a tech services company with 5,000 - 10,000+ employees. 

We are currently researching EPP and EDR solutions. What are the main differences between EPP and EDR? 

Thanks! I appreciate the help. 

23
PeerSpot user
23 Answers
Om Salamkayala - PeerSpot reviewer
Digital Forensics Analyst at a security firm with 11-50 employees
Real User
2020-01-20T09:56:52Z
20 January 20

I think most of the comments cover all the key points.

EDR-End point Detection and Response.
Its main functions are: To monitor, record activity on endpoints, detect suspicious behaviour, security risks and respond to internal external threats.
Which further includes- Providing Authenticating log-ins, Monitoring network activities, and deploying updates.

Its Capabilities: 1. Continuous endpoint data collection.
2. Detection engine
3. Data recording.

It is considered as next layer of security

Its limitation:
No in depth visibility
IR team needs to deal with false alarm and have to handle restoring process.
Struggle to find the attackers who infiltrated for the damanage caused.
Not an holistic approach

EPP-End point protection platform.

Its functionality covers:
Antivirus
Anti-malware
Data encryption
Personal firewalls
IPS
DLP
It works mainly on signature based approach and more broader detection techniques.
It is considered as first line defence.

Keeping in view of the above points currently Holistic Endpoints Security solutions approach is emerging ie EDR providers are incorporating aspects of EPP and vice versa resulting in considering EDR as a subset of EPP.

Examples of such products or tools
Symantec and Cynet.

I hope the above points cover the difference between EDR & EPP.

Owais Yousuf - PeerSpot reviewer
Solution Architect Security at a tech services company with 201-500 employees
Reseller
2020-01-20T19:55:21Z
20 January 20

Endpoint Detection and Response (EDR) is a category of security tools that are designed to monitor and record activity on endpoints, detect suspicious behavior, security risks, and respond to internal and external threats.

EDR tools consist of three main mechanisms to fulfill this function:
• Continuous endpoint data collection—aggregates data on events such as process execution, communication, and user logins. This involves continually monitoring all events at the endpoints.
• Detection engine—performs data analysis to discover anomalies and detect malicious activity on endpoints. This step is crucial for sifting through events to identify genuine security incidents.
• Data recording—provides security teams with real-time data about security incidents on endpoints, which they can then use for investigative purposes. This can help inform endpoint protection strategies.

Incident Report teams still need to deal with multiple platforms and false alarms and to handle the restoration process themselves. IR teams often struggle to find the attackers that infiltrated the protection layers before they cause damage. To deal with all potential risks, a more holistic approach is needed, a platform which can be a solution to all types of threats. EPP (Endpoint Protection Platform) is the platform to achieve this goal.

Endpoint protection platform provides essential security for many types of endpoints, from smart phones to printers. An endpoint protection platform (EPP) is an integrated suite of endpoint protection technologies, such as antivirus, data encryption, intrusion prevention, and data loss prevention, that detects and stops a variety of threats at the endpoint.
An endpoint protection platform provides a framework for data sharing between endpoint protection technologies.

It might seem like the distinction between EPP and EDR is straightforward, but it is not that simple. Traditionally, EPP is defined as a first-line defense mechanism, effective at blocking known threats. While EDR is defined as the next layer of security, providing additional tools to detect threats, analyze intrusions, and respond to attacks.

RW
Regional Technical Manager at a retailer with 201-500 employees
Real User
2020-01-20T07:07:43Z
20 January 20

Endpoint protection (EPP) usually means anti-malware, anti-spam, anti-phishing, etc. These are features prevent attacks without a detailed explanation of why EPP stops an action and how the attack is.

Endpoint detection and response (EDR) usually means how to record the attack in detail and provide certain remediation methods to recover the affected machines or files.

In other words. EPP shows “what and when”. EDR shows “why and how”.

Manoj Nair - PeerSpot reviewer
Tech consultant at select softwares
Real User
Top 5Leaderboard
2020-01-20T05:41:33Z
20 January 20

An EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.

An EDR, on the other hand, is specifically built to handle this situation.

Almost all endpoint security manufacturers have this product capability today in their line and always the EDR component is an add on and is as or more expensive than the use system.

JS
Product Manager at a security firm with 201-500 employees
User
2020-01-20T00:47:38Z
20 January 20

EPP is focused on detecting malware, but EDR is focused on logging endpoint an event and this event is used for threat hunting or incident response. So you need advanced security analysts to get the desired effect.

EPP and EDR are not a completely separate solution. EDR is a core component of an EPP product. And many EPP vendors add EDR features to their EPP solution.

Find out what your peers are saying about CrowdStrike, Microsoft, SentinelOne and others in EPP (Endpoint Protection for Business). Updated: September 2022.
635,162 professionals have used our research since 2012.
NR
President and Chief Architect with 11-50 employees
User
2020-01-19T21:02:14Z
19 January 20

The biggest difference is time frames. EPP is meant to PREVENT infection. EDR is meant to deal with endpoints once they ARE infected.

NH
Product Specialist - Darktrace (Cyber AI/Threat Defense) at a tech services company with 51-200 employees
User
2020-03-06T19:22:09Z
06 March 20

I believe the biggest difference between EPP and EDR solutions is directly in the names, and both are crucial to security. EPP sits on the device and works to repel attacks from various sectors based on known threats (malware, phishing, etc. – all external); EDR monitors the endpoint to detect when something is wrong either because EPP failed to thwart the attack/didn’t know the threat or the enterprise user/device user does something malicious (insider threat) and EDR is able to respond autonomously at lockdown the malware/behavior.

Does that make sense?

davidstrom - PeerSpot reviewer
Owner at David Strom Inc.
2020-03-05T21:27:58Z
05 March 20

I think the difference is more marketing-speak than technical features, and the terms are used inconsistently by the security vendors. The featured answer has some additional insight.

DK
Managing Director at a tech vendor with 1-10 employees
User
2020-02-27T15:49:09Z
27 February 20

The answers already provided are succinct but accurate. To explain the difference to a non-technical audience, think of EPP as a wall to keep bad things out, and EDR as a sensor to identify when bad things are happening and raise an alarm (think motion sensor). The wall will stop some things but you don’t know what and when and how many. The sensor tells you when something is happening but can’t actually stop the bad thing.

In practice, the two technologies are converging; given the size of your organization, you probably need both.

SP
Sr. Engineer at a tech services company with 501-1,000 employees
Real User
2020-01-21T10:39:39Z
21 January 20

EPP (Endpoint Protection Platform) covers traditional anti-malware scanning, whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and investigating security incidents, and ability to remediate endpoints to pre-infection state.

VK
Area Sales Manager with 1,001-5,000 employees
User
2020-01-21T05:47:36Z
21 January 20

Traditional EPP solutions cover more basic features such as anti-malware & integrated security solutions designed to detect and block threats at a device level. Typically this includes antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP)

Whereas EDR solutions covered more advanced capabilities like detecting and investigating security incidents, and the ability to remediate endpoints to pre-infection state.

PeerSpot user
PS & Technical Manager at a integrator with 11-50 employees
Real User
Top 10
2020-01-21T01:20:10Z
21 January 20

EPP Endpoint Protection Platform like McAfee EPO contains most things like antivirus, DLP, and IPS.

EDR is a combination of next-gen antivirus and behavior analysis solution.

BH
Vice President at a security firm with 10,001+ employees
Real User
2020-01-21T01:15:13Z
21 January 20

Great question, and one that is confusing even to many experts.

Traditionally, an Endpoint Protection Platform (EPP) is a first-line defense mechanism, effective at blocking known threats. Endpoint Detection and Response (EDR) is the next layer of security, providing additional tools to search or hunt for threats or respond to incidents.

There is an increasing alignment or “convergence” of the two markets. While EDR was initially positioned as a solution for large enterprises with dedicated Cyber Security Operations Center or capability, other groups are also implementing EDRs for support to incident response. The vendors on both the EPP and EDR side are adding customer-requested features to have an “all in one” solution that is converging the tools.

One issue is that sometimes it is better to have those capabilities in place but to engage an outside forensics firm for enterprise-level incident response. Having the internal security team investigate enterprise-level breaches, internal employee investigations that may involve executives or anything around corporate litigation may not be the appropriate separation of duties. Specifically engaging trusted third party incident response and investigative teams provides independence from the internal team that designed the security also investigate any potential failures, or having to investigate the emails of your own leadership.

JP
Prinicipal Security Sales Engineer at a computer software company with 501-1,000 employees
Real User
2020-01-21T00:17:56Z
21 January 20

I 2nd Jehyun's response! Another way of looking at it is that EPP (End Point Protection) is your traditional Antivirus/AntiMalware solution on the endpoint (Symantec, McAfee, etc.) whereas EDR (Endpoint Detection and Response) has been represented by companies such as Carbon Black.

PT
Product Manager at a comms service provider with 501-1,000 employees
Reseller
Top 5
2020-01-20T12:36:49Z
20 January 20

My vision is very simple. EPP (Endpoint Protection Platform) is working based on predefined rules and definitions (virus definitions/signatures, black/white lists and etc.). EDR works based on models for abnormal activities (registry change, network connection, binary execution). EPP is focused over end-point as a standalone device, EDR is working on the company (group of workstations from the same domain) level and correlates information from all endpoints into the network (possibility to identify the lateral movement of the threats).

EDR solutions easily communicate with other security solutions (SIEMs, tools for forensic analysis), but most probably this not something remarkable or big differentiator, because this can change.

Keith Galleros - PeerSpot reviewer
Information Security Analyst at Detecon Al Saudia Co. Ltd.
Real User
2020-01-20T12:28:12Z
20 January 20

EPP is your favorite Anti-Malware and Anti-Virus Solution. EDR (Endpoint Detection and Response) most commonly use for APT solution amd ideal for small bussiness Security Incident response team.

Manoj Nair - PeerSpot reviewer
Tech consultant at select softwares
Real User
Top 5Leaderboard
2020-01-20T07:23:18Z
20 January 20

In simple terms:- An EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.
An EDR, on the other hand, is specifically built to handle this situation.

Almost all endpoint security manufacturers have this product capability today in their line and always the EDR component is an add on and is as or more expensive than the use system

I have used McAfee endpoint security with EDR functionality in my previous organization and I can confidently say that the money was well spent. - You may remember the May Day attack which as highly publicized? Well, I'm proud to say McAfee's defense system with EDR stopped the assault in its tracks with zero loss!

I'm not pushing McAfee here because other manufacturers too have equally matching capability

So in summation, please bear in mind the following points - this is my personal bible so to say.

1. McAfee/Symantec/TRendMicro/Sophos/ CrowdStrike/Carbon Black to name a few - all are equally good. There will be a few key features which you may need or not need -please concentrate effort on that
2. - VERY IMPORTANT - whoever you choose as the solution, please ensure that you have local support from the OEM in your country; talk to your account manager from the OEM.
3. All-around security - select a product that can integrate all the way up to your gateway firewall or can share data mutually
4. Run a full feature deployment in 3 parts - normal users( who use day to day apps), laptop users who are always on travel and the trouble-making systems and the most important part - management users.
5. Choose a reseller who has good tech support capabilities.
6. Ensure your admin guys are suitably trained on it.

Divyang P - PeerSpot reviewer
Senior Cyber Security Consultant at Infosec Ventures
Reseller
2020-01-20T07:21:31Z
20 January 20

EPP: Endpoint Protection Platform (Typically AV for Endpoint/servers, it may also includes features like Host Firewall, Host IPS, Device Control, web reputation etc etc)
EPP will protect the endpoint/servers from malware.

EDR: Endpoint Detect & Response
EDR solution doesn't provide any protection such as EPP, it works on top of EPP solution which will provide visibility of the all the activities done on the endpoints.
EDR solution help to find suspicious activity and re-mediate the same.

In a layman terms, If you're protecting a gate, your gatekeeper is EPP and Security Camera is EDR.

Please use below link for more details.
https://www.cybrary.it/0p3n/epp-vs-edr-whats-the-difference-and-why-you-may-need-both/

ShreekumarNair - PeerSpot reviewer
Chief Executive Officer at Vincacyber
Real User
2020-03-22T17:46:31Z
22 March 20

Try www.cynet.com it has both EPP & EDR plus NBA, UBA, Deception, VM,, Sandboxing, 24*7 SOC.

Nadeem Syed - PeerSpot reviewer
CEO at Haniya Technologies
Reseller
Top 5Leaderboard
2020-03-11T12:05:35Z
11 March 20

Well as far as I know EPP is a protection for End Point User and it is mostly regarding Anti Virus, worm , trojan etc. Where as EDR is end Point Detection which mostly consist of sand boxing and mostly deployed at server or gateway. Most of EDR required same companies end point protection to work with. For example if you are using trendmicro end point protection than you must use trend Micro EDR.. so forth and so on.

Heritier Daya - PeerSpot reviewer
Network Administrator at a financial services firm with 1,001-5,000 employees
Real User
Top 10
2020-01-25T12:53:38Z
25 January 20

Please find some good explanation through the following link:

https://www.cisco.com/c/en/us/products/security/what-is-endpoint-protection-platform.html

CR
Especialista em Segurança da Informação at a tech services company with 5,001-10,000 employees
MSP
2020-01-20T15:18:53Z
20 January 20

EPP is based on signature and EDR on behavior, allowing EDR to stop malware on day 0.

Related Questions
Sep 19, 2022
Hi community professionals, I am looking for your advice on whether it makes sense to use both an endpoint antivirus and an EDR solution simultaneously? What are the pros and cons of using each one or both simultaneously? *In terms of products, I've been looking at CrowdStrike Falcon, Microsoft Defender for Endpoint, and ESET Endpoint Security. Thanks for the help!
2 out of 9 answers
CP
Partner Account Manager 🔆 at SEC DataCom A/S
26 April 22
If you look at a product like SentinelOne, it is both EPP and EDR (and much more...). In that case you only need this single product.You could take a look at this short explanaition on YouTube: EDR? EPP? Both?!? See how to explain SentinelOne in just 2 minutes
AS
Principal Consultant at 1net
27 April 22
The “Antivirus” protection technology is replaced by EDR which does include a modern version of “antivirus” along with other ways of device protection.  Multiple vendors provide EDR: Trend Micro, Cisco, etc. The more current technology is XDR.
PJ
CIO & Information manager at a leisure / travel company with 501-1,000 employees
Apr 26, 2022
Hi peers,   I work as the CIO & Information Manager in the gaming and gambling industry. The company has 650 employees and >30.000 customers. I'm not able to find a study where Darktrace is compared against Crowdstrike Falcon (or other solutions for endpoint security, e.g. Sentinel One).  Can anyone help and share their insights?  Thanks, Regards from the Netherlands
See 2 answers
HF
Consultant at a computer software company with 51-200 employees
31 March 22
Hi @reviewer1799568, Most of these comparisons are opinions and some tests are done in specific conditions that might not suit or reflect your organization's needs and roadmap. Ultimately, the cost of a mistake is a data breach and not just an audit finding or operational discomfort. I mention this because there are no viable shortcuts. I suggest you test the solutions thoroughly in your own environment to see what works for you. The gaming floor is hopefully "air-gapped" and the solution should respect that segregation and still provide great security and visibility. One of the challenges is security updates. For such an environment you would need comprehensive AI and machine learning. I suggest you look at the difference between IOC and IOA. IOA vs IOC: Defining & Understanding The Differences | CrowdStrike. (Please also check other sources). Good luck and stay safe!  
CP
Partner Account Manager 🔆 at SEC DataCom A/S
26 April 22
Hi. I am told that Darktrace is a complimentary product that doesn't do any endpoint protection.
Related Articles
Ariel Lindenfeld - PeerSpot reviewer
Director of Content at PeerSpot (formerly IT Central Station)
Aug 21, 2022
We’re launching an annual User’s Choice Award to showcase the most popular B2B enterprise technology products and we want your vote! If there’s a technology solution that’s really impressed you, here’s an opportunity to recognize that. It’s easy: go to the PeerSpot voting site, complete the brief voter registration form, review the list of nominees and vote. Get your colleagues to vote, too! ...
Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Aug 09, 2022
If you’re weighing your options for endpoint security solutions, there are many options out there. However, solutions vary greatly in terms of how effectively they can protect your network. I want to help you make the best decision possible, so here are some questions to ask before buying an endpoint security solution, and why they are important. 1) Does the solution employ Foundational Tech...
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Feb 04, 2022
Hi dear community members, This is our latest community digest. It helps you catch up on recent contributions by community members. Comment below with your feedback and suggestions! Trending What are the Top 5 cybersecurity trends in 2022? What are the main benefits of modern IT Asset Discovery tools? Tip Post an educational article from your Home feed and receive 20 point...
See 1 comment
reviewer1577907 - PeerSpot reviewer
Manager at PeerSpot
04 February 22
Thank you, these community Spotlights are very handy!
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Nov 19, 2021
Hi community members, Spotlight #2 is our fresh bi-weekly community digest for you. It covers cybersecurity, IT and DevOps topics. Check it out and comment below with your feedback! Trending What are the pros and cons of internal SOC vs SOC-as-a-Service? Join The Moderator Team at IT Central Station (soon to be PeerSpot)! Questions Share your experience with other peers by ans...
Moderator
davidstrom - PeerSpot reviewer
Owner at David Strom Inc.
Related Articles
Ariel Lindenfeld - PeerSpot reviewer
Director of Content at PeerSpot (formerly IT Central Station)
Aug 21, 2022
PeerSpot User's Choice Award 2022
We’re launching an annual User’s Choice Award to showcase the most popular B2B enterprise technol...
Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Aug 09, 2022
8 Questions to Ask While Selecting an Endpoint Security Solution for Your Business
If you’re weighing your options for endpoint security solutions, there are many options out there...
Download Free Report
Download our free EPP (Endpoint Protection for Business) Report and find out what your peers are saying about CrowdStrike, Microsoft, SentinelOne, and more! Updated: September 2022.
DOWNLOAD NOW
635,162 professionals have used our research since 2012.