2020-01-19T12:17:00Z

What is the biggest difference between EPP and EDR products?

I work at a tech services company with 5,000 - 10,000+ employees. 

We are currently researching EPP and EDR solutions. What are the main differences between EPP and EDR? 

Thanks! I appreciate the help. 

FY
Sales Director at a tech services company with 5,001-10,000 employees
24 Answers
TM
Senior Cybersecurity Consultant at CIA Botswana
Real User
Top 5 Leaderboard
2020-01-20T14:15:56Z
Jan 20, 2020

EPP (Endpoint Protection Platform) covers traditional anti-malware scanning. EPP is typically designed to reactively detect and block threats at device level e.g. antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP) whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and investigating security incidents, and ability to remediate endpoints to pre-infection state e.g. EDR contains many security tools like firewall, whitelisting tools, monitoring tools, etc. to provide comprehensive protection against digital threats and allows for preparing an appropriate incident response. EDR is the endpoint which is responsible for proactive detection and response processes.

Navcharan Singh - PeerSpot reviewer
Senior Seo Executive at Ace Cloud Hosting
Consultant
Top 5
2023-01-24T09:34:39Z
Jan 24, 2023

EPP (Endpoint Protection Platforms) and EDR (Endpoint Detection & Response) products are both critical elements of enterprise security, with each type offering different value. The primary difference between the two is that EPP products focus on prevention while EDR focuses on detection.

EPP solutions provide proactive defense against known threats through anti-virus, firewall, application control, and patch management. They are designed to protect endpoints from the onslaught of malicious attacks which can affect an organization's connected devices or users directly. By detecting malicious code or suspicious activity through a combination of measures such as heuristics, sandboxing, and behavioral analysis in real time, these tools help organizations mitigate potential risks resulting from known threats quickly while strengthening their overall cyber defense posture.

On the other hand, Endpoint Detection and Response solutions provide visibility into endpoint activities across the wider organizational environment, including cloud infrastructure, to rapidly identify potential threat actors before they can cause damage to an organization's systems or data assets. Powered by machine learning algorithms as well as traditional approaches for anomaly detection like static signatures, behavior monitoring, and user access reviews, these tools help detect advanced persistent threats (APTs), insider threats, and zero-day attacks in order to prevent any unauthorized use of sensitive information by untrusted parties.

In short: EPP protects systems proactively from known threats, while EDR detects malicious activities after initial infiltration in order to neutralize them quickly in real time before significant damage occurs. Together they form a strong defense line for any modern business looking for full coverage against today's cyber threat landscape.

OS
Digital Forensics Analyst at a security firm with 11-50 employees
Real User
2020-01-20T09:56:52Z
Jan 20, 2020

I think most of the comments cover all the key points.

EDR: Endpoint Detection and Response.
Its main functions are to monitor and record activity on endpoints, detect suspicious behaviour and security risks, and respond to internal and external threats.
This further includes providing authenticating log-ins, monitoring network activities, and deploying updates.

Its capabilities:
1. Continuous endpoint data collection.
2. Detection engine.
3. Data recording.

It is considered the next layer of security.

Its limitations:
No in-depth visibility.
The IR team needs to deal with false alarms and has to handle the restoring process.
Struggles to find the attackers who infiltrated and the damage caused.
Not a holistic approach.

EPP: Endpoint Protection Platform.

Its functionality covers:
Antivirus
Anti-malware
Data encryption
Personal firewalls
IPS
DLP
It works mainly on a signature-based approach and broader detection techniques.
It is considered the first line of defence.

Keeping in view the above points, a holistic endpoint security solutions approach is currently emerging, i.e. EDR providers are incorporating aspects of EPP and vice versa, resulting in EDR being considered a subset of EPP.

Examples of such products or tools:
Symantec and Cynet.

I hope the above points cover the difference between EDR & EPP.

OY
Solution Architect Security at a tech services company with 201-500 employees
Reseller
2020-01-20T19:55:21Z
Jan 20, 2020

Endpoint Detection and Response (EDR) is a category of security tools that are designed to monitor and record activity on endpoints, detect suspicious behavior, security risks, and respond to internal and external threats.

EDR tools consist of three main mechanisms to fulfill this function:
• Continuous endpoint data collection—aggregates data on events such as process execution, communication, and user logins. This involves continually monitoring all events at the endpoints.
• Detection engine—performs data analysis to discover anomalies and detect malicious activity on endpoints. This step is crucial for sifting through events to identify genuine security incidents.
• Data recording—provides security teams with real-time data about security incidents on endpoints, which they can then use for investigative purposes. This can help inform endpoint protection strategies.

Incident Response teams still need to deal with multiple platforms and false alarms and to handle the restoration process themselves. IR teams often struggle to find the attackers that infiltrated the protection layers before they cause damage. To deal with all potential risks, a more holistic approach is needed, a platform which can be a solution to all types of threats. EPP (Endpoint Protection Platform) is the platform to achieve this goal.

An endpoint protection platform provides essential security for many types of endpoints, from smartphones to printers. An endpoint protection platform (EPP) is an integrated suite of endpoint protection technologies, such as antivirus, data encryption, intrusion prevention, and data loss prevention, that detects and stops a variety of threats at the endpoint.
An endpoint protection platform provides a framework for data sharing between endpoint protection technologies.

It might seem like the distinction between EPP and EDR is straightforward, but it is not that simple. Traditionally, EPP is defined as a first-line defense mechanism, effective at blocking known threats, while EDR is defined as the next layer of security, providing additional tools to detect threats, analyze intrusions, and respond to attacks.

RW
Regional Technical Manager at a retailer with 201-500 employees
Real User
2020-01-20T07:07:43Z
Jan 20, 2020

Endpoint protection (EPP) usually means anti-malware, anti-spam, anti-phishing, etc. These features prevent attacks without a detailed explanation of why EPP stops an action and how the attack works.

Endpoint detection and response (EDR) usually means how to record the attack in detail and provide certain remediation methods to recover the affected machines or files.

In other words, EPP shows "what and when". EDR shows "why and how".

MN
Tech consultant at select softwares
Real User
Top 10
2020-01-20T05:41:33Z
Jan 20, 2020

An EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.

An EDR, on the other hand, is specifically built to handle this situation.

Almost all endpoint security manufacturers have this product capability today in their line and always the EDR component is an add on and is as or more expensive than the use system.

JS
Product Manager at a security firm with 201-500 employees
User
2020-01-20T00:47:38Z
Jan 20, 2020

EPP is focused on detecting malware, but EDR is focused on logging endpoint events, and these events are used for threat hunting or incident response. So you need advanced security analysts to get the desired effect.

EPP and EDR are not completely separate solutions. EDR is a core component of an EPP product. And many EPP vendors add EDR features to their EPP solution.

NR
President and Chief Architect with 11-50 employees
User
2020-01-19T21:02:14Z
Jan 19, 2020

The biggest difference is time frames. EPP is meant to PREVENT infection. EDR is meant to deal with endpoints once they ARE infected.

NH
Product Specialist - Darktrace (Cyber AI/Threat Defense) at a tech services company with 51-200 employees
User
2020-03-06T19:22:09Z
Mar 6, 2020

I believe the biggest difference between EPP and EDR solutions is directly in the names, and both are crucial to security. EPP sits on the device and works to repel attacks from various sectors based on known threats (malware, phishing, etc., all external); EDR monitors the endpoint to detect when something is wrong, either because EPP failed to thwart the attack/didn't know the threat or because the enterprise user/device user does something malicious (insider threat), and EDR is able to respond autonomously to lock down the malware/behavior.

Does that make sense?

DS
Owner at David Strom Inc.
2020-03-05T21:27:58Z
Mar 5, 2020

I think the difference is more marketing-speak than technical features, and the terms are used inconsistently by the security vendors. The featured answer has some additional insight.

DK
Managing Director at a tech vendor with 1-10 employees
User
2020-02-27T15:49:09Z
Feb 27, 2020

The answers already provided are succinct but accurate. To explain the difference to a non-technical audience, think of EPP as a wall to keep bad things out, and EDR as a sensor to identify when bad things are happening and raise an alarm (think motion sensor). The wall will stop some things but you don’t know what and when and how many. The sensor tells you when something is happening but can’t actually stop the bad thing.

In practice, the two technologies are converging; given the size of your organization, you probably need both.

SP
Sr. Engineer at a tech services company with 501-1,000 employees
Real User
2020-01-21T10:39:39Z
Jan 21, 2020

EPP (Endpoint Protection Platform) covers traditional anti-malware scanning, whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and investigating security incidents, and ability to remediate endpoints to pre-infection state.

VK
Area Sales Manager with 1,001-5,000 employees
User
2020-01-21T05:47:36Z
Jan 21, 2020

Traditional EPP solutions cover more basic features such as anti-malware & integrated security solutions designed to detect and block threats at a device level. Typically this includes antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP)

Whereas EDR solutions covered more advanced capabilities like detecting and investigating security incidents, and the ability to remediate endpoints to pre-infection state.

MF
PS & Technical Manager at an integrator with 11-50 employees
Real User
Top 10
2020-01-21T01:20:10Z
Jan 21, 2020

EPP Endpoint Protection Platform like McAfee EPO contains most things like antivirus, DLP, and IPS.

EDR is a combination of next-gen antivirus and behavior analysis solution.

BH
Vice President at a security firm with 10,001+ employees
Real User
2020-01-21T01:15:13Z
Jan 21, 2020

Great question, and one that is confusing even to many experts.

Traditionally, an Endpoint Protection Platform (EPP) is a first-line defense mechanism, effective at blocking known threats. Endpoint Detection and Response (EDR) is the next layer of security, providing additional tools to search or hunt for threats or respond to incidents.

There is an increasing alignment or “convergence” of the two markets. While EDR was initially positioned as a solution for large enterprises with dedicated Cyber Security Operations Center or capability, other groups are also implementing EDRs for support to incident response. The vendors on both the EPP and EDR side are adding customer-requested features to have an “all in one” solution that is converging the tools.

One issue is that sometimes it is better to have those capabilities in place but to engage an outside forensics firm for enterprise-level incident response. Having the internal security team investigate enterprise-level breaches, internal employee investigations that may involve executives, or anything around corporate litigation may not be the appropriate separation of duties. Specifically engaging trusted third-party incident response and investigative teams provides independence: the internal team that designed the security does not also investigate any potential failures, nor have to investigate the emails of your own leadership.

JP
Principal Security Sales Engineer at a computer software company with 501-1,000 employees
Real User
2020-01-21T00:17:56Z
Jan 21, 2020

I 2nd Jehyun's response! Another way of looking at it is that EPP (End Point Protection) is your traditional Antivirus/AntiMalware solution on the endpoint (Symantec, McAfee, etc.) whereas EDR (Endpoint Detection and Response) has been represented by companies such as Carbon Black.

PT
Product Manager at a comms service provider with 501-1,000 employees
Reseller
2020-01-20T12:36:49Z
Jan 20, 2020

My vision is very simple. EPP (Endpoint Protection Platform) works based on predefined rules and definitions (virus definitions/signatures, black/white lists, etc.). EDR works based on models for abnormal activities (registry change, network connection, binary execution). EPP is focused on the endpoint as a standalone device; EDR works on the company (group of workstations from the same domain) level and correlates information from all endpoints in the network (possibility to identify the lateral movement of the threats).

EDR solutions easily communicate with other security solutions (SIEMs, tools for forensic analysis), but most probably this is not something remarkable or a big differentiator, because this can change.
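As an added illustration, not part of any answer in this thread, of the distinction drawn above (predefined signatures versus behaviour models, and a standalone-device view versus correlation across the domain's endpoints) and of the collect/detect/record pipeline described in an earlier answer, here is hypothetical Python run over constructed telemetry; the event fields, rules and fan-out threshold are assumptions:

```python
"""Toy contrast between EPP-style signature matching and EDR-style behavioural
detection with cross-endpoint correlation, run over constructed telemetry.
Hypothetical code; the event shapes, rules and thresholds are assumptions."""
from collections import defaultdict
import hashlib

# Constructed "known-bad" signature list, as an EPP engine would consult.
BAD_HASH = hashlib.sha256(b"constructed sample dropper").hexdigest()
KNOWN_BAD_SHA256 = {BAD_HASH}

# Constructed endpoint telemetry (continuous collection of file, process,
# network and logon events) from several hosts in one domain.
EVENTS = [
    # ws01: a known dropper that a signature match alone will stop
    {"host": "ws01", "type": "file_write", "path": "C:\\Users\\a\\Downloads\\inv.exe",
     "sha256": BAD_HASH},
    # ws02: an unknown binary, so no signature, but a suspicious process chain
    {"host": "ws02", "type": "file_write", "path": "C:\\Users\\b\\AppData\\Local\\Temp\\x.dll",
     "sha256": hashlib.sha256(b"never seen before").hexdigest()},
    {"host": "ws02", "type": "process", "pid": 400, "image": "winword.exe", "parent": "explorer.exe"},
    {"host": "ws02", "type": "process", "pid": 512, "image": "powershell.exe", "parent": "winword.exe"},
    {"host": "ws02", "type": "network", "pid": 512, "dst": "198.51.100.7", "dport": 443},
    # network logons fanning out from ws02 to three servers
    {"host": "srv01", "type": "logon", "logon_type": 3, "user": "b", "src_host": "ws02"},
    {"host": "srv02", "type": "logon", "logon_type": 3, "user": "b", "src_host": "ws02"},
    {"host": "srv03", "type": "logon", "logon_type": 3, "user": "b", "src_host": "ws02"},
    # a routine admin logon from ws05 to one server: below the fan-out threshold
    {"host": "srv01", "type": "logon", "logon_type": 3, "user": "admin", "src_host": "ws05"},
]


def epp_signature_scan(events, blocklist=KNOWN_BAD_SHA256):
    """EPP-style check: a file is blocked only if its hash is already on the
    signature list. Returns the (host, path) pairs that would be blocked."""
    return [(e["host"], e["path"]) for e in events
            if e["type"] == "file_write" and e["sha256"] in blocklist]


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def edr_behaviour_alerts(events):
    """EDR-style check on a single host: no hash needed. Flag an office app
    spawning a shell, and escalate if that same process then connects out."""
    alerts, flagged = [], {}  # flagged: (host, pid) -> spawn description
    for e in events:
        key = (e["host"], e.get("pid"))
        if e["type"] == "process" and e["parent"] in OFFICE_APPS and e["image"] in SHELLS:
            flagged[key] = f'{e["parent"]} -> {e["image"]}'
            alerts.append((e["host"], "office_spawned_shell", flagged[key]))
        elif e["type"] == "network" and key in flagged:
            alerts.append((e["host"], "shell_outbound_connection",
                           f'{flagged[key]} -> {e["dst"]}:{e["dport"]}'))
    return alerts


def edr_lateral_movement(events, fan_out=3):
    """Cross-host correlation: one source host performing network logons
    (type 3) to many distinct hosts. A single-endpoint view cannot see this."""
    targets = defaultdict(set)
    for e in events:
        if e["type"] == "logon" and e["logon_type"] == 3:
            targets[e["src_host"]].add(e["host"])
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= fan_out}


if __name__ == "__main__":
    print("EPP blocked:", epp_signature_scan(EVENTS))
    for alert in edr_behaviour_alerts(EVENTS):
        print("EDR alert:", alert)
    print("EDR lateral movement:", edr_lateral_movement(EVENTS))
```

The unknown file on ws02 passes the signature scan untouched; only the behaviour rule and the cross-host logon correlation surface that host.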

KG
Information Security Analyst at Detecon Al Saudia Co. Ltd.
Real User
2020-01-20T12:28:12Z
Jan 20, 2020

EPP is your favorite anti-malware and anti-virus solution. EDR (Endpoint Detection and Response) is most commonly used as an APT solution and is ideal for a small business security incident response team.

MN
Tech consultant at select softwares
Real User
Top 10
2020-01-20T07:23:18Z
Jan 20, 2020

In simple terms: an EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.
An EDR, on the other hand, is specifically built to handle this situation.

Almost all endpoint security manufacturers have this product capability today in their line, and always the EDR component is an add-on and is as or more expensive than the use system.

I have used McAfee endpoint security with EDR functionality in my previous organization and I can confidently say that the money was well spent. You may remember the May Day attack which was highly publicized? Well, I'm proud to say McAfee's defense system with EDR stopped the assault in its tracks with zero loss!

I'm not pushing McAfee here because other manufacturers too have equally matching capability.

So in summation, please bear in mind the following points - this is my personal bible, so to say.

1. McAfee/Symantec/Trend Micro/Sophos/CrowdStrike/Carbon Black, to name a few - all are equally good. There will be a few key features which you may need or not need - please concentrate effort on that.
2. VERY IMPORTANT - whoever you choose as the solution, please ensure that you have local support from the OEM in your country; talk to your account manager from the OEM.
3. All-around security - select a product that can integrate all the way up to your gateway firewall or can share data mutually.
4. Run a full feature deployment in 3 parts - normal users (who use day-to-day apps), laptop users who are always on travel and the trouble-making systems, and the most important part - management users.
5. Choose a reseller who has good tech support capabilities.
6. Ensure your admin guys are suitably trained on it.

DP
Senior Cyber Security Consultant at Infosec Ventures
Reseller
2020-01-20T07:21:31Z
Jan 20, 2020

EPP: Endpoint Protection Platform (typically AV for endpoints/servers; it may also include features like host firewall, host IPS, device control, web reputation, etc.)
EPP will protect the endpoints/servers from malware.

EDR: Endpoint Detection & Response
An EDR solution doesn't provide any protection like EPP; it works on top of the EPP solution and provides visibility of all the activities done on the endpoints.
An EDR solution helps to find suspicious activity and remediate the same.

In layman's terms, if you're protecting a gate, your gatekeeper is EPP and the security camera is EDR.

Please use the link below for more details.
https://www.cybrary.it/0p3n/epp-vs-edr-whats-the-difference-and-why-you-may-need-both/

SN
Chief Executive Officer at Vincacyber
Real User
2020-03-22T17:46:31Z
Mar 22, 2020

Try www.cynet.com; it has both EPP & EDR plus NBA, UBA, Deception, VM, Sandboxing, and a 24*7 SOC.

Nadeem Syed - PeerSpot reviewer
CEO at Haniya Technologies
Reseller
Top 5 Leaderboard
2020-03-11T12:05:35Z
Mar 11, 2020

Well, as far as I know, EPP is protection for the endpoint user and is mostly regarding anti-virus, worms, trojans, etc. Whereas EDR is Endpoint Detection, which mostly consists of sandboxing and is mostly deployed at a server or gateway. Most EDRs require the same company's endpoint protection to work with. For example, if you are using Trend Micro endpoint protection, then you must use Trend Micro EDR, and so forth and so on.

Heritier Daya - PeerSpot reviewer
Network Administrator at a financial services firm with 1,001-5,000 employees
Real User
Top 5
2020-01-25T12:53:38Z
Jan 25, 2020

Please find a good explanation at the following link:

https://www.cisco.com/c/en/us/products/security/what-is-endpoint-protection-platform.html

CR
Information Security Specialist at a tech services company with 5,001-10,000 employees
MSP
2020-01-20T15:18:53Z
Jan 20, 2020

EPP is based on signature and EDR on behavior, allowing EDR to stop malware on day 0.
