EPP (Endpoint Protection Platform) covers traditional anti-malware scanning. EPP is typically designed to reactively detect and block threats at device level e.g. antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP) whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and investigating security incidents, and ability to remediate endpoints to pre-infection state e.g. EDR contains many security tools like firewall, whitelisting tools, monitoring tools, etc. to provide comprehensive protection against digital threats and allows for preparing an appropriate incident response. EDR is the endpoint which is responsible for proactive detection and response processes.
Search for a product comparison in EPP (Endpoint Protection for Business)
EPP (Endpoint Protection Platforms) and EDR (Endpoint Detection & Response) products are both critical elements of enterprise security, with each type offering different value. The primary difference between the two is that EPP products focus on prevention while EDR focuses on the detection.
EPP solutions provide proactive defense against known threats such as anti-virus, firewall, application control, and patch management. They are designed to protect endpoints from the onslaught of malicious attacks which can affect an organization's connected devices or users directly. By detecting malicious code or suspicious activity through a combination of measures such as heuristics, sandboxing, and behavioral analysis in real-time, these tools help organizations mitigate potential risks resulting from known threats quickly while strengthening their overall cyber defense posture.
On the other hand, Endpoint Detection and Response Solutions provide visibility into endpoint activities across the wider organizational environment – including cloud infrastructure – to rapidly identify potential threat actors before they can cause damage to an organization’s systems or data assets. Powered by machine learning algorithms as well as traditional approaches for anomaly detection like static signatures, behavior monitoring, and user access reviews; these tools help detect advanced persistent threats (APTs), insider threats, and zero-day attacks in order to prevent any unauthorized use of sensitive information by untrusted parties.
In short: EPP protects systems proactively from known threats while EDR detects malicious activities after initial infiltration in order to neutralize them quickly in real-time before significant damage occurs. Thus, forming a strong defense line for any modern business looking for full coverage against today's cyber threats' landscape.
Digital Forensics Analyst at a security firm with 11-50 employees
Real User
2020-01-20T09:56:52Z
Jan 20, 2020
I think most of the comments cover all the key points.
EDR-End point Detection and Response.
Its main functions are: To monitor, record activity on endpoints, detect suspicious behaviour, security risks and respond to internal external threats.
Which further includes- Providing Authenticating log-ins, Monitoring network activities, and deploying updates.
Its Capabilities: 1. Continuous endpoint data collection.
2. Detection engine
3. Data recording.
It is considered as next layer of security
Its limitation:
No in depth visibility
IR team needs to deal with false alarm and have to handle restoring process.
Struggle to find the attackers who infiltrated for the damanage caused.
Not an holistic approach
EPP-End point protection platform.
Its functionality covers:
Antivirus
Anti-malware
Data encryption
Personal firewalls
IPS
DLP
It works mainly on signature based approach and more broader detection techniques.
It is considered as first line defence.
Keeping in view of the above points currently Holistic Endpoints Security solutions approach is emerging ie EDR providers are incorporating aspects of EPP and vice versa resulting in considering EDR as a subset of EPP.
Examples of such products or tools
Symantec and Cynet.
I hope the above points cover the difference between EDR & EPP.
Solution Architect Security at a tech services company with 201-500 employees
Reseller
2020-01-20T19:55:21Z
Jan 20, 2020
Endpoint Detection and Response (EDR) is a category of security tools that are designed to monitor and record activity on endpoints, detect suspicious behavior, security risks, and respond to internal and external threats.
EDR tools consist of three main mechanisms to fulfill this function:
• Continuous endpoint data collection—aggregates data on events such as process execution, communication, and user logins. This involves continually monitoring all events at the endpoints.
• Detection engine—performs data analysis to discover anomalies and detect malicious activity on endpoints. This step is crucial for sifting through events to identify genuine security incidents.
• Data recording—provides security teams with real-time data about security incidents on endpoints, which they can then use for investigative purposes. This can help inform endpoint protection strategies.
Incident Report teams still need to deal with multiple platforms and false alarms and to handle the restoration process themselves. IR teams often struggle to find the attackers that infiltrated the protection layers before they cause damage. To deal with all potential risks, a more holistic approach is needed, a platform which can be a solution to all types of threats. EPP (Endpoint Protection Platform) is the platform to achieve this goal.
Endpoint protection platform provides essential security for many types of endpoints, from smart phones to printers. An endpoint protection platform (EPP) is an integrated suite of endpoint protection technologies, such as antivirus, data encryption, intrusion prevention, and data loss prevention, that detects and stops a variety of threats at the endpoint.
An endpoint protection platform provides a framework for data sharing between endpoint protection technologies.
It might seem like the distinction between EPP and EDR is straightforward, but it is not that simple. Traditionally, EPP is defined as a first-line defense mechanism, effective at blocking known threats. While EDR is defined as the next layer of security, providing additional tools to detect threats, analyze intrusions, and respond to attacks.
Regional Technical Manager at a retailer with 201-500 employees
Real User
2020-01-20T07:07:43Z
Jan 20, 2020
Endpoint protection (EPP) usually means anti-malware, anti-spam, anti-phishing, etc. These are features prevent attacks without a detailed explanation of why EPP stops an action and how the attack is.
Endpoint detection and response (EDR) usually means how to record the attack in detail and provide certain remediation methods to recover the affected machines or files.
In other words. EPP shows “what and when”. EDR shows “why and how”.
An EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.
An EDR, on the other hand, is specifically built to handle this situation.
Almost all endpoint security manufacturers have this product capability today in their line and always the EDR component is an add on and is as or more expensive than the use system.
Product Manager at a security firm with 201-500 employees
User
2020-01-20T00:47:38Z
Jan 20, 2020
EPP is focused on detecting malware, but EDR is focused on logging endpoint an event and this event is used for threat hunting or incident response. So you need advanced security analysts to get the desired effect.
EPP and EDR are not a completely separate solution. EDR is a core component of an EPP product. And many EPP vendors add EDR features to their EPP solution.
Product Specialist - Darktrace (Cyber AI/Threat Defense) at a tech services company with 51-200 employees
User
2020-03-06T19:22:09Z
Mar 6, 2020
I believe the biggest difference between EPP and EDR solutions is directly in the names, and both are crucial to security. EPP sits on the device and works to repel attacks from various sectors based on known threats (malware, phishing, etc. – all external); EDR monitors the endpoint to detect when something is wrong either because EPP failed to thwart the attack/didn’t know the threat or the enterprise user/device user does something malicious (insider threat) and EDR is able to respond autonomously at lockdown the malware/behavior.
I think the difference is more marketing-speak than technical features, and the terms are used inconsistently by the security vendors. The featured answer has some additional insight.
Managing Director at a tech vendor with 1-10 employees
User
2020-02-27T15:49:09Z
Feb 27, 2020
The answers already provided are succinct but accurate. To explain the difference to a non-technical audience, think of EPP as a wall to keep bad things out, and EDR as a sensor to identify when bad things are happening and raise an alarm (think motion sensor). The wall will stop some things but you don’t know what and when and how many. The sensor tells you when something is happening but can’t actually stop the bad thing.
In practice, the two technologies are converging; given the size of your organization, you probably need both.
Sr. Engineer at a tech services company with 501-1,000 employees
Real User
2020-01-21T10:39:39Z
Jan 21, 2020
EPP (Endpoint Protection Platform) covers traditional anti-malware scanning, whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and investigating security incidents, and ability to remediate endpoints to pre-infection state.
Traditional EPP solutions cover more basic features such as anti-malware & integrated security solutions designed to detect and block threats at a device level. Typically this includes antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP)
Whereas EDR solutions covered more advanced capabilities like detecting and investigating security incidents, and the ability to remediate endpoints to pre-infection state.
Vice President at a security firm with 10,001+ employees
Real User
2020-01-21T01:15:13Z
Jan 21, 2020
Great question, and one that is confusing even to many experts.
Traditionally, an Endpoint Protection Platform (EPP) is a first-line defense mechanism, effective at blocking known threats. Endpoint Detection and Response (EDR) is the next layer of security, providing additional tools to search or hunt for threats or respond to incidents.
There is an increasing alignment or “convergence” of the two markets. While EDR was initially positioned as a solution for large enterprises with dedicated Cyber Security Operations Center or capability, other groups are also implementing EDRs for support to incident response. The vendors on both the EPP and EDR side are adding customer-requested features to have an “all in one” solution that is converging the tools.
One issue is that sometimes it is better to have those capabilities in place but to engage an outside forensics firm for enterprise-level incident response. Having the internal security team investigate enterprise-level breaches, internal employee investigations that may involve executives or anything around corporate litigation may not be the appropriate separation of duties. Specifically engaging trusted third party incident response and investigative teams provides independence from the internal team that designed the security also investigate any potential failures, or having to investigate the emails of your own leadership.
Prinicipal Security Sales Engineer at a computer software company with 501-1,000 employees
Real User
2020-01-21T00:17:56Z
Jan 21, 2020
I 2nd Jehyun's response! Another way of looking at it is that EPP (End Point Protection) is your traditional Antivirus/AntiMalware solution on the endpoint (Symantec, McAfee, etc.) whereas EDR (Endpoint Detection and Response) has been represented by companies such as Carbon Black.
Product Manager at a comms service provider with 501-1,000 employees
Reseller
2020-01-20T12:36:49Z
Jan 20, 2020
My vision is very simple. EPP (Endpoint Protection Platform) is working based on predefined rules and definitions (virus definitions/signatures, black/white lists and etc.). EDR works based on models for abnormal activities (registry change, network connection, binary execution). EPP is focused over end-point as a standalone device, EDR is working on the company (group of workstations from the same domain) level and correlates information from all endpoints into the network (possibility to identify the lateral movement of the threats).
EDR solutions easily communicate with other security solutions (SIEMs, tools for forensic analysis), but most probably this not something remarkable or big differentiator, because this can change.
Information Security Analyst at Detecon Al Saudia Co. Ltd.
Real User
2020-01-20T12:28:12Z
Jan 20, 2020
EPP is your favorite Anti-Malware and Anti-Virus Solution. EDR (Endpoint Detection and Response) most commonly use for APT solution amd ideal for small bussiness Security Incident response team.
In simple terms:- An EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.
An EDR, on the other hand, is specifically built to handle this situation.
Almost all endpoint security manufacturers have this product capability today in their line and always the EDR component is an add on and is as or more expensive than the use system
I have used McAfee endpoint security with EDR functionality in my previous organization and I can confidently say that the money was well spent. - You may remember the May Day attack which as highly publicized? Well, I'm proud to say McAfee's defense system with EDR stopped the assault in its tracks with zero loss!
I'm not pushing McAfee here because other manufacturers too have equally matching capability
So in summation, please bear in mind the following points - this is my personal bible so to say.
1. McAfee/Symantec/TRendMicro/Sophos/ CrowdStrike/Carbon Black to name a few - all are equally good. There will be a few key features which you may need or not need -please concentrate effort on that
2. - VERY IMPORTANT - whoever you choose as the solution, please ensure that you have local support from the OEM in your country; talk to your account manager from the OEM.
3. All-around security - select a product that can integrate all the way up to your gateway firewall or can share data mutually
4. Run a full feature deployment in 3 parts - normal users( who use day to day apps), laptop users who are always on travel and the trouble-making systems and the most important part - management users.
5. Choose a reseller who has good tech support capabilities.
6. Ensure your admin guys are suitably trained on it.
Senior Cyber Security Consultant at Infosec Ventures
Reseller
2020-01-20T07:21:31Z
Jan 20, 2020
EPP: Endpoint Protection Platform (Typically AV for Endpoint/servers, it may also includes features like Host Firewall, Host IPS, Device Control, web reputation etc etc)
EPP will protect the endpoint/servers from malware.
EDR: Endpoint Detect & Response
EDR solution doesn't provide any protection such as EPP, it works on top of EPP solution which will provide visibility of the all the activities done on the endpoints.
EDR solution help to find suspicious activity and re-mediate the same.
In a layman terms, If you're protecting a gate, your gatekeeper is EPP and Security Camera is EDR.
Please use below link for more details.
https://www.cybrary.it/0p3n/epp-vs-edr-whats-the-difference-and-why-you-may-need-both/
Well as far as I know EPP is a protection for End Point User and it is mostly regarding Anti Virus, worm , trojan etc. Where as EDR is end Point Detection which mostly consist of sand boxing and mostly deployed at server or gateway. Most of EDR required same companies end point protection to work with. For example if you are using trendmicro end point protection than you must use trend Micro EDR.. so forth and so on.
Endpoint protection platforms (EPPs) have evolved beyond traditional antivirus software to offer advanced threat detection and response capabilities. Many EPPs also offer threat-hunting or SOC services to provide organizations with real-time visibility into security incidents and remediation recommendations.
Among the EPP providers that offer these services are the following, and, obviously, this is just a sample but, hopefully, also a good start:
CrowdStrike Falcon Complete
Kaspersky Endpoint Security has an Endpoint Detection and Response
McAfee (Trellix) Endpoint Security Managed Detection and Response (MDR)
Palo Alto Networks Unit 42 MDR Service for Cortex XDR
SentinelOneVigilance Respond
Sophos MDR
Symantec (Broadcom) Endpoint Protection Managed Endpoint Detection and Response
Trend Micro Apex One Managed XDR
VMware Carbon Black MRDR
Sophos MDR is interesting in that it leverages other providers' cybersecurity technologies including telemetry from AWS, Check Point, CrowdStrike, Darktrace, Fortinet, PAN, and others.
Yes, there are endpoint protection platforms that offer threat-hunting or SOC (Security Operations Center) services, and Custodian360 is one of them.
Endpoint protection platforms (EPPs) are security solutions that are installed on endpoint devices to detect, prevent, and respond to cyber threats. Threat-hunting is a proactive approach to cybersecurity that involves actively searching for threats and vulnerabilities that might have evaded traditional security measures. SOC services involve monitoring and analysing security events to identify and respond to security incidents.
Custodian360 is a comprehensive endpoint protection platform that offers both threat-hunting and SOC services. It uses a combination of signature-based and behavior-based detection to detect and respond to cyber threats in real-time. The platform has a built-in threat-hunting engine that continuously scans endpoints for signs of compromise, and it also has a team of expert analysts who perform manual threat-hunting to identify and respond to advanced threats.
Custodian360's SOC services include 24/7 monitoring and analysis of security events, incident response, and forensic investigation. The platform also provides detailed reporting and analytics to help organisations understand their security posture and identify areas for improvement.
In summary, Custodian360 is an endpoint protection platform that offers threat-hunting and SOC services, making it an ideal solution for organisations that want comprehensive protection against cyber threats.
There are several endpoint protection solutions available that can provide protection for endpoints running on Linux, Windows, and MacOS. Among them are Symantec (Broadcom) Endpoint Protection, Trend Micro Apex One, McAfee (Trellix) Endpoint Security, Kaspersky Endpoint Security for Business, ESET Endpoint Security, Palo Alto Networks Cortex XDR and, perhaps surprisingly (but then again, not) Microsoft Defender for Endpoint. (This is not an exhaustive list).
However, the devil is in the details regarding which versions of an OS and what kind of hardware requirements a given solution supports. You need to closely check the specifics of the range of devices you have with what a given vendor covers. It's also important to note that for agent-based solutions, the minimum processor requirements may allow you to install the product, but if you're just getting by in that regard, there could be issues with computer performance.
Symantec supports a fairly broad range of Linux and Windows Embedded versions, but does not support application control on Mac, Windows Servers, Windows Embedded, Linux, or mobile devices.
Trend Micro Apex One's agents support support from macOS High Sierra 10.13 to macOS Monterey 12, on Apple M1, Apple M2, or Intel® Core processors. To protect Linux file, web, and application servers with Trend Micro, you'll need its ServerProtect product.
McAfee handles Windows 8.1, 10, and 11, and offers limited customer service if you try running it on Windows 8.0 and 7.x. For macOS it goes as far back as Mac OS X 10.10 and through to macOS 12 (Monterey). For Linux it offers limited coverage: Ubuntu 16.04, Ubuntu 18.04, and Ubuntu 20.4.
With Kaspersky Endpoint Security for Business you get Windows, of course, and pretty extensive Linux coverage, with nine 32-bit OSs covered, and literally dozens of 64-bit Linux flavors. Mac coverage is included in the Advanced and Select versions of Kaspersky ESB (and you also get Android and iOS).
ESET Endpoint Security will work with Windows 7 - 11 (although some features are not supported on ARM processors) macOS 10.12 and up, and a couple of 64-bit Linux systems: Ubuntu Desktop 18.04 LTS and RHEL Desktop 7.
PAN Cortex XDR supports Windows 8 - 11 as well as macOS as far back as 10.13 with its 7.5-CE release. Subsequent 7.x releases cover later macOS versions (with 7.7.3 and later handling macOS 13.x). Cortex XDR only supports 64-bit Linux and you have to install a supported kernel module version, but it does cover a good selection of the main Linux offerings including CentOS, Debian, Oracle, RHEL, openSUSE, and Ubuntu.
Microsoft Defender for Endpoint has coverage for macOS 11 (Big Sur), 12 (Monterey), and 13 (Ventura), although Big Sur requires some additional configuration. It also protects more recent versions of RHEL, CentOS, Ubuntu, Debian, and Oracle Linux. Android (6.0 and higher) and iOS (11.0 and higher) are also available.
As for legacy systems, it's best to explicitly ask the vendor if they cover the particular hardware/OSs you have. For example, older versions of Symantec Endpoint Protection 14 cover Windows as far back as Vista, and Windows Server as far back as Windows Server 2008 (RTM, SP1, SP2).
We’re launching an annual User’s Choice Award to showcase the most popular B2B enterprise technology products and we want your vote!
If there’s a technology solution that’s really impressed you, here’s an opportunity to recognize that. It’s easy: go to the PeerSpot voting site, complete the brief voter registration form, review the list of nominees and vote. Get your colleagues to vote, too!
...
If you’re weighing your options for endpoint security solutions, there are many options out there. However, solutions vary greatly in terms of how effectively they can protect your network. I want to help you make the best decision possible, so here are some questions to ask before buying an endpoint security solution, and why they are important.
1) Does the solution employ Foundational Tech...
Hi dear community members,
This is our latest community digest. It helps you catch up on recent contributions by community members. Comment below with your feedback and suggestions!
Trending
What are the Top 5 cybersecurity trends in 2022?
What are the main benefits of modern IT Asset Discovery tools?
Tip
Post an educational article from your Home feed and receive 20 point...
Hi community members,
Spotlight #2 is our fresh bi-weekly community digest for you. It covers cybersecurity, IT and DevOps topics. Check it out and comment below with your feedback!
Trending
What are the pros and cons of internal SOC vs SOC-as-a-Service?
Join The Moderator Team at IT Central Station (soon to be PeerSpot)!
Questions
Share your experience with other peers by ans...
EPP (Endpoint Protection Platform) covers traditional anti-malware scanning. EPP is typically designed to reactively detect and block threats at device level e.g. antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP) whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and investigating security incidents, and ability to remediate endpoints to pre-infection state e.g. EDR contains many security tools like firewall, whitelisting tools, monitoring tools, etc. to provide comprehensive protection against digital threats and allows for preparing an appropriate incident response. EDR is the endpoint which is responsible for proactive detection and response processes.
EPP (Endpoint Protection Platforms) and EDR (Endpoint Detection & Response) products are both critical elements of enterprise security, with each type offering different value. The primary difference between the two is that EPP products focus on prevention while EDR focuses on the detection.
EPP solutions provide proactive defense against known threats such as anti-virus, firewall, application control, and patch management. They are designed to protect endpoints from the onslaught of malicious attacks which can affect an organization's connected devices or users directly. By detecting malicious code or suspicious activity through a combination of measures such as heuristics, sandboxing, and behavioral analysis in real-time, these tools help organizations mitigate potential risks resulting from known threats quickly while strengthening their overall cyber defense posture.
On the other hand, Endpoint Detection and Response Solutions provide visibility into endpoint activities across the wider organizational environment – including cloud infrastructure – to rapidly identify potential threat actors before they can cause damage to an organization’s systems or data assets. Powered by machine learning algorithms as well as traditional approaches for anomaly detection like static signatures, behavior monitoring, and user access reviews; these tools help detect advanced persistent threats (APTs), insider threats, and zero-day attacks in order to prevent any unauthorized use of sensitive information by untrusted parties.
In short: EPP protects systems proactively from known threats while EDR detects malicious activities after initial infiltration in order to neutralize them quickly in real-time before significant damage occurs. Thus, forming a strong defense line for any modern business looking for full coverage against today's cyber threats' landscape.
I think most of the comments cover all the key points.
EDR-End point Detection and Response.
Its main functions are: To monitor, record activity on endpoints, detect suspicious behaviour, security risks and respond to internal external threats.
Which further includes- Providing Authenticating log-ins, Monitoring network activities, and deploying updates.
Its Capabilities: 1. Continuous endpoint data collection.
2. Detection engine
3. Data recording.
It is considered as next layer of security
Its limitation:
No in depth visibility
IR team needs to deal with false alarm and have to handle restoring process.
Struggle to find the attackers who infiltrated for the damanage caused.
Not an holistic approach
EPP-End point protection platform.
Its functionality covers:
Antivirus
Anti-malware
Data encryption
Personal firewalls
IPS
DLP
It works mainly on signature based approach and more broader detection techniques.
It is considered as first line defence.
Keeping in view of the above points currently Holistic Endpoints Security solutions approach is emerging ie EDR providers are incorporating aspects of EPP and vice versa resulting in considering EDR as a subset of EPP.
Examples of such products or tools
Symantec and Cynet.
I hope the above points cover the difference between EDR & EPP.
Endpoint Detection and Response (EDR) is a category of security tools that are designed to monitor and record activity on endpoints, detect suspicious behavior, security risks, and respond to internal and external threats.
EDR tools consist of three main mechanisms to fulfill this function:
• Continuous endpoint data collection—aggregates data on events such as process execution, communication, and user logins. This involves continually monitoring all events at the endpoints.
• Detection engine—performs data analysis to discover anomalies and detect malicious activity on endpoints. This step is crucial for sifting through events to identify genuine security incidents.
• Data recording—provides security teams with real-time data about security incidents on endpoints, which they can then use for investigative purposes. This can help inform endpoint protection strategies.
Incident Report teams still need to deal with multiple platforms and false alarms and to handle the restoration process themselves. IR teams often struggle to find the attackers that infiltrated the protection layers before they cause damage. To deal with all potential risks, a more holistic approach is needed, a platform which can be a solution to all types of threats. EPP (Endpoint Protection Platform) is the platform to achieve this goal.
Endpoint protection platform provides essential security for many types of endpoints, from smart phones to printers. An endpoint protection platform (EPP) is an integrated suite of endpoint protection technologies, such as antivirus, data encryption, intrusion prevention, and data loss prevention, that detects and stops a variety of threats at the endpoint.
An endpoint protection platform provides a framework for data sharing between endpoint protection technologies.
It might seem like the distinction between EPP and EDR is straightforward, but it is not that simple. Traditionally, EPP is defined as a first-line defense mechanism, effective at blocking known threats. While EDR is defined as the next layer of security, providing additional tools to detect threats, analyze intrusions, and respond to attacks.
Endpoint protection (EPP) usually means anti-malware, anti-spam, anti-phishing, etc. These are features prevent attacks without a detailed explanation of why EPP stops an action and how the attack is.
Endpoint detection and response (EDR) usually means how to record the attack in detail and provide certain remediation methods to recover the affected machines or files.
In other words. EPP shows “what and when”. EDR shows “why and how”.
An EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.
An EDR, on the other hand, is specifically built to handle this situation.
Almost all endpoint security manufacturers have this product capability today in their line and always the EDR component is an add on and is as or more expensive than the use system.
EPP is focused on detecting malware, but EDR is focused on logging endpoint an event and this event is used for threat hunting or incident response. So you need advanced security analysts to get the desired effect.
EPP and EDR are not a completely separate solution. EDR is a core component of an EPP product. And many EPP vendors add EDR features to their EPP solution.
The biggest difference is time frames. EPP is meant to PREVENT infection. EDR is meant to deal with endpoints once they ARE infected.
I believe the biggest difference between EPP and EDR solutions is directly in the names, and both are crucial to security. EPP sits on the device and works to repel attacks from various sectors based on known threats (malware, phishing, etc. – all external); EDR monitors the endpoint to detect when something is wrong either because EPP failed to thwart the attack/didn’t know the threat or the enterprise user/device user does something malicious (insider threat) and EDR is able to respond autonomously at lockdown the malware/behavior.
Does that make sense?
I think the difference is more marketing-speak than technical features, and the terms are used inconsistently by the security vendors. The featured answer has some additional insight.
The answers already provided are succinct but accurate. To explain the difference to a non-technical audience, think of EPP as a wall to keep bad things out, and EDR as a sensor to identify when bad things are happening and raise an alarm (think motion sensor). The wall will stop some things but you don’t know what and when and how many. The sensor tells you when something is happening but can’t actually stop the bad thing.
In practice, the two technologies are converging; given the size of your organization, you probably need both.
EPP (Endpoint Protection Platform) covers traditional anti-malware scanning, whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and investigating security incidents, and ability to remediate endpoints to pre-infection state.
Traditional EPP solutions cover more basic features such as anti-malware & integrated security solutions designed to detect and block threats at a device level. Typically this includes antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP)
Whereas EDR solutions covered more advanced capabilities like detecting and investigating security incidents, and the ability to remediate endpoints to pre-infection state.
EPP Endpoint Protection Platform like McAfee EPO contains most things like antivirus, DLP, and IPS.
EDR is a combination of next-gen antivirus and behavior analysis solution.
Great question, and one that is confusing even to many experts.
Traditionally, an Endpoint Protection Platform (EPP) is a first-line defense mechanism, effective at blocking known threats. Endpoint Detection and Response (EDR) is the next layer of security, providing additional tools to search or hunt for threats or respond to incidents.
There is an increasing alignment or “convergence” of the two markets. While EDR was initially positioned as a solution for large enterprises with dedicated Cyber Security Operations Center or capability, other groups are also implementing EDRs for support to incident response. The vendors on both the EPP and EDR side are adding customer-requested features to have an “all in one” solution that is converging the tools.
One issue is that sometimes it is better to have those capabilities in place but to engage an outside forensics firm for enterprise-level incident response. Having the internal security team investigate enterprise-level breaches, internal employee investigations that may involve executives or anything around corporate litigation may not be the appropriate separation of duties. Specifically engaging trusted third party incident response and investigative teams provides independence from the internal team that designed the security also investigate any potential failures, or having to investigate the emails of your own leadership.
I 2nd Jehyun's response! Another way of looking at it is that EPP (End Point Protection) is your traditional Antivirus/AntiMalware solution on the endpoint (Symantec, McAfee, etc.) whereas EDR (Endpoint Detection and Response) has been represented by companies such as Carbon Black.
My vision is very simple. EPP (Endpoint Protection Platform) is working based on predefined rules and definitions (virus definitions/signatures, black/white lists and etc.). EDR works based on models for abnormal activities (registry change, network connection, binary execution). EPP is focused over end-point as a standalone device, EDR is working on the company (group of workstations from the same domain) level and correlates information from all endpoints into the network (possibility to identify the lateral movement of the threats).
EDR solutions easily communicate with other security solutions (SIEMs, tools for forensic analysis), but most probably this not something remarkable or big differentiator, because this can change.
EPP is your favorite Anti-Malware and Anti-Virus Solution. EDR (Endpoint Detection and Response) most commonly use for APT solution amd ideal for small bussiness Security Incident response team.
In simple terms:- An EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.
An EDR, on the other hand, is specifically built to handle this situation.
Almost all endpoint security manufacturers have this product capability today in their line and always the EDR component is an add on and is as or more expensive than the use system
I have used McAfee endpoint security with EDR functionality in my previous organization and I can confidently say that the money was well spent. - You may remember the May Day attack which as highly publicized? Well, I'm proud to say McAfee's defense system with EDR stopped the assault in its tracks with zero loss!
I'm not pushing McAfee here because other manufacturers too have equally matching capability
So in summation, please bear in mind the following points - this is my personal bible so to say.
1. McAfee/Symantec/TRendMicro/Sophos/ CrowdStrike/Carbon Black to name a few - all are equally good. There will be a few key features which you may need or not need -please concentrate effort on that
2. - VERY IMPORTANT - whoever you choose as the solution, please ensure that you have local support from the OEM in your country; talk to your account manager from the OEM.
3. All-around security - select a product that can integrate all the way up to your gateway firewall or can share data mutually
4. Run a full feature deployment in 3 parts - normal users( who use day to day apps), laptop users who are always on travel and the trouble-making systems and the most important part - management users.
5. Choose a reseller who has good tech support capabilities.
6. Ensure your admin guys are suitably trained on it.
EPP: Endpoint Protection Platform (Typically AV for Endpoint/servers, it may also includes features like Host Firewall, Host IPS, Device Control, web reputation etc etc)
EPP will protect the endpoint/servers from malware.
EDR: Endpoint Detect & Response
EDR solution doesn't provide any protection such as EPP, it works on top of EPP solution which will provide visibility of the all the activities done on the endpoints.
EDR solution help to find suspicious activity and re-mediate the same.
In a layman terms, If you're protecting a gate, your gatekeeper is EPP and Security Camera is EDR.
Please use below link for more details.
https://www.cybrary.it/0p3n/epp-vs-edr-whats-the-difference-and-why-you-may-need-both/
Try www.cynet.com it has both EPP & EDR plus NBA, UBA, Deception, VM,, Sandboxing, 24*7 SOC.
Well as far as I know EPP is a protection for End Point User and it is mostly regarding Anti Virus, worm , trojan etc. Where as EDR is end Point Detection which mostly consist of sand boxing and mostly deployed at server or gateway. Most of EDR required same companies end point protection to work with. For example if you are using trendmicro end point protection than you must use trend Micro EDR.. so forth and so on.
Please find some good explanation through the following link:
https://www.cisco.com/c/en/us/products/security/what-is-endpoint-protection-platform.html
EPP is based on signature and EDR on behavior, allowing EDR to stop malware on day 0.