2020-05-25T12:38:00Z

What is the difference between EDR and traditional antivirus?

Can EDR replace antivirus, or are both needed?

Rony_Sklar - PeerSpot reviewer
Community Manager at a tech services company with 51-200 employees
18 Answers
SN
Chief Executive Officer at Vincacyber
Real User
2020-05-27T04:45:37Z
May 27, 2020

You can use EDR solutions to track, monitor, and analyze data on endpoints to enhance the fortification of your environment. Generally, EDR tools do not replace traditional tools like antivirus and firewalls; they work beside them to provide enhanced security capabilities. It is becoming the preferred technology for enterprises to provide better security for their networks when compared with the traditional antivirus.

EDR solutions have many capabilities and advantages which are not offered by traditional antivirus programs. They come loaded with different analytical tools that run in the background to ensure the monitoring and reporting of threats. However, not all EDR solutions perform the same range of functions. Their scope and nature of activities differ depending on the type of EDR solution that you choose.

Traditional antivirus programs are more simplistic and limited in scope compared to the modern EDR systems. Antivirus is generally a single program which serves basic purposes like scanning, detecting and removing viruses and different types of malware.

Antiviruses are more of a decentralized security system that falls short of providing adequate security to the ever-expanding digital networks. The IT network and perimeter of enterprises have witnessed even faster growth due to the mobile revolution.

JR
CTO at systema
Consultant
Leaderboard
2021-07-16T04:42:29Z
Jul 16, 2021

The differences are:

Detection methods standpoint

Antivirus uses the traditional method of a signature database. It combines malware information such as hashes of the file, its name, and certain code signatures in the virus functionality. It is static.

EDR uses a different method, such as the dynamic behaviour of the virus/malware. It scans the processes and the ways a file interacts with the OS. They will have a baseline to see whether a behaviour is malicious or not.

Functionality range

Antivirus simply detects and deletes the virus. It doesn't see the behaviour of the virus/malware. If it is in the virus signature database, it will be able to clean/remove/quarantine it on the endpoint.

EDR does much more: it can remediate the actions of the virus/malware because it monitors the endpoint's processes and behaviours. Certain techniques can be reversed, though not all.

AV uses a negative security model approach. EDR uses a positive security model approach. So unless you can tune your security policies to be really strict, to gain the advantage of the positive security model, you might want to still resort to the negative security model approach.

Can EDR replace Antivirus?

It depends. Several EDR vendors incorporate AV detection methods and still combine the use of a static database of virus signatures with modern behaviour detection. So if you are using an EDR which can provide AV functionality, yes, you are good to go. Generally, you could choose those vendors who were initially AV vendors and later evolved their products to become EDR.

Other EDRs function specifically only as threat hunting or digital forensic tools; they do complete behaviour monitoring of the systems and will not have AV detection methods. This will be problematic for some users, although not all, because the EDR will produce much more noise and you will have to really tune the policy so that it behaves according to your organization's needs. These vendors are not particularly AV vendors, but rather different cybersecurity vendors which complement their capabilities with the EDR proposition.
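The two detection models contrasted in this answer (a static signature database versus a behavioural baseline) and the negative versus positive security model it mentions can be shown side by side in a few lines. The following is an added illustration, not code from the answer or from any vendor's product: the signature database, the baseline of parent/child process pairs, the write-count threshold and the telemetry records are all constructed for the example, and the scoring weights are arbitrary. It shows why a one-byte change defeats a hash signature while the same activity scores identically under the behavioural check, and how an allowlist only helps when it is kept strict.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "signature database": hashes of made-up byte strings, not of any
# real malware. A static AV engine compares file hashes against such a list.
KNOWN_BAD_SHA256 = {
    sha256_hex(b"constructed-sample-A"),
    sha256_hex(b"constructed-sample-B"),
}


def signature_verdict(file_bytes: bytes) -> str:
    """Negative security model: everything is allowed unless it matches the
    static database. Any change to the bytes yields a new hash and a miss."""
    return "block" if sha256_hex(file_bytes) in KNOWN_BAD_SHA256 else "allow"


@dataclass(frozen=True)
class ProcEvent:
    """One endpoint telemetry record (constructed format, not a vendor schema)."""
    pid: int        # process that performed the action
    image: str      # image name of that process
    action: str     # "spawn" (target = child image) or "file_write" (target = path)
    target: str


# Constructed baseline: parent/child pairs observed during normal operation and
# the most distinct files one process normally writes in an observation window.
BASELINE_SPAWNS = {
    ("explorer.exe", "winword.exe"),
    ("explorer.exe", "outlook.exe"),
    ("services.exe", "svchost.exe"),
}
BASELINE_MAX_WRITES = 20


def behaviour_verdict(events, baseline_spawns=BASELINE_SPAWNS,
                      max_writes=BASELINE_MAX_WRITES):
    """Behaviour model: score each pid by how far its activity departs from the
    baseline. No file hash is consulted, so a re-packed sample scores the same."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    written = defaultdict(set)
    for ev in events:
        if ev.action == "spawn" and (ev.image, ev.target) not in baseline_spawns:
            scores[ev.pid] += 5
            reasons[ev.pid].append(f"{ev.image} spawned {ev.target} (not in baseline)")
        elif ev.action == "file_write":
            written[ev.pid].add(ev.target)
    for pid, paths in written.items():
        if len(paths) > max_writes:
            scores[pid] += 10
            reasons[pid].append(
                f"{len(paths)} distinct files written (baseline max {max_writes})")
    return {pid: (scores[pid], reasons[pid]) for pid in scores}


def allowlist_verdict(image: str, allowlist: set) -> str:
    """Positive security model: only listed images may run; anything else is
    blocked. Useful only if the list is kept strict and complete."""
    return "allow" if image in allowlist else "block"


def demo_events():
    """Constructed telemetry: one benign launch that matches the baseline, then a
    document editor launching a script host, which rewrites 25 user files."""
    events = [
        ProcEvent(100, "explorer.exe", "spawn", "winword.exe"),
        ProcEvent(4242, "winword.exe", "spawn", "powershell.exe"),
    ]
    events += [ProcEvent(4243, "powershell.exe", "file_write",
                         f"C:\\Users\\u\\Documents\\doc{i}.docx") for i in range(25)]
    return events


if __name__ == "__main__":
    sample = b"constructed-sample-A"
    print("signature, original bytes:", signature_verdict(sample))
    print("signature, one byte appended:", signature_verdict(sample + b"!"))
    for pid, (score, why) in behaviour_verdict(demo_events()).items():
        print(f"pid {pid}: score {score}; " + "; ".join(why))
    print("allowlist, unlisted image:",
          allowlist_verdict("powershell.exe", {"winword.exe", "outlook.exe"}))
```

Running it prints "block" for the original bytes and "allow" for the same bytes with one character appended, while pid 4242 and pid 4243 both receive a non-zero behaviour score regardless of what their binaries hash to. The allowlist verdict shows the other half of the answer's point: the positive model blocks the unlisted image outright, which is only workable if the organisation can maintain that list strictly.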

AW
User at a tech services company with 11-50 employees
Real User
2021-07-15T03:05:29Z
Jul 15, 2021

Some products incorporate AV into the EDR as the basic element.

Considering the budget, some users might choose the AV. EDR is much more powerful than AV when you need forensics. The traditional AV is signature-based and heuristic. EDR leverages more, e.g. deep learning, behavioral analysis, ...

BH
IT Security Coordinator at a healthcare company with 10,001+ employees
Real User
Top 5
2020-05-27T18:59:38Z
May 27, 2020

So this is what WIKI says about EDR:
EDR systems detect all endpoint threats and provide real-time response to the identified threats. ... EDR systems also collect high-quality forensic data which is needed for incident response and investigations. Overall, EDR security systems are much better equipped at handling cyber threats than traditional antivirus.

But IMHO, it depends. It depends on the products you are looking at, it depends on the cost, it depends on what you are trying to cover or prevent from happening, and it depends on the tools' capabilities. Some tools are better than others. Some A/V is better than EDR; some EDR is better than A/V. It's a very active space with a HUGE number of contenders all vying for your security dollars. You just have to ask them the right questions and bounce their answers against their competitors, your bosses, and your friends' opinions to get out of it what you need, for the least cost and most coverage. Do some POCs and RFIs to see what fits you, your environment and your needs first before you decide. Then spend the next 3 yrs extracting every bit of juice out of the tool you can to make it purr like a kitten.

If you don't need it and you can get by on Defender as an 80% solution, then go with Defender. If you need Carbon Black and McAfee, do that. It comes down to your needs and what's good enough for you.

Nikki Webb - PeerSpot reviewer
Global Channel Manager at Custodian360
Consultant
Top 20
2020-05-26T15:39:00Z
May 26, 2020

EDR can replace antivirus, if you get the right EDR solution. A solution that combines EPP and EDR into one is a replacement for traditional antivirus. EPP provides all the protection you would get from antivirus and more. Happy to discuss further if you have any more questions.

MD
IT Project Manager at a tech services company with 51-200 employees
User
2020-05-26T11:35:56Z
May 26, 2020

Hello, EDR can replace a normal antivirus and can offer even more, as they can effectively respond to an attack, isolate the end device or restore destroyed data. After that you can analyse the attack. We're using SentinelOne for us and our customers and are more than happy, as we're protected against new and old ransomware.

PM
Managing Member at Commerce Technologies LLC
User
2021-07-16T00:33:31Z
Jul 16, 2021

EDR goes far beyond traditional antivirus.

It can detect ransomware attacks, malware, rogue programs, and viruses, as well as automatically isolate any infected system from your network. It can also detect unknown infections by detecting activities consistent with viruses or encryption. And, in the event anything did get through, you can roll back your infected system for up to 72 hours.

If something got through and infected your network, the response is included, and their techs will come out at no additional charge to assist in restoring your network and data. Of course, even better than EDR or antivirus is a well-trained staff that knows not to click on links or open files in suspicious emails.

AT
Managing Director at FOX DATA
Reseller
Top 10
2021-07-15T06:51:36Z
Jul 15, 2021

Next-Generation Antivirus (NGAV) uses a combination of artificial intelligence, behavioural detection, machine learning algorithms, and exploit mitigation, so known and unknown threats can be anticipated and immediately prevented. NGAV is cloud-based, which allows it to be deployed in hours instead of months, and the burden of maintaining software, managing infrastructure, and updating signature databases is eliminated.

NGAV is the next step in endpoint protection, using a signature-less approach to deliver more complete and effective endpoint security than is possible with legacy AV.

- Protects against the entire spectrum without requiring daily and cumbersome updates
- Combines the best prevention technologies — machine learning, AI, indicators of attack (IOAs), exploit blocking and more — to stop ransomware and malware-free and fileless attacks
- Covers the gaps left by legacy AV and fully protects endpoints online and offline
- Full attack visibility: unravels an entire attack in one easy-to-grasp process tree enriched with contextual and threat intelligence data

Legacy AV

Legacy AV uses strings of characters called signatures that are associated with specific types of malware to detect and prevent further attacks of similar types. This approach is becoming obsolete as sophisticated attackers have found ways around legacy AV defenses, such as by leveraging fileless attacks that use macros, scripting engines, in-memory execution, etc.

Legacy AV leaves organizations locked into a reactive mode, only able to defend against known malware and viruses catalogued in the AV provider's database. That approach was the best available in the past, but today, when unknown threats need to be addressed with the same rigour as known threats, it is sorely inadequate.

Basically, legacy AV lacks:

- Detection of unknown threats: relies on signatures, which are hard to update and ineffective against fileless attacks
- Impact on the endpoint: scans and updates consume high percentages of resources and slow down endpoints
- Deployment is complex

NGAV eliminates these shortcomings, as the integration of more sophisticated prevention methods – such as machine learning, behavioural detection, and artificial intelligence – removes the sole reliance on signatures to detect malicious activity. NGAV protects against unknown threats as well as known threats, which is increasingly important as the use of fileless attacks rises among attackers. NGAV enables both types of threats to be exposed in near real time, and is much more effective at helping organizations block these threats at a far greater speed than in the past.

NGAV solutions are designed to employ a single, lightweight agent that is unobtrusive in nature and has a minimal impact on the endpoint.

Reference: Our successful partnership engagement and experience with CrowdStrike


SAMUELMWANGI - PeerSpot reviewer
Director at Calidad Systems Limited
Real User
Top 5
2021-07-15T05:29:40Z
Jul 15, 2021

EDR is a more advanced program that collects data from the nodes and also does analysis and identifies where the threat is originating from.

Antivirus, or AV, is a single program that is used to scan files and the OS for known threats like Trojans, worms, and malware.

MS
Sr. Technology Architect at Incedo Inc.
Real User
Top 5
2021-07-14T19:49:23Z
Jul 14, 2021

Yes, EDR replaces traditional antivirus, as it's one step up from traditional antivirus. It includes all the features of antivirus as well as advanced features.

it_user1146165 - PeerSpot reviewer
Cibersecurity Pre-Sales at Ingram Micro Inc.
Real User
2020-05-27T03:42:17Z
May 27, 2020

EDR is an add-on for endpoint protection. EDR is for detecting post-intrusion threats or persistent advanced threats. EDR enables identification and prevention of reconnaissance attacks, lateral movement, command and control channels and data filtering. EDR can also analyze user behavior against a baseline.

TC
IT Security Architect at a computer software company with 51-200 employees
User
2020-05-26T21:15:19Z
May 26, 2020

Yes, EDR will replace traditional A/V with most solutions. Make sure to validate with your vendor but the reputable ones certainly cover A/V. You do not need to have both as this is unnecessary overhead. Any (reputable) EDR will have known bad MD5 already included.

RG
Client Executive at a computer software company with 1,001-5,000 employees
User
2021-07-16T13:39:31Z
Jul 16, 2021

Anti-virus is a signature-based approach that first entered the market almost 39 years ago. Adversaries have learned to make continuous and persistent changes to their code to thwart these systems.

EDR is the next generation of these technologies that looks at behaviors and not signatures. Anti-virus is bad, EDR is good!

SAMUELMWANGI - PeerSpot reviewer
Director at Calidad Systems Limited
Real User
Top 5
2021-07-16T06:24:18Z
Jul 16, 2021

EDR is modern technology. Hence it can detect and clear threats, so when using EDR you don't need to use antivirus.

When both are used they will slow the machine and sometimes cause technical issues.

KW
Chief Research Officer at tiberium
User
2021-07-15T13:46:46Z
Jul 15, 2021

A very broad church. EDR has now moved on to XDR (Extended Detection and Response).

Detection is driven by legacy signature methods in most, if not all, endpoint products. This is augmented with activity anomaly recognition, etc. As with everything, it isn't what you have got, it is what you do with it.

If you have a Microsoft estate, feel free to contact me for sales-free advice.

PP
Management Executive at a security firm with 11-50 employees
Real User
2021-07-15T11:41:46Z
Jul 15, 2021

EDR, simply put, is a next-gen antivirus with much more capability. Look at Cynet.

MD
IT Project Manager at a tech services company with 51-200 employees
User
2020-05-28T20:10:18Z
May 28, 2020

There is never 100% security, and I'm warning against using too much endpoint protection on the client, as each one has a small negative impact on performance.
And when using two, they will slow each other down.
To replace an anti-virus, just use a good EDR, which replaces the AV and does even more.

2020-05-26T15:34:52Z
May 26, 2020

Yes, it is a good level of protection to have EDR alone, but for better protection I recommend having the two solutions together, but from different manufacturers for EDR and AV.

Related Questions
SK
System Administrator at Navisite
Aug 16, 2023
Hello peers,  I am a System Administrator at a large tech vendor. I am currently researching EDR tools and wish to learn more about them. What is your experience with EDR solutions? What is the best way to work with EDR security as a SOC consultant? Thank you for your help.
Gerald Mbewa - PeerSpot reviewer
Cyber Security Analyst at DIgital Sentry Ltd
Aug 9, 2023
Working with Endpoint Detection and Response (EDR) security as a Security Operations Center (SOC) consultant involves a strategic and hands-on approach to effectively manage and respond to potential security threats and incidents. To effectively work with EDR security:
- Configure tools: set up EDR tools to monitor endpoints efficiently.
- Customize rules: tailor detection rules for specific threats.
- Monitor continuously: keep a watchful eye on endpoint activities in real time.
- Proactively hunt: actively seek hidden threats beyond automated alerts.
- Use threat intel: integrate threat intelligence to enhance detection.
- Respond swiftly: quickly assess, contain, and mitigate incidents.
- Automate tasks: use automation for faster responses.
- Collaborate: communicate and work with other teams.
- Analyze post-incident: review incidents to learn and improve.
- Stay updated: regularly train and adapt to new threats.
- Iterate: continuously refine strategies for better protection.
SS
Technical Engineer at a tech services company with 1,001-5,000 employees
Aug 9, 2023
Hi, EDR is an emerging technology that will help you to do RCA of any environment, and EDR does have the capabilities to detect unknown, script-based or fileless attacks; even some of the EDR vendors have the capabilities to prevent an ongoing attack. It totally works on behaviour-based analysis, and the EDR agent will monitor every individual process running on your endpoints. I do feel that every organisation should put EDR in their environment because attacks are very sophisticated nowadays. It has the capability to do Incident Response as well, which typically allows users to take remote access to endpoints and run some commands in order to do remote remediation.
NV
Content Editor at a tech company with 51-200 employees
Aug 9, 2023
Hi community, Why is EDR (Endpoint Detection and Response) important for companies? Share your thoughts with the rest of the community.
NV
Content Editor at a tech company with 51-200 employees
Jul 19, 2023
EDR (Endpoint Detection and Response) is important for companies because:
- It provides real-time visibility into endpoint activities, allowing companies to detect and respond to potential threats quickly.
- EDR software helps in identifying and investigating security incidents, enabling companies to understand the scope and impact of an attack.
- It enhances threat-hunting capabilities by continuously monitoring endpoints for suspicious behavior and indicators of compromise.
- EDR solutions offer advanced threat detection and prevention mechanisms, including behavioral analysis and machine learning algorithms.
- It helps in reducing the dwell time of threats by quickly identifying and containing malicious activities on endpoints.
- EDR software assists in compliance management by providing detailed endpoint activity logs and reports.
- It enables companies to proactively protect their endpoints against emerging threats and zero-day vulnerabilities.
- EDR solutions can integrate with other security tools and systems, enhancing the overall security posture of the organization.
- It aids in incident response and remediation by providing actionable insights and facilitating the isolation and removal of threats.
- EDR software helps in improving the overall cybersecurity posture of the company, safeguarding sensitive data, and preventing financial losses.
Gerald Mbewa - PeerSpot reviewer
Cyber Security Analyst at DIgital Sentry Ltd
Aug 9, 2023
EDR (Endpoint Detection and Response) is vital for companies due to its ability to quickly detect, respond to, and prevent advanced cyber threats at the endpoint level. It offers real-time visibility, advanced threat detection, proactive threat hunting, swift incident response, and detailed endpoint insights. EDR strengthens security, reduces damage, aids compliance, and adapts well to remote work scenarios.