Cybersecurity: why combine EDR and EPP

HarfangLab extends its protection with an EDR + EPP package. What are the technical advantages? What are the benefits for analysts? What features are included?

Differences between EDR and EPP 

Let’s start by looking at the difference between EDR and EPP. 
 
An EPP (Endpoint Protection Platform) not only detects and blocks malicious files (viruses, worms, Trojans…); it can also manage the local firewall, encrypt devices, control USB devices, check file integrity, filter URLs, and more.

In other words, an EPP offers a range of functions designed to secure endpoints – including antivirus functions.
In most cases, it provides neither investigation capabilities nor the ability to qualify suspicious behavior.
It is generally designed to detect known threats and to block them automatically, with a very low false positive rate.
What’s more, it doesn’t require extensive management or complex, specific configuration to operate and adapt to day-to-day threats.

An EDR, on the other hand, analyzes all endpoint activity: presence of files, process execution, suspicious behavior… It also enables data to be collected for investigation or remediation in the event of an alert following a security event.
To raise these alerts, it relies not only on known threat databases, but also on behavioral detection rules and Indicators of Compromise (IOCs), and it can learn to detect unknown threats using Artificial Intelligence.

Benefits of combined EDR + EPP  

EDR and EPP: technical advantages 

As already mentioned, an EPP protects endpoints through a range of features. For example:   

  • An antivirus, which automatically scans and blocks malicious files (text documents, PDFs, etc.);  
  • A firewall, to prevent connections coming from or going to areas that present a risk (website, server…);  
  • Device management, to protect against virus vectors or vulnerabilities, such as USB sticks, external disks, etc. 

An EDR, on the other hand, concentrates primarily on analyzing events that occur on an endpoint, for example following the execution of a file. It is also capable of providing a wide range of information beyond alerts.  

Coupling EDR and EPP thus makes it possible to block attacks upstream, while providing detection and remediation capabilities in parallel, backed by detailed threat analysis.

Pro tip 

An EDR is capable of detecting threats as soon as it is deployed on an IT fleet. However, to get the most out of it, it needs to be set up properly (this can be done by in-house security teams, or with the support of an MSSP).
On the one hand, this ensures that alerts are as relevant as possible, thus minimizing false positives (through the customization of rules and the definition of whitelists); on the other, it provides access to the data needed to conduct an investigation following a security incident (via telemetry).
 
In fact, it’s important to remember that human analysis remains indispensable in cybersecurity, and it’s precisely the EDR configuration that will help analysts focus on the really important threats, notably those linked to suspicious behavior, malicious scripts… 

In short, the point of running an EDR and an EPP together is to be able to proactively block known threats with the EPP, and to identify more subtle attacks and decipher them with the EDR.

And if both EDR and EPP are ringing… it’s probably a sign of a major problem!

EDR and EPP: the benefits for analysts in a case study 

As you can see, combining EDR and EPP improves working conditions for cyber analysts. How can this be achieved?   

For example, a suspicious connection targeting an endpoint may have been blocked, and a virus delivered later by another vector may then have been triggered.

When investigating, analysts may realize that this is potentially the sign of an advanced attack which was initially thwarted by the firewall, but which may then have progressed via another vector (possibly another connection which was not blocked, as it was not covered by a firewall rule).   

The EPP has carried out an initial automatic filtering operation, and if the attacker has nevertheless managed to drop a malicious file, analysts can use the data collected by the EDR, and correlate them to investigate and remedy the threat.  

In this way, the Information System is protected regardless of the technique adopted by the attacker. 
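The case study above comes down to one correlation rule: an EPP block followed by an EDR detection on the same host deserves more attention than either alert alone. The following is an added example, not HarfangLab code; it assumes a simplified event schema (timestamp, host, source agent, event kind) and runs over constructed sample events.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    source: str  # "EPP" (blocked upstream) or "EDR" (behavioral detection)
    kind: str
    detail: str

def _t(hhmm: str) -> datetime:
    """Helper: constructed timestamps on a single day."""
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample events from both agents; hostnames and addresses are made up.
SAMPLE_EVENTS = [
    Event(_t("09:00"), "ws-042", "EPP", "firewall_block", "inbound from 203.0.113.7 blocked"),
    Event(_t("09:40"), "ws-042", "EDR", "file_dropped", "executable written to user temp dir"),
    Event(_t("09:05"), "ws-007", "EPP", "firewall_block", "inbound from 203.0.113.7 blocked"),
    Event(_t("11:20"), "srv-db1", "EDR", "suspicious_process", "script host spawned by office app"),
    Event(_t("08:00"), "ws-019", "EDR", "file_dropped", "executable written to user temp dir"),
    Event(_t("10:00"), "ws-019", "EPP", "firewall_block", "outbound to 198.51.100.9 blocked"),
]

def correlate(events, window_minutes: int = 24 * 60):
    """Flag hosts where an EPP block was followed, within the window, by an EDR detection.

    A block alone is routine and an EDR alert alone is handled as usual; the
    combination on one host is what the article treats as a likely serious incident.
    Returns one record per EDR alert, paired with the most recent prior EPP block.
    """
    window = timedelta(minutes=window_minutes)
    by_host: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    escalations = []
    for host, evs in by_host.items():
        blocks = [e for e in evs if e.source == "EPP"]
        for alert in (e for e in evs if e.source == "EDR"):
            # Only blocks that happened before the alert and inside the window count.
            prior = [b for b in blocks if b.ts <= alert.ts <= b.ts + window]
            if prior:
                escalations.append({
                    "host": host,
                    "epp_event": prior[-1],
                    "edr_event": alert,
                    "gap_minutes": int((alert.ts - prior[-1].ts).total_seconds() // 60),
                    "severity": "high",
                })
    return escalations
```

In the sample data only ws-042 is escalated: ws-007 has a block with no follow-up, srv-db1 has an EDR alert with no prior block, and on ws-019 the block came after the alert.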

EDR and EPP: benefits in terms of deployment and management

We spoke earlier of configuration, and a package including EPP and EDR is also an asset for Build and Run teams: all solutions can be configured at once, saving time and ensuring optimum consistency of protection strategy.   

What’s more, the agent that does both the EPP and EDR work is installed in a single operation, as close as possible to the threat, to block it as early as possible.  

Another advantage is that the deployment of a single agent also limits resource consumption, thus limiting the impact on endpoint performance, and guaranteeing frictionless operation between the different solutions.  

Last but not least, all security events for all IT assets are accessible from a single point of entry, making it even easier to monitor, triage and, where necessary, investigate them.
