Monitoring and reducing cyber risks, as well as detecting incidents and having the means to act on the basis of reliable alerts and data, are essential for any organization. In the panoply of tools designed to secure an Information System, you’re bound to have heard of antivirus, EPP and EDR. But what’s the difference? Here’s how.
Antivirus and EPP: what are the differences?
An antivirus detects the presence of malware (viruses, worms, Trojans…) on a disk or in memory, based on detection signatures and heuristics, in order to block malicious code.
Next-gen antivirus products can also integrate AI engines, sandboxing…
In most cases, antivirus software does not provide the ability to investigate and qualify suspicious behavior. It is generally designed to detect known threats, with a deliberately low false positive rate. This means you need to update your antivirus database as often as possible.
In fact, antivirus software is not suited to the detection of targeted malicious code, developed for specific victims.
An EPP (Endpoint Protection Platform) is an evolution of an antivirus, incorporating :
- local firewall management,
- endpoint encryption management,
- control of USB endpoints,
- file integrity checks,
- URL filtering…
This is a set of functions designed to secure endpoints, which in the past could be separated into several products (including antivirus!).
How does EPP work?
EPP is operated and managed by an organization’s IT department via a centralized console.
It can generate alerts, usually based on file analysis or memory scans.
However, it is unable to detect several types of attack, notably unknown threats, or those based on memory-injected code – hence the emergence of EDRs.
What is an EDR?
An EDR analyzes the behavior of endpoints (workstations and servers) to protect them against attacks (ransomware, zero-day vulnerability exploits, theft of sensitive data, etc.), and can integrate antivirus or EPP functionalities.
It also collects data that analysts can use to respond to incidents (context, propagation, etc.).
Some EDR systems feature self-protection capabilities to prevent them from being deactivated by attackers, and thus maintain visibility of endpoints.
Most EDRs offer detection capabilities on :
- indicators of compromise (IOC systems) such as hashes or file names,
- or IOC networks such as IPs, domain names, URLs…),
- suspicious behavior.
In recent years Artificial Intelligence has been used to provide additional detection capability files and malicious behavior.
In addition to detection and investigation functions, some EDRs even offer features to identify risks on endpoints (obsolete applications, high-privileged user accounts, etc.).
In the event of an incident, EDR generates alerts, and offers the possibility of qualifying the security event and, if necessary, remedying it(blocking threats that have bypassed EPP, isolating infected endpoints …).
The resources and skills required to operate an EDR
An EDR is placed directly on the endpoints.
While an EPP detects and blocks known threats, an EDR can detect more complex and/or unknown threats, thanks to its ability to learn and correlate events.
As a result, it enables you to understand and reconstruct the modus operandi of an attack.
It requires cyber skills to process and analyze data (SOC).
In the past, EDR was the preserve of large organizations able to manage it in-house, but now MSSP partners enable companies of all sizes to access and monitor this technology.
“EDR is not an antivirus, it’s a new-generation tool that can detect unknown threats that don’t appear in antivirus databases.
It optimizes reactivity, visibility and incident response capacity, and covers the entire IT estate, including workstations and servers.”
Antonin Garcia, CISO – Veepee
Find out more about the capabilities of our EDR
and its EPP features: