
Endpoint Security Tools: EPP vs EDR

EPP vs EDR – which should you choose? Prey goes through the differences to help you make an informed decision about your endpoint security.

In a recent Gartner study, over 80% of business leaders surveyed stated that their organization will transition to a remote working setup, even after the coronavirus pandemic ends. In this new work from home world, endpoint devices like smartphones and laptops are replacing the PC workstations of old as productivity machines. However, this also gives rise to a whole new concern: endpoint security.

In a nutshell, endpoint security is the practice of protecting all endpoints that connect to the corporate network, from traditional desktops and servers to personal devices like mobile phones, laptops, and even Internet of Things (IoT) devices that have access to the IT network.

Such protection is critical: by some estimates up to 70% of successful network breaches start at a compromised endpoint, whether through human error (falling for phishing or downloading malware) or through more sophisticated threats such as DDoS attacks, macro payloads or script exploits.

To guard against such threats, endpoint security tools have become an indispensable part of IT security.

What is an Endpoint Security Tool?

An endpoint security tool is software dedicated to tracking, monitoring and managing the myriad endpoint devices used by the organization. While some tools are similar to conventional corporate security software like antivirus and internet security software, endpoint security tools integrate additional features specifically designed for endpoint devices. These can include mobile device management, mobile security, device or memory encryption, intrusion detection, or remote wipe capabilities.

Some of the threats that endpoint security tools are designed to deal with include:

Human error:

  • Phishing attempts
  • Suspicious websites
  • Malware ads
  • Ransomware
  • Drive-by downloads
  • Outdated patches
  • Data loss and theft

Sophisticated attacks:

  • DDoS
  • Macro and script exploits
  • Botnet attacks
  • Memory-based or fileless attacks
  • Advanced persistent threats

Endpoint Security vs Antivirus Software

While both endpoint security and antivirus software have the same goal — namely device protection – each one is a different tool with distinct features and capabilities.

Conventional antivirus software is meant to protect a specific type of device, such as a PC, smartphone or tablet. It was originally designed to protect desktops from computer viruses and was usually OS-specific. Today’s antivirus suites guard against a wider range of threats, including ransomware, adware, spyware and other malicious programs.

On the other hand, endpoint security software is designed to protect the whole network environment, from endpoint devices to the central IT network up to the cloud. In addition to guarding against traditional threats, it includes features like network access control, threat detection and response, and application whitelisting, to name a few.

However, this does not mean that endpoint security on its own can replace antivirus software. Endpoint devices should still have their own antivirus protection, complemented by a good endpoint security solution. An effective corporate IT security strategy combines device-specific antivirus protection with the network-encompassing veil of an endpoint security system.

The 2 Types of Endpoint Security Software

There are two approaches to endpoint security, each with its own strengths and weaknesses.

1. Endpoint protection platform (EPP)

These are designed to prevent attacks from conventional threats such as malware, zero-day exploits and memory-based attacks. EPPs detect attacks through:

  • Matching threats with known malware signatures
  • Blacklisting and whitelisting applications, URLs, ports, and IP addresses
  • Using a sandbox environment to test executable files
  • Utilizing machine learning and behavioral analysis to establish an operational baseline, then flagging suspicious processes or operations

A good EPP solution is cloud-managed, allowing steady data collection and monitoring, and remote remediation outside of the office environment. A cloud-assisted EPP also relieves endpoint devices from having to store the full threat database locally.

2. Endpoint detection and response (EDR)

These come into play once a breach has already occurred, in order to contain, investigate and respond to the threat. Whereas EPP is passive software that blocks endpoint security issues before they take hold, EDR is an active tool IT uses to quarantine the breach and initiate automated response and remediation. EDR software works by:

  • Applying threat intelligence to pinpoint Indicators of Compromise (IoCs) in endpoint telemetry
  • Providing real-time alerts about security incidents
  • Incorporating a forensics and investigation component, to trace affected endpoints and the origin of the attack
  • Automating response and remediation

What’s the Difference between EPP and EDR?

In general, an EPP solution acts as an endpoint’s frontline defense, much as antivirus software does against viruses.

On the other hand, EDR solutions are designed to deal with threats that the EPP software did not catch. These may include new malware strains, newly discovered zero-day exploits, and other threats not yet included in the EPP’s threat database.

EPP | EDR
Prevents conventional threats, plus some unknown threats (via behavioral analysis or machine learning) | Responds to threats that make it past the EPP filter
First-line threat prevention | Secondary defense: contains, investigates and responds to breaches
Passive software that guards against known risks | Active software used by IT to hunt threats within the system
Protects each endpoint in isolation | Aggregates incident data from several endpoints to give context for quarantine and remediation

Key Features of an EPP Solution

EPP is all about prevention. As your first line of defense, it should guard against commodity threats like malware, basic phishing and non-targeted attacks.

Here’s what to look for:

  • Signature matching: It should detect threats by matching them against known malware signatures.
  • Sandboxing: The software should be able to test for malicious behavior by executing files in a virtual environment before allowing them to run in production.
  • Behavioral analysis: A good EPP solution can establish a baseline of endpoint behavior and identify anomalies, even when there is no known threat signature.
  • Static analysis: Using machine learning, it should analyze binaries for malicious characteristics before execution.
  • Whitelisting and blacklisting: This basic function blocks or permits access to specific IP addresses, URLs and applications.
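Three of the EPP checks listed above and in the earlier EPP section (signature matching, allow/block lists and a behavioral baseline; sandboxing and machine-learning static analysis are left out) combined into one pre-execution decision. This is an added example written for this page, not code from any product it reviews. The sample bytes, hashes, hostnames, application paths and parent/child process pairs are all constructed. It shows why the "unusual parent" check matters: a macro that spawns a script host from winword.exe is caught even when the dropped payload has no signature yet.

```python
"""Toy EPP-style pre-execution check: signature matching, allow/block lists
and a behavioral baseline.

Added example, not code from any product discussed on the page. Every hash,
host, IP, path and process pair below is constructed for illustration.
"""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# --- 1. Signature matching --------------------------------------------------
# A constructed "dropper" stands in for a malware sample; hashing it here keeps
# the example self-contained without shipping any real malicious bytes.
SAMPLE_DROPPER = b"MZ\x90\x00 constructed-dropper: cmd.exe /c powershell -enc SQBFAFgA"
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(SAMPLE_DROPPER).hexdigest(): "Dropper.Constructed",
}
# Byte-pattern signatures catch variants whose exact hash has never been seen.
BYTE_SIGNATURES: Dict[str, bytes] = {
    "Script.EncodedPowerShell": b"powershell -enc",
}


def signature_verdict(data: bytes) -> Optional[str]:
    """Return the name of the signature that matches `data`, or None."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return KNOWN_BAD_SHA256[digest]
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


# --- 2. Allow and block lists ----------------------------------------------
BLOCKED_HOSTS: Set[str] = {"update-check.example", "203.0.113.7"}  # constructed
ALLOWED_APPS: Set[str] = {  # application allowlist: deny anything not listed
    r"c:\program files\office\winword.exe",
    r"c:\windows\system32\notepad.exe",
}


def network_allowed(url: str) -> bool:
    """Block by hostname or literal IP; everything else is permitted."""
    host = (urlparse(url).hostname or "").lower()
    return host not in BLOCKED_HOSTS


def app_allowed(path: str) -> bool:
    return path.lower() in ALLOWED_APPS


# --- 3. Behavioral baseline -------------------------------------------------
@dataclass(frozen=True)
class ProcEvent:
    parent: str  # image name of the parent process, e.g. "explorer.exe"
    child: str   # image name of the spawned process


def learn_baseline(events: List[ProcEvent]) -> Set[Tuple[str, str]]:
    """Parent/child pairs observed during a known-good period."""
    return {(e.parent.lower(), e.child.lower()) for e in events}


def is_anomalous(event: ProcEvent, baseline: Set[Tuple[str, str]]) -> bool:
    return (event.parent.lower(), event.child.lower()) not in baseline


# --- Combined pre-execution decision ----------------------------------------
def evaluate_execution(path: str, data: bytes, parent: str,
                       baseline: Set[Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Decide allow/block for a process launch and list every reason."""
    reasons: List[str] = []
    sig = signature_verdict(data)
    if sig:
        reasons.append(f"signature match: {sig}")
    if not app_allowed(path):
        reasons.append("image not on application allowlist")
    if is_anomalous(ProcEvent(parent, ntpath.basename(path)), baseline):
        reasons.append(f"unusual parent process: {parent}")
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    baseline = learn_baseline([
        ProcEvent("explorer.exe", "winword.exe"),
        ProcEvent("explorer.exe", "notepad.exe"),
        ProcEvent("services.exe", "svchost.exe"),
    ])
    print(evaluate_execution(r"C:\Program Files\Office\winword.exe",
                             b"benign document", "explorer.exe", baseline))
    print(evaluate_execution(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                             SAMPLE_DROPPER, "winword.exe", baseline))
    print(network_allowed("http://update-check.example/payload"))
```

Each check is independent and every reason is reported, so an analyst can tell whether a block came from a known hash (cheap, no false positives) or only from the baseline (cheap to evade by living off the land, but also the only check that fires on a never-seen payload).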

Key Features of an EDR Solution

Where EPP fails, EDR serves as the backstop to catch threats that make it past the initial defense. This allows IT security to isolate the endpoints of entry, quarantine affected areas of the system, and initiate automated response and remediation.

  • Threat detection: Just like EPP, it should detect malicious activity and anomalous processes on endpoints, rather than only looking for file-based malware.
  • Security incident containment: Effective EDR solutions isolate compromised endpoints from the network to stop an attack from spreading.
  • Incident response: Flagged incidents should be ranked by threat level to help IT prioritize response, especially in the face of fast-propagating threats.
  • Incident investigation: It should make forensic investigation easier and faster by collecting the necessary endpoint and traffic data in a central data store for analysis.
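The four functions above, and the EDR workflow described in the earlier EDR section, as an added example that is not code from any product on this page. It correlates constructed telemetry from three endpoints: it matches IoCs (a file hash, a domain and a parent/child process pair), ranks hosts by accumulated severity, takes the earliest hit as the probable point of entry, and derives a containment plan. The host names, IP-to-host inventory, hashes, domains and severity weights are all invented.

```python
"""Toy EDR-style correlation over endpoint telemetry: IoC matching, alert
ranking, probable point of entry and a containment plan.

Added example, not code from any product reviewed on the page. All telemetry,
hashes, domains, host names and the IP-to-host inventory are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    ts: str               # ISO-8601 UTC timestamp; sorts correctly as a string
    host: str
    kind: str             # "process", "dns", "file" or "net"
    data: Dict[str, str]


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    severity: int
    detail: str


# Constructed indicators of compromise (IoCs); none refer to real samples.
IOC_SHA256: Dict[str, str] = {"c0ffee" * 10 + "0000": "Dropper.Constructed"}
IOC_DOMAINS: Set[str] = {"update-check.example"}
IOC_PARENT_CHILD: Set[Tuple[str, str]] = {("winword.exe", "powershell.exe"),
                                          ("outlook.exe", "cmd.exe")}
LATERAL_PORTS = {"445", "3389", "5985"}          # SMB, RDP, WinRM
INVENTORY = {"10.0.0.40": "SRV-FILE01"}          # constructed IP -> host map
SEVERITY = {"ioc_hash": 80, "suspicious_parent": 60,
            "lateral_movement": 50, "ioc_domain": 40}


def detect(events: List[Event]) -> List[Alert]:
    """Walk telemetry in time order and emit one alert per IoC hit.

    The lateral-movement rule needs cross-event context: an internal SMB/RDP
    connection is only flagged from a host that already has an alert.
    """
    alerts: List[Alert] = []
    compromised: Set[str] = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        d, before = e.data, len(alerts)
        sha = d.get("sha256", "")
        if e.kind in ("process", "file") and sha in IOC_SHA256:
            where = d.get("path") or d.get("image", "")
            alerts.append(Alert(e.ts, e.host, "ioc_hash", SEVERITY["ioc_hash"],
                                f"{IOC_SHA256[sha]} at {where}"))
        if e.kind == "process" and (d.get("parent", "").lower(),
                                    d.get("image", "").lower()) in IOC_PARENT_CHILD:
            alerts.append(Alert(e.ts, e.host, "suspicious_parent",
                                SEVERITY["suspicious_parent"],
                                f"{d['parent']} -> {d['image']}"))
        if e.kind == "dns" and d.get("query", "").lower() in IOC_DOMAINS:
            alerts.append(Alert(e.ts, e.host, "ioc_domain", SEVERITY["ioc_domain"],
                                d["query"]))
        if e.kind == "net" and d.get("port") in LATERAL_PORTS and e.host in compromised:
            target = INVENTORY.get(d.get("dst", ""), d.get("dst", ""))
            alerts.append(Alert(e.ts, e.host, "lateral_movement",
                                SEVERITY["lateral_movement"], f"to {target}:{d['port']}"))
        if len(alerts) > before:
            compromised.add(e.host)
    return alerts


def rank_hosts(alerts: List[Alert]) -> List[Tuple[str, int]]:
    """Hosts ordered by total severity, highest first (ties by name)."""
    scores: Dict[str, int] = {}
    for a in alerts:
        scores[a.host] = scores.get(a.host, 0) + a.severity
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def probable_origin(alerts: List[Alert]) -> Optional[Tuple[str, str]]:
    """Earliest alert across all endpoints: the likely point of entry."""
    if not alerts:
        return None
    first = min(alerts, key=lambda a: a.ts)
    return first.host, first.ts


def containment_plan(alerts: List[Alert], isolate_at: int = 60) -> Dict[str, str]:
    """Isolate hosts whose accumulated score reaches the threshold."""
    return {host: ("isolate from network" if score >= isolate_at else "monitor")
            for host, score in rank_hosts(alerts)}


# Constructed telemetry: a macro on WS-012 spawns PowerShell, resolves a C2
# domain, drops a payload, then reaches the file server over SMB, which runs it.
TELEMETRY = [
    Event("2020-06-01T09:00:00Z", "WS-031", "dns", {"query": "mail.example.com"}),
    Event("2020-06-01T09:02:11Z", "WS-012", "process",
          {"parent": "winword.exe", "image": "powershell.exe", "sha256": "11" * 32}),
    Event("2020-06-01T09:02:15Z", "WS-012", "dns", {"query": "update-check.example"}),
    Event("2020-06-01T09:03:40Z", "WS-012", "file",
          {"path": r"C:\Users\alice\AppData\Local\Temp\update.exe",
           "sha256": "c0ffee" * 10 + "0000"}),
    Event("2020-06-01T09:05:00Z", "WS-031", "process",
          {"parent": "explorer.exe", "image": "chrome.exe", "sha256": "22" * 32}),
    Event("2020-06-01T09:10:02Z", "WS-012", "net", {"dst": "10.0.0.40", "port": "445"}),
    Event("2020-06-01T09:10:30Z", "SRV-FILE01", "process",
          {"parent": "services.exe", "image": "update.exe", "sha256": "c0ffee" * 10 + "0000"}),
]

if __name__ == "__main__":
    found = detect(TELEMETRY)
    for a in found:
        print(a.ts, a.host, a.rule, a.severity, a.detail)
    print("ranked:", rank_hosts(found))
    print("origin:", probable_origin(found))
    print("plan:", containment_plan(found))
```

The cross-endpoint context is the point: the SMB connection from WS-012 to the file server is flagged only because WS-012 already had an alert, and the file server is then ranked for isolation on its own hash hit. A per-device EPP sees each of those events in isolation and has no way to relate them.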

Top 7 Endpoint Security Tools for 2020

Not all endpoint security products are created equal. Some EPPs are better than others at detecting threats, while some EDR platforms offer more capabilities either built-in or as optional extras.

Here are the top seven endpoint security tools for 2020, along with their unique features and capabilities:

1. CrowdStrike Falcon

Type: EDR

One of the most widely used EDR platforms, CrowdStrike Falcon is rated at the top of the EDR field for detection. It also has a robust cloud-based management interface and strong Linux and technical support. However, it lacks web content filtering and a VPN, and services like automated remediation, threat hunting and vulnerability assessment cost extra.

Pros:

  • Top-level detection capabilities
  • Easy cloud-based management
  • Linux and technical support
  • Optional services like vulnerability assessment and threat hunting

Cons:

  • Premium pricing
  • Automated remediation costs extra
  • No web content filtering or VPN

2. F-Secure Rapid Detection & Response

Type: EPP + EDR

Another popular product, F-Secure boasts some of the highest ratings in the MITRE ATT&CK evaluations. In addition to advanced features like real-time behavioral, reputational and big data analysis, it uses an intuitive interface to visualize security incidents. Its EPP capabilities are strong, lacking only encryption. On the EDR side it uses big data and behavioral analysis, but lacks black/whitelisting and prioritization options.

Pros:

  • High independent test ratings
  • Good price
  • Prioritization of response actions by criticality and risk level
  • Advanced machine learning for real-time behavioral, reputational and big data analysis

Cons:

  • Advanced features like custom rules, rogue device discovery, rollback and VPN cost extra

3. Palo Alto Networks Cortex XDR

Type: EDR

A contender with F-Secure for the highest independent test scores, Palo Alto’s product can stop even handcrafted, targeted attacks, with solid machine learning and behavioral monitoring that spans endpoints, the network and the cloud. However, NSS Labs testing found it weak against file-embedded social exploits, with a score of 60%.

Pros:

  • Top marks in MITRE and NSS Labs evaluations
  • Solid threat tracking across endpoints, networks and the cloud environment
  • Able to stop targeted, handcrafted attacks

Cons:

  • No web content filtering, vulnerability monitoring, rogue device discovery or patch management
  • No rollback ability
  • Designed around Palo Alto firewalls and security products, so integration and implementation elsewhere can be complicated

4. Trend Micro Apex One

Type: EPP + EDR

Apex One is an EPP/EDR combo that offers a lot of value at a relatively low price. It boasts top scores in the recent second round of MITRE evaluations, as well as the best total cost of ownership rating in NSS Labs comparisons. However, the bargain comes at a price, with features like device control, patch management, custom rules and rollback costing extra.

Pros:

  • EPP and EDR combination plus a low price make it the best bargain
  • Office 365 and Google G Suite integration
  • Lowest total cost of ownership

Cons:

  • Optional costs for device control, full-disk encryption, patch management and VPN
  • No custom rules or rollback features
  • Issues reported with deployment
  • Some user reports of detected malware requiring manual removal

5. Kaspersky Endpoint Detection & Response

Type: EDR

Second only to Trend Micro on price, Kaspersky’s offering packs a lot of capabilities into a relatively low price tag. Prioritization, investigation and automated responses are included in the package, with VPN the only optional extra. However, it scored below average in the second round of MITRE evaluations, and the software tends to consume a lot of endpoint resources.

Pros:

  • Good list of features at a low price
  • Excellent implementation
  • Good tech support

Cons:

  • Below-average score in the MITRE evaluation
  • Resource-intensive according to user reports
  • Additional cost for VPN

6. Symantec Endpoint Security

Type: EPP + EDR

One of the market leaders in EDR, Symantec’s combined product scored a solid 85% in MITRE’s second round of evaluations. The basic offering includes device control and patch management on the EPP side, and vulnerability assessment, advanced threat hunting, rogue device discovery and custom rules on the EDR side. Other options include web content filtering, threat intelligence integration and full-disk encryption. The only missing feature is rollback capability.

Pros:

  • Good MITRE raw performance
  • More standard features than other products
  • Good implementation and ease of use

Cons:

  • Price tag can be high depending on extras like web content monitoring and encryption
  • No rollback
  • Can consume quite a bit of endpoint resources depending on configuration

7. Bitdefender GravityZone

Type: EPP + EDR

This unified security offering boasts good NSS Labs and MITRE scores at a relatively low price, making it a good choice for SMEs. Most of the heavy lifting can be offloaded to the cloud thanks to its machine learning, behavioral monitoring and automated remediation features. However, advanced capabilities like patch management, rogue device discovery and encryption cost extra.

Pros:

  • SME-friendly price tag
  • Good independent scores
  • Robust AI and behavioral monitoring

Cons:

  • Additional cost for patching, full-disk encryption and rogue device discovery
  • No custom rules or guided investigation
  • No threat intelligence feed

EPP vs EDR: Which One Should You Use?

To recap, EPP software is designed as the first line of defense: to detect malicious signatures and other signs of device or network intrusion. EDR acts as an additional defense layer – it catches threats that make it past the EPP filter through threat hunting and other active measures.

While EDR might sound like the more powerful of the two, EPP’s passive protection makes it a critical component of good endpoint security, especially for smaller organizations that lack the resources or in-house IT to run EDR. EDR is only useful when paired with a security team that can act on what it surfaces.

Finally, neither solution is the be-all and end-all of endpoint security. They should be used in tandem with other endpoint security tools, such as a device management and tracking solution, to guard against threats like social engineering, device loss or physical theft. Holistic endpoint security takes into account every endpoint risk, not just the ones behind the screen.

About the author

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.