
Endpoint Protection Comparison


Follow Ministry of Security on

EPP vs EDR

EPP (Endpoint Protection Platform) | EDR (Endpoint Detection & Response)
Prevents a wide variety of known and unknown threats | Used to respond to threats that have already affected the endpoint
First line of defense – scan, identify and block | Second line of defense – contain, investigate and respond
Passive – protects against known and easily identifiable threats | Active – used to counter evasive threats that get past security defenses, or for proactive threat hunting
Protects the endpoint but does not provide in-depth data about the threat on the endpoint | Aggregates data from multiple endpoints to enable forensic investigations
EPP is focused on prevention | EDR is focused on detection and response
EPP relies on signatures and heuristics | EDR uses behavioral analytics to detect threats
EPP only provides visibility into activity that is related to malware | EDR can provide visibility into all activity on a device
EPP cannot investigate security incidents | EDR can be used to investigate and contain security incidents
Machine learning to support behavioural analysis |
Traditional threat monitoring |
Prevents unknown attacks; verifies indicators of compromise (IoC), memory consumption and vulnerabilities |
Antivirus is generally a single program that serves basic purposes like scanning, detecting and removing viruses and different types of malware |


EDR vs XDR

EDR (Endpoint Detection & Response) | XDR (Extended Detection & Response)
Limited to one security layer | Crosses multiple security layers – endpoints, network traffic, identity management, cloud workloads, email, virtual containers, sensors (from operational technology, or OT)
Complemented by NTA tools but not strongly integrated with them | Provides both endpoint and network security in one platform
Separate tools that need to be managed alongside other security tools | Unified platform that provides a single point of reference for the security analyst
EDR is a new generation of anti-malware | Provides improved detection and response to day-to-day security incidents
EDR no longer relies solely on signature systems to perform malicious behavior detection | Increased overall productivity of security personnel
EDR adds behavioral process analysis capabilities to determine deviance | Lowered total cost of ownership (TCO) of the security stack
EDR does support forensics | Forensics – investigate incidents swiftly with comprehensive forensic evidence
EDR does support forensics | Host Insight – find vulnerabilities and sweep across endpoints to eradicate threats
EDR does support host-based inventory | Host inventory
Pinpoints attacks by identifying behavioral deviations | Pinpoints attacks with AI-driven analytics and coordinates response
 | File Search and Destroy


Introduction
Since the beginning of the computer era, the endpoint has been the simplest route for security threats, and those threats are evolving rapidly.
Organizations have transitioned from simple antivirus software to full endpoint protection platforms (EPPs), which provide well-rounded, preventive security capabilities for endpoints, and then to endpoint detection and response (EDR) solutions, which complement EPP by adding the ability to actively respond to endpoint security breaches.
Today, all of these security technologies are overshadowed by a new model called XDR, or Extended Detection and Response. Endpoints have long been a major target for attackers. Whether the data is located in a user’s pocket, in the cloud, on IoT devices, or in an organization’s server room, it needs to be protected both inside and outside the traditional security perimeter.

Antivirus Product Capability Support

Platform Supports | Windows Operating System; Linux – Ubuntu 16.04 to 22.4 and upcoming versions; Cloud workloads, Containers, Kubernetes; Android – all versions; MacOS – all versions and upcoming versions
Hardware Platform | Desktop, Laptop, Server, Cloud, VMs, VDI


Antivirus Portfolio/Baseline

Feature | Description
NBA | Solution should have the capability of monitoring network behavior analysis
UBA | Solution should have the capability of monitoring user behavior analysis
Deception | Solution to stop attackers from breaching your system and causing damage
Web Security | Reliably protects your PC against viruses, spyware, trojans and other malware
Faster, More Complete Investigation & Response | MITRE ATT&CK Evaluation: 100% threat prevention
Response Action | Live Terminal; Endpoint isolation; External Dynamic List (EDL); Script Execution; Remediation analysis; Incident Scoring Rules; Featured Alert Fields
Application Control | Standard category-wise application Allow/Block; Custom extension-based application Allow/Block
Device Control (should work on all OS: Windows, MacOS and Linux) | Mass storage – allow/block, read only; MTP/PTP – block/allow; Bluetooth – allow/block; Thunderbolt – allow/block; Camera – allow/block; Card reader – allow/block; USB printer – allow/block; Wi-Fi printer – allow/block
Firewall | Host Firewall; Host-based IDS and IPS
Email Protection | Antispam, Anti-Phishing
File integrity monitoring | File integrity monitoring
EDR/XDR Protection | Real-time malware detection, protection and prevention; Behavioural analysis; Signature-based analysis; Real-time threat analysis and advanced threat detection; Malicious traffic detection; Anti-Ransomware – recognized and unrecognized ransomware; Detect suspicious activities and block them before any breach occurs; Policy/rule-based host isolation; Manual host isolation; Isolated host accessibility and integration from the management console without physical intervention on the client machine; Deep Alert Analysis; Threat Hunting, Suspicious Behavior
Managed Threat Response (MTR) | Detection, Investigation and Remediation
Exploit Prevention | File-less attacks; Malware-free attacks; Zero-day attacks; Exploit-based attacks; Toolkit blocking
Artificial Intelligence & Machine Learning | Proactive techniques to detect malicious traffic as well as protect from attackers; Malicious traffic detection and prevention
Patch and Vulnerability Assessment | Real-time monitoring and rapid mitigation of detected threats
Root Cause Analysis | Deep analytics on what, when, where and how the incident happened
Logs | Real-time log synchronization between endpoint and server; Log retention period (minimum 90 days) and policy; Possibility of log retention period extension
Event alert and notification | Real-time event alert and notification
Tamper Protection | Should work on Windows, MacOS and Linux
Central management with single console | Agent deployment and update (installer and bundled package); Asset Inventory; Policy Configuration and Enforcement; Dashboard
Report | Custom report; Drill-down analysis report; Scheduled report; Management report with charts
Host Performance | Low CPU utilization; Low hard disk utilization; Low RAM utilization
Integration | Integration with security information and event management (SIEM) tools
Subject Matter Expert Availability | 24x7 technical support – on call, email, chat
Others | Data loss prevention; Drive encryption; No conflict with other antivirus installed on the system
Deployment | Ability to be managed by central management on-cloud and on-prem
Password Exposure | The solution shall be able to prevent corporate password reuse
Browsing protection | Ability to prevent browser-based attacks by installing a thin client on the web browser to provide full SSL inspection
Document security | Ability to extract malicious content from a document and deliver a safe file to the user immediately
Disk Encryption | Solution should support BitLocker encryption
Web Control | Website browsing protection and content filtering

Evolution of Antivirus to Next-Gen AV

Antivirus - Antivirus (AV) protection is the most common type of endpoint security, especially among consumer electronics.

Endpoint protection platform - An endpoint protection platform (EPP) is an advanced antivirus tool whose key feature is machine learning to support behavioural analysis. It extends traditional threat monitoring beyond known threats, prevents unknown attacks, verifies indicators of compromise (IoC), and monitors a device’s memory to identify irregular patterns in memory consumption.
EPP is more advanced than antivirus protection for widespread endpoint management and threat prevention in large companies, but some sophisticated attacks are still able to evade detection. EPP is useful for identifying vulnerabilities and preventing attacks.
Endpoint Detection and Response - Endpoint Detection and Response (EDR) represents the newest and most advanced layer of the endpoint protection platform.


Typically, it expands EPP support for AI, machine learning, threat intelligence, and behavioral analysis into a combined capability that neutralizes attacks.
Put simply: EPP is a shield, EDR is a sword.
An EDR system collects and analyzes data from endpoints across a network so it can stop an attack in its tracks. Once the threat has been removed, EDR can then be used to trace the exact source of the attack so that similar events can be prevented in the future.
EDR functions as a centralized management hub for an organization’s endpoints network-wide. It acts to stop an attack at the earliest signs of detection, even before a human administrator learns that a threat exists.
Whereas EPP is a first line of defense that provides passive threat prevention, EDR actively works to mitigate network attacks before they can cause significant damage.
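The EPP vs EDR comparison earlier in this document and the paragraph above make the same distinction: EPP matches signatures and heuristics on a single endpoint, while EDR aggregates telemetry from many endpoints and looks for behavioural deviations, then drives a response such as host isolation. The Python script below is an added example (not code from this article or from any product it describes) that runs both styles of detection over a few constructed process-start events collected from three hosts. The host names, hashes, process names and the office-application-to-shell-to-downloader rule are all assumptions made up for the illustration.

```python
"""Signature matching (EPP style) beside behavioural analytics over telemetry
aggregated from several endpoints (EDR style).

Added example, not part of the original document. Host names, hashes,
process names and the detection rule are constructed for illustration.
"""
from collections import defaultdict

# Constructed telemetry: one process-start event per line, as an EDR agent
# would stream it to the central server. Fields: host,ts,parent,child,sha256
TELEMETRY = """\
ws-01,1000,explorer.exe,winword.exe,aaa111
ws-01,1001,winword.exe,powershell.exe,bbb222
ws-01,1002,powershell.exe,certutil.exe,ccc333
ws-02,1000,explorer.exe,chrome.exe,ddd444
ws-02,1001,explorer.exe,evil.exe,deadbeef
ws-03,1000,services.exe,svchost.exe,eee555
ws-03,1001,winword.exe,cmd.exe,fff666
"""

# Constructed signature set: hashes of files already known to be malicious.
KNOWN_BAD_HASHES = {"deadbeef"}

# Constructed heuristic vocabulary: an office application spawning a shell that
# in turn launches a download-capable system tool is treated as a deviation.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
DOWNLOADERS = {"certutil.exe", "bitsadmin.exe"}


def parse_events(text):
    """Turn the CSV telemetry into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        host, ts, parent, child, sha = line.split(",")
        events.append({"host": host, "ts": int(ts), "parent": parent,
                       "child": child, "sha256": sha})
    return events


def signature_alerts(events):
    """EPP style: flag any event whose file hash matches a known-bad entry.
    This needs no context beyond the single event."""
    return [(e["host"], e["child"]) for e in events
            if e["sha256"] in KNOWN_BAD_HASHES]


def behavioural_alerts(events):
    """EDR style: examine the process lineage per host.
    Rule: office app -> shell -> downloader on the same host. None of the
    three binaries has a bad signature; the chain is what is suspicious."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        children = defaultdict(set)            # parent image -> child images
        for e in evs:
            children[e["parent"]].add(e["child"])
        for office in sorted(OFFICE_APPS):
            for shell in sorted(children.get(office, ())):
                if shell not in SHELLS:
                    continue
                for dl in sorted(children.get(shell, set()) & DOWNLOADERS):
                    alerts.append((host, f"{office} -> {shell} -> {dl}"))
    return alerts


def hosts_to_isolate(events):
    """Response decision: every host flagged by either detector."""
    flagged = {h for h, _ in signature_alerts(events)}
    flagged |= {h for h, _ in behavioural_alerts(events)}
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(TELEMETRY)
    print("signature hits :", signature_alerts(evs))
    print("behaviour hits :", behavioural_alerts(evs))
    print("isolate hosts  :", hosts_to_isolate(evs))
```

Note that ws-03 shows only the first half of the chain (winword.exe launching cmd.exe) and is not flagged; the behavioural rule deliberately requires the full sequence, which is the kind of precision trade-off an analyst tunes when writing such rules, and the reason EDR telemetry is kept for later investigation even when no alert fires.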
Extended Detection and Response - XDR solutions are a compelling alternative to EDR and traditional EPP. They provide improved threat intelligence and AI/ML analysis, applied to combined data from across the IT environment. They allow organizations to derive more value from existing investments in EDR, SIEM and security orchestration, automation and response (SOAR).
Limitations of XDR - XDR solutions are expected to provide a deeper understanding of the data generated by many other security technologies, but this can be a double-edged sword. While these solutions may have good knowledge of security technologies from the same vendor ecosystem, they may not have the same analytics capabilities for data generated by systems from other vendors.
Therefore, deploying XDR technology could lock you into a specific security technology ecosystem. If your organization is already pursuing a single-vendor strategy, this may not be an issue. However, it can be an obstacle if you are taking a best-of-breed approach. Companies should consider whether the enhanced analytical value provided by the XDR solution is sufficient to justify a closer dependence on a specific security vendor.


Antivirus Uses

Advantages | Disadvantages
Signature similarity | Antivirus can’t protect against everything
Heuristic analysis | It can slow down your computer
Integrity checking | It can be expensive to maintain
Prevents a wide variety of known and unknown threats | It can generate false positives (warnings about threats that aren’t present)
First line of defense – scan, identify and block | It can miss new threats that haven’t been identified yet
Passive – protects against known and easily identifiable threats | It can be difficult to configure and manage
Protects the endpoint but does not provide in-depth data about the threat on the endpoint | It can create security holes if not properly configured
Machine learning to support behavioural analysis | It requires regular updates to stay effective
Traditional threat monitoring | It can be disabled or bypassed by malware
Prevents unknown attacks; verifies indicators of compromise (IoC), memory consumption and vulnerabilities | It can give you a false sense of security
Antivirus is generally a single program that serves basic purposes like scanning, detecting and removing viruses and different types of malware | Antivirus will only catch known threats
 | One limitation of antivirus programs is that they can often cause false positives
 | Insufficient to protect such a large-scale and continuously expanding digital perimeter
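"Integrity checking" in the advantages column above, and "File integrity monitoring" in the baseline feature list earlier, both refer to the same technique: record a cryptographic hash of every file you care about, then re-hash later and report what changed. The Python script below is an added example, not code from this article or from any product it describes. It builds a small directory tree inside a temporary directory it constructs itself, takes a SHA-256 baseline, simulates a modified binary, a deleted log and a dropped file, and reports the three kinds of drift; the file names and contents are assumptions made up for the demonstration.

```python
"""File integrity monitoring: hash baseline, rescan, report drift.

Added example, not part of the original document. The directory layout and
file contents are constructed inside a temporary directory.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root.
    Paths are normalised to '/' so a baseline is comparable across platforms."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = hash_file(full)
    return out


def diff_snapshots(baseline, current):
    """Compare two snapshots and return sorted lists of added, removed and
    modified paths. A path is 'modified' when present in both with a
    different hash; renames show up as one removal plus one addition."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline three files, then tamper and rescan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, os.path.join("bin", "tool"), b"original build")
        _write(root, "config.ini", b"a=1\n")
        _write(root, "old.log", b"rotated\n")
        baseline = snapshot(root)

        # Simulated drift: binary replaced, log removed, unknown file dropped.
        _write(root, os.path.join("bin", "tool"), b"replaced build")
        os.remove(os.path.join(root, "old.log"))
        _write(root, "dropped.dll", b"new file")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

In a real deployment the baseline is stored where the monitored host cannot rewrite it (a management server, as the "real-time log synchronization between endpoint and server" feature in the baseline list implies), and the comparison is scheduled or triggered by file-system events rather than run once.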


Conclusion
In this endpoint security article, we introduced multiple technologies (AV, EPP, EDR and XDR solutions) and explained the basic differences between them. In reality, these solution categories are not separate or mutually exclusive alternatives. Traditional AV, EPP and EDR are essential components of modern security strategies. XDR is widely considered to be the future of endpoint security, but it does not replace AV/EPP/EDR. Rather, it leverages them and consolidates them with other parts of the security stack to deliver improved security.

Author
Vikas Vasant Upade
