EPP, EDR and XDR

EPP (Endpoint Protection Platform)

An Endpoint Protection Platform (EPP) is a solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to security incidents and alerts. Its emphasis is on prevention, that is, stopping a threat before or at the moment it executes on the endpoint.

EDR (Endpoint Detection and Response)

Endpoint Detection and Response (EDR) solutions are defined as tools that record endpoint system-level behaviours (process creation, file and registry changes, network connections and the like) and store them in a centralized database so they can be searched and analysed after the fact. An EDR solution must provide the following four primary capabilities:

  • Detect security incidents
  • Contain the incident at the endpoint
  • Investigate security incidents
  • Provide remediation guidance

XDR (Extended Detection and Response)

XDR (Extended Detection and Response) is a more evolved, holistic, cross-platform approach to detection and response. While EDR collects and correlates activity across multiple endpoints, XDR broadens the scope of detection beyond the endpoint and analyses data from endpoints, networks, servers, cloud workloads, SIEM and much more. The practical gain is correlation: an event that is low severity on its own (a process launch, a single outbound connection, an identity change) can be combined with related events from other sources into one incident with a higher confidence score. This provides a unified, single pane of glass view across multiple tools and attack vectors.
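The correlation step described above, as an added example that is not part of the original page or of any XDR product: an endpoint alert is joined with proxy logs for the same host and identity-provider logs for the same user inside a time window around the alert, and the combined evidence raises the incident score. All telemetry, field names, source names and scoring weights are constructed for this illustration.

```python
from datetime import datetime, timedelta

# All telemetry below is constructed for this example; the sources, field names and
# scoring weights are assumptions, not the schema of any particular XDR product.

ENDPOINT_ALERTS = [
    {"ts": "2024-05-01T09:00:05Z", "source": "edr", "host": "ws-017", "user": "alice",
     "title": "Office application spawned PowerShell with an encoded command", "score": 50},
]
PROXY_LOGS = [
    {"ts": "2024-05-01T09:00:07Z", "source": "proxy", "host": "ws-017",
     "dest": "cdn.example.net", "bytes_out": 1200},
    {"ts": "2024-05-01T09:00:09Z", "source": "proxy", "host": "ws-017",
     "dest": "update-check.invalid", "bytes_out": 48210},
    {"ts": "2024-05-01T09:40:00Z", "source": "proxy", "host": "ws-017",
     "dest": "cdn.example.net", "bytes_out": 500},
]
IDENTITY_LOGS = [
    {"ts": "2024-05-01T08:10:00Z", "source": "idp", "user": "alice",
     "event": "sign_in_success", "ip": "198.51.100.4"},
    {"ts": "2024-05-01T09:03:30Z", "source": "idp", "user": "alice",
     "event": "mfa_device_added", "ip": "203.0.113.9"},
]

KNOWN_GOOD_DOMAINS = {"cdn.example.net"}            # e.g. an allowlist of CDN/update hosts
RISKY_IDENTITY_EVENTS = {"mfa_device_added", "password_reset", "consent_granted"}
NETWORK_WEIGHT, IDENTITY_WEIGHT = 20, 30             # assumed scoring weights


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def severity(score):
    """Map a numeric score to the label an analyst queue would show."""
    return "critical" if score >= 90 else "high" if score >= 70 else "medium" if score >= 40 else "low"


def correlate(alert, proxy_logs, identity_logs, before_min=2, after_min=10):
    """Build one incident around an endpoint alert by pulling in network events for the same
    host and identity events for the same user inside a time window around the alert."""
    t0 = parse_ts(alert["ts"])
    start, end = t0 - timedelta(minutes=before_min), t0 + timedelta(minutes=after_min)

    def in_window(row):
        return start <= parse_ts(row["ts"]) <= end

    evidence = [alert]
    score = alert["score"]
    for row in proxy_logs:
        # Same host, inside the window, talking to a destination not on the known-good list
        if row["host"] == alert["host"] and in_window(row) and row["dest"] not in KNOWN_GOOD_DOMAINS:
            evidence.append(row)
            score += NETWORK_WEIGHT
    for row in identity_logs:
        # Same user, inside the window, performing a change an attacker would make to persist
        if row["user"] == alert["user"] and in_window(row) and row["event"] in RISKY_IDENTITY_EVENTS:
            evidence.append(row)
            score += IDENTITY_WEIGHT

    evidence.sort(key=lambda r: parse_ts(r["ts"]))
    return {"host": alert["host"], "user": alert["user"], "score": score,
            "severity": severity(score), "sources": sorted({r["source"] for r in evidence}),
            "evidence": evidence}


def build_incidents(alerts=ENDPOINT_ALERTS, proxy_logs=PROXY_LOGS, identity_logs=IDENTITY_LOGS):
    return [correlate(a, proxy_logs, identity_logs) for a in alerts]


if __name__ == "__main__":
    for inc in build_incidents():
        print(f"{inc['severity']} ({inc['score']}) on {inc['host']} / {inc['user']} from {inc['sources']}")
        for e in inc["evidence"]:
            print("  ", e["ts"], e["source"], e.get("title") or e.get("dest") or e.get("event"))
```

Seen by the EDR alone, the alert scores 50 ("medium"); with the outbound connection to an unknown host and the new MFA device registered minutes later, the same activity becomes a single "critical" incident with three sources of evidence. The time window and weights are the tuning knobs a real deployment would adjust.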

EDR Features

  • Security incident containment — EDR solutions can contain a compromised endpoint, typically by isolating it from the network while keeping the management channel to the EDR console open, so that an attack cannot spread across the entire network.
  • Threat detection — the ability to detect malicious activity and anomalies on endpoints rather than only looking for file-based malware, for example an Office application spawning a script interpreter.
  • Incident response — EDR solutions offer incident response capabilities such as incident prioritization to help security teams respond to attacks faster.
  • Incident investigation — EDR simplifies the forensic investigation of incidents by keeping a central repository of endpoint telemetry that is already normalized and ready for analysis.
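The four EDR capabilities listed above (detect, contain, investigate, remediate) and the feature list here, as one added example that is not part of the original page or of any EDR product: constructed process-creation telemetry is recorded in a central store (an in-memory SQLite database standing in for the EDR back end), a behavioural rule flags an Office application spawning PowerShell with an encoded command, the alert is prioritized by whether the shell has already spawned children, the host is marked for network isolation, and the process tree is rebuilt from the stored events for investigation. All event data, rule names and the isolation action are assumptions made for this illustration.

```python
import sqlite3

# Constructed process-creation telemetry as an EDR agent would report it (not real data).
# Fields: timestamp, host, user, pid, parent pid, image path, command line.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01Z", "ws-017", "alice", 4100, 800,
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE invoice.docm"),
    ("2024-05-01T09:00:05Z", "ws-017", "alice", 4188, 4100,
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("2024-05-01T09:00:06Z", "ws-017", "alice", 4201, 4188,
     r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Run"),
    ("2024-05-01T09:01:00Z", "ws-042", "bob", 5120, 900,
     r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ("2024-05-01T09:02:00Z", "ws-042", "bob", 5130, 5120,
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Process"),
]


def open_store():
    """Centralized telemetry store; in-memory SQLite stands in for the EDR back end."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE process_events (
                    ts TEXT, host TEXT, user TEXT, pid INTEGER, ppid INTEGER,
                    image TEXT, cmdline TEXT)""")
    db.execute("CREATE TABLE containment_actions (ts TEXT, host TEXT, action TEXT, reason TEXT)")
    return db


def ingest(db, events):
    """Record endpoint behaviour (here: process creations) in the central store."""
    db.executemany("INSERT INTO process_events VALUES (?,?,?,?,?,?,?)", events)
    db.commit()
    return db.execute("SELECT COUNT(*) FROM process_events").fetchone()[0]


def process_tree(db, host, root_pid):
    """Investigation: rebuild the process tree under root_pid on one host from stored telemetry.
    Real agents key on a process GUID rather than a reusable pid; pid is used here for brevity."""
    return db.execute("""
        WITH RECURSIVE tree(pid, depth) AS (
            SELECT ?, 0
            UNION ALL
            SELECT e.pid, t.depth + 1
            FROM process_events e JOIN tree t ON e.ppid = t.pid AND e.host = ?
        )
        SELECT t.depth, e.pid, e.ts, e.image, e.cmdline
        FROM tree t JOIN process_events e ON e.pid = t.pid AND e.host = ?
        ORDER BY t.depth, e.ts""", (root_pid, host, host)).fetchall()


def detect_office_spawning_encoded_powershell(db):
    """Detection: an Office application spawning PowerShell with an encoded command line.
    The behaviour is flagged whether or not any file on disk matches a signature."""
    rows = db.execute("""
        SELECT c.ts, c.host, c.user, p.pid, p.image, c.pid, c.cmdline
        FROM process_events c JOIN process_events p ON p.host = c.host AND p.pid = c.ppid
        WHERE lower(c.image) LIKE '%powershell.exe'
          AND (lower(c.cmdline) LIKE '% -enc %' OR lower(c.cmdline) LIKE '% -encodedcommand %')
          AND (lower(p.image) LIKE '%winword.exe' OR lower(p.image) LIKE '%excel.exe'
               OR lower(p.image) LIKE '%powerpnt.exe')""").fetchall()
    alerts = []
    for ts, host, user, ppid, pimage, pid, cmdline in rows:
        # Prioritization: escalate when the flagged PowerShell has already spawned children
        descendants = len(process_tree(db, host, pid)) - 1
        alerts.append({"rule": "office_spawns_encoded_powershell", "ts": ts, "host": host,
                       "user": user, "parent_pid": ppid, "child_pid": pid, "cmdline": cmdline,
                       "severity": "high" if descendants else "medium"})
    return alerts


def contain(db, host, reason):
    """Containment: isolate the endpoint so the attack cannot spread. A real agent keeps its
    management channel open so investigation and remediation can still reach the host."""
    action = {"host": host, "action": "network_isolate", "reason": reason}
    db.execute("INSERT INTO containment_actions VALUES (datetime('now'), ?, ?, ?)",
               (host, action["action"], reason))
    db.commit()
    return action


def run_pipeline(events=SAMPLE_EVENTS):
    """Record, detect, prioritize, contain; returns the store for follow-up investigation."""
    db = open_store()
    ingest(db, events)
    alerts = detect_office_spawning_encoded_powershell(db)
    actions = [contain(db, a["host"], a["rule"]) for a in alerts if a["severity"] == "high"]
    return db, alerts, actions


if __name__ == "__main__":
    db, alerts, actions = run_pipeline()
    for a in alerts:
        print(a["severity"], a["host"], a["cmdline"])
        for depth, pid, ts, image, cmdline in process_tree(db, a["host"], a["parent_pid"]):
            print("  " * (depth + 1), ts, pid, cmdline)
    print("containment:", actions)
```

Only the ws-017 chain fires: the same PowerShell image on ws-042 is launched from cmd.exe without an encoded command and is left alone, which is the point of keying on behaviour rather than on the binary. The recursive query over the stored events is what lets an analyst see WINWORD.EXE, the hidden PowerShell and the rundll32 from a Temp path as one chain after the fact.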

EPP: Endpoint protection platforms aim to prevent both traditional threats, such as known malware, and advanced threats, such as file-less attacks, ransomware and the exploitation of zero-day vulnerabilities.

EPP Capabilities

  • Signature matching — detecting threats by comparing files against known malware signatures (for example a hash or byte pattern from a vendor feed); fast and precise, but blind to anything not yet catalogued.
  • Sandboxing — testing files for malicious behaviour by executing them in an isolated virtual environment before allowing them to run on the endpoint.
  • Behavioral analysis — EPP solutions can establish a baseline of normal endpoint behaviour and flag deviations from it, even when there is no known threat signature.
  • Static analysis — analysing binaries and searching for malicious characteristics before execution, often with machine learning models trained on known-malicious and benign samples.
  • Allowlisting and denylisting (whitelisting and blacklisting) — permitting only, or blocking, specific IP addresses, URLs and applications.
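The pre-execution capabilities in the list above (signature matching, allow/denylisting and static analysis) combined into one verdict pipeline, as an added example that is not part of the original page or of any EPP product. The "files" are constructed byte strings rather than real binaries, the signature set is derived from the constructed known-bad sample so the block runs offline, and the path prefixes, denylisted domain, entropy threshold and scoring weights are all assumptions. Sandboxing and behavioural analysis happen at or after execution and are deliberately not modelled.

```python
import hashlib
import math
from collections import Counter
from urllib.parse import urlparse

# Constructed sample "files" (byte strings, not real binaries) and policy data for this example.
MALWARE_SAMPLE = b"MZ" + bytes(range(256)) * 8          # known bad: its hash is in the signature set
TRUSTED_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode." + b"\x00" * 256
PACKED_SAMPLE = (b"MZ" + bytes((i * 73 + 11) % 256 for i in range(2048))   # high-entropy body, as packers produce
                 + b"VirtualAlloc\x00powershell -enc ")
BENIGN_SAMPLE = b"MZ" + b"Hello world config tool " * 40

# Signature feed: in production this comes from the vendor; here derived from the constructed sample.
KNOWN_BAD_SHA256 = {hashlib.sha256(MALWARE_SAMPLE).hexdigest()}
ALLOWLISTED_PATH_PREFIXES = ("C:\\Program Files\\", "C:\\Windows\\System32\\")   # assumed policy
DENYLISTED_DOMAINS = {"malware-drop.invalid"}                                    # assumed policy
SUSPICIOUS_STRINGS = (b"VirtualAlloc", b"-enc ", b"Invoke-Expression")
ENTROPY_THRESHOLD = 7.2      # bits per byte; assumed cut-off for "packed or encrypted"
BLOCK_SCORE = 60             # assumed static-analysis score at which the file is blocked


def shannon_entropy(data):
    """Bits per byte; 8.0 means every byte value is equally common (random-looking data)."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def static_score(data):
    """Static (pre-execution) analysis: cheap heuristics standing in for a trained classifier."""
    findings, score = [], 0
    if not data.startswith(b"MZ"):
        findings.append("no PE header")
        score += 10
    ent = shannon_entropy(data)
    if ent > ENTROPY_THRESHOLD:
        findings.append(f"high entropy {ent:.2f}")
        score += 50
    for s in SUSPICIOUS_STRINGS:
        if s in data:
            findings.append(f"string {s!r}")
            score += 20
    return score, findings


def scan_file(path, data):
    """Pre-execution verdict pipeline: signature -> allowlist -> static analysis.
    The signature check runs first so a known-bad file in a trusted directory is still blocked."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return {"verdict": "block", "stage": "signature", "detail": digest[:16]}
    if path.startswith(ALLOWLISTED_PATH_PREFIXES):
        return {"verdict": "allow", "stage": "allowlist", "detail": path}
    score, findings = static_score(data)
    verdict = "block" if score >= BLOCK_SCORE else "allow"
    return {"verdict": verdict, "stage": "static", "detail": findings, "score": score}


def url_allowed(url):
    """Denylist check for outbound URLs; a subdomain of a denylisted domain is also blocked."""
    host = (urlparse(url).hostname or "").lower()
    return not any(host == d or host.endswith("." + d) for d in DENYLISTED_DOMAINS)


if __name__ == "__main__":
    for path, data in [("C:\\Users\\alice\\Downloads\\invoice.exe", MALWARE_SAMPLE),
                       ("C:\\Program Files\\Vendor\\tool.exe", TRUSTED_SAMPLE),
                       ("C:\\Users\\alice\\Downloads\\setup.exe", PACKED_SAMPLE),
                       ("C:\\Users\\alice\\Downloads\\notes.exe", BENIGN_SAMPLE)]:
        print(path, scan_file(path, data))
    print(url_allowed("https://intranet.example.com/"), url_allowed("http://cdn.malware-drop.invalid/x"))
```

The ordering matters: the hash lookup is cheapest and most precise, so it runs first; the allowlist short-circuits the heavier static stage for software the organisation trusts; and the static heuristics catch the packed, unknown sample that no signature would match. The entropy and string checks are only a stand-in for the machine-learning classifiers real products use, but they show where such a model sits in the pipeline.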