EPP & EDR: A Guide
EPP and EDR are two distinct parts of the approach to endpoint security. Though they sound similar, they have different implementations. Both are considered essential to a robust security posture.
What is EPP?
Endpoint Protection Platforms (EPP) are analogous to a digital security guard for each device, or endpoint, connected to the organization's network. Just as door security ensures that those entering and exiting are authorized and engaging in safe activity, an EPP ensures the digital safety of each device connected to the network. These checks are an early stage of defense against potential threats. EPP is passive and doesn't require active monitoring by your team.
Why EPP matters
EPP works to detect and prevent cyber threats. It is a form of data monitoring that scans for and identifies anything suspicious that tries to reach the end device. Similar to locks on doors, EPP ensures that only authorized activities happen on your device. EPPs often have built-in features such as anti-virus, malware protection, firewalls, and centralized management of device security. These features are why EPP is considered the foundation of a strong endpoint defense.
EPP and assessment
A variety of assessments will ask you to identify an EPP system because it is considered a significant barrier against cyber threats like viruses, malware, and other malicious software. Because it is so foundational to your endpoint defenses, not having EPP in place is likely to have a very detrimental impact on a variety of assessments, such as compliance audits, funding eligibility, or insurance. If you do not have EPP in place, you will need to provide assessors with evidence of alternative ways of mitigating the risk.
What is EDR?
EDR stands for Endpoint Detection and Response. It provides you with ongoing, comprehensive visibility of what is happening on your endpoints (such as laptops or any other device connected to the internet) in real time, and it should allow you to contain and investigate any incidents that occur. It is used actively by your network team to identify a possible network intrusion, and it provides them with the tools and data they need to isolate the incident or take down the intruder.
Why EDR matters
In cyber security, the emphasis is on layers of security. Like an ancient castle, one wall is not enough to guard your network against potential attacks. You need multiple walls, trenches, and traps to be sufficiently protected. EDR is the safety net that lies behind your other defenses, such as EPP, and works in concert with other defensive elements. It acts when a breach has occurred to catch anything that makes it past your castle wall.
EDR and assessment
EDR has become increasingly significant for demonstrating to assessors that you have a robust cyber security posture, because having EDR shows that your organization is thinking beyond just the frontline of defense. If you are undergoing any sort of assessment of your cybersecurity posture, such as funding eligibility, insurance coverage, or a certificate of compliance, ensure that you can articulate how EDR has been deployed. If you have not deployed EDR, ensure you can demonstrate how you are defending against the particular risk scenarios it is used for.
EPP vs EDR: Which matters more?
The answer is easy: neither. EPP and EDR perform different actions under different circumstances. They are designed to work in concert with one another and with the other elements of your security system. As in the castle analogy above, the goal is to have multiple layers of defense. A wall is good, but useless if your enemies fire arrows over it, send sappers underneath it, or manage to sneak a spy inside. Similarly, without each other, both of these solutions are less useful.
Checklist
When implementing these protections, consider the following:
- Ensure any EPP and EDR products are compatible with your existing security technologies.
- Review whether EPP, EDR, or both are included in any existing software in place.
- Check which devices and systems the protection will cover. Make sure this is documented.
- Ensure that the EPP and EDR are tested regularly to confirm they are working as expected.
- Regularly review incidents detected by EPP and EDR at cyber security review meetings.
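As an added example (not part of the guide above), the following Python script supports the coverage and testing items in the checklist: it reconciles a constructed asset inventory against constructed EPP and EDR agent exports and flags endpoints with no agent, agents that have stopped checking in, and hosts the inventory does not document. The inventory, agent lists and timestamps are all made up for illustration; a real run would read them from your asset register and the product consoles.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real tenant): the organisation's asset
# inventory plus the host lists exported from the EPP and EDR consoles.
# Each agent record carries its last check-in time so stale agents stand out.
INVENTORY = ["LAPTOP-01", "LAPTOP-02", "SERVER-01", "SERVER-02", "KIOSK-01"]
EPP_AGENTS = {
    "LAPTOP-01": "2024-06-01T08:00:00",
    "LAPTOP-02": "2024-06-01T08:05:00",
    "SERVER-01": "2024-05-01T08:00:00",  # last checked in a month ago
    "SERVER-02": "2024-06-01T08:00:00",
}
EDR_AGENTS = {
    "LAPTOP-01": "2024-06-01T08:00:00",
    "SERVER-01": "2024-06-01T08:00:00",
    "SERVER-02": "2024-06-01T08:00:00",
    "CONTRACTOR-PC": "2024-06-01T08:00:00",  # not in the inventory
}
NOW = datetime.fromisoformat("2024-06-01T09:00:00")  # fixed for reproducibility


def coverage_report(inventory, epp, edr, now=NOW, max_age=timedelta(days=7)):
    """Reconcile the inventory against both agent lists.

    Returns a dict with: hosts missing an EPP agent, hosts missing an EDR
    agent, (host, layer) pairs whose agent has not checked in within max_age
    (installed but probably not working), and agent-reported hosts that the
    inventory does not know about (a documentation gap).
    """
    report = {"no_epp": [], "no_edr": [], "stale": []}
    for host in inventory:
        for layer, agents in (("epp", epp), ("edr", edr)):
            last_seen = agents.get(host)
            if last_seen is None:
                report[f"no_{layer}"].append(host)
            elif now - datetime.fromisoformat(last_seen) > max_age:
                report["stale"].append((host, layer))
    report["unknown"] = sorted((set(epp) | set(edr)) - set(inventory))
    return report


if __name__ == "__main__":
    for finding, hosts in coverage_report(INVENTORY, EPP_AGENTS, EDR_AGENTS).items():
        print(f"{finding}: {hosts}")
```

Any non-empty list in the report is an item to raise at the security review meeting, since an endpoint with no agent or a silent agent is one the layered defense described above does not actually cover.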