Table of Contents
- Introduction
- What is Antivirus Endpoint Protection?
- How does AV software work to secure endpoints?
- What are the pros and cons of AV software in endpoint protection?
- Examples of AV software
- What Is EDR?
- How does EDR software work?
- What are the pros and cons of EDR software in endpoint protection?
- EDR Software Vendors
- EDR vs Antivirus
- FAQ
- Summary
Zero Trust Security: EDR vs Antivirus – Which one is better for your organization’s endpoint security?
With cyber-attacks becoming more sophisticated and frequent, it is essential to have a robust security strategy to protect your organization’s digital assets. Endpoint security is an essential aspect of this strategy, and AV (anti-virus) and EDR (Endpoint Detection & Response) software are two popular options for securing endpoints such as desktops, laptops, and servers.
In this blog post, we will explain the features, strengths, and weaknesses of these two endpoint security solutions and explain why one is the better option over the other.
What is endpoint security or protection?
Endpoint security or protection refers to securing network-connected computer systems and mobile devices (the endpoints) and keeping them secure and compliant. Historically, antivirus (AV) software is the first thing that comes to mind for this, but today Endpoint Detection and Response (EDR) software is becoming more popular and better meets the needs of today’s security protection.
There are many ways to provide endpoint protection, and deploying several of them in layers is the best approach. For example, a next generation firewall (NGFW) protects all the endpoints behind it, but we recommend having both the firewall and protection software on the endpoints themselves, plus other controls such as a solid patch management and verification process.
Other, more advanced related solutions are Managed Detection and Response (MDR) and Extended Detection and Response (XDR), which extend these capabilities and provide threat hunting across all resources.
What is Antivirus Endpoint Protection?
Antivirus is the older endpoint protection software which has been around for over 40 years. It is considered the lowest common denominator of endpoint security.
How does AV software work to secure endpoints?
Antivirus software is designed to identify malicious software or code that has infected a computer and uses various methods to identify potential malware infections. AV traditionally relies very heavily on something called signature matching to determine threats to the device. AV software compares files against a known database of “bad” files. When a match is found, the file is recognized as a threat. As AV has evolved, it has provided more advanced detection based on machine learning and artificial intelligence (AI). This makes it possible to detect unknown and zero-day malware, and advanced threats.
What are the pros and cons of AV software in endpoint protection?
AV is better than having no protection, but it is not the best solution today. It can and will find and isolate known malware on a device, but it does not do as well at finding and isolating unknown malware. And threats are too numerous today for a signature database to keep up with them.
AV does cost less than more advanced endpoint protection solutions.
Examples of AV software
There are many different brands and types of AV software. Some types are anti-malware, anti-spyware, browser security, and even next generation firewalls provide network AV. Anti-malware protects against malicious programs like trojans and worms. Anti-spyware is designed to detect and block programs that invade privacy. Browser security helps ensure that only safe websites are being accessed. Network AV scans traffic for embedded malware in a network packet to and from an endpoint.
What Is EDR?
Endpoint detection and response (EDR) software flips the model from traditional AV.
How does EDR software work?
Instead of relying on signature matching, EDR relies more on behavioral analysis. For example, if an application or file spawns an unknown or unexpected script, that activity is flagged and quarantined until the process can be confirmed as good or bad. This provides real-time monitoring and detection of threats.
What are the pros and cons of EDR software in endpoint protection?
Because it does not rely on signature files, EDR reacts better to new and advanced threats, including some that a traditional AV may not easily recognize as threats. Being behavior-based allows EDR to detect unknown threats from their abnormal behavior. EDR is also not limited to file-based malware: it protects against malicious code that does not require an executable file, for example malware that is injected into a running process and executes only in RAM.
A disadvantage of EDR is the cost, which is higher than AV.
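To make the difference between the two detection models concrete, here is a small added example (not code from the original post or from any vendor named on it). It contrasts a signature scan, which hashes a file and looks it up in a known-bad list, with a behavioral scan over a constructed stream of process-creation events of the kind an EDR sensor records. The sample payload, the hash list, the event shape, and the application and script-host names are all constructed for illustration; the two rules implemented (a document application spawning a script host, and a process with no backing file on disk) correspond to the "unexpected script" and "RAM-only" cases described above.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional

# --- Signature-style detection (the traditional AV model) ---------------------

# Constructed sample: a pretend malicious payload and its SHA-256 "signature".
KNOWN_BAD_SAMPLE = b"CONSTRUCTED-SAMPLE: drop payload and run it"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Constructed.Dropper.A"}


def signature_scan(content: bytes) -> Optional[str]:
    """Return the signature name if the file's hash is in the database, else None."""
    return SIGNATURE_DB.get(hashlib.sha256(content).hexdigest())


# --- Behaviour-style detection (the EDR model) ---------------------------------

@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event as a sensor might record it (constructed shape)."""
    pid: int
    parent_image: str      # image name of the parent process, e.g. "winword.exe"
    image: str             # image name of the new process, e.g. "powershell.exe"
    backed_by_file: bool   # False when the code runs only from memory


# Document-handling applications that normally have no reason to launch a script host.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}


def behavioral_scan(events: Iterable[ProcessEvent]) -> List[str]:
    """Apply two behavior rules to a stream of events and return the findings."""
    findings = []
    for e in events:
        if e.parent_image.lower() in DOCUMENT_APPS and e.image.lower() in SCRIPT_HOSTS:
            findings.append(f"pid {e.pid}: {e.parent_image} spawned script host {e.image}")
        if not e.backed_by_file:
            findings.append(f"pid {e.pid}: {e.image} has no backing file on disk (fileless)")
    return findings


def demo() -> dict:
    """Run both scanners on constructed input and return the results for comparison."""
    # A "variant": the same payload with a single byte changed. Its hash no longer
    # matches, so the signature scan misses it, even though its behavior is unchanged.
    variant = bytearray(KNOWN_BAD_SAMPLE)
    variant[0] ^= 0x01

    # Constructed telemetry: a document viewer launches a script host, which then
    # runs code that exists only in memory.
    events = [
        ProcessEvent(100, "explorer.exe", "winword.exe", True),
        ProcessEvent(101, "winword.exe", "powershell.exe", True),
        ProcessEvent(102, "powershell.exe", "<memory-only>", False),
    ]
    return {
        "signature_hit_original": signature_scan(KNOWN_BAD_SAMPLE),
        "signature_hit_variant": signature_scan(bytes(variant)),
        "behavioral_findings": behavioral_scan(events),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the original sample matching the signature, the one-byte variant not matching at all, and the behavioral rules raising two findings regardless of the file's hash. Real products combine many more rules and use reputation and machine-learning scoring on top of them, but the core contrast is the same: a hash answers "have I seen this file before?", while the event rules answer "is this process doing something it should not?".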
EDR Software Vendors
Many of the same vendors that produced AV also produce EDR. Examples would be Trend Micro, Kaspersky, ESET and others. SentinelOne is one of the best and most known EDR producers. Another well-known vendor is CrowdStrike. But there are many others. Many of the NGFW vendors also provide an EDR solution, such as Check Point, Fortinet, and Palo Alto.
EDR vs Antivirus
Feature | EDR | AV |
Detection Method | More behavioral analysis | More signature matching |
Threat Types Detected | Known and unknown | Mostly known |
Effect on Endpoint Performance | Less, does not rely on file scans | More, relies on file scans |
Importance of Ongoing Updates | Less important because it monitors behavior | More important as regular updates are needed for effectiveness |
Protection Against Fileless Threats | Yes, protects against injected RAM only malware | No, does not protect against injected RAM only malware |
Rollback | Yes, can rollback device to pre-infected state | No, cannot rollback device to pre-infected state |
Auto Isolate | Yes, can isolate infected device | No, can isolate a file but not the machine |
FAQs
Here are answers to some frequently asked questions about EDR.
Do you need both EDR and AV? Is EDR enough?
While you can run both together, we do not feel it is necessary and recommend removing AV when installing EDR.
Does EDR prevent attacks?
Yes, EDR can stop an attack before it becomes a breach.
Does EDR include firewall?
Yes, EDR typically includes a software firewall.
Does EDR Include Antivirus?
Yes, EDR is an advancement on AV and can therefore include many of the AV features, but it adds more advanced new features.
What are the chances of AV and EDR failing?
Like hardware, software can fail, but it is not highly likely. And AV is more likely to fail in catching a threat than EDR.
Is EDR a replacement for antivirus?
Yes, EDR is a replacement for AV, and it is recommended that the replacement be made considering today’s threat landscape.
Can XDR replace EDR?
Yes, XDR is more than EDR and includes EDR.
How Does EDR Complement Antivirus?
Because EDR is an evolution or advancement of AV, necessitated by more advanced threats, it is an improvement over AV.
Is CrowdStrike an antivirus or EDR?
CrowdStrike is an EDR.
Is SentinelOne an antivirus or EDR?
SentinelOne is an EDR.
Summary
EDR is an advancement or improvement on AV that was necessary to combat more advanced and crafty threats. It is no longer enough for businesses to rely on AV alone to protect their network and digital assets. Even more so than AV, the benefits of EDR are best realized when it is managed properly by competent staff. Make sure you deploy and configure it properly for maximum effect, or call on a qualified security-centric managed IT service provider like IntegriCom.
At IntegriCom we are very experienced with EDR and security in general. We have a CISSP on staff and a team of well-qualified engineers to assist you. Please contact us for a complimentary consultation and ask for a full network security scan to see where you are vulnerable.