
EDR vs EPP vs Threat Hunting

infiniti7181 asked:
Gurus,

Could you please explain the difference between

1. Endpoint Protection / Antivirus
2. Endpoint Detection and Response
3. Threat Hunting

Are these three related in terms of endpoint protection?

SID

Commented:
EDR can actually monitor and respond to abnormal activity, plus provide tracking data. For example, I went to a website, downloaded an Excel file, opened it, and there are dangerous macros in it. An EDR client like CrowdStrike Falcon or Cisco AMP for Endpoints could log the activity and delete the file. An EPP product would simply scan and (hopefully) detect/eliminate the threat. EPP products are traditionally more signature-based with some heuristics, even though that has been improving. EDR will actually track things happening on the system, detect things that appear strange, alert, and react.
Exec Consultant commented:
1. EPP would cover something like SEP, which has host intrusion prevention, a firewall, and AV. This is the basic protection; at a minimum, AV is installed.

2. EDR goes beyond EPP, as it tends to detect potential breach attempts on the machine and provides remote forensic capabilities such as memory dumps and hash checks on indicators of compromise (IOCs).

3. Threat hunting is yet another capability, but it is more about chasing down IOCs by scanning for their existence and related vulnerabilities. It is done separately and is not installed on the endpoint like 1 and 2. It can also be done by professionals as part of the threat assessment and response when a breach is suspected.
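The three distinctions drawn in both answers (point-in-time signature scanning, behavioural detection over recorded telemetry, and retrospective IOC searches run outside the agent) as an added example in Python, not code from either commenter or from any vendor product. The process events, file contents and "known bad" hash are all constructed for the illustration; the rule names and field layout are assumptions.

```python
import hashlib

# Assumed process categories for the behavioural rule (illustrative, not a product's rule set).
OFFICE_APPS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "known bad" content standing in for a signature entry / IOC hash (not a real indicator).
BAD_DOC = b"constructed sample standing in for a macro-laden workbook"
KNOWN_BAD = {sha256(BAD_DOC)}

# Constructed EDR telemetry: one process-creation record per line, two hosts.
# ws01 opens the known-bad document; ws02 opens a benign one, but both end up spawning a script host.
EVENTS = [
    {"ts": 1, "host": "ws01", "parent": "chrome.exe",   "child": "EXCEL.EXE",      "file_sha256": sha256(BAD_DOC)},
    {"ts": 2, "host": "ws01", "parent": "EXCEL.EXE",    "child": "powershell.exe", "file_sha256": None},
    {"ts": 3, "host": "ws02", "parent": "explorer.exe", "child": "EXCEL.EXE",      "file_sha256": sha256(b"benign budget workbook")},
    {"ts": 4, "host": "ws02", "parent": "EXCEL.EXE",    "child": "powershell.exe", "file_sha256": None},
]

def epp_scan(file_bytes: bytes, signatures=KNOWN_BAD) -> bool:
    """EPP/AV style check: point-in-time and content-based. True means the file matches a signature."""
    return sha256(file_bytes) in signatures

def edr_detect(events):
    """EDR style check: a behavioural rule evaluated over recorded telemetry.
    Flags an Office application spawning a script host and returns the process chain
    on that host leading up to the alert, i.e. the 'tracking data' an analyst would review."""
    alerts = []
    for e in events:
        if e["parent"] in OFFICE_APPS and e["child"] in SCRIPT_HOSTS:
            chain = [x for x in events if x["host"] == e["host"] and x["ts"] <= e["ts"]]
            alerts.append({"host": e["host"], "rule": "office-app-spawns-script-host",
                           "chain": [(x["parent"], x["child"]) for x in chain]})
    return alerts

def threat_hunt(events, iocs):
    """Threat hunting: a retrospective search of stored telemetry for IOCs (here file hashes),
    run separately from the endpoint agents, so it also finds hosts that a signature missed at scan time."""
    return sorted({e["host"] for e in events if e.get("file_sha256") in iocs})
```

Note that ws02 passes the EPP check (its file is not in the signature set) yet still trips the EDR rule, while the hunt only surfaces ws01, whose file hash is the IOC being searched for.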