Choosing Between EDR, EPP, and NGAV
Key Points
- Next‑Generation Antivirus (NGAV) builds on traditional signature‑based AV by adding AI‑driven behavioral analysis to block both known and unknown threats, but it mainly offers prevention without deep telemetry.
- Endpoint Protection Platforms (EPP) focus on stopping known threats using signatures, heuristics, and behavior, and they also handle basic IT hygiene tasks like policy enforcement, USB blocking, and patching.
- Endpoint Detection and Response (EDR) goes beyond prevention by providing continuous monitoring, real‑time threat detection, extensive telemetry collection, and incident‑response capabilities that enable threat hunting and automated remediation.
- Selecting the right solution depends on an organization’s specific risk sources, environment size, regulatory requirements, and available staffing or budget to manage the tools effectively.
- Because most firms need both detection and response for known and unknown threats, many are adopting EDR directly or via managed MDR/XDR services to achieve broader, automated protection.
Source: https://www.youtube.com/watch?v=8ZlHOZlNIKk
Duration: 00:03:37
Sections
- 00:00:00 (https://www.youtube.com/watch?v=8ZlHOZlNIKk&t=0s) Comparing EDR, EPP, and NGAV: the speaker contrasts NGAV’s AI‑driven detection of known and unknown threats with EPP’s focus on basic hygiene and policy enforcement, framing the three main endpoint security categories (EDR, EPP, NGAV) for teams deciding where to start.
Full Transcript
Endpoints like phones, laptops and servers are the first line of defense for security teams today, but with so many overlapping tools on the market, where should you start? Let's take a look at the differences between the main three product categories that firms are turning to: EDR, EPP and NGAV.

Let's start with next-generation antivirus, or rather just antivirus, because traditional AV solutions work through signature-based detection: they identify and block known threats by comparing the fingerprint of a file to a database of known malicious ones. Next-generation antivirus improves on this by using AI and behavioral analysis to block both known threats and unknown threats, including zero-day attacks and more sophisticated malware that may evade signature-based detection. However, the scope of these solutions is limited to prevention, and they don't necessarily give security teams the rich telemetry needed to address the rapidly evolving threat landscape.

So now let's look at endpoint protection platforms. These primarily focus on preventing known threats using a combination of signature-based detection, heuristics and behavioral analysis. While they can be effective against many common threats, they can struggle to detect new and sophisticated attacks, and due to this, in my experience, teams rely on EPPs to perform the basic IT hygiene and maintenance tasks like enforcing policies that ban USB access, patching applications and launching scripts to perform tasks at boot time.

Finally, let's look at endpoint detection and response, because EDR goes beyond prevention by being proactive, supporting continuous monitoring and real-time threat detection plus incident response. EDR tools are often better at serving security teams useful intelligence by collecting and analyzing large volumes of telemetry across the total endpoint landscape. EDR can help identify patterns and anomalies en masse that can indicate the presence of threats, even APTs, zero-days or N-day attacks, plus it allows organizations to perform threat hunting activities to proactively defend against new threats. ibms can even learn from previous threats and the remediation actions your security teams took to better respond to similar threats in the future.

Okay, so which one is the best for your organization? There's no one-size-fits-all answer, and it'll really depend heavily on what you're trying to achieve. You should consider the sources of risk that you're exposed to, the size of your IT environment, any applicable regulatory requirements and the resources that you have available to manage, optimize and make these tools effective. However, at the very least you should be able to detect and respond to both known and unknown threats, and be able to proactively search for the presence of indicators of compromise across all of your endpoints. And it's for this reason that many organizations are adopting EDR solutions, or outsourcing it to a trusted partner with MDR, or considering XDR to address further automation and specific use cases.

To find out more about IBM's EDR solution, click the links in the description and subscribe to see more security videos from IBM.
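The two detection models the transcript contrasts, shown side by side as an added Python example (this is not code from the video or from any IBM product): a signature lookup that only recognizes fingerprints already in its blocklist, and a telemetry-driven rule that an EDR can evaluate across every endpoint at once. The hashes, hostnames, process events, field names and the "Office app spawns a shell" rule are all constructed for illustration.

```python
"""Added illustration, not from the video: signature-based detection
(compare a file's fingerprint to a list of known-bad fingerprints) next to
the telemetry-driven detection an EDR performs across many endpoints.
Every hash, hostname and process event here is constructed."""
import hashlib
from collections import defaultdict

# Constructed blocklist: SHA-256 fingerprints of two sample byte strings
# standing in for known malicious files.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-sample-malware-A").hexdigest(),
    hashlib.sha256(b"constructed-sample-malware-B").hexdigest(),
}


def signature_verdict(file_bytes: bytes) -> str:
    """Traditional AV check: block only when the fingerprint is already known.
    A single changed byte yields a new hash, so an unknown variant is allowed."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return "block" if digest in KNOWN_BAD_SHA256 else "allow"


# Constructed EDR telemetry: one record per process start, gathered from
# every endpoint into a central store (field names are assumptions).
TELEMETRY = [
    {"host": "ws-01", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "ws-02", "parent": "explorer.exe", "image": "powershell.exe"},
    {"host": "ws-03", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "srv-01", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws-04", "parent": "excel.exe", "image": "cmd.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELL_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def behavioral_alerts(events):
    """Behavior rule (no file hash needed): an Office application spawning a
    shell interpreter is flagged regardless of which payload is involved."""
    return [e for e in events
            if e["parent"] in OFFICE_APPS and e["image"] in SHELL_INTERPRETERS]


def fleet_wide_pattern(events, min_hosts=2):
    """EDR-style hunt over the whole fleet: report a suspicious parent->child
    pair only when it appears on at least `min_hosts` distinct endpoints,
    a view a per-host AV engine never has."""
    hosts_by_pair = defaultdict(set)
    for e in behavioral_alerts(events):
        hosts_by_pair[(e["parent"], e["image"])].add(e["host"])
    return {pair: sorted(hosts) for pair, hosts in hosts_by_pair.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print(signature_verdict(b"constructed-sample-malware-A"))          # block
    print(signature_verdict(b"constructed-sample-malware-A-variant"))  # allow: hash unknown
    for alert in behavioral_alerts(TELEMETRY):
        print("alert", alert)
    print(fleet_wide_pattern(TELEMETRY))
```

The point of the two halves is the gap the transcript describes: the variant sample gets "allow" from the signature check because its hash is new, while the behavioral rule fires on it and on every other file launched the same way, and the fleet-wide aggregation surfaces the same parent/child pair on two workstations, which is exactly the kind of pattern that is only visible once telemetry from all endpoints is collected in one place.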