Protecting your company with an antivirus or an EDR? Not a trivial question.
Faced with the complexity and increase in attacks, it is essential to have the means to secure the information system of each company. Antivirus protection is essential.
Endpoint Detection and Response and antivirus are part of this arsenal, necessary for every company.
Who has not heard of antivirus (AV) and Endpoint Detection and Response (EDR)?
Two types of solutions for endpoint security: your computers and servers, in the first place.
What’s the difference? Let’s look at a not-so-new concept.
The Larousse defines anti-virus as “Software utility that detects and destroys computer viruses attacking the memory of a computer.“
The anti-virus has been around for many years, it protects against malicious software.
Antivirus software is a computer program whose purpose is to detect and remove viruses and malware from the computer.
An antivirus scans data, web pages, files, software and applications that pass through the network to the devices. It scans any incoming file to determine if it is potentially malicious. Depending on whether the file is potentially malicious, it will block or quarantine it.
An antivirus program triggers the scan when malware or ransomware explodes. It relies on a kind of malware dictionary: if the malware is referenced then it blocks it, quarantines it or can even delete it.
However, the signature databases must be updated regularly, in order to deal with the new threats that appear daily.
What is its scope? Anti-Virus is limited to viruses and malware, which is a problem because attackers could bypass signature detection by using evasion techniques and so-called polymorphic software.
It therefore only attacks known threats. If the antivirus is not up to date or the threat is not yet known, it will not be detected immediately, thus increasing the risk of cyberattack.
- Its cost, the price per user is often minimal for an antivirus.
- Its effectiveness against internal threats. It is impossible to force the installation of an update or to uninstall the AV without having the authorizations.
EDR (Endpoint Detection & Response)
The acronym EDR was first used in 2013 by Anton Chuvakin (Gartner) and stands for Endpoint Detection and Response.
EDR provides endpoint protection and detects threats that go beyond malware.
The EDR identifies certain operating patterns and detects anomalies. It collects telemetric and behavioral data from the terminals and sends it to a centralized database for correlation and analysis.
It relies on AI. Thanks to its built-in machine learning and advanced artificial intelligence, it can identify abnormal behaviors and treat them.
- Greater security, EDR allows for the management of a large number of endpoints.
- Advanced threat detection. EDR fights emerging, unknown threats.
- More visibility. EDR provides context, information about the process of the attack, and information about its propagation. It provides the information needed to investigate forensic teams.
- Enables proactive detection. EDR is not limited to detection, it also looks for abnormal, suspicious patterns of activity. It thus contributes to a better security strategy.
- Automation: The EDR is highly automated and operates in real time. As we know, the faster the system, the more effective it is. EDR agents are installed on all terminals, allowing investigations to be launched quickly.
- The agent is lighter, and thus becomes less resource-intensive.
In short, the EDR detects, investigates, and remedies.
EDR or Anti-virus, which one to choose?
Pro activity: AV requires updating when EDR is proactive in detecting potential threats.
Wider protection surface: AV protects against malware when EDR detects viruses, malware, monitors suspicious traffic and fileless attacks.
Speed: EDR acts in real time.
Unknown threat: EDR also addresses unknown threats unlike anti-virus. EDR is designed to protect against all types of cyber-attacks.
You will have understood, where the choice of an antivirus can be quite judicious if you want to protect your personal computer, it is less certain when it comes to protecting your company.
Regardless of the size of your organization, the number of terminals used and present in your fleet, considering an EDR is the most appropriate solution.
The main difference between these two categories of products lies in the detection method. The antivirus remains a simple but limited solution.