What is EPP (Endpoint Protection Platform), EDR (Endpoint Detection and Response), MDR (Managed Detection and Response), and XDR (Everything Detection and Response)?

The world has faced changes in many areas since COVID-19, and the work environment is also changing and adapting to the new normal. In particular, remote work has increased considerably. Accordingly, many incidents such as ransomware attacks and data leakage have occurred in recent years, and companies and organizations that have experienced such incidents are very actively introducing EDR (Endpoint Detection and Response). As mentioned in the previously uploaded EDR article, EDR is expanding its scope of application, and it has been confirmed that EDR can give visibility into all endpoints to understand where threats originated and how they spread, and to respond to them. However, for a novice user the terminology related to endpoint protection is confusing, so I would like to describe it as follows.

First, there is the term EPP (Endpoint Protection Platform). This term refers to a platform for protecting endpoints (i.e. devices accessed by users, such as smartphones, PCs, and tablet PCs). The platform referred to here encompasses firewalls, antivirus, and data loss prevention (DLP). In addition, EDR (Endpoint Detection and Response) falls within the scope of EPP when viewed from a broader perspective. In recent years, however, EDR tends to be viewed as the larger concept, with strong emphasis on detection and response.

Secondly, it is also worth noting that EDR emerged to overcome the limitations of existing antivirus. Comparing the two: as many users know, once installed, antivirus automatically updates its signatures without administrator intervention and blocks known threats. In other words, it is a product that detects by signature analysis, that is, by matching predetermined patterns, and it is closer to follow-up action than to proactive prevention. EDR, on the other hand, is a product that requires active intervention from the administrator and responds appropriately according to the threat level of the detected event. For example, it detects and responds to abnormal behavior by analyzing event logs generated on the PC.

<Coverage of Antivirus and EDR>
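The contrast described above, as an added example that is not from the original article: a hash-based signature check misses a file it has never seen, while rules over the endpoint's event log still score the behavior and assign a threat level. The event format, rule set, scores and thresholds are assumptions made for illustration, and all sample data is constructed.

```python
import hashlib
from collections import defaultdict

# Constructed signature database: SHA-256 digests of files already known to be bad.
SIGNATURES = {hashlib.sha256(b"constructed known-bad sample").hexdigest()}

def signature_match(file_bytes):
    """Antivirus-style detection: exact match against a predetermined pattern."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURES

# Hypothetical behaviour rules and scores, chosen for illustration only.
OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}
MASS_WRITE_THRESHOLD = 5  # file modifications by one process

def score_events(events):
    """EDR-style detection: score each process from the endpoint's event log."""
    image = {}                       # pid -> executable name
    scores = defaultdict(int)        # pid -> accumulated threat score
    writes = defaultdict(int)        # pid -> file modifications seen
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_start":
            image[pid] = ev["image"]
            if ev["image"] in SCRIPT_HOSTS and image.get(ev["ppid"]) in OFFICE_APPS:
                scores[pid] += 40    # office application spawned a script host
        elif ev["type"] == "net_connect" and image.get(pid) in SCRIPT_HOSTS:
            scores[pid] += 20        # script host opened an outbound connection
        elif ev["type"] == "file_write":
            writes[pid] += 1
            if writes[pid] == MASS_WRITE_THRESHOLD:
                scores[pid] += 40    # burst of file modifications
    return dict(scores)

def threat_level(score):
    """Map a score to the level that decides how the administrator responds."""
    return "high" if score >= 80 else "medium" if score >= 40 else "low"

# Constructed inputs: a file with no signature yet, and the events it produces.
NEW_FILE = b"constructed sample with no signature yet"
EVENTS = [
    {"type": "process_start", "pid": 100, "ppid": 1, "image": "winword.exe"},
    {"type": "process_start", "pid": 200, "ppid": 100, "image": "powershell.exe"},
    {"type": "net_connect", "pid": 200, "dest": "203.0.113.10"},
] + [{"type": "file_write", "pid": 200, "path": f"doc{i}.docx"} for i in range(5)]

if __name__ == "__main__":
    print("signature match:", signature_match(NEW_FILE))
    print({pid: (s, threat_level(s)) for pid, s in score_events(EVENTS).items()})
```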

Third, the efficient operation of EDR products requires advanced security experts who are able to analyze numerous events. However, small and medium-sized companies or organizations are not in a position to maintain such a workforce, and even large enterprises are struggling to acquire such high-level security professionals. Therefore MDR (Managed Detection & Response), which is delivered as a service, came out to solve these difficulties. In other words, a subscription-based service product was born, whether for security or for IT. However, even specialized MDR service companies are showing the limits of the service, because they do not know the detailed circumstances of the customer company, such as its domains.

<Advantage of MDR>

The last service to mention is XDR (Everything Detection and Response), which applies a comprehensive and integrated concept. It detects, links, and analyzes threats occurring across the overall IT environment of the enterprise, such as endpoints, networks, clouds, and files. In other words, while EDR focuses on analyzing events occurring on the endpoint itself, XDR encompasses all areas, including network and cloud.

<Conceptual diagram of XDR>

In conclusion, EDR was born in response to the limitations of antivirus, and MDR became available to solve the problem of the lack of operational experts. Furthermore, since the continuity of information can be cut off when analyzing with EDR alone, XDR, which calls for overall analysis from network to cloud, came out.

I have served as CEO of NPCore, Inc. from November 2008 to the present with an extensive career of more than 20 years in the cybersecurity industry.