Skill Level: Any Skill Level

Learn about the evolution of endpoint security and how endpoint detection and response (EDR) tools complement traditional endpoint protection platform (EPP) capabilities.


Endpoint devices, such as computers and smartphones, provide a valuable means for users to access your network. This is especially vital if you rely on the ability of employees and third-party users to work remotely. However, these endpoints also provide a potential entry point to threat actors, who seek to exploit these openings to carry out attacks and steal sensitive information. The greater the number of endpoints connected to your network, the higher the risk of a breach. Endpoint security systems, notably EPP and EDR, have thus emerged to help manage this risk and contain the damage in the case of attack.



  1. What Is an Endpoint and Why Is It a Threat?

    The term endpoint refers to any device situated at the end of the network, such as smartphones, tablets, servers, workstations, and Internet of Things (IoT) devices. Each endpoint device represents a connection point between the device and the network. 

    Endpoint devices use Internet connections such as Direct Internet Access (DIA), Wireless Access Point (WAP), or mobile broadbands, to connect to the network. Once the endpoint gains access to the company network, it gains permission to communicate with other endpoints and exchange data. 

    Privately-owned endpoints are often poorly secured, which makes them an easy mark for threat actors looking to exploit network vulnerabilities. Corporate-owned endpoints may also find themselves on the victim side of an attack, due to lack of sufficient visibility at the endpoint.

  2. The Evolution of Endpoint Security

    1971—The First Computer Warm and Anti-Virus

    The first computer warm and anti-virus (AV) programs can be traced to 1971, during which a research project led by Bob Thomas inspired two new innovations. Thomas discovered that:

    • A computer program could move across a network, and,
    • It leaves a trail that marks its movement.

    Following this discovery, Thomas decided to experiment with the concepts and wrote a program called Creeper. The Creeper traveled through the network, displaying the message “I’M THE CREEPER: CATCH ME IF YOU CAN.”  

    When Ray Tomlinson, who is known as the inventor of the email, saw Creeper, he was inspired. He modified the Creeper and made it self-replicating. Creeper gained a superpower that turned it into the first computer worm. To even the balance, Tomlinson created Reaper, the first AV software, and programmed it to chase Creeper and delete it.

    1980s—The Beginning of the AV Industry

    In the following years, malware and anti-virus programs were pitted against each other in a race to protect the company network. The spread of the Internet, from the 1990s onward, has given malware the opportunity to spread globally. 

    During these years, the security perimeter was physically centralized, and malware was more easily contained by AV. Before the dawn of cloud-computing, companies relied on on-premise data centers, maintained and secured at physical locations. At this point, what we now call legacy AV worked well to hold off the increasing wave of malware attacks. 

    2000—Legacy AV Struggles to Catch Up With Increasingly Sophisticated Malware

    At the dusk of 1999, a panic set. It was called the Millenium Bug. Mass panic ensued as programmers throughout the globe struggled to apply fixes that would ensure programs were capable of distinguishing between the 1900s and the 2000s. The apocalypse was prevented, and programs evolved into a scale of Artificial Intelligence (AI), which is rumored to be the next apocalypse. 

    Two years later, Amazon gave birth to contemporary cloud computing. By the time we reached the 2010s, cloud computing has completely changed the technology landscape. Networks and devices shed the restraints of a physical location and gained the ability to access the digital assets located in the network, through any Internet connection, at any given time. 


    2010s—The Rise of EPP and EDR Security

    At every turn of history, threat actors gained the same innovative capabilities, and their attacks became more sophisticated. Until, at a certain point, legacy AV wasn’t enough to protect endpoints. Legacy AV relied on signature-based threat identification processes, and was only able to scan new threats for known file signatures. They couldn’t protect the network against the increasing wave of new attacks.

    Endpoint Protection Platform (EPP) evolved from legacy AV, as a response to the growing need to improve security controls for network protection at the device level. At first, EPP used mainly legacy AV, but over time added tools such as Next-Generation Antivirus (NGAV), firewall control, data encryption, and Data Loss Prevention (DLP). Still, EPP tools were too passive, just waiting for an incoming attack.

    In 2013, Anton Chuvakin of Gartner officially recognized an emerging group of tools and dubbed them Endpoint Threat Detection and Response (ETDR). These tools evolved into the security branch now called EDR security, which provides visibility into the endpoint of the network, and enables administrators to actively search for security triggers and respond appropriately. Admins are thus able to initiate further investigations and/or remediate.

    2017—Lateral Movement and the Increase In Vulnerabilities

    In April 14, 2017, the Shadow Brokers hacker group leaked the EternalBlue vulnerability, which exploited lateral movement techniques to gain access to operating system protocols. On May 12, 2017, threat actors used the EternalBlue vulnerability to initiate the WannaCry ransomware attack, which breached networks all over the globe. 

    From 2017 and onward, there has been a rising increase in the amount of discovered vulnerabilities. Each consecutive year has seen more new vulnerabilities, and 2019 is gearing up for an impressive increase, with over 5,000 vulnerabilities disclosed in its first quarter. Since each endpoint can potentially introduce thousands of unknown threats into the network, endpoint protection became critical for the continual health of the network.

  3. EDR plus EPP = Two Peas in the Endpoint Security Pod

    Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) work together to provide an end-to-end endpoint security solution. 

    The EPP solutions of 2019 utilize a combination of Next-Generation Antivirus (NGAV) tools for preventing endpoint threats from entering the network. They scan the endpoint, looking for threats, but they cannot respond without an EDR module added to the mix.

    EDR solutions of 2019 are designed for active response to endpoint threats. They collect data, perform behavioral analysis, use it to discover anomalies, and can respond according to pre-configured triggers.

  4. Conclusion

    EPP and EDR solutions were developed as a response to the rising need in preventing, detecting, and responding to threats that originated at the endpoint of the network. As technological advancements continue to expand the security perimeter past its physical origins, gaining visibility and control over the endpoint of the network becomes vital to its health. 

    Today, administrators can choose the EDR and EPP solutions that fit their network. There’s a great variety to choose from, and you can mix and match according to needs and budget. Alternatively, administrators can opt for a holistic EDR solution, like Cynet, that combines EPP and EDR capabilities into one centralized solution that covers all your endpoint needs.

Join The Discussion