Antivirus or EDR

If you're an IT manager or cybersecurity specialist, you've no doubt heard of EDR (Endpoint Detection and Response). It is touted as the latest technology for protecting the computers in your network. Its emergence also raises a lot of questions about how EDR and antivirus relate to each other, since their roles seem similar:


  • What exactly does EDR do?
  • Why do we need EDR?
  • Does an EDR system replace antivirus, or are they complementary?
  • Do I have to install the EDR on top of the antivirus?
  • If I have a good antivirus, do I still need an EDR?


In this article, we'll explore the concept of EDR and address whether, and how, to choose between EDR and antivirus for your organization.

The Role of an Antivirus

Antivirus software is the tool traditionally used to protect every computer and server in your network. Once installed on a computer, it scans every file that enters the machine (over the network or from devices such as USB sticks) to determine whether that file is potentially malicious. If it is, the antivirus automatically blocks it; it can also delete or quarantine the file. For simplicity, all malicious files detected by the antivirus are collectively called viruses, even though there are many different types (virus, worm, Trojan horse, etc.).

Antivirus programs use several methods to detect malicious files, including signatures. Signature detection assumes that the malicious file has already been seen and analyzed by the antivirus vendor; when the file is new or unknown, the antivirus will have difficulty detecting it.

What Exactly Does an EDR Do?

Like antivirus programs, EDR is a technology that protects your computers against infection by malicious software. The fundamental difference from antivirus is that EDR detects not only malicious tools but also malicious activity on a computer, such as an attempt to connect to a malicious website or lateral movement within the network. EDR was designed to automatically detect and respond to such activities, which a traditional antivirus cannot detect (and there are many of them).

An EDR also collects and provides the information needed to investigate (forensic analysis) any malicious activity it identifies. In this respect, EDR goes beyond what a traditional antivirus program does.
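As an added illustration (not StreamScan's code or any vendor's product), the following Python sketch contrasts the two detection models described above: a hash signature that matches only a sample the vendor has already analysed, and EDR-style rules that flag activity (an Office application spawning a shell, a lookup of a known-bad domain, SMB connections fanning out to many hosts) in constructed telemetry, then hand back the per-host timeline an investigator would start from. The payload bytes, host names, domain and thresholds are all made up for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample payloads (not real malware): a build the vendor has
# analysed, and a repacked variant that behaves the same but hashes differently.
KNOWN_SAMPLE = b"FAKE-DROPPER-BUILD-1"
REPACKED_SAMPLE = b"FAKE-DROPPER-BUILD-1\x00"
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}  # vendor's hash signatures

def av_signature_scan(file_bytes: bytes) -> bool:
    """Classic antivirus check: matches only files the vendor has already seen."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_DB

# Constructed endpoint telemetry: (seconds, host, event type, detail).
TELEMETRY = [
    (0, "ws-01", "process", "winword.exe -> powershell.exe"),
    (1, "ws-01", "dns", "c2.bad-domain.example"),
    (2, "ws-01", "net", "10.0.0.5:445"), (2, "ws-01", "net", "10.0.0.6:445"),
    (3, "ws-01", "net", "10.0.0.7:445"), (3, "ws-01", "net", "10.0.0.8:445"),
    (4, "ws-01", "net", "10.0.0.9:445"),
    (40, "ws-02", "net", "10.0.0.5:445"),  # ordinary file-server access
]
MALICIOUS_DOMAINS = {"c2.bad-domain.example"}   # hypothetical threat-intel feed
SMB_PEER_THRESHOLD, WINDOW_S = 5, 10             # assumed lateral-movement rule

def edr_behavioral_detect(events):
    """EDR-style rules over activity rather than file content."""
    alerts, smb_peers, flagged = [], defaultdict(list), set()
    for ts, host, kind, detail in events:
        if kind == "process" and detail == "winword.exe -> powershell.exe":
            alerts.append((host, "office application spawned a shell"))
        elif kind == "dns" and detail in MALICIOUS_DOMAINS:
            alerts.append((host, f"attempt to reach malicious site {detail}"))
        elif kind == "net" and detail.endswith(":445"):
            smb_peers[host].append((ts, detail.rsplit(":", 1)[0]))
            recent = {peer for t, peer in smb_peers[host] if ts - t <= WINDOW_S}
            if len(recent) >= SMB_PEER_THRESHOLD and host not in flagged:
                flagged.add(host)  # one alert per host, not one per connection
                alerts.append((host, f"lateral movement: SMB to {len(recent)} hosts"))
    return alerts

def forensic_timeline(events, host):
    """Per-host record an EDR keeps so an alert can be investigated."""
    return [e for e in events if e[1] == host]

if __name__ == "__main__":
    print("AV on known build:", av_signature_scan(KNOWN_SAMPLE))       # True
    print("AV on repacked build:", av_signature_scan(REPACKED_SAMPLE))  # False
    for alert in edr_behavioral_detect(TELEMETRY):
        print("EDR alert:", alert)
```

The repacked build slips past the hash signature, while the same activity on ws-01 trips three behavioral rules and the timeline for that host is available for investigation.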


Why EDR Now?

EDR appeared because traditional antivirus software shows more and more limitations when faced with malicious tools that keep appearing. The Internet is flooded with viruses, ransomware, and other malicious tools (more than 1M new malicious tools are discovered daily). It is unrealistic to expect your antivirus to detect and block all of them. EDR is therefore meant to close this gap.

Like antivirus, EDR agents are installed on the computers to be monitored, and EDR is very often seen as the natural successor to traditional antivirus.


Does the EDR replace the antivirus, or are they complementary?

There are several EDR solution providers on the market, but be aware that their functionality is not the same from one product to another. Some EDRs also include antivirus functionality, while others are designed to detect what classic antivirus cannot.


Do I have to install the EDR on top of the antivirus?

Yes and no. If the EDR you have chosen includes antivirus functionality, you can use it instead of your antivirus. If it does not, it must be installed alongside the antivirus. Be careful here: the perception that an EDR completely replaces antivirus is not necessarily true.


If I have a good antivirus, do I still need an EDR?

Not necessarily. EDR provides additional protection, but that protection is not always essential to reach an acceptable security level. You can have good protection for your computers without an EDR.

For example, if you already have a network intrusion detection system (IDS/IPS or NDR), it will detect several of the types of malicious activity an EDR would detect. In that case, your antivirus will simply be sufficient to protect you.

It all depends on the security risks you face. To determine whether you need an EDR or not (or need additional security measures), you should conduct a security risk analysis based on our guide.

Another important point: deploying an EDR does not make you immune to malicious tools targeting your computers. There is no such thing as 100% protection. We regularly assist organizations that are victims of cyber attacks (ransomware, etc.), and we see that computers with antivirus or EDR still sometimes get infected.

Depending on the security risks you face, in addition to your EDR, you may need to deploy other technologies, monitor the security of your network, have a security governance framework, manage the security vulnerabilities of your network, etc. In short, security is a process that must continuously evolve to adapt to the changing nature of cyber threats.


Does StreamScan offer EDR technology?

StreamScan offers a patented network intrusion detection technology called CDS, which many leading organizations use. Our CDS was also selected by the Federal Government of Canada as an innovation in cybersecurity.

We are currently working on a complementary EDR technology that will be available in Q1 2022. We are designing our EDR agent to be lightweight (low resource consumption) while supporting automated actions (blocking malicious files, automating investigations, etc.). It also focuses on ransomware detection and AI-based behavioral analysis.

If you want to know more about our EDR agent, get in touch with us at smbsecurity@streamscan.ai.


How can StreamScan help you?

Before embarking on an EDR deployment project, we recommend that you take a step back and do a risk analysis to determine whether this is a good option for you. You shouldn't swap your antivirus for an EDR just because it's the hot product of the moment.

Moreover, our long experience in incident response has allowed us to identify which antivirus products are the most effective, which EDRs are the most recommended, and so on. So we can help you make the best choices.

Finally, if you use our MDR security monitoring service and the evolution of the cyber attacks targeting you shows that moving to an EDR is necessary, we will discuss it with you and support you in its selection and implementation.

Whether you need help conducting a security audit, developing a security plan, or implementing a Managed Detection and Response solution, StreamScan has experts with years of experience in the manufacturing sector who can help. Get in touch with us at smbsecurity@streamscan.ai or call us at 1 877-208-9040.
