📘CompTIA Security+ (SY0-701)
1. What is an Endpoint?
An endpoint is any device that connects to a network and can therefore be targeted by attackers.
Common endpoints in an IT environment:
- Desktop computers
- Laptops
- Servers
- Virtual machines
- Mobile devices
Endpoints are often the first target for malware, ransomware, and hands-on attackers, so protecting them is a high priority.
2. What is an Endpoint Protection Platform (EPP)?
Definition (Exam-Friendly)
An Endpoint Protection Platform (EPP) is a preventive security solution that protects endpoints from known threats before they can cause harm.
👉 EPP focuses on prevention first
Main Purpose of EPP
- Stop malware before it runs
- Block known threats using signatures and rules
- Reduce the chance of infection on endpoints
Key Features of EPP
1. Antivirus and Anti-Malware
- Detects viruses, worms, trojans, and spyware
- Uses known malware signatures
2. Signature-Based Detection
- Compares files against a database of known threats
- Very effective for known and common attacks
3. Heuristic and Behavior-Based Detection
- Looks for suspicious patterns
- Can detect slightly modified malware
4. File and Process Scanning
- Scans files when opened, downloaded, or executed
- Blocks malicious files automatically
5. Host-Based Firewall (Optional)
- Controls inbound and outbound traffic on endpoints
- Adds extra protection at the device level
How EPP Works (Simple Flow)
- File or application reaches the endpoint
- EPP scans it
- If it matches known malware → it is blocked
- User is protected automatically
Strengths of EPP
- Easy to deploy
- Stops known threats effectively
- Low resource usage
- Automatic blocking without user involvement
Limitations of EPP
- Weak against unknown or advanced attacks
- Limited visibility after an attack starts
- No deep investigation or threat hunting
3. What is Endpoint Detection and Response (EDR)?
Definition (Exam-Friendly)
Endpoint Detection and Response (EDR) is a detection and investigation security solution that continuously monitors endpoint activity to detect, analyze, and respond to advanced and unknown threats.
👉 EDR focuses on detection, visibility, and response
Main Purpose of EDR
- Detect threats that bypass EPP
- Monitor endpoint behavior continuously
- Investigate security incidents
- Respond quickly to active attacks
Key Features of EDR
1. Continuous Monitoring
- Records endpoint activity in real time
- Tracks processes, files, registry changes, and network connections
2. Behavioral Analysis
- Detects abnormal behavior instead of relying only on signatures
- Identifies zero-day and fileless attacks
3. Threat Detection and Alerts
- Generates alerts when suspicious activity is detected
- Helps security teams identify active attacks
4. Incident Investigation
- Provides full attack timeline
- Shows how the threat entered, spread, and executed
5. Response Capabilities
- Isolate infected endpoints
- Kill malicious processes
- Roll back changes
- Remove threats manually or automatically
How EDR Works (Simple Flow)
- Endpoint activity is continuously monitored
- Suspicious behavior is detected
- Alert is generated
- Security team investigates
- Action is taken to stop and clean the threat
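The two flows above can be shown side by side in a small simulation. This is an added example written for these notes, not code from the page or from any vendor product: the file bytes, the "signature database", the process names and the telemetry events are all constructed, and the behaviour rule (a document application spawning a command shell that then makes a network connection) is a simplified stand-in for the analytics a real EDR uses. The EPP check matches a file hash against known signatures before execution; the EDR check has no signature at all and instead watches the event timeline, raises an alert, and takes the response actions listed above (kill the process, isolate the host). It also shows the EPP limitation from the text: a slightly modified file has a different hash and is not caught by the signature check.

```python
"""Toy model of the EPP and EDR flows described in the notes.

EPP: hash signature check when a file reaches the endpoint (prevention).
EDR: behaviour rule over a process/network event timeline (detection, response).
All hashes, file names and events below are constructed for the example and
are not real malware indicators.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed sample files. The "known malware" entry is simply whatever bytes
# we register in the signature database below.
KNOWN_BAD_BYTES = b"CONSTRUCTED-SAMPLE-MALWARE-PAYLOAD"
BENIGN_BYTES = b"ordinary spreadsheet content"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# EPP signature database: SHA-256 hashes of known-bad files (constructed).
SIGNATURE_DB = {sha256(KNOWN_BAD_BYTES)}


def epp_scan(file_bytes: bytes) -> str:
    """EPP flow: file arrives -> scan -> block if it matches a known signature."""
    if sha256(file_bytes) in SIGNATURE_DB:
        return "blocked"
    return "allowed"


@dataclass
class Event:
    ts: int            # seconds since monitoring started (constructed)
    kind: str          # "process_start" or "network_connect"
    pid: int
    parent: str = ""   # parent process image name (process_start only)
    image: str = ""    # process image name (process_start only)
    dest: str = ""     # remote host (network_connect only)


@dataclass
class EdrState:
    alerts: list = field(default_factory=list)
    isolated: bool = False
    killed_pids: set = field(default_factory=set)


# Behaviour rule (constructed for this example): a document application spawns
# a command shell, and that shell then opens a network connection. No file hash
# is consulted, so a new or fileless payload still trips the rule.
DOCUMENT_APPS = {"winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def edr_monitor(events: list) -> EdrState:
    """EDR flow: monitor events -> detect suspicious behaviour -> alert -> respond."""
    state = EdrState()
    suspicious_shells = {}  # pid -> process_start event of a shell spawned by a document app
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process_start" and ev.parent in DOCUMENT_APPS and ev.image in SHELLS:
            suspicious_shells[ev.pid] = ev
        elif ev.kind == "network_connect" and ev.pid in suspicious_shells:
            spawn = suspicious_shells[ev.pid]
            state.alerts.append(
                f"t={ev.ts}s: {spawn.parent} spawned {spawn.image} (pid {ev.pid}) "
                f"at t={spawn.ts}s, which then connected to {ev.dest}"
            )
            # Response actions from the EDR flow: kill the process, isolate the host.
            state.killed_pids.add(ev.pid)
            state.isolated = True
    return state


# Constructed telemetry: a shell started from Explorer that talks to an internal
# server (benign), and a shell started from Word that reaches an external host.
SAMPLE_EVENTS = [
    Event(ts=1, kind="process_start", pid=100, parent="explorer.exe", image="cmd.exe"),
    Event(ts=2, kind="network_connect", pid=100, dest="fileserver.internal.example"),
    Event(ts=5, kind="process_start", pid=200, parent="winword.exe", image="powershell.exe"),
    Event(ts=7, kind="network_connect", pid=200, dest="203.0.113.10"),
]

if __name__ == "__main__":
    print("EPP known file:   ", epp_scan(KNOWN_BAD_BYTES))
    print("EPP benign file:  ", epp_scan(BENIGN_BYTES))
    print("EPP modified file:", epp_scan(KNOWN_BAD_BYTES + b" "))  # different hash, slips past
    result = edr_monitor(SAMPLE_EVENTS)
    for alert in result.alerts:
        print("EDR alert:", alert)
    print("host isolated:", result.isolated, "| killed pids:", result.killed_pids)
```

The benign Explorer-launched shell generates no alert even though it connects to the network, because the rule keys on the parent/child relationship rather than on network activity alone; that is the difference between signature matching and behavioural analytics that the exam table summarizes.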
Strengths of EDR
- Detects advanced and unknown threats
- Provides deep visibility into attacks
- Supports threat hunting and forensic analysis
- Enables fast incident response
Limitations of EDR
- Requires skilled security staff
- Generates many alerts
- Higher cost than EPP
- Not primarily preventive
4. Key Differences Between EPP and EDR (Very Important for Exam)
| Feature | EPP | EDR |
|---|---|---|
| Primary Focus | Prevention | Detection and Response |
| Threat Type | Known threats | Advanced & unknown threats |
| Detection Method | Signature-based | Behavior-based |
| Monitoring | Limited | Continuous |
| Incident Investigation | No | Yes |
| Response Actions | Automatic blocking | Isolation, investigation, remediation |
| Visibility | Basic | Deep endpoint visibility |
| Best Use | First line of defense | Advanced threat handling |
5. EPP vs EDR – Exam Perspective
EPP Answers the Question:
“How do we stop threats before they infect endpoints?”
EDR Answers the Question:
“How do we detect and respond when a threat already exists on an endpoint?”
6. Why Organizations Use Both EPP and EDR
For the exam, remember:
- EPP alone is not enough
- EDR alone is not preventive
Most modern security designs:
- Use EPP to block common and known attacks
- Use EDR to detect and respond to advanced threats
Together, they provide layered endpoint security.
7. Cisco Context (Exam Awareness)
In Cisco environments:
- Endpoint security solutions may combine EPP + EDR features
- Centralized management and visibility are important
- Integration with other security tools improves response
(You do not need product-specific commands for this topic.)
8. Key Exam Takeaways (Must Remember)
- EPP = Prevention
- EDR = Detection + Response
- EPP uses signatures
- EDR uses behavior and analytics
- EDR provides incident investigation
- EPP blocks threats before execution
- EDR reacts after suspicious activity starts
9. Simple One-Line Summary (Exam Memory Tip)
EPP prevents known threats, while EDR detects, investigates, and responds to advanced threats on endpoints.
