Achieving complete endpoint security with antivirus and Datto EDR
Endpoint Detection and Response (EDR) platforms are designed to work in conjunction with antivirus products installed on the endpoints they monitor. The antivirus solution performs the detection and quarantine function, while EDR monitors the status of the endpoint, providing alerting and remediation responses when rule-based threat detection is triggered.
This article explains why it's important to maintain both types of solutions in your environment for the most comprehensive protection against threats.
NOTE: To learn about the key components of an EDR platform and the roles they play in your business, review our What is Endpoint Detection and Response (EDR)? article.
Overview
Antivirus software, also known as antimalware, is used to prevent, detect, and potentially remove malware. It was initially developed to detect and remove computer viruses, and for many years, it was the primary source for defending networks against ransomware.
EDR is a layered, integrated endpoint security solution that continuously monitors end-user devices and collects endpoint data with a rule-based automated response.
What's the difference?
Antivirus (AV) tools are necessary for protecting endpoints from everyday cyber threats. They detect and respond to malware on an infected computer. But because they rely on signature detection, that is, on the software's ability to recognize "known threats," sophisticated actors can bypass AV by using attack techniques that standard AV solutions cannot detect. Additionally, you must update AV software on a regular basis: if it is not up to date, or a threat is not yet known, the threat will not be detected. As a result, many MSPs and their customers are left open to ransomware, fileless malware, credential harvesting, data loss, and other types of cyber-attacks.
Endpoint detection and response is a layered, integrated endpoint security solution that continuously monitors end-user devices and collects endpoint data with a rule-based automated response. At Gartner, Anton Chuvakin suggested "EDR" as a term to describe emerging security systems that can detect and investigate suspicious activities on endpoints and hosts. EDR platforms use software agents to record and remotely store system-level behaviors of endpoints. These behaviors are continuously analyzed by the platform to detect suspicious activity and provide various response and remediation options. Leveraging EDR can help your security team quickly detect, investigate, report, and respond to malware, ransomware threats, and malicious activity that may have bypassed traditional security solutions.
Do I need both?
Yes. AV products work well to stop common threats, and you should always use them to protect endpoints. Most traditional endpoint protection products rely on a signature-based library of known threats. Because they are signature-based, they often fail to catch zero-day threats, multi-staged attacks, or other sophisticated threats, and they often cannot perform real-time behavior analysis to detect an attack in progress.
As a result, AV by itself is not enough.
EDR products add endpoint security layers by detecting suspicious behaviors and providing actionable alerts for the most important threat indicators. This type of early warning system is made possible by leveraging advanced technologies, such as behavioral analysis, heuristics, and machine learning, to catch advanced threats that bypass traditional AV solutions.
Leveraging a combination of AV and EDR protection provides a more full-featured defense against a wide range of potential threats.
What antivirus solutions work well with EDR?
Datto EDR can work alongside any antivirus product. It also offers you the ability to configure and manage Microsoft Windows Defender, an endpoint protection solution designed to safeguard devices from various cyber threats, including malware. Windows Defender provides real-time protection and automated response capabilities, allowing for actions like blocking, quarantining, or deleting malware.
Our platform, when working alongside the antivirus product on your endpoint, offers powerful toolsets, including MITRE ATT&CK® Mapping. This feature equips organizations with a shared framework for effectively comprehending and discussing cyber threats. Moreover, it encompasses robust incident response features, enabling users to delve into alerts, trace events, and effectively counter incidents.
Datto EDR goes further by executing response actions, such as automatic host isolation, when it identifies exceptionally critical threats with high certainty, such as ransomware. However, activating auto-isolation or comparable response actions for other threat types requires careful consideration, because automated isolation or response mechanisms carry the risk of responding to false alarms. A false alarm could result in a device being isolated or quarantined, disrupting the user's workflow and cutting off access to vital files and applications. In some scenarios it might lead to a complete shutdown of the device, resulting in significant business disruption.
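The two-layer model described above (a signature check that misses unknown samples, behavioral rules that still flag them, and auto-isolation reserved for high-certainty ransomware verdicts) as an added, self-contained illustration; this is not Datto's code or rule set, and the hashes, rules, thresholds and telemetry are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed signature database: SHA-256 hashes of samples the AV already knows.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-known-dropper").hexdigest()}

# Constructed agent telemetry: one dict per recorded process event on a host.
TEMP_IMAGE = "C:/Users/a/AppData/Local/Temp/upd.exe"
EVENTS = [{"host": "ws-07", "pid": 410, "image": TEMP_IMAGE, "event": "file_rename",
           "path": f"C:/Users/a/docs/report{i}.docx.locked"} for i in range(25)]
EVENTS += [
    {"host": "ws-07", "pid": 410, "image": TEMP_IMAGE, "event": "process_start", "path": ""},
    {"host": "ws-12", "pid": 77, "image": "C:/Users/b/AppData/Local/Temp/setup.exe",
     "event": "process_start", "path": ""},
]

def signature_scan(sample: bytes) -> bool:
    """Layer 1 (AV): a sample is malicious only if its hash is already known."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES

# Layer 2 (EDR): behavioral rules over per-process aggregates; each returns (label, confidence) or None.
def rule_mass_rename(agg):
    # Many files renamed to one new extension in a short window: high-certainty ransomware pattern.
    if agg["renames_to_new_ext"] >= 20:
        return ("ransomware", 0.95)

def rule_temp_exec(agg):
    # An image running from a temp directory is suspicious but common for legitimate installers.
    if "/Temp/" in agg["image"]:
        return ("suspicious_execution", 0.4)

RULES = [rule_mass_rename, rule_temp_exec]
ISOLATE_THRESHOLD = 0.9  # auto-isolate only on high-certainty verdicts to limit false-alarm impact

def aggregate(events):
    aggs = defaultdict(lambda: {"image": "", "renames_to_new_ext": 0})
    for e in events:
        a = aggs[(e["host"], e["pid"])]
        a["image"] = e["image"]
        if e["event"] == "file_rename" and e["path"].endswith(".locked"):
            a["renames_to_new_ext"] += 1
    return aggs

def respond(events):
    """Return {(host, pid): (label, confidence, action)} for every process that trips a rule."""
    out = {}
    for key, agg in aggregate(events).items():
        hits = [h for h in (r(agg) for r in RULES) if h]
        if not hits:
            continue
        label, conf = max(hits, key=lambda h: h[1])
        isolate = label == "ransomware" and conf >= ISOLATE_THRESHOLD
        out[key] = (label, conf, "isolate_host" if isolate else "alert_only")
    return out
```

The unknown sample never matches the signature layer, yet the mass-rename rule still produces an isolation verdict for ws-07, while the lower-confidence temp-directory hit on ws-12 only raises an alert for an analyst to review.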
By deploying the Datto solution alongside an antivirus product and leveraging our comprehensive incident response features, your organization can enjoy optimal security against all manner of cyber threats, enabling it to operate with confidence in today's digital world.