Pandora FMS Tech blog

EDR and Endpoint Security

by | Mar 3, 2025 | Pandora FMS

edr pfms blog

Endpoints are the primary target of cyberattacks. The most conservative estimates indicate that between 68% and 70% of data breaches begin on these devices. This is why implementing an EDR (Endpoint Detection and Response) solution is crucial to protect them in today’s cyber threat landscape.
An EDR is an advanced security tool installed on the end devices of the technological infrastructure (personal computers, servers, phones…) that monitors their activity in real-time, providing visibility into exactly what is happening on each of these endpoints.
This makes it possible to detect, analyze, and respond to security threats proactively and smartly. In case of an incident, it also allows the response team to have all the necessary information to dig into and solve the issue.
This goes beyond the capabilities of a traditional antivirus, which is normally used to protect some endpoints but falls short in the current security context faced by organizations.

Content:

How an EDR Works

The features of an EDR and the level of endpoint security they provide ultimately depend on each manufacturer, but they all rely on three fundamental pillars, which help to understand how they work and the protection they offer:

  • Activity monitoring on a steady basis: This includes everything from processes to device connections, collecting data and analyzing it intelligently.
  • Threat detection: When the monitoring system detects abnormal behavior, such as lateral movements, malware, phishing attempts, and other malicious actions.
  • Automated response to threats: This may involve isolating the compromised device from the rest of the network, blocking suspicious processes, or deleting harmful files.

EDRs differ from traditional antiviruses not only in their detection capabilities (being able to face unknown and sophisticated threats) but also in their response capabilities, such as isolating a device from the network. On the other hand, antivirus usually quarantines or deletes an infected file at best.
For instance, a malicious actor might create a new type of malware conceived to retrieve critical data from an organization, such as credentials or privileged information.
While an antivirus might not recognize malware and allow it to operate unchecked, an EDR can detect malicious file’s activity, such as data leaks. It can then stop the process if it detects an unknown connection and a massive flow of data going to it.
A similar situation could take place if data exfiltration is attempted by a disgruntled employee without any malware involved.
A certain user might try to copy information to an external device. While an antivirus wouldn’t react to this, an EDR could detect the connection of a USB drive or the unusual behavior of a large-volume data transfer, and then take the appropriate action against this suspicious activity.

Differences Between Security Management and Infrastructure Management

To ensure optimal endpoint protection and overall system security, it is key to understand the difference between these two concepts and ensure they are aligned.
Infrastructure management aims to ensure that the technological environment works properly and supports the organization’s goals. However, this objective is compromised if security is not also a key consideration.

On the other hand, security management involves implementing measures and policies to protect the infrastructure, such as integrating SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) solutions. However, it is not the same to secure a straw building thrown together haphazardly as it is to protect a well-planned stone castle.
Likewise, an adequately managed technological infrastructure will make the following possible:

  • Security management.
  • Integrated operation of EDR and SIEM.
  • The effectiveness of the blue team, if present.
  • Incident response.

Let’s look at an example illustrating the difference between a well-managed infrastructure and an unprotected one.
Imagine an environment with proper network segmentation, strong device access controls, and a consistent patch management policy.
Even if an infrastructure element fails (for instance, a delayed firmware update on an IoT device due to a vulnerability), if that device has been configured with appropriate network and access policies, it will still contribute to overall security. This setup reduces the likelihood that a malicious actor who compromises that endpoint can move laterally to another, more critical part of the network.
Moreover, if this proper infrastructure management is combined with effective security management using an EDR integrated with a SIEM solution, any attempt at unusual lateral movement would be detected, alerted, and mitigated.
Conversely, if that IoT device still uses the default username and password (an all-too-common situation unfortunately) or has unrestricted network access, a malicious actor will have significant opportunities to move through the network to critical systems or compromise the device in other ways, such as spying through a webcam.

Infrastructure Management Approaches to Strengthen Security

Continuing with the previous analogy, how do we build our castle with robust stone and a resilient design?
An effective infrastructure management strategy would involve the following practical approaches:

  • Strict update and patching policies: To prevent malware or exploit techniques from taking advantage of vulnerabilities in outdated versions. This includes updating both software and firmware on endpoints.
  • Optimal network design: By properly segmenting networks and ensuring that each device has access only to what is strictly necessary for its function—both in terms of data and communication with other devices.
  • Implementation of SIEM solutions: To collect data on what is happening within our infrastructure, consolidate that information for the Network Operations Center (NOC) analyze it, and alert on any suspicious activity.
  • Log monitoring and analysis policies: To detect anomalies within those logs. Currently, security policies allow companies to meet the highest security standards and certifications, such as ISO 27001 as well as government regulations like the new NIS2, which is being implemented by lots of companies.

With these measures in place, our infrastructure becomes more resilient to attacks while continuing to fulfill its primary purpose: supporting organizational goals and workflows.
There is often talk of having to choose between security and convenience or security and performance, but this is a false dichotomy. Proper infrastructure management supports both security and operability—there is no need to choose between them. While system infrastructures and hybrid environments make it hard to get a unified overview, Pandora FMS unifies data sources and allows centralized management.

How Different EDRs and Antivirus (A/V) Solutions Approach Security

Although we often talk about EDRs and antivirus solutions as two general approaches to endpoint security, not all products are created equal.
Therefore, it is essential to understand the key features of each solution and how they may vary depending on the manufacturer.

EDR

Antivirus

Constant activity monitoring on endpoints to detect suspicious behaviors.

It scans files and applications looking for known malware brands.

It uses behavioral analysis to identify unknown threats.

It uses file definition databases to identify known malware.

Some options use predictive AI, such as Pandora FMS, to detect and make decisions.

Some manufacturers use heuristics (suspicious behavior predefined rules), an older technology that generates more false positives.

Sophisticated automated response: it may isolate devices, block suspicious processes and generate advanced alerts (the scope of said response will depend on the features of each manufacturer).

Limited automated response to quarantine or infected file deletion.

Advanced forensics capabilities, logging everything that happened to make audits easier as well as the work of the incident response team.

Forensics capabilities limited to logging basic detections.

Active and reactive protection.

Reactive protection based on the definition file.

High integration capacity with SIEM and the infrastructure in general.

Limited integration.

This last aspect of SIEM and EDR integration is critical today and the key to security in such a constantly evolving environment.

However, on the other side of the scale, the capabilities of antivirus solutions are much more limited, both in terms of the information they can send to a SIEM and their integration capacity with these systems. Additionally, some antivirus solutions are prone to compatibility issues with the rest of the technological or security infrastructure, leading to conflicts with firewalls or other protection tools.

Advantages and Disadvantages of an EDR Compared to a Traditional Antivirus

The above does not mean that everything is that positive in the case of EDRs, so an impartial analysis should put these advantages on the table, but also the disadvantages and challenges.

Advantages of an EDR Compared to an Antivirus

  • Advantages of an EDR Compared to an Antivirus against both known and unknown threats.
  • More advanced automated incident response capabilities.
  • Enhanced security management through detailed visibility into exactly what is happening on each endpoint.

Disadvantages of an EDR Compared to an Antivirus

  • More complex to implement and manage.
  • It requires skilled personnel to interpret and respond to incidents, as well as for installation and integration, especially in on-premise solutions.
  • Generally higher cost.

Advantages of an Antivirus Compared to an EDR

  • Easier and faster to implement.
  • Effective against known malware and common threats.
  • More affordable than EDRs, and sometimes even free.

Disadvantages of an Antivirus Compared to an EDR

  • Insufficient protection in the current cybersecurity landscape, especially for scenarios beyond low-risk individual users.
  • It may cause management issues, such as false positives or conflicts with other applications.
  • Very limited response capability to security incidents.

Practical Approaches for Endpoint Security in On-Premise Environments

Whether due to legal requirements, such as protecting and managing sensitive data, or due to a strategic technology approach, such as the need for greater control or equipment performance, on-premise solutions are gaining appeal compared to a 100% cloud-based approach.
Therefore, it is important to consider these fundamental strategies for successfully implementing EDR solutions in on-premise environments.

  • Analysis and Assessment of Infrastructure Needs. Every truly strategic action, of any kind, begins with this step. It is essential to have a thorough understanding of your network, its critical assets, and the primary threats you face, which will shape a significant part of your specific threat model, differing from that of other organizations.
  • Choosing the Right EDR Solution. Based on the conclusions from the previous point and your budget.
  • Initiating a Testing Phase. In a controlled environment that allows you to evaluate whether the chosen solution is appropriate.
  • Establishing a Gradual Deployment Strategy. Even if tests are successful, it is crucial to proceed gradually to identify and solve any issues and challenges that will inevitably arise.
  • Integration with Other Tools. Particularly with SIEM, configuring rules and verifying their effectiveness.
  • Setting Up a Robust Monitoring and Auditing Policy. The tool alone is ineffective without a solid process behind it, making it essential to systematize monitoring and control tasks.
  • Establishing Contingency Plans. What would happen if everything failed? Security must always consider this question, even when applying best practices, as the probability of unexpected black swan events is never zero. For such scenarios, it is necessary to have a “red button” plan that allows for operation continuation and the restoration of data and infrastructure as quickly as possible.

While the on-premise approach is gaining traction again, nothing is absolute, so a hybrid solution can also be considered.
Therefore, here are the differences between a 100% on-premise implementation, a hybrid one, and a 100% cloud-based solution.

  • 100% On-Premise: The security infrastructure is located within the organization’s premises. Its main benefit is complete control over data, devices, and security, as well as potentially better performance and lower latency. However, the challenge is that it is more expensive in terms of economic and human resources. These resources, besides being more numerous, also require higher qualifications and will perform more intensive management tasks. It is worth noting that, often due to ENS or NIS2 requirements, certain pieces of infrastructure must be on-premise.
  • Hybrid Implementation: It combines on-premise and cloud elements. The key is to leverage the best of both worlds, for example, by keeping sensitive data locally while managing threat analysis and response in the cloud. A well-planned hybrid approach allows cost reduction and increased flexibility. The biggest challenge is that we will not rely solely on ourselves, as there will be points of failure beyond our control.
  • 100% Cloud-Based: Its main benefit is reduced economic and human costs, as well as lower technological complexity, which rests with the cloud provider. The downside is that we place the most critical aspects in the hands of third parties, in whom we must trust. And in case of an incident, we also depend on their response capabilities.

This is no small matter, and the echoes of July 19, 2024, still resonate in every security manager’s mind. On that morning, millions of Windows systems displayed the infamous blue screen of catastrophic failure, caused by a faulty remote update from CrowdStrike, one of the most well-known EDRs.

How Pandora FMS Enhances Endpoint Security

Throughout this journey, we have emphasized that EDR solutions are more advanced but only as effective as the real-time monitoring and threat detection capabilities we have in place.
This is where the next link in the security chain connects: with a flexible monitoring system like Pandora FMS, which complements endpoint security.

How?

  • By integrating with Pandora SIEM, which collects and centralizes everything, providing a clear overview of what is happening at all times.
  • Through log analysis and audits, which further strengthen endpoint protection. Every company is unique, as are its specific threats. This means that we must have complete visibility into our infrastructure, its unique characteristics, and any suspicious deviations from the norm, which will differ from those of other organizations.
  • With advanced security event correlation, to effectively identify anomalies in our specific case and respond appropriately.
  • Through seamless integration with network devices and firewalls, ensuring that everything operates smoothly.
  • By collecting events from agents on multi-platform endpoints (Windows, macOS or Linux).

As we have seen, for any organization that takes security seriously, using EDR along with a SIEM strategy is essential.
The cyber threat landscape changes frequently and quickly. Attacks are becoming more frequent, and malicious actors are getting more sophisticated. Supported by the emergence of AI, even adversaries with limited technical knowledge can now modify malware to compromise defenses and evade traditional detection systems, such as antivirus solutions. They can even create new malicious programs from scratch.
Therefore, threats that were once exclusive to highly skilled and motivated actors are now within reach of many. This underscores the importance of designing our infrastructure with resilience in mind and integrating security measures capable of anticipating this ever-changing landscape.
Without this approach, we risk facing an increasingly hostile and complex environment unprotected every single day.

Shares