What is an endpoint protection platform (EPP)?

An endpoint protection platform (EPP) is an integrated security solution that combines a personal firewall, port and device control, and anti-malware capabilities to protect endpoints across an organization. It blocks known threats at the point of entry on devices such as laptops, workstations, mobile devices, and servers, using built-in mechanisms including signature-based malware defenses.

An EPP focuses on prevention: it stops threats before they execute, but it does not detect or respond to threats that get past those front-line defenses.

Because no EPP can block every threat, a complete endpoint security program pairs an EPP with endpoint detection and response (EDR). Endpoints are a primary target for attackers, which is why frameworks like NIST SP 800-83 treat malware prevention at the endpoint as a core control.

Cisco Secure Endpoint

What an endpoint protection platform includes

An EPP brings several preventative controls together into one solution that administrators manage centrally. Each control blocks a different category of threat at the device before it can execute or spread.

The table below summarizes the core capabilities of an endpoint protection platform. 

CapabilityWhat is does
Antivirus and anti-malware Blocks known malware at the point of entry, including signature-based threats
Application control Allows or blocks specific applications from running on the endpoint
Device and port controlGoverns which external devices and ports can connect to the endpoint
Host-based firewall Filters inbound and outbound traffic at the individual device

Effective anti-malware protection is the most demanding of these capabilities, because malware can appear harmless at first and change behavior later. To counter that, a modern EPP uses advanced anti-malware techniques:

  • Machine learning: Uses large-scale data to determine whether a file is malicious, including files it has not seen before.
  • Threat intelligence: Draws on historical and real-time data from billions of threats to automatically block known attacks.
  • Sandboxing: Isolates suspect files in a safe environment, then detonates and monitors them without risk to the rest of the system.

Detection techniques map against documented adversary behavior catalogued in MITRE ATT&CK.

Even with these capabilities, no EPP can guarantee 100 percent efficacy, which is why an EPP alone is not sufficient endpoint security.

How is an EPP different from EDR? 

An EPP brings several preventative controls together into one solution that administrators manage centrally. Each control blocks a different category of threat at the device before it can execute or spread.

The table below summarizes the core capabilities of an endpoint protection platform. 

An EPP prevents known threats at the point of entry. Endpoint detection and response (EDR) focuses on threats that have already evaded front-line defenses and entered the environment, continuously monitoring endpoints to find, investigate, and contain them. The two are complementary, not interchangeable. The table contrasts them at a capability level; for the full definition of EDR, see the EDR page

Capability type EPP EDR. 
Primary focusPrevention at the point of entry Detection, investigation, and response
When it acts Before a threat executes After a threat evades prevention
Core method Signature-based and behavioral blocking Continuous monitoring and analysis of endpoint activity
Limitation Cannot block every threat Acts after a threat is already inside

A complete endpoint security program uses both. The EPP reduces the volume of threats that reach the environment; EDR catches what gets through.

Common questions about endpoint protection platforms

 

An EPP is an integrated security solution that combines a personal firewall, port and device control, and anti-malware to block known threats at the endpoint. It focuses on prevention, stopping threats at the point of entry on devices such as laptops, servers, and mobile devices.

An EPP prevents known threats at the point of entry, while EDR continuously monitors endpoints to detect and respond to threats that evade prevention. The two work together: an EPP blocks what it can, and EDR catches what gets through. See the EDR page for full detail. 

An EPP can be described as a traditional antivirus solution, but it does more than signature-based blocking, adding application control, device control, and a host-based firewall. Antivirus alone improves front-line security but does not stop more sophisticated threats that find another way in. 

Yes. An EPP focuses solely on prevention, and because no EPP can block every threat, it should be paired with EDR. A comprehensive endpoint security solution includes both EPP and EDR capabilities. 

An EPP should include antivirus and anti-malware, application control, device and port control, and a host-based firewall, managed from a central console. Advanced versions add machine learning, threat intelligence, and sandboxing to block threats the EPP has not seen before.