
Saturday, June 28, 2025


My final post of this class was an introduction to EDR and Endpoint Security. EDR stands for Endpoint Detection and Response. There is also a component of Endpoint Security referred to as NGAV or Next-Generation Antivirus. Both are required now to have the greatest chance of preventing infections and breaches. What is the difference between the two and how do they work together to help mitigate threats to your computer?

“NGAV is the prevention component of endpoint security, which aims to stop cyber threats from entering a network.” (Aarness, 2025) EDR detects activity that circumvents NGAV and allows teams to contain the threat, hopefully before it can move laterally in the environment. (Aarness, 2025) You can think of NGAV as the first line of defense in your arsenal against cyber threats, with EDR next in line to contain anything that gets past that first line. Because EDR gathers all the activity surrounding a potential threat, that data remains valuable even if containment fails: it can be used to determine what the threat actor actually did and what they gained access to.

I work as part of the managed endpoint protection security team for a large computer security firm. I have been doing this for 14 years. What is managed endpoint protection? It is the outsourcing of endpoint protection. This covers laptops, desktops, servers and even mobile devices. (SentinelOne, 2025)

Why would you outsource such an important part of your computer security? There are a few reasons. The first is the rising complexity of endpoint threats, although a good EDR and NGAV solution can cover that. More important are the limited in-house security expertise and the need for around-the-clock monitoring. (SentinelOne, 2025) Today it is quite hard to staff a full security team with the knowledge needed to detect and combat cyber threats, let alone staff one 24/7/365. Additionally, compared to staffing your own internal SOC (Security Operations Center), managed protection is quite cost effective. If you must deal with government regulations such as HIPAA, PCI DSS or GDPR, these companies should be equipped to help you with the cyber security side of remaining compliant.

Because these new EDR tools upload pretty much everything an endpoint does to their respective clouds, analyzing all of that data often requires outside tools. A common technique when searching for a threat or breach is to export all the data for a given period, import it into Excel, and then use Excel's data tools to sort and analyze it.

Additionally, if you have extensive knowledge of a scripting language such as Python, you may find it easier to write a script to go through the data. Many threat analysts write their own tools in Python to analyze EDR data. This speeds up their analysis and provides a more comprehensive result, especially when looking at a potential breach.
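As an added example of the kind of script described above (not code from the original post or from any EDR vendor), here is a small Python analysis of an exported process-event table: it reconstructs how a flagged process came to run and what it spawned afterwards, which is the question an analyst otherwise answers by sorting and filtering in Excel. The CSV layout and the sample rows are constructed for this example; real exports differ by vendor.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column layout is assumed for this example and vendor exports differ.
EDR_EXPORT = r"""timestamp,host,user,parent_pid,pid,process,cmdline
2025-06-28T09:00:01Z,WS01,alice,400,1200,explorer.exe,explorer.exe
2025-06-28T09:00:05Z,WS01,alice,1200,1300,winword.exe,winword.exe report.docx
2025-06-28T09:00:07Z,WS01,alice,1300,1400,powershell.exe,powershell.exe -File update.ps1
2025-06-28T09:00:09Z,WS01,alice,1400,1500,cmd.exe,cmd.exe /c dir \\FS01\share
2025-06-28T09:00:12Z,WS01,alice,1400,1600,net.exe,net.exe use Z: \\FS01\share
2025-06-28T09:01:00Z,WS02,bob,500,2200,explorer.exe,explorer.exe
"""

def load_events(text):
    """Parse the export; ISO-8601 timestamps sort correctly as plain strings."""
    return list(csv.DictReader(io.StringIO(text)))

def index_events(events):
    """Index rows by (host, pid) and by (host, parent_pid); pids are only unique per host."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    children = defaultdict(list)
    for e in events:
        children[(e["host"], e["parent_pid"])].append(e)
    return by_pid, children

def ancestry(events, host, pid):
    """Process names from the root down to the flagged process: how the actor got there."""
    by_pid, _ = index_events(events)
    chain, key, visited = [], (host, pid), set()
    while key in by_pid and key not in visited:  # visited guards against malformed rows that loop
        visited.add(key)
        chain.append(by_pid[key]["process"])
        key = (host, by_pid[key]["parent_pid"])
    return chain[::-1]

def activity_after(events, host, pid):
    """Every process the flagged one spawned, directly or indirectly, in time order:
    what the actor did next and what they touched (see the cmdline column)."""
    _, children = index_events(events)
    found, stack, seen = [], [(host, pid)], {(host, pid)}
    while stack:
        for child in children.get(stack.pop(), []):
            key = (child["host"], child["pid"])
            if key not in seen:  # same loop guard as above
                seen.add(key)
                found.append(child)
                stack.append(key)
    return sorted(found, key=lambda e: e["timestamp"])
```

Calling `ancestry(load_events(EDR_EXPORT), "WS01", "1400")` returns the chain explorer.exe, winword.exe, powershell.exe, and `activity_after` on the same process lists the cmd.exe and net.exe events it spawned.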

Keeping track of all of this data requires a very large database and extensive database management. Our largest databases are used for what we call MDR, which is similar to EDR but ingests data from multiple sources, not just the endpoint. We use Google SecOps for this. We ingest data from all sources such as the endpoint, Office 365 and Azure AD. This cloud-based database acts as a very large SIEM and correlates data among the different feeds to find potential risks and threats.

What is Google SecOps? It is a cloud service that is designed to retain, analyze and search the large amounts of security and network data that is generated by today’s tools. (Google, 2025) “The Google SecOps platform enables security analysts to analyze and mitigate a security threat throughout its lifecycle.” (Google, 2025)

Works Cited

Aarness, A. (2025, January 7). EDR vs NGAV. Retrieved from Crowdstrike: https://www.crowdstrike.com/en-us/cybersecurity-101/endpoint-security/edr-vs-ngav/

Google. (2025). Google SecOps overview. Retrieved from cloud.google.com: https://cloud.google.com/chronicle/docs/secops/secops-overview

SentinelOne. (2025, June 15). What is Managed Endpoint Protection? Retrieved from SentinelOne: https://www.sentinelone.com/cybersecurity-101/endpoint-security/managed-endpoint-protection/
