Do You Need EDR if You Already Have a Firewall?

Asking whether an endpoint security solution is worth the money when a firewall is already in place is a reasonable question for any organization trying to run lean. On the surface, the two can look like solutions doing much the same job. In practice they are as different as a perimeter fence and an internal alarm system, and a sound defense needs both.

What is EDR?

An endpoint is any device that connects to the network: laptops, desktops, mobile phones, servers, network appliances, and virtual machines or other workloads in virtual environments. The agent that protects it is software installed on the device. Endpoint security is “the set of policies, practices and solutions defending the endpoints on a network against external attacks from malicious exploits.” Endpoint detection and response (EDR) is the agent-based class of tooling that records what happens on those devices, detects suspicious behavior, and automates investigation and response.

Multiple layers of protection are required on the endpoint to fend off attacks arriving through malware, social media, websites, email and software vulnerabilities. These techniques include:

  • Signature-based detection
  • Machine learning and behavioral analysis
  • Patch and vulnerability management
  • Root cause analysis
  • Containment and remediation

EDR works by detecting malware and other security events on the endpoint, raising an alert and, where the policy allows, investigating and responding automatically (for example, killing the offending process, quarantining the file, or isolating the host from the network). It secures the following layers:

  • Application—Against social engineering attacks, outdated versions and malicious scripts
  • File—Against dangerous attachments, malicious programs, and infected media
  • Network—Against spoofed sites and ads, phishing emails and protocol exploits

Because multi-vector attacks are on the rise, multi-layered solutions are needed to combat them.

Endpoint Security Vs. Network Security

While they both secure the enterprise, a firewall protects the network and EDR defends the endpoints. Just like an outer fence and an internal alarm system, they both do different things.

A firewall controls traffic between internal and external networks, inspecting everything that enters and leaves. It applies rules keyed on source and destination address, port and protocol (and, on next-generation firewalls, application or URL category) to permit or block that traffic, dropping connections from known-bad sources and allowing only what policy permits. This is the fence around the perimeter, and only those with valid access badges are permitted to enter. Although the formal perimeter has all but evaporated for today’s digital assets, the firewall is one relic that remains. It is useful against certain threats, but it has no visibility into what happens on a host once a connection has been allowed through, and no visibility at all into a laptop sitting outside the perimeter.

Things slip through the firewall every day, and re-compiled code, fileless malware and freshly spun-up domains evade signature-based detection at an ever-increasing rate. Some threats will reach the endpoint, or approach it directly, and for those an endpoint protection solution is required. Endpoint security resides on and protects individual devices. EDR agents monitor device activity (process creation, file writes, registry changes, network connections) in real time and detect threats from that telemetry, providing a second layer over firewall-only defense. This is the internal alarm system that defends the buildings inside, complementing the guard fence at the edge. Both are needed for a defense-in-depth (layered) approach.
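To make the two vantage points concrete, here is an added example (not code from the article, and not any vendor’s product) that runs one constructed incident past a toy first-match firewall rule table and past a toy endpoint rule set working on process-creation telemetry. The hosts, addresses, file paths, command lines and rule sets are all invented for the illustration. The outbound HTTPS beacon from a macro-launched PowerShell looks like ordinary egress to the firewall and is allowed; the endpoint side sees the process lineage and the command-line flags and flags it. The inbound scan, by contrast, is exactly what the firewall is good at stopping.

```python
"""Toy firewall vs. toy endpoint detection over one constructed incident.

Added illustration for this article, not code from the article or from any
EDR vendor. Hosts, addresses, paths and command lines are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = "10.0.0.0/8"  # assumed internal range for the example


# --- Network layer: what a perimeter firewall can see and decide on ----------

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# First-match rules: (action, src_net, dst_net, dport or None, proto or None).
# Only north/south (perimeter) traffic is modelled.
FIREWALL_RULES = [
    ("deny",  "0.0.0.0/0", INTERNAL,    None, None),   # no unsolicited inbound
    ("allow", INTERNAL,    "0.0.0.0/0", 443,  "tcp"),  # egress HTTPS
    ("allow", INTERNAL,    "0.0.0.0/0", 53,   "udp"),  # egress DNS
    ("deny",  "0.0.0.0/0", "0.0.0.0/0", None, None),   # default deny
]


def firewall_decision(flow: Flow, rules=FIREWALL_RULES) -> str:
    """Evaluate a flow against the rule table; the first matching rule wins."""
    for action, src_net, dst_net, dport, proto in rules:
        if ip_address(flow.src) not in ip_network(src_net):
            continue
        if ip_address(flow.dst) not in ip_network(dst_net):
            continue
        if dport is not None and flow.dport != dport:
            continue
        if proto is not None and flow.proto != proto:
            continue
        return action
    return "deny"


# --- Endpoint layer: what an agent on the host can see --------------------------

@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EVASION_TOKENS = {"-enc", "-encodedcommand", "-nop", "-noprofile", "iex", "invoke-expression"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def endpoint_findings(ev: ProcessEvent) -> list:
    """Behavioral checks on process lineage and command line (no signatures)."""
    findings = []
    parent, image = _basename(ev.parent_image), _basename(ev.image)
    tokens = set(ev.cmdline.lower().split())
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office_app_spawned_script_host")
    if image in {"powershell.exe", "pwsh.exe"}:
        if EVASION_TOKENS & tokens:
            findings.append("powershell_evasion_flags")
        if "hidden" in tokens and ({"-w", "-windowstyle"} & tokens):
            findings.append("powershell_hidden_window")
    return findings


# --- Constructed scenario: macro document -> hidden PowerShell -> HTTPS beacon --
MALICIOUS_PROC = ProcessEvent(
    host="LAPTOP-17",
    parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    cmdline="powershell.exe -nop -w hidden -enc <base64 stage omitted>",
)
BEACON_FLOW = Flow(src="10.20.30.40", dst="203.0.113.10", dport=443, proto="tcp")

# Constructed benign activity and a constructed inbound scan for contrast.
BENIGN_PROC = ProcessEvent(
    host="LAPTOP-17",
    parent_image=r"C:\Windows\explorer.exe",
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    cmdline=r"powershell.exe -File C:\Scripts\inventory.ps1",
)
INBOUND_SCAN = Flow(src="198.51.100.7", dst="10.20.30.40", dport=445, proto="tcp")


def triage(flow: Flow, ev: ProcessEvent) -> dict:
    """What each layer would have said about one incident."""
    return {"firewall": firewall_decision(flow), "endpoint": endpoint_findings(ev)}


if __name__ == "__main__":
    print(triage(BEACON_FLOW, MALICIOUS_PROC))
    print(firewall_decision(INBOUND_SCAN), endpoint_findings(BENIGN_PROC))
```

The point of the split is that the firewall only ever sees the 5-tuple of the beacon, which is indistinguishable from a browser session, while the endpoint rule never looks at the network at all and still catches the attack from lineage and arguments. Neither set of rules is production-grade; real agents key on far richer telemetry, and real firewalls on reputation and TLS inspection, but the blind spots shown here are the real ones.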

Why You Still Need EDR

Most cybersecurity threats have historically come through the network; however, the recent trend is for them to come directly to the endpoint. A study by the Ponemon Institute indicated that 68% of organizations experienced an endpoint attack resulting in compromised data or IT infrastructure, and the same amount experienced an increase in endpoint attacks from the year before.

In response, the market for endpoint security tools is booming. Gartner’s endpoint protection platform forecast predicts that global spending will reach $26.4 billion by 2025, boasting an 18.7% CAGR. Corroborating that prediction, Absolute Software’s 2021 endpoint risk report noted that 76% of IT decision-makers reported their organization’s use of and investment in endpoint security devices increased in 2021.

Endpoints are the entry point from which attackers pivot to the rest of the network, and they are usually operated by users without expert security awareness. Because they are in constant use, less stringently guarded, and configured for ease of use, they present an easier target than the perimeter.

Firewalls filter web traffic and defend on the network front, and endpoint solutions implement web access policies, prevent malicious links, and enforce compliance on end-user devices, securing them against threats that can then creep into the network.

A firewall can’t stop a laptop on a hotel Wi-Fi network from being infected via a malicious URL; an endpoint protection agent on that laptop can. A firewall can’t tell you how much malicious content is reaching users’ mail clients, or what those attachments do once opened; an endpoint protection platform can. A firewall cannot run an automated investigation and containment action on a compromised device when a critical detection fires; EDR can.

A zero-trust architecture needs multiple layers of defense. Endpoint detection and response is an integral part of a defense-in-depth (DiD) approach and can defend where firewalls cannot. As threats evolve and shift from network-based to endpoint-based attacks, EDR cannot be undervalued in an organization’s overall security, even when a firewall is already in place.


Katrina Thompson

An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.
