Endpoint Detection and Response (EDR) is the modern replacement for traditional antivirus. Where old-school antivirus matched files against a list of known malware signatures, EDR watches behaviour across every endpoint (laptops, servers, phones) and flags anything suspicious, even if it has never been seen before.
EDR is now the baseline expectation for any UK business serious about security, and it’s a question on almost every cyber insurance application.
How EDR differs from traditional antivirus
| | Traditional Antivirus | EDR |
|---|---|---|
| Detection method | Known signatures | Behavioural analysis |
| Zero-day protection | Weak | Strong |
| Response | Alerts the user | Can isolate and remediate automatically |
| Forensic data | Minimal | Full timeline of every process on every endpoint |
| Cloud-connected | Not required | Standard |
| Cost | Low | Medium |
What EDR does on your devices
- Watches every process for suspicious behaviour, for example PowerShell launched from an Office document
- Blocks known bad things instantly, just like antivirus
- Flags unusual patterns, such as a user suddenly accessing a hundred files on the shared drive at 3am
- Isolates infected devices from the network while responders investigate
- Retains a timeline of what every process did, so responders can trace the attack back to its origin
- Rolls back changes in some cases, restoring files that ransomware encrypted
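To make the difference between the two rows of the comparison table and the first three bullets above concrete, here is an added illustration (not Equate Group's code, and not the logic of any real EDR product) that runs a signature check and two behavioural rules over constructed endpoint telemetry. The event fields, the hash values, the thresholds and the off-hours window are all assumptions made for the example.

```python
"""Signature matching versus behavioural rules over constructed endpoint telemetry.

Added illustration, not Equate Group code or any EDR product's logic. The event
shapes, hash values and thresholds are all constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Placeholder "known bad" hash set standing in for a signature database.
KNOWN_BAD_SHA256 = {"deadbeef" * 8}

# Behavioural rule: Office applications should not spawn script or command hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events (simplified Sysmon/EDR-style fields).
PROCESS_EVENTS = [
    {"ts": "2024-03-04T09:12:01", "host": "LAPTOP-01", "user": "alice",
     "parent": "explorer.exe", "image": "winword.exe", "sha256": "aa" * 32},
    # Same legitimate PowerShell binary as carol's below, but launched by Word.
    {"ts": "2024-03-04T09:12:40", "host": "LAPTOP-01", "user": "alice",
     "parent": "winword.exe", "image": "powershell.exe", "sha256": "bb" * 32},
    # A binary whose hash is already on the blocklist.
    {"ts": "2024-03-04T09:13:05", "host": "LAPTOP-02", "user": "bob",
     "parent": "explorer.exe", "image": "dropper.exe", "sha256": "deadbeef" * 8},
    # An admin running PowerShell from the desktop: normal, should not alert.
    {"ts": "2024-03-04T09:14:00", "host": "LAPTOP-03", "user": "carol",
     "parent": "explorer.exe", "image": "powershell.exe", "sha256": "bb" * 32},
]


def _burst(user, host, start, count, prefix, step):
    """Build a run of constructed file-access events for one user."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + i * step).isoformat(), "host": host, "user": user,
             "path": f"\\\\fs01\\shared\\{prefix}{i}.docx"} for i in range(count)]


# dave touches 120 distinct files in four minutes at 03:01; alice opens 30 over a working morning.
FILE_EVENTS = (_burst("dave", "FS-01", "2024-03-05T03:01:00", 120, "doc", timedelta(seconds=2))
               + _burst("alice", "FS-01", "2024-03-05T10:00:00", 30, "report", timedelta(minutes=1)))


def signature_alerts(events):
    """What traditional antivirus does: match the file hash against a known-bad list."""
    return [e for e in events if e["sha256"] in KNOWN_BAD_SHA256]


def office_child_alerts(events):
    """Behavioural rule: flag script hosts whose parent process is an Office application."""
    return [e for e in events
            if e["parent"].lower() in OFFICE_PARENTS and e["image"].lower() in SCRIPT_HOSTS]


def mass_file_access_alerts(events, threshold=100, window=timedelta(hours=1), off_hours=range(0, 6)):
    """Behavioural rule: a user touching >= threshold distinct files within `window` during off hours."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        in_window = Counter()  # distinct paths currently inside the sliding window
        start = 0
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            in_window[e["path"]] += 1
            # Slide the window start forward until it spans at most `window`.
            while ts - datetime.fromisoformat(evs[start]["ts"]) > window:
                old = evs[start]["path"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold and ts.hour in off_hours:
                alerts.append({"user": user, "host": e["host"], "first": evs[start]["ts"],
                               "last": e["ts"], "distinct_files": len(in_window)})
                break  # one alert per user is enough for this illustration
    return alerts


def run_all():
    """Run every rule and return the hits keyed by rule name."""
    return {"signature": signature_alerts(PROCESS_EVENTS),
            "office_child": office_child_alerts(PROCESS_EVENTS),
            "mass_file_access": mass_file_access_alerts(FILE_EVENTS)}


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, len(hits), [h.get("image", h.get("user")) for h in hits])
```

The point the sample data makes: alice's PowerShell is byte-for-byte the same binary as carol's, so a hash lookup cannot tell them apart; only the parent-process context (Word spawning a script host) separates the two. Likewise nothing about any single file open by dave is malicious; it is the rate, the hour and the spread across distinct files that a behavioural rule keys on. Real products tune these thresholds per environment and enrich each hit with the process timeline the later bullets describe.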
EDR vs MDR vs XDR
Three related acronyms worth knowing:
- EDR, the software that watches endpoints. You still need someone to respond to alerts.
- MDR (Managed Detection and Response), EDR software plus a team of analysts who watch the alerts for you, 24/7.
- XDR (Extended Detection and Response), EDR plus correlation with network, email, and cloud signals. More sophisticated, more expensive.
For most UK SMBs, MDR is the right answer: the software needs humans watching it, and most small businesses don’t have 24/7 security analysts on payroll.
What insurance underwriters ask
Cyber insurers increasingly require EDR on all endpoints, not just antivirus, as a precondition for cover. They may also ask:
- Is the EDR deployed to 100% of devices?
- Who responds to alerts, and how quickly?
- Are logs retained for 90 days or more?
- Is there a managed detection and response service?
“Defender for Endpoint in block mode” is usually a yes answer. Basic Windows Defender usually isn’t sufficient.
How we help
Equate Group deploys and manages EDR as part of our cyber security and managed IT services. For most clients, that’s Microsoft Defender for Endpoint (integrated into Microsoft 365) with managed response, a pragmatic sweet spot for UK SMBs.