In my previous blog titled "Security Landscape", I listed Network Security, App Security, and
Endpoint Security as major categories to be covered. In that blog, I dove into Network Security
and left the other two alone. In this blog, I will dive a bit more into Endpoint Security - arguably the most visible form of security for consumers.
Endpoint devices—such as laptops and smartphones—serve as the primary gateways to the digital world. Through these devices,
users access critical software containing financial, engineering, and governmental data. Consequently, endpoints
are prime targets for cyberattacks. Hackers typically target these devices to:
Compromise Credentials: Steal login details to gain unauthorized access to data.
Steal Data: Exfiltrate intellectual property, personally identifiable information (PII), or classified governmental records for financial gain or espionage.
Deploy Ransomware: Encrypt and lock data to demand payment for its release.
Install Malware: Plant bots that can spread to other systems or lie dormant until triggered to disable the host.
Endpoint Detection and Response (EDR) was developed to secure these entry points and safeguard the
sensitive information they hold. Beyond simply blocking known threats, modern EDR acts as a sophisticated
surveillance system for every device in an organization. While traditional antivirus software checks files against
a list of "known bad" signatures, EDR focuses on behavioral analysis. It monitors what a device is actually
doing—such as a word processor suddenly trying to modify system registry files—and flags these anomalies
in real-time.
Daily Life of an EDR:

1. Detect (The Watchman)
EDR provides "continuous visibility." It doesn't just look at files; it monitors every process, registry change, and network connection. It looks for "Indicators of Attack" (IOA). For example, if a calculator app suddenly tries to connect to a server in a foreign country, EDR detects that behavior as suspicious even if the app itself isn't a "virus."

2. Prevent (The Shield)
This is where EDR stops the "Entry." It happens at the moment of impact, to ensure the threat doesn't take root. It uses Machine Learning and Threat Intelligence to block known bad signatures (like a specific malware file) and "zero-day" attacks (new threats that haven't been seen before but behave like malware). It stops the download or execution before the user even knows there was a threat.

3. Respond (The Medic & Investigator)
This is the "R" in EDR. "Respond" isn't just about future prevention; it's about active containment of a live threat. How it works:
Containment: If a device is compromised, the EDR can isolate it from the network so the infection doesn't spread to the engineering or governmental servers mentioned above.
Remediation: It "kills" the malicious processes and rolls back changes (like deleted files) to restore the device to its original state.
Forensics: The "future prevention" part comes from analyzing how the hacker got in so you can patch that specific hole.
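To make the signature-versus-behavior distinction concrete, here is a small added example (my own toy code, not from any EDR product) that runs a signature check and a behavioral IOA check over a handful of constructed telemetry records, then builds a containment plan. The process names, hash labels and the 203.0.113.7 address are all constructed sample values.

```python
"""Toy EDR: signature scan vs. behavioral (IOA) detection, plus containment."""

# Constructed endpoint telemetry: which process did what, and to which target.
EVENTS = [
    {"host": "lap-01", "proc": "winword.exe", "hash": "h-word",
     "action": "registry_write", "target": r"HKLM\...\CurrentVersion\Run"},
    {"host": "lap-02", "proc": "calc.exe", "hash": "h-calc",
     "action": "net_connect", "target": "203.0.113.7:443"},
    {"host": "lap-03", "proc": "chrome.exe", "hash": "h-chrome",
     "action": "net_connect", "target": "198.51.100.10:443"},
    {"host": "lap-01", "proc": "winword.exe", "hash": "h-word",
     "action": "file_write", "target": r"C:\Users\a\report.docx"},
]

# Traditional antivirus view: a list of "known bad" file hashes (constructed).
KNOWN_BAD_HASHES = {"h-evil-dropper", "h-evil-ransom"}

# Behavioral view: what each kind of process is expected to do on a normal day.
ROLE = {"winword.exe": "office", "excel.exe": "office",
        "calc.exe": "utility", "chrome.exe": "browser"}
ALLOWED = {"office": {"file_read", "file_write"},
           "utility": {"file_read"},
           "browser": {"file_read", "file_write", "net_connect"}}

def signature_scan(events):
    """Flag only processes whose file hash is already on the known-bad list."""
    return [ev for ev in events if ev["hash"] in KNOWN_BAD_HASHES]

def detect(events):
    """Flag actions outside the process role's normal behavior (an IOA)."""
    alerts = []
    for ev in events:
        role = ROLE.get(ev["proc"], "unknown")
        if ev["action"] not in ALLOWED.get(role, set()):
            alerts.append({"host": ev["host"], "proc": ev["proc"],
                           "rule": f"{role} process did {ev['action']} "
                                   f"to {ev['target']}"})
    return alerts

def respond(alerts):
    """Containment plan: isolate each alerting host, kill offending processes."""
    plan = {}
    for a in alerts:
        entry = plan.setdefault(a["host"], {"isolate": True, "kill": set()})
        entry["kill"].add(a["proc"])
    return plan

if __name__ == "__main__":
    print("signature hits:", len(signature_scan(EVENTS)))  # 0: both miss
    for a in detect(EVENTS):
        print("IOA:", a["rule"])
    print("containment:", respond(detect(EVENTS)))
```

Neither suspicious process is a known-bad file, so the signature scan returns nothing, while the behavioral check catches the word processor touching the Run key and the calculator opening an outbound connection.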
Conclusion: