Endpoint Protection and EDR
Antivirus once meant matching files against known-malware signatures; modern endpoint detection and response watches behavior — process trees, memory, network calls — because attackers now use fileless techniques and living-off-the-land that no signature catches. EDR is the sensor and the responder on Meridian's laptops and servers, feeding the SOC (Chapter 10) and enabling remote containment (Chapter 11).
This topic covers what endpoint tools actually do and their limits — because an EDR an attacker can disable, or one whose alerts nobody triages, protects far less than its price tag suggests.
Signature AV vs Behavioral EDR
Signature antivirus catches known-bad files cheaply but misses novel, fileless, and living-off-the-land attacks — exactly the techniques from Chapter 5. EDR adds behavioral detection: a suspicious process lineage, a credential-dumping pattern, an unusual network call. It catches what has no signature, which is why it is the modern baseline rather than an optional upgrade.
Telemetry and Detection
EDR streams rich endpoint telemetry — process, file, registry, and network events — that both detects in real time and provides the forensic record for an investigation. As network traffic encrypts (Chapter 4), the endpoint has become the richest detection source, because it sees the activity after decryption, at the point where the attacker actually operates.
Response Capabilities
EDR can isolate a host from the network, kill a process, and collect artifacts remotely, turning detection into containment in minutes rather than the hours a manual response takes (Chapter 11). This is why EDR is a response tool as much as a detection one — the ability to network-isolate a compromised laptop from a console is what stops a foothold from spreading while responders work.
Limits and Evasion
Attackers try to disable, blind, or bypass EDR — unhooking, bring-your-own-vulnerable-driver attacks, outright tampering — so tamper protection is essential, because an EDR a foothold can switch off is no sensor. The other real limits are coverage gaps (unmanaged and BYOD devices where no agent runs) and alert fatigue (a stream of untriaged detections that hides the real one). Tamper protection on, gaps closed, alerts triaged — those are the operational requirements.
Signature AV — known-malware signatures; cheap, but blind to novel and fileless attacks.
EDR — behavioral detection and response on the endpoint; the modern baseline.
XDR / MDR — EDR correlated across endpoint, network, cloud, and identity (XDR), or run by an outside team (MDR), for organizations without a 24/7 SOC. More coverage, more cost.
- Relying on signature antivirus alone and missing the fileless and living-off-the-land intrusions that dominate modern attacks.
- Deploying EDR without tamper protection, letting an attacker with local privileges disable the very sensor watching them.
- Coverage gaps — unmanaged servers, BYOD, forgotten hosts — which are exactly where attackers operate unobserved.
- Drowning in EDR alerts without tuning or a SOC to triage them, so real detections are lost in noise.
- Treating EDR as detection only and never wiring up its isolation and response capabilities.
- Deploy behavioral EDR on all managed endpoints with tamper protection enabled, not signature antivirus alone.
- Stream endpoint telemetry to the SIEM (Chapter 10) and define isolation and kill playbooks for fast response (Chapter 11).
- Close coverage gaps: inventory hosts, cover servers not just laptops, and take a clear stance on unmanaged devices.
- Tune detections and pair EDR with a team — in-house SOC or MDR — that actually triages the alerts.
- Use EDR's remote isolation to contain a compromised host in minutes rather than waiting on manual response.
Knowledge Check
Why is signature antivirus alone insufficient against modern intrusions?
- Fileless and living-off-the-land attacks leave no known-bad file to match
- Signature scanning is simply far too slow to keep up with modern disk write speeds
- Antivirus engines cannot be installed on production servers at all
- Signatures only match while the host is completely offline
Why has the endpoint become the richest source of detection telemetry?
- As the wire encrypts, only the endpoint still sees post-decryption activity
- Endpoints generate far less telemetry than the network, which makes analysis easier
- Networks have entirely stopped carrying any attacker traffic
- Endpoints, unlike network links, can never be encrypted at all
Why is EDR tamper protection essential?
- An EDR the attacker can switch off protects nothing
- It makes the EDR agent scan and run noticeably faster
- It transparently encrypts the whole endpoint disk
- It removes the analyst's need to triage any alerts
You got correct