Endpoint Security: EDR, XDR, System Hardening, and Secure Baselines
Endpoints (laptops, servers, mobile devices, IoT) are among the most common entry points for attacks: a phished user, an unpatched service, or a lost phone all land on an endpoint first. Endpoint security combines hardening (reduce what can be attacked), monitoring (see what is happening), and response capabilities (contain it quickly) to protect devices.
Endpoint Detection and Response (EDR)
EDR solutions continuously monitor endpoint activity to detect threats that traditional antivirus misses. EDR records telemetry (process execution with parent/child relationships and command lines, file changes, network connections, registry modifications), analyzes that behavior to identify malicious patterns, and enables rapid response (isolate the endpoint from the network, kill processes, roll back changes).
EDR is essential because modern attacks use fileless malware, living-off-the-land binaries (LOLBins such as PowerShell, certutil, mshta, or rundll32), and other techniques that evade signature-based detection. EDR detects on behavior (what a process does, who spawned it, what it connects to) rather than on file signatures, so a malicious PowerShell one-liner launched from a Word macro is caught even though no new file ever touches disk.
For the Security+ exam, EDR is a key concept for objective 4.5 (Enterprise Security Capabilities). Know that EDR provides visibility beyond what antivirus offers.
- EDR: continuous endpoint monitoring with behavioral analysis
- Detects fileless malware, LOLBins, and advanced persistent threats
- Response actions: isolate, kill process, rollback, quarantine
- EDR complements but does not replace traditional antivirus
XDR (Extended Detection and Response)
XDR extends EDR capabilities across the entire security ecosystem. While EDR focuses on endpoints, XDR integrates data from endpoints, networks, cloud workloads, email, and identity systems into a single detection and response platform.
XDR breaks down silos between security tools. An XDR platform can correlate a suspicious email attachment (email security) with the process it spawned on the endpoint (EDR) and the outbound connection that process then made (network security), stitching three low-severity alerts into one incident with a complete attack story.
The Security+ exam distinguishes EDR (endpoint-only) from XDR (multi-source). XDR is newer and broader.
- XDR: extends EDR across endpoints, network, email, cloud, and identity
- Correlates data from multiple sources for comprehensive detection
- Reduces alert fatigue by connecting related alerts into incidents
- Broader scope than EDR — covers the entire security ecosystem
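To make the correlation concrete, here is an added example (not from any XDR vendor) that groups alerts from email, endpoint, network, and identity sources into incidents. The alert schema, the join key (the user), the 10-minute window, and the severity scale are assumptions; the alerts themselves are constructed.

```python
"""Cross-source alert correlation in the style of an XDR platform.

Added example; not from any vendor. Each source on its own raises a
low-severity alert; joined on a shared entity (the user here) within a
time window, they become one incident with a readable story.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed correlation window

# Constructed alerts from four sources. 'user' is the common entity key.
SAMPLE_ALERTS = [
    {"ts": "2024-05-01T09:00:00", "source": "email", "user": "alice", "host": None,
     "detail": "attachment invoice.docm from external sender (macro present)"},
    {"ts": "2024-05-01T09:03:10", "source": "endpoint", "user": "alice", "host": "LT-ALICE",
     "detail": "winword.exe spawned powershell.exe"},
    {"ts": "2024-05-01T09:03:15", "source": "network", "user": "alice", "host": "LT-ALICE",
     "detail": "outbound HTTP to newly registered domain"},
    {"ts": "2024-05-01T09:05:40", "source": "identity", "user": "alice", "host": None,
     "detail": "new MFA device registered"},
    {"ts": "2024-05-01T14:20:00", "source": "network", "user": "bob", "host": "LT-BOB",
     "detail": "outbound HTTP to newly registered domain"},
    {"ts": "2024-05-01T16:00:00", "source": "email", "user": "alice", "host": None,
     "detail": "attachment report.xlsm from external sender (macro present)"},
]


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def summarize(chain):
    """Turn a time-ordered chain of related alerts into one incident record."""
    sources = sorted({a["source"] for a in chain})
    hosts = sorted({a["host"] for a in chain if a["host"]})
    return {
        "user": chain[0]["user"],
        "hosts": hosts,
        "sources": sources,
        # Assumed scoring: one source is low; each additional source raises it.
        "severity": {1: "low", 2: "medium", 3: "high"}.get(len(sources), "critical"),
        "story": " -> ".join(f"[{a['source']}] {a['detail']}" for a in chain),
    }


def correlate(alerts, window=WINDOW):
    """Group alerts per user; a new incident starts when the gap to the
    previous alert for that user exceeds the window."""
    per_user = defaultdict(list)
    for a in sorted(alerts, key=_ts):
        per_user[a["user"]].append(a)
    incidents = []
    for items in per_user.values():
        current = [items[0]]
        for a in items[1:]:
            if _ts(a) - _ts(current[-1]) <= window:
                current.append(a)
            else:
                incidents.append(current)
                current = [a]
        incidents.append(current)
    return [summarize(c) for c in incidents]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc['severity']:8} {inc['user']:6} {inc['hosts']} {inc['story']}")
```

Six alerts become three incidents: one critical incident for alice in the morning, and two isolated low-severity alerts (bob's single network hit and alice's afternoon email) that would not justify paging anyone. That is how XDR reduces alert fatigue without dropping data.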
System Hardening
System hardening reduces the attack surface by eliminating unnecessary services, ports, and permissions. Hardening should follow industry benchmarks like CIS Benchmarks and vendor security guides.
Hardening practices: disable unnecessary services and ports, remove unused software, apply security patches promptly, configure host-based firewalls, enable logging and auditing, enforce strong password policies, disable default accounts, and configure file permissions (least privilege).
Secure baseline — a standardized, hardened configuration applied to all systems of the same type. Baselines ensure consistency and simplify management. Deviations from the baseline (configuration drift) should be detected automatically, flagged, and investigated: drift is often the first visible sign of an attacker's changes or of an undocumented administrative exception.
Immutable systems (immutable infrastructure) — systems are never patched or modified in place. Instead, new instances are deployed with updated configurations, and old instances are destroyed. Common in cloud environments.
- Hardening: reduce attack surface by disabling unnecessary services and ports
- CIS Benchmarks: industry-standard hardening guidelines
- Secure baseline: standardized hardened configuration for all systems
- Immutable infrastructure: replace, don't patch — deploy fresh instances
- Host firewall: block inbound by default, allow only required traffic
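A baseline is only useful if drift is actually checked. The script below is an added example for this page, not part of any CIS Benchmark or vendor guide: it parses a constructed sshd_config-style file, compares it against an assumed baseline of a few SSH hardening settings, reports every deviation (including options that are missing and therefore fall back to defaults), and rewrites the file to match. The baseline values are assumptions modelled on common SSH guidance; use the benchmark for your platform for the authoritative ones.

```python
"""Secure-baseline drift check and remediation for an sshd_config-style file.

Added example; not from the page or any benchmark. BASELINE is an assumed
set of settings, SAMPLE_CONFIG is a constructed file with two deviations and
one option missing entirely.
"""

# Assumed baseline: option (lower-case) -> (expected value, comparison)
BASELINE = {
    "permitrootlogin":        ("no", "eq"),
    "passwordauthentication": ("no", "eq"),
    "permitemptypasswords":   ("no", "eq"),
    "x11forwarding":          ("no", "eq"),
    "maxauthtries":           (4, "le"),      # numeric ceiling
    "loglevel":               ("verbose", "eq"),
}

SAMPLE_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 6
# LogLevel is not set, so the daemon default applies: that is drift too
"""


def parse_config(text):
    """Return {option_lower: first_value}. sshd honours the first occurrence
    of an option, so later duplicates are deliberately ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_baseline(text, baseline=BASELINE):
    """Return a list of (option, actual_or_None, expected) deviations."""
    settings = parse_config(text)
    deviations = []
    for key, (expected, cmp) in baseline.items():
        actual = settings.get(key)
        if actual is None:
            deviations.append((key, None, expected))   # missing: default applies
            continue
        if cmp == "eq":
            ok = actual.lower() == str(expected).lower()
        else:
            ok = actual.isdigit() and int(actual) <= expected
        if not ok:
            deviations.append((key, actual, expected))
    return deviations


def remediate(text, baseline=BASELINE):
    """Return config text with every baseline option at its expected value:
    deviating lines are rewritten in place, missing ones are appended."""
    fixes = {key: str(expected) for key, _, expected in check_baseline(text, baseline)}
    out, seen = [], set()
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        key = parts[0].lower() if parts and not line.lstrip().startswith("#") else None
        if key in fixes and key not in seen:
            out.append(f"{parts[0]} {fixes[key]}")
        else:
            out.append(line)
        if key:
            seen.add(key)
    for key, value in fixes.items():
        if key not in seen:
            out.append(f"{key} {value}")   # sshd option names are case-insensitive
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, actual, expected in check_baseline(SAMPLE_CONFIG):
        print(f"DRIFT {key}: found {actual!r}, baseline {expected!r}")
    print(remediate(SAMPLE_CONFIG))
```

Running the check again on the remediated text returns no deviations. In practice the remediation step would be a configuration-management run (or, with immutable infrastructure, a fresh image), and the check step is what you schedule and alert on.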
Application Security Controls
Application Whitelisting (now usually called allowlisting) — only approved applications can execute; everything else is blocked by default (default deny). This is the opposite of antivirus blacklisting, which blocks known bad and allows everything else. Whitelisting is more secure because a never-before-seen binary is blocked without anyone having to recognize it first, but it requires more management: every legitimate new tool or update must be approved before it will run.
Application Blacklisting (blocklisting) — blocks known malicious applications (default allow). Less secure because new or unknown malware, including a trivially repacked copy of known malware whose hash no longer matches, isn't blocked.
Sandboxing — running untrusted code in an isolated environment. If the code is malicious, it can't affect the host system. Modern browsers sandbox web pages; antivirus products sandbox suspicious files for analysis.
Other application controls: software restriction policies (Windows SRP, the predecessor of AppLocker), AppLocker and Windows Defender Application Control (WDAC), which decide whether an executable may run at all, and SELinux/AppArmor, Linux mandatory access controls that confine what an already-running process may access (files, ports, capabilities) rather than whether it may start.
- Whitelisting: allow only approved apps, block everything else (most secure)
- Blacklisting: block known bad, allow everything else (less secure)
- Sandboxing: isolate untrusted code execution from the host
- AppLocker/WDAC decide which executables may run; SELinux/AppArmor confine what running processes may access
Mobile Device Management (MDM)
MDM solutions manage and secure mobile devices (smartphones, tablets) in the enterprise. MDM enforces policies, distributes apps, and can wipe devices remotely.
MDM capabilities: device enrollment, policy enforcement (PIN requirements, encryption), application management (mandatory installs, blocklists), remote lock and wipe, location tracking, and compliance reporting.
Deployment models: BYOD (Bring Your Own Device — employee-owned, policy-enforced), COPE (Corporate-Owned, Personally Enabled — company buys, personal use allowed), and CYOD (Choose Your Own Device — limited approved models).
MDM integration with containerization — creates a secure, separately encrypted workspace on the device for corporate apps and data, isolated from personal data (work profile on Android; User Enrollment with a Managed Apple ID on iOS). The container is what the organization can wipe or lock on an employee-owned device without touching personal photos or messages.
- MDM: manage mobile devices — enforce encryption, PIN, remote wipe
- BYOD: employee device, company policy — privacy concerns
- COPE: company device, personal use — more control
- Containerization: separate work and personal data on the same device
- Remote wipe: erase device data if lost or stolen
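The policy checks and the ownership-dependent responses above can be expressed as a small compliance evaluator. This is an added example, not any MDM product's logic: the policy thresholds, the constructed device inventory, and the response matrix (non-compliant devices lose corporate access until fixed; a lost COPE device gets a full wipe, a lost BYOD device only a selective wipe of the work container) are all assumptions chosen to illustrate the privacy point.

```python
"""MDM compliance evaluation with ownership-aware response actions.

Added example; not from any MDM product. POLICY, DEVICES and the response
matrix are assumptions. The OS version is modelled as a (major, minor) tuple.
"""

POLICY = {
    "min_pin_length": 6,
    "require_encryption": True,
    "min_os": (17, 0),
    "blocked_apps": {"rootcloak", "badvpn"},
}

# Constructed inventory, as an MDM agent might report it.
DEVICES = [
    {"id": "d1", "owner": "COPE", "pin_length": 6, "encrypted": True,
     "os": (17, 4), "apps": {"mail"}, "lost": False},
    {"id": "d2", "owner": "BYOD", "pin_length": 4, "encrypted": True,
     "os": (17, 2), "apps": {"mail", "games"}, "lost": False},
    {"id": "d3", "owner": "BYOD", "pin_length": 6, "encrypted": False,
     "os": (16, 7), "apps": {"mail", "badvpn"}, "lost": False},
    {"id": "d4", "owner": "COPE", "pin_length": 6, "encrypted": True,
     "os": (17, 4), "apps": {"mail"}, "lost": True},
    {"id": "d5", "owner": "BYOD", "pin_length": 6, "encrypted": True,
     "os": (17, 4), "apps": {"mail", "games"}, "lost": True},
]


def violations(dev, policy=POLICY):
    """List every policy rule the device fails, in a fixed order."""
    v = []
    if dev["pin_length"] < policy["min_pin_length"]:
        v.append("pin_too_short")
    if policy["require_encryption"] and not dev["encrypted"]:
        v.append("not_encrypted")
    if dev["os"] < policy["min_os"]:
        v.append("os_outdated")
    bad = dev["apps"] & policy["blocked_apps"]
    if bad:
        v.append("blocked_app:" + ",".join(sorted(bad)))
    return v


def response(dev, policy=POLICY):
    """Pick the response. Lost devices are wiped; how much is wiped depends
    on who owns the device. Non-compliant devices lose access to corporate
    data (conditional access) until they are brought back into compliance."""
    if dev["lost"]:
        return "full_wipe" if dev["owner"] == "COPE" else "selective_wipe_work_container"
    if violations(dev, policy):
        return "block_corporate_access"
    return "compliant"


def report(devices=DEVICES, policy=POLICY):
    """Return {device_id: (violations, response)} for the whole inventory."""
    return {d["id"]: (violations(d, policy), response(d, policy)) for d in devices}


if __name__ == "__main__":
    for dev_id, (v, action) in report().items():
        print(f"{dev_id}: {action:30} {v}")
```

Note that the lost-device branch ignores the compliance result on purpose: a lost device is wiped whether or not it was compliant, and the ownership model, not the violation list, decides how far the wipe goes.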
Exam Tip
Know EDR vs XDR: EDR is endpoint-only, XDR is multi-source (network, email, cloud). Hardening = reducing attack surface via CIS benchmarks. Whitelisting is more secure than blacklisting. MDM = mobile device management (BYOD vs COPE).