Endpoint Security
Introduction
Endpoint security protects devices — laptops, servers, mobile devices, and IoT — that connect to corporate networks. Modern endpoint protection has evolved from signature-based antivirus to sophisticated platforms combining behavioral detection, threat intelligence, and automated response.
EDR vs XDR vs Traditional Antivirus
Traditional Antivirus (AV)
Signature-based AV compares files against a database of known malware hashes. It is effective against commodity malware but fails against zero-day threats, fileless attacks, and polymorphic malware.
# ClamAV command-line scanning
clamscan --recursive --infected /home/user
clamscan --database=/var/lib/clamav --log=/var/log/clamav.log /
Limitations of signature-based AV:
* Cannot detect unknown threats
* No behavioral monitoring
* Limited or no response capabilities
* No cross-host correlation
Endpoint Detection and Response (EDR)
EDR platforms continuously monitor endpoint activity, recording system calls, process creation, network connections, file system changes, and registry modifications. They provide visibility into attacker behavior across the kill chain.
# Hypothetical EDR telemetry query
def query_process_tree(process_id, timespan_hours=24):
return edr_api.query(f"""
SELECT pid, parent_pid, name, command_line,
event_time, user, hash
FROM process_events
WHERE (pid = {process_id} OR parent_pid = {process_id})
AND event_time > NOW() - INTERVAL '{timespan_hours} hours'
ORDER BY event_time
""")
Extended Detection and Response (XDR)
XDR extends EDR by correlating telemetry across endpoints, network traffic, email, cloud workloads, and identity systems. This cross-domain correlation reveals multi-stage attacks spanning different infrastructure layers.
# XDR cross-domain correlation example
def correlate_alerts():
# Correlate endpoint alert with network flow
endpoint_alerts = xdr.get_alerts(sources=['endpoint'], severity='high')
network_flows = xdr.get_flows(source_ip_subnet='10.0.0.0/8',
time_range='last_1h')
for alert in endpoint_alerts:
matching_flows = [
flow for flow in network_flows
if flow.dest_ip == alert.external_ip
and abs(flow.timestamp - alert.timestamp).seconds < 300
]
if matching_flows:
alert.add_evidence(matching_flows)
alert.escalate_severity('critical')
Detection Techniques
Behavioral Detection
Monitors sequences of actions rather than static indicators. Detects ransomware by observing mass file encryption patterns.
# Behavioral detection rule
detection_rules:
- name: "Ransomware Behavior"
conditions:
- process.file_operations.count > 100
- process.file_operations.extension_changes > 50
- process.file_operations.avg_write_size_bytes > 500000
- duration_seconds < 60
severity: critical
response: isolate_host
ML-Based Detection
Machine learning models analyze features extracted from endpoint telemetry to classify benign and malicious behavior. Models must be trained on diverse datasets and continuously updated to avoid concept drift.
Response Automation
SOAR (Security Orchestration, Automation, and Response) platforms automate response actions based on detection triggers.
# Automated response playbook
playbook:
name: "Host Isolation and Investigation"
trigger: severity == critical AND threat_type == ransomware
steps:
- action: isolate_host
target: alert.host_id
network_scope: full
- action: capture_memory
target: alert.host_id
- action: collect_process_tree
target: alert.process.id
- action: enrich_iocs
targets: [alert.file_hash, alert.dest_ip]
feeds: [virustotal, abuseipdb]
- action: create_ticket
system: jira
priority: P1
assignee_group: "SOC Tier 3"
Conclusion
Modern endpoint protection demands more than antivirus. EDR provides deep visibility into endpoint activity, while XDR extends correlation across the entire security stack. Automated response reduces dwell time, but requires careful tuning to avoid disrupting legitimate operations.