Domain 4: Security Operations Module 33 of 61

Endpoint Detection, Response, and DLP

Security+ Domain 4 — Security Operations B — Monitoring and Defense 14–18 minutes

What the Exam Is Really Testing

Endpoint security has changed more in the last decade than in the previous thirty years combined. Traditional antivirus — the kind that matches files against a signature database — cannot stop fileless malware running in memory, cannot detect a legitimate PowerShell process being abused for lateral movement, and cannot correlate what is happening on one endpoint with events on another.

Modern threats bypass traditional antivirus. Endpoint security has evolved from signature matching to behavioral analysis, automated response, and cross-platform correlation.

The exam tests whether you understand that evolution: the differences between EDR, XDR, and MDR, how DLP prevents data from leaving the organization, and when NAC is the right control to enforce device compliance.


The Evolution of Endpoint Security

Traditional Antivirus/Anti-Malware

Traditional antivirus uses signature databases to identify known malware. When a file matches a known malicious signature, it is quarantined or deleted.

Limitations:

  • Cannot detect zero-day malware (no signature exists yet)
  • Polymorphic malware changes its signature with each infection
  • Fileless malware operates in memory and leaves no files to scan
  • Relies on regular signature updates to remain effective

Antivirus is still part of a layered defense, but it is no longer sufficient on its own.

EDR (Endpoint Detection and Response)

EDR goes far beyond signature matching. It continuously monitors endpoint activity and uses behavioral analysis to detect threats that antivirus misses.

EDR capabilities include:

  • Continuous monitoring — Records process execution, file changes, registry modifications, network connections, and user actions
  • Behavioral analysis — Identifies suspicious patterns (a Word document spawning PowerShell, a process injecting code into another process)
  • Threat hunting — Allows analysts to search across endpoints for indicators of compromise
  • Automated response — Can isolate an endpoint, kill a process, or quarantine a file automatically
  • Forensic data — Provides a detailed timeline of what happened on an endpoint during an incident
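
The behavioral rules above, as an added example that is not part of the course material: two of the patterns the list names (an Office application spawning a script host, and one process injecting into another) applied to constructed Sysmon-style process telemetry. Host names, event layout and command lines are assumptions made for illustration.

```python
"""Behavioral detection over constructed process telemetry.
Added example, not from the course material: two of the EDR behavioral rules
the section names (an Office application spawning a script host, and code
injection into another process) applied to Sysmon-style events. The event
layout, host names and command lines are constructed for illustration."""
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
INJECTION_TARGETS = {"lsass.exe", "winlogon.exe", "explorer.exe"}
EVASION_SWITCHES = ("-enc", "-w hidden", "-nop")   # PowerShell switches admins rarely type
# Constructed telemetry: type 1 = process creation, type 8 = remote thread creation.
EVENTS = [
    {"type": 1, "host": "WS-042", "image": "winword.exe", "parent": "explorer.exe",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"type": 1, "host": "WS-042", "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <constructed-blob>"},
    {"type": 1, "host": "WS-017", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe Get-Service"},        # admin at a console: benign
    {"type": 8, "host": "WS-042", "source": "powershell.exe", "target": "lsass.exe"},
]

def detect(events):
    """Return one alert per suspicious event: (host, rule, severity, detail)."""
    alerts = []
    for e in events:
        if e["type"] == 1:
            parent, image = e["parent"].lower(), e["image"].lower()
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                cmd = e["cmdline"].lower()
                # The parent/child pair alone is medium; evasion switches on the child make it high.
                severity = "high" if any(s in cmd for s in EVASION_SWITCHES) else "medium"
                alerts.append((e["host"], "office-spawns-script-host", severity,
                               f"{parent} -> {image}"))
        elif e["type"] == 8:
            source, target = e["source"].lower(), e["target"].lower()
            if target in INJECTION_TARGETS or source in SCRIPT_HOSTS:
                alerts.append((e["host"], "cross-process-injection", "high",
                               f"{source} -> {target}"))
    return alerts

def timeline(alerts):
    """Group alerts per host: the per-endpoint view an analyst pivots into."""
    hosts = {}
    for host, rule, severity, detail in alerts:
        hosts.setdefault(host, []).append(f"[{severity}] {rule}: {detail}")
    return hosts

if __name__ == "__main__":
    for host, lines in timeline(detect(EVENTS)).items():
        print(host, *lines, sep="\n  ")
```

The benign PowerShell launched from explorer.exe on WS-017 produces no alert, which is the point of keying on the parent process rather than on PowerShell itself.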

XDR (Extended Detection and Response)

XDR extends EDR by correlating data across multiple security layers — not just endpoints, but also network, email, cloud, and identity sources.

  • Provides a unified view across the entire attack surface
  • Correlates a phishing email, the malicious download it led to, and the lateral movement that followed on the network into a single chain of events
  • Reduces alert fatigue by connecting related events into a single incident
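
The correlation described above, as an added example that is not part of the course material: alerts from the email gateway, EDR, network sensor and identity provider are linked whenever they share a user or a host within a time window, so the phishing-to-lateral-movement chain surfaces as one incident instead of four alerts. The alert records, user and host names are constructed.

```python
"""Cross-source alert correlation into incidents.
Added example, not from the course material: alerts that share a user or host
within a time window are joined (union-find) into one incident. Alert records,
user names and host names are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

ALERTS = [
    {"src": "email", "ts": "2024-05-01T09:00:00", "user": "jdoe", "host": None, "desc": "phishing mail delivered"},
    {"src": "edr", "ts": "2024-05-01T09:04:00", "user": "jdoe", "host": "WS-042", "desc": "outlook.exe spawned powershell.exe"},
    {"src": "network", "ts": "2024-05-01T09:10:00", "user": None, "host": "WS-042", "desc": "SMB sessions to 12 hosts"},
    {"src": "identity", "ts": "2024-05-01T09:12:00", "user": "jdoe", "host": "FS-01", "desc": "admin logon"},
    {"src": "edr", "ts": "2024-05-02T14:00:00", "user": "asmith", "host": "WS-099", "desc": "unsigned driver load"},
]

def correlate(alerts, window=timedelta(hours=2)):
    """Return incidents as lists of alert indices, each ordered by time."""
    parent = list(range(len(alerts)))          # union-find over alert indices
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    when = [datetime.fromisoformat(a["ts"]) for a in alerts]
    by_entity = defaultdict(list)              # ("user", "jdoe") -> [alert indices]
    for i, a in enumerate(alerts):
        for key in ("user", "host"):
            if a.get(key):
                by_entity[(key, a[key])].append(i)
    for members in by_entity.values():
        members.sort(key=lambda i: when[i])
        for prev, cur in zip(members, members[1:]):
            if when[cur] - when[prev] <= window:   # same entity, close in time: link them
                parent[find(prev)] = find(cur)
    groups = defaultdict(list)
    for i in range(len(alerts)):
        groups[find(i)].append(i)
    incidents = [sorted(g, key=lambda i: when[i]) for g in groups.values()]
    return sorted(incidents, key=lambda g: when[g[0]])

def summarize(alerts, incident):
    """One line per incident: the sources involved and the entities they share."""
    sources = sorted({alerts[i]["src"] for i in incident})
    entities = sorted({alerts[i][k] for i in incident for k in ("user", "host") if alerts[i][k]})
    return f"{len(incident)} alert(s) from {', '.join(sources)} on {', '.join(entities)}"

if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(summarize(ALERTS, inc))
```

The network alert carries no user and the email alert carries no host, yet both land in the same incident because the EDR alert shares an entity with each of them.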

MDR (Managed Detection and Response)

MDR is a service, not a product. A third-party security team operates EDR/XDR tools on your behalf, providing:

  • 24/7 monitoring and threat hunting by experienced analysts
  • Incident investigation and response guidance
  • Security coverage for organizations that lack in-house SOC capabilities

For the exam: EDR is the technology on endpoints. XDR extends that across all data sources. MDR is the outsourced service that operates these tools.


Host-Based Security Controls

Host-Based Firewall

A software firewall running on the endpoint itself. Controls inbound and outbound traffic per application and port. Provides protection even when the device is outside the corporate network.

HIDS (Host-Based Intrusion Detection System)

Monitors activity on a single host: file integrity changes, log anomalies, suspicious process behavior. Alerts on potential intrusions but does not block them.

HIDS is particularly valuable for detecting insider threats and configuration tampering on critical servers.


Data Loss Prevention (DLP)

DLP systems prevent sensitive data from leaving the organization through unauthorized channels. DLP operates at three enforcement points:

Network DLP

Monitors data in transit across the network. Inspects email, web uploads, file transfers, and other network communications for sensitive content.

  • Blocks emails containing credit card numbers to external addresses
  • Prevents upload of classified documents to personal cloud storage
  • Scans HTTPS traffic (when combined with SSL inspection)

Endpoint DLP

Monitors data in use on endpoints. Controls what users can do with sensitive data on their workstations.

  • Blocks copying sensitive files to USB drives
  • Prevents screenshots of confidential applications
  • Monitors clipboard operations (copy/paste of sensitive data)
  • Controls printing of classified documents

Cloud DLP

Monitors data at rest and in transit within cloud services. Scans cloud storage, SaaS applications, and cloud email for policy violations.

  • Identifies sensitive data stored in unapproved cloud locations
  • Enforces classification and handling policies in cloud environments
  • Integrates with CASB (Cloud Access Security Broker) for visibility
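
The content inspection that underlies all three enforcement points, as an added example that is not part of the course material: a classifier for card numbers and Social Security numbers, combined with a network DLP decision for outbound email (the same classifier would sit behind the endpoint DLP USB check in the scenario questions). A card number only counts when it passes the Luhn check, which drops most order and tracking numbers that look like one. The mail domain, messages and sample numbers are constructed.

```python
"""Content inspection with an exfiltration-channel policy.
Added example, not from the course material: the classifier a network or
endpoint DLP engine applies to outbound content, plus the email decision.
The internal mail domain, messages and sample numbers are constructed."""
import re

INTERNAL_DOMAINS = {"corp.example"}          # assumption: the organization's own domain
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Return the sensitive values found, keyed by data type."""
    pans = [m for m in PAN_RE.findall(text) if luhn_ok(re.sub(r"\D", "", m))]
    return {"pan": pans, "ssn": SSN_RE.findall(text)}

def evaluate(sender: str, recipients: list, body: str) -> tuple:
    """Network DLP decision for one outbound email: block, log, or allow."""
    findings = classify(body)
    hits = any(findings.values())
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if hits and external:
        return "block", findings          # sensitive data to an outside address
    if hits:
        return "allow-and-log", findings  # internal handling: deliver, keep an audit record
    return "allow", findings

# Constructed messages: a Luhn-valid test PAN, an SSN, and a Luhn-invalid lookalike.
SAMPLES = [
    ("alice@corp.example", ["vendor@mail.example"], "Card on file: 4111 1111 1111 1111"),
    ("hr@corp.example", ["payroll@corp.example"], "New hire SSN 123-45-6789"),
    ("ops@corp.example", ["carrier@mail.example"], "Tracking 1234 5678 9012 3456"),
]

if __name__ == "__main__":
    for sender, to, body in SAMPLES:
        print(evaluate(sender, to, body)[0], "<-", body)
```

The third message shows why pattern matching alone is not enough: sixteen digits that fail the Luhn check are treated as a tracking number, not a card, so the carrier email is delivered.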

Network Access Control (NAC)

NAC ensures that only authorized, compliant devices can access the network. Before granting access, NAC verifies:

  • Device identity and authentication
  • Antivirus is installed and up to date
  • OS patches are current
  • Host-based firewall is enabled
  • Device meets organizational security policy

802.1X (Port-Based NAC)

Uses the 802.1X framework (supplicant, authenticator, authentication server) to control access at the network switch or wireless access point level. Non-compliant devices are placed in a quarantine VLAN or denied access entirely.

Agent-Based vs. Agentless NAC

  • Agent-based — Requires software installed on the endpoint. Provides deeper visibility into device health and compliance. Best for managed corporate devices.
  • Agentless — Assesses devices without installing software, typically through network scanning or browser-based checks. Better for BYOD and guest devices where installing agents is impractical.

Additional Endpoint Controls

DNS Filtering

Blocks DNS resolution for known malicious domains. If a user clicks a phishing link or malware tries to contact a command-and-control server, the DNS query is blocked before any connection is established.

Email Security Gateways

Filter inbound email for spam, phishing, malware attachments, and malicious URLs. Outbound filtering prevents data exfiltration via email. Technologies include:

  • SPF, DKIM, and DMARC for sender verification
  • Sandboxing for suspicious attachments
  • URL rewriting and time-of-click analysis
  • Content inspection for sensitive data (DLP integration)

Pattern Recognition

When you see endpoint security questions, look for these patterns:

  • Advanced threat that bypasses antivirus = EDR with behavioral analysis
  • Need visibility across endpoints, network, and cloud = XDR
  • No in-house security team = MDR (managed service)
  • Sensitive data leaving via USB or email = DLP (endpoint or network)
  • Unmanaged device connecting to network = NAC
  • Blocking known malicious domains = DNS filtering

Trap Patterns

Watch for these distractors:

  • "Update antivirus signatures" — Does not address fileless or zero-day threats. EDR is the modern answer.
  • "Deploy a firewall" — Network firewalls do not prevent data from being copied to USB drives. That requires endpoint DLP.
  • "Block all USB ports" — Overly restrictive. DLP can selectively control what data is transferred, not blanket-block all USB use.
  • "XDR replaces SIEM" — XDR and SIEM serve complementary functions. XDR focuses on detection and response; SIEM on log management and compliance.

Scenario Practice


Question 1

A company's antivirus solution fails to detect a fileless malware attack that uses PowerShell to execute entirely in memory.

What technology should be deployed to address this gap?

A. Updated antivirus with more frequent signature downloads
B. Endpoint Detection and Response (EDR) with behavioral analysis
C. A network-based intrusion prevention system
D. Full disk encryption on all endpoints

Answer & reasoning

Correct: B

EDR monitors endpoint behavior continuously and can detect suspicious activity like PowerShell execution patterns, process injection, and memory-only operations — threats that leave no file for signature-based antivirus to scan.

More frequent signature updates still cannot detect fileless attacks. Network IPS does not see endpoint-level process behavior. Encryption protects data at rest, not running processes.


Question 2

An employee attempts to copy a spreadsheet containing customer Social Security numbers to a personal USB drive. The transfer is automatically blocked.

What technology prevented this data transfer?

A. Host-based firewall
B. Network DLP
C. Endpoint DLP
D. NAC with 802.1X

Answer & reasoning

Correct: C

Endpoint DLP monitors data in use on the local machine and can block transfers of sensitive data to removable media, including USB drives. It inspects the content being transferred and enforces policy on the endpoint itself.

Network DLP monitors network traffic, not local USB transfers. Host-based firewalls control network connections, not USB. NAC controls network access, not data transfers.


Question 3

A visitor connects a personal laptop to the corporate network. The device is not managed by the company and has no antivirus or current patches.

What should prevent this device from accessing sensitive resources?

A. Endpoint DLP
B. Network Access Control (NAC)
C. Web Application Firewall
D. DNS filtering

Answer & reasoning

Correct: B

NAC evaluates device health and compliance before granting network access. An unmanaged device without antivirus or patches would fail the health check and be placed in a quarantine VLAN or denied access to sensitive resources.

DLP controls data movement, not network access. WAF protects web applications. DNS filtering blocks malicious domains, not non-compliant devices.


Key Takeaway

Here is the exam-day filter for endpoint questions:

  • Is the threat a known malware signature or an unknown behavior? (antivirus vs. EDR)
  • Is the concern about what is getting in or what is getting out? (EDR vs. DLP)
  • Is the issue the device itself or the data on it? (NAC vs. DLP)
  • Does the organization manage the device, or is it BYOD? (agent-based vs. agentless NAC)

Each of these controls solves a different problem. Antivirus catches known threats. EDR catches behaviors. DLP catches data. NAC catches devices. None replaces the others — layer them together.
