Endpoint Security: EDR, EPP and holistic device protection
Endpoint security protects all endpoints—laptops, servers, and mobile devices. From traditional antivirus to EDR and XDR: technologies, detection methods, hardening measures, and choosing the right solution.
Endpoints—laptops, workstations, servers, mobile devices, and virtual machines—are the primary target for cybercriminals. 80% of all security incidents begin at an endpoint. Endpoint security is therefore not an optional feature, but the foundation of any security architecture.
From Antivirus to EDR: The Evolution
Generation 1: Signature-Based Antivirus (1990s–2010s)
Traditional antivirus compares files against a database of known malware signatures. It works well for known malware—but fails completely against:
- Zero-day exploits (no signature available)
- Polymorphic and metamorphic malware (changes signature)
- Fileless malware (no file on the hard drive)
- Living-off-the-land techniques (legitimate system tools abused)
Status: Necessary as a foundation, but far from sufficient.
Generation 2: Endpoint Protection Platform (EPP)
EPP combines multiple detection methods:
- Signature-based detection
- Behavior-based heuristics (suspicious activity patterns)
- Machine learning models
- URL/reputation filters
- Application whitelisting
EPP is reactive: It attempts to block malware upon entry.
Generation 3: Endpoint Detection and Response (EDR)
EDR goes a step further—it combines prevention with detection and response:
Continuous monitoring: EDR records all activity on every endpoint: processes, network connections, file operations, registry changes, memory accesses. This telemetry stream flows into a central cloud platform.
Threat detection: Behavior-based detection based on MITRE ATT&CK techniques. An EDR does not recognize "this is known malware"—but rather "this behavior corresponds to technique T1003 (Credential Dumping)."
Forensics and Investigation: After an alert, the analyst gets the complete process tree: what the process did, which connections it established, which files it wrote. In minutes instead of hours.
Automated Response:
- Automatically terminate the process
- Isolate the host (disconnect from the network but maintain management connectivity)
- Quarantine the file
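The telemetry-to-alert-to-response loop described above, as an added example that is not code from any EDR product: a constructed event stream from one host is turned into ATT&CK-tagged alerts (T1059.001 for an Office application spawning PowerShell, T1003.001 for LSASS memory access) and a response decision. The event schema and rule thresholds are assumptions for the example.

```python
"""Behavior-based detection over EDR process telemetry (added example, not vendor code):
raw sensor events -> ATT&CK-tagged alerts -> response decision. Telemetry is constructed."""
from collections import defaultdict
EVENTS = [  # constructed sensor events from one host; schema is an assumption
    {"ts": 100, "type": "process", "pid": 41, "ppid": 1, "image": "explorer.exe"},
    {"ts": 101, "type": "process", "pid": 52, "ppid": 41, "image": "winword.exe"},
    {"ts": 102, "type": "process", "pid": 63, "ppid": 52, "image": "powershell.exe"},
    {"ts": 103, "type": "netconn", "pid": 63, "dst": "203.0.113.7:443"},
    {"ts": 104, "type": "procaccess", "pid": 63, "target": "lsass.exe"},
    {"ts": 110, "type": "process", "pid": 77, "ppid": 41, "image": "powershell.exe"},
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def lineage(procs, pid):  # process chain, child first: powershell <- winword <- explorer
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain

def detect(events):
    """Two behavioural rules over the process tree; one alert per matching rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    conns, lsass_readers = defaultdict(list), set()
    for e in events:
        if e["type"] == "netconn":
            conns[e["pid"]].append(e["dst"])
        elif e["type"] == "procaccess" and e["target"] == "lsass.exe":
            lsass_readers.add(e["pid"])
    alerts = []
    for pid in procs:
        chain = lineage(procs, pid)
        # Rule 1: Office app spawning a script host (T1059.001); higher severity with outbound traffic.
        if chain[0] in SCRIPT_HOSTS and len(chain) > 1 and chain[1] in OFFICE:
            alerts.append({"pid": pid, "technique": "T1059.001", "chain": " <- ".join(chain),
                           "severity": "high" if conns[pid] else "medium"})
        # Rule 2: a process reading LSASS memory, i.e. credential dumping (T1003.001).
        if pid in lsass_readers:
            alerts.append({"pid": pid, "technique": "T1003.001", "chain": " <- ".join(chain),
                           "severity": "critical"})
    return alerts

def respond(alerts):
    """Automated response: isolate the host on critical, otherwise kill the process."""
    if any(a["severity"] == "critical" for a in alerts):
        return "isolate_host"
    return "kill_process" if alerts else "none"
```

The PowerShell started directly from explorer.exe (pid 77) produces no alert: the detection keys on the parent-child relationship, not on the binary name.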
Market Leaders (Gartner Magic Quadrant 2024): CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Palo Alto Cortex XDR, Sophos Intercept X, Trend Micro Vision One.
Generation 4: XDR (Extended Detection and Response)
XDR extends EDR with additional telemetry sources:
- Endpoint (EDR)
- Network (NDR)
- Cloud workloads
- Identities (Active Directory, Entra ID)
Correlation across all sources enables: "Phishing email received → User clicks link → Browser launches PowerShell → PowerShell connects to C2 → Lateral movement to DC" – recognized as a coherent attack path, not as 5 separate alerts.
Endpoint Hardening
Hardening reduces the attack surface before malware even becomes active.
Windows Hardening (Essential Measures)
PowerShell Restrictions:
```powershell
# Execution policy: only signed scripts run. Not a security boundary; Constrained
# Language Mode is enforced through a WDAC or AppLocker policy, not this setting.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine
# Script Block Logging (for forensic analysis). Via GPO: Computer Configuration →
# Administrative Templates → Windows Components → Windows PowerShell, or by policy registry value:
$k = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $k -Force | Out-Null
Set-ItemProperty -Path $k -Name EnableScriptBlockLogging -Value 1 -Type DWord
```
Windows Defender Application Control (WDAC): Only signed and approved applications are allowed to run—application whitelisting at the kernel level. Prevents the execution of unauthorized binary files.
Credential Guard: Protects LSASS (Local Security Authority Subsystem) from credential dump attacks (Mimikatz). Stores credentials in an isolated Hyper-V environment.
```powershell
# Check Credential Guard status: msinfo32 → System Summary → Virtualization-based security,
# or query the DeviceGuard CIM class (SecurityServicesRunning contains 1 when Credential Guard runs)
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object SecurityServicesConfigured, SecurityServicesRunning
```
Windows Defender Exploit Guard:
- Attack Surface Reduction (ASR) Rules: Blocks common attack techniques (Office macros, script execution from Temp folders)
- Controlled Folder Access: Prevents ransomware encryption (only authorized apps can write to files)
- Network Protection: Blocks outbound connections to known malicious domains
LAPS (Local Administrator Password Solution): Every Windows computer is assigned a unique, rotating local admin password. Prevents pass-the-hash lateral movement (a compromised machine does not provide a password valid on 500 other machines).
UAC (User Account Control): Standard user privileges instead of admin rights for everyday use. Elevated privileges only upon explicit confirmation—prevents malware from automatically running with admin rights.
macOS Hardening
- Gatekeeper: Only signed and notarized applications
- System Integrity Protection (SIP): Protects critical system paths from tampering
- FileVault: Full-disk encryption (similar to BitLocker)
- Mobile Device Management (MDM): Enterprise management via Apple Business Manager
Mobile Endpoints (iOS/Android)
Mobile Device Management (MDM): Corporate policies for mobile devices: password requirements, app whitelist, remote wipe.
Mobile Application Management (MAM): Separation of personal and corporate apps/data on BYOD (Bring Your Own Device) devices.
Conditional Access: Only managed and compliant devices are granted access to corporate resources (Microsoft Intune, Jamf, VMware Workspace ONE).
Patch Management - A Critical Foundation
Unpatched systems are the most common attack vector. WannaCry (2017) exploited a two-month-old Windows vulnerability for which a patch existed—but had not been applied.
Patch SLAs as Best Practice:
| CVSS Score | Severity | Patch Deadline |
|---|---|---|
| 9.0–10.0 | Critical | 24–48 hours |
| 7.0–8.9 | High | 7 days |
| 4.0–6.9 | Medium | 30 days |
| 0–3.9 | Low | 90 days |
Automation: Microsoft WSUS/Intune, Red Hat Satellite, Ansible, Puppet for automated patch deployment.
EDR and SIEM: Interaction
EDR provides high-quality endpoint telemetry. In the SIEM, this is correlated with other sources (network, DNS, AD logs, cloud):
EDR Alert: Suspicious PowerShell Command
+
Active Directory: New domain admin created (unusual time)
+
Firewall: Outbound connection to known C2 IP
=
SIEM correlation: Active compromise incident → SOC Alert P1
Without SIEM correlation: 3 separate alerts that may be overlooked. With SIEM: A prioritized P1 alert with full context.
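The correlation sketched above (and the XDR attack path earlier in the article), as an added example that is not a product's rule language: three individually weak signals from EDR, Active Directory and the firewall become one P1 incident when they involve the same user within a 30-minute window; otherwise each stays a separate low-priority alert. The log format, field names and the window size are assumptions, and the log lines are constructed.

```python
"""Cross-source SIEM correlation (added example, not a product's rule language): three
weak signals from EDR, Active Directory and the firewall become one P1 incident when they
share a user inside a 30-minute window. The log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGS = [  # constructed, already normalized into key=value fields (format is an assumption)
    "2024-05-03T02:10:00Z edr host=WS042 user=jdoe alert=suspicious_powershell",
    "2024-05-03T02:18:30Z ad host=DC01 user=jdoe action=group_add group=DomainAdmins",
    "2024-05-03T02:21:05Z fw host=WS042 user=jdoe dst=198.51.100.23 list=known_c2",
    "2024-05-03T09:00:00Z edr host=WS007 user=asmith alert=suspicious_powershell",
]
WINDOW = timedelta(minutes=30)
OFF_HOURS = range(0, 6)  # 00:00-05:59 counts as an unusual time for admin changes

def parse(line):
    ts, src, rest = line.split(" ", 2)
    fields = dict(f.split("=", 1) for f in rest.split())
    fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src=src)
    return fields

def is_signal(e):
    """Each source contributes one weak signal on its own; AD only at an unusual hour."""
    if e["src"] == "edr":
        return e.get("alert") == "suspicious_powershell"
    if e["src"] == "ad":
        return e.get("group") == "DomainAdmins" and e["ts"].hour in OFF_HOURS
    if e["src"] == "fw":
        return e.get("list") == "known_c2"
    return False

def correlate(lines):
    """All three sources for one user within WINDOW -> single P1; otherwise separate P3 alerts."""
    by_user = defaultdict(list)
    for e in map(parse, lines):
        if is_signal(e):
            by_user[e["user"]].append(e)
    incidents = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        sources = {e["src"] for e in evs}
        if sources >= {"edr", "ad", "fw"} and evs[-1]["ts"] - evs[0]["ts"] <= WINDOW:
            incidents.append({"user": user, "priority": "P1", "sources": sorted(sources),
                              "hosts": sorted({e["host"] for e in evs})})
        else:  # no correlated chain: each signal stays an individual low-priority alert
            incidents.extend({"user": user, "priority": "P3", "sources": [e["src"]],
                              "hosts": [e["host"]]} for e in evs)
    return incidents
```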
Endpoint Security for Remote Work
Working from home changes the threat model:
- Devices are not within the protected perimeter
- Private networks without an enterprise firewall
- Mixed use (personal and professional)
Recommendations:
- EDR on all corporate devices (including home office PCs)
- VPN or ZTNA for corporate traffic
- Conditional Access: Only compliant devices are granted access
- Endpoint DLP (Data Loss Prevention): Prevents uncontrolled data leakage to personal USB drives
- Mandatory disk encryption (BitLocker/FileVault)
Compliance Requirements
NIS2 Art. 21: "Detection of cybersecurity incidents" and "Protection of ICT systems" are explicit requirements—EDR is the technical implementation.
BSI IT-Grundschutz SYS.2.1: "General Client" contains detailed requirements for operating system hardening, antivirus protection, and patch management.
ISO 27001 A.8.7: "Protection against malware" as an explicit control.
PCI DSS 5.x: Anti-malware protection on all systems in the Cardholder Data Environment.
Endpoint as a Trust Anchor in Zero Trust
In Zero Trust architectures, the endpoint health status determines access:
User request to corporate app
↓
Conditional Access checks:
✓ User identity (MFA passed?)
✓ Device compliance (MDM enrolled, antivirus active, OS patched?)
✓ Device status (EDR: no active alerts?)
✓ Location/network (trusted network or known IP?)
↓
Access granted / denied / with additional MFA step
Only devices that pass all checks are granted access—regardless of network location.
Sources & References
- [1] Gartner Magic Quadrant for Endpoint Protection Platforms 2024 - Gartner
- [2] MITRE ATT&CK: Endpoint Techniques - MITRE Corporation
- [3] BSI: Empfehlungen für Endpoint-Sicherheit (Recommendations for Endpoint Security) - BSI
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the master's programme in Internet Security at the Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Best-selling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.
10 publications
- Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
- Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
- IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
- Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
- Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
- Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
- Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
- IT Security Zertifizierungen - CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
- Sicherheitsforum Online-Banking - Live Hacking (2021)
- Nipster im Netz und das Ende der Kreidezeit (2017)