What are the three layers of endpoint defense in depth, and what does each layer address?
Edge security — firewalls, IPS, and perimeter controls filter threats before they reach the internal network. Access controls — NAC posture assessment validates device health before granting network access; failing devices go to a quarantine VLAN. Endpoint hardening — host-based firewall, antivirus, EDR, patch management, and encryption protect the individual device after it joins the network. No single layer is sufficient; all three must operate together because attackers exploit gaps between them.
What is a persistent NAC agent, and what type of device is it best suited for?
A persistent agent is permanently installed software on a managed endpoint. It remains on the device between sessions, receives ongoing policy updates from the NAC server, and performs continuous compliance monitoring. Best suited for corporate-managed laptops and desktops where the organization controls software installation. Unlike dissolvable agents, it can perform ongoing assessments, not just a one-time login check. Provides the richest health data because it runs continuously and can monitor real-time security status.
What is a dissolvable NAC agent, how does it work, and when should it be used?
A dissolvable agent is downloaded and executed at login time without requiring installation. It performs the posture assessment once, and then self-terminates when the session ends, leaving no persistent software on the device. Used for BYOD, guest networks, and contractor devices where installing permanent software is not permitted. The key distinguishing feature is that it leaves nothing behind after the session — the device returns to its original state. Trade-off: assessment is point-in-time rather than continuous.
What is agentless NAC, how does it assess devices, and what is its primary limitation?
Agentless NAC requires no software on the endpoint. Instead, it integrates with Active Directory and evaluates device health at login and logoff using AD-visible attributes such as domain membership, account status, and group policy compliance. Primary limitation: it cannot inspect running processes, installed software versions, or real-time security status because no agent executes on the endpoint. Best used when agent deployment is impractical and the assessment only needs to verify domain membership and basic account attributes. Cannot assess non-domain devices.
What are five common checks performed by endpoint posture assessment, and what happens when a device fails?
Common posture checks: (1) OS patch level — is the OS at the required patch version? (2) Antivirus status — installed, enabled, and signature database current? (3) Host-based firewall — active and properly configured? (4) Disk encryption — enabled where required? (5) Machine certificate — valid certificate present? A device that fails is redirected to a quarantine VLAN with access only to a remediation server. After self-remediation, the device re-requests assessment to regain normal access.
How does EDR differ from traditional signature-based antivirus in its detection approach?
Traditional AV uses signature matching: it compares files against a database of known malicious hashes. It fails against new malware (no signature yet), fileless attacks (no file to scan), and polymorphic code (signature changes each execution). EDR uses behavioral analysis: it monitors what processes do — what files they access, what network connections they make, what registry keys they modify, what child processes they spawn. Malicious behavior produces detectable patterns even if the binary has never been seen before. EDR detects zero-days; AV cannot.
What role does machine learning play in EDR, and what attack type does it specifically enable detection of?
EDR machine learning models are trained on millions of attack samples, learning to recognize behavioral patterns associated with malicious activity. ML enables detection of zero-day attacks — attacks using previously unseen malware with no existing signature. When a new process exhibits behavior patterns similar to known malware (e.g., process injection techniques, C2 communication patterns, unusual registry modifications), the ML model assigns a high malicious probability and triggers an alert even without a specific signature match. ML also reduces false positives by weighting behavioral context, not just single suspicious actions.
What is EDR root cause analysis, and why is it more valuable than just knowing which file was malicious?
Root cause analysis in EDR reconstructs the full attack chain: which process started first, what it executed, what changes it made to the file system and registry, what network connections it established, and what data it accessed. This is more valuable than identifying the malicious file alone because it answers: How did the attacker get in? What did they do? What is the full scope of compromise? What other systems might be affected? Without root cause analysis, responders may clean the obvious malware but miss persistence mechanisms, exfiltrated data, or compromised credentials that allow the attacker to return.
What are the three EDR automated response capabilities, and what does each one do?
Automated isolation — quarantines the compromised endpoint from the network at the OS level, preventing lateral movement. The EDR management channel remains active even when the device is isolated from the rest of the network. Automated quarantine — moves malicious files to a protected container inaccessible to users or processes, preserving them for forensic analysis rather than deleting them. Automated rollback — uses Windows VSS snapshots (or equivalent) to restore files to their pre-attack state, reversing ransomware encryption or other destructive changes without manual intervention.
What is XDR, how does it differ from EDR, and what specific attack type does it detect that EDR alone cannot?
XDR (Extended Detection and Response) aggregates telemetry from endpoints, network sensors, cloud workloads, and identity providers into a unified detection and response platform. EDR has visibility only into the endpoint where its agent is installed. XDR detects multi-stage, cross-domain attacks that span multiple security layers — for example, a phishing email that delivers malware to an endpoint (email data), which then performs lateral movement (network data), and finally exfiltrates data to a cloud service (cloud data). Each event is invisible to any single tool but the cross-domain correlation in XDR reveals the complete attack chain.
What are three operational benefits XDR provides over running separate EDR, network, and cloud security tools independently?
(1) Reduced false positives — correlating context from multiple domains means a suspicious event in one domain can be validated or dismissed based on concurrent activity in other domains, reducing noise. (2) Shorter investigation time — analysts no longer need to pivot between separate SIEM, EDR, network, and cloud tools to reconstruct an attack; XDR presents the unified story automatically. (3) Cross-domain automated response — XDR can simultaneously isolate the endpoint, block the IP at the firewall, disable the compromised account in the identity provider, and revoke cloud access — all from a single platform with a single response action.
What is User Behavior Analytics (UBA), what is its baseline, and what threat type is it specifically designed to catch?
UBA establishes a behavioral baseline for each user and account: which systems they log into, what hours they work, what data they access, what applications they use, and how they move through the network. It then continuously compares current behavior against this baseline and flags statistically significant anomalies (impossible travel, accessing 10x normal file volume, logging in at 3 AM, service accounts generating interactive logins). UBA is specifically designed for insider threats and credential theft — both scenarios involve legitimate credentials performing illegitimate actions that do not trigger traditional signature-based rules. The deviation from behavioral norm is the signal.