Safeguards
Antivirus and EDR
What is EDR?
EDR (endpoint detection and response) is protective software for workstations and servers that spots suspicious sequences of activity, raises an alert and can isolate the affected device from the network. Traditional antivirus recognises malware by known signatures, and EDR adds observation of how programs behave.
Attacks frequently proceed without any conspicuous malicious file. Attackers use tools already present on every Windows machine, such as the command line, or remote maintenance programs of the kind your own IT provider uses. Detection that compares files against known signatures sees little of this. EDR watches the sequence of events instead: a Word document launches a script, the script downloads something from the internet, and moments later files on the network drive are being rewritten one after another. That chain triggers the alert.
The R in EDR stands for response. The software can terminate the suspicious process, take the device off the network so that it can no longer reach the other machines, and preserve the sequence for later analysis. This response helps only if somebody notices the alert. An alarm at three in the morning in a company without an IT department goes nowhere. That is why EDR is best run as a managed service, with a provider watching the alerts and acting when it matters.
For a small or medium business this yields a short list of requirements. Current protection runs on every device, including the servers and the machines in the workshop. There is one central overview showing which device has failed to report in for weeks. Alerts arrive at a single place for which responsibility and availability have been agreed. Protective software whose messages nobody reads prevents very little.
No endpoint protection catches every attack. The foundations therefore remain in place: tested backups, a second factor at login, separated network zones and staff who report a suspicious email. What EDR does is shorten the time between the start of an attack and its discovery, and that time decides whether a single workstation is affected or the entire server room.
The first sensible step is a comparison. Place your list of devices next to the device list in the management console of your protection software. Any device missing there is unobserved. The IT-Check records which systems are protected, where the alerts go and who reads them.
All terms in the knowledge base
Note: This entry reflects the state of knowledge to the best of our understanding and serves as general orientation. It is not legal advice. What counts is always the version currently in force at the responsible body, for example dsb.gv.at, nis.gv.at or enisa.europa.eu.
From the term to practice
Where does your business actually stand?
The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.