A security analyst is investigating alerts indicating that several workstations are exhibiting behavior consistent with a malware infection, including unusual process creation and network connections to suspicious domains. The analyst needs to remotely investigate these systems to understand the scope of the attack and isolate them from the network to prevent lateral movement. Which of the following tools is specifically designed to provide this level of endpoint visibility and response capability?
A Security Information and Event Management (SIEM) platform
An Endpoint Detection and Response (EDR) solution is the correct choice because it is specifically designed to provide deep visibility into endpoint activities (like process creation and network connections), detect malicious behavior, and enable response actions such as isolating a compromised system. A Security Information and Event Management (SIEM) platform aggregates and analyzes logs from various sources but lacks the direct endpoint investigation and containment capabilities of an EDR. A Data Loss Prevention (DLP) system is focused on preventing the exfiltration of sensitive data, not investigating malware activity. A patch management server is used for deploying software updates, which is a preventative measure, not a response tool.