If SIEM watches the whole network, EDR watches the individual devices — the laptops, servers, and workstations where attackers actually operate.
EDR stands for Endpoint Detection & Response.
It’s software installed on each device that monitors activity in real time and flags suspicious behavior.
Think of EDR like a body camera for every endpoint:
- It records what processes run
- It tracks what files change
- It watches for unusual behavior
- It alerts when something looks malicious
Unlike traditional antivirus, EDR doesn’t just look for known threats.
It looks for behaviors — the same behaviors documented in MITRE ATT&CK.
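To make the "known threats versus behaviors" distinction concrete, here is a small added example (not code from this post or from any EDR vendor) that runs both approaches over a handful of constructed process-creation events. The event fields, the hash list, the directory names and the two behavior rules are all assumptions chosen for illustration; a real agent reports far more fields and ships thousands of rules.

```python
"""Signature lookup versus behaviour rules on constructed endpoint telemetry.

Added example, not from the original post or any EDR product. Event format,
hash values, paths and rules are illustrative assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, as an endpoint agent might report it."""
    host: str
    parent_image: str   # image name of the process that started this one
    image_path: str     # full path of the new process's executable
    sha256: str         # hash of that executable (constructed values below)


# Signature approach: only a file whose hash is already on a bad list matches.
KNOWN_BAD_HASHES = {"f" * 56 + "deadbeef"}   # constructed placeholder hash

# Behaviour approach: relationships that stay suspicious however a file is
# renamed or recompiled. An Office application launching a script interpreter
# is the textbook ATT&CK chain of User Execution followed by
# Command and Scripting Interpreter, and nothing about it needs a hash.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")


def signature_match(event: ProcessEvent) -> bool:
    """Traditional antivirus logic: is this exact file already known bad?"""
    return event.sha256.lower() in KNOWN_BAD_HASHES


def behaviour_match(event: ProcessEvent) -> Optional[str]:
    """Return the name of the first behaviour rule the event trips, or None."""
    parent = event.parent_image.lower()
    image = PureWindowsPath(event.image_path).name.lower()
    path = event.image_path.lower()
    if parent in OFFICE_APPS and image in INTERPRETERS:
        return "office_app_spawned_interpreter"
    if any(d in path for d in USER_WRITABLE_DIRS):
        return "executable_launched_from_user_writable_dir"
    return None


def detect(events) -> list:
    """Run both approaches and return one alert per matching method."""
    alerts = []
    for ev in events:
        if signature_match(ev):
            alerts.append({"host": ev.host, "image": ev.image_path,
                           "method": "signature", "reason": "known_bad_hash"})
        rule = behaviour_match(ev)
        if rule:
            alerts.append({"host": ev.host, "image": ev.image_path,
                           "method": "behaviour", "reason": rule})
    return alerts


# Constructed sample telemetry: two benign events, one living-off-the-land
# chain (a signed, legitimate PowerShell started by Word), one file on the
# bad-hash list, and one unknown binary run out of a temp folder.
SAMPLE_EVENTS = [
    ProcessEvent("LAPTOP-01", "explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "1" * 64),
    ProcessEvent("LAPTOP-01", "WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "2" * 64),
    ProcessEvent("SRV-DB-02", "services.exe",
                 r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "3" * 64),
    ProcessEvent("LAPTOP-07", "explorer.exe",
                 r"C:\Program Files\Vendor\update.exe", "f" * 56 + "deadbeef"),
    ProcessEvent("LAPTOP-02", "explorer.exe",
                 r"C:\Users\jsmith\AppData\Local\Temp\invoice_viewer.exe", "5" * 64),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['host']:10} {alert['method']:10} {alert['reason']}")
```

Running it shows the gap the post describes: the hash list catches only the one file it already knows, while the behaviour rules flag the Word-to-PowerShell chain and the unknown temp-folder binary, neither of which any signature would have matched.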
Why this matters for insurance:
Most cyber incidents start on an endpoint. If the EDR isn’t deployed everywhere, isn’t configured correctly, or isn’t monitored, attackers can move freely without being seen.
When a company says they “have EDR,” the real question is:
“Is it installed on every device — and is anyone actually watching the alerts?”
And if you’re wondering how insurers can tell whether EDR is deployed and monitored effectively, that’s something we’ll cover in a future post.
The takeaway:
EDR is the frontline visibility tool.
It’s only as strong as its coverage, configuration, and monitoring.
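The three weaknesses named above (missing coverage, wrong configuration, nobody watching) can each be checked from data a company already has. The added example below (not from this post or any vendor) compares a constructed asset register against a constructed EDR console export and alert queue. The hostnames, policy names, timestamps and the seven-day and four-hour thresholds are assumptions; in practice the same fields come from the asset register and the EDR console's own export.

```python
"""Coverage, configuration and monitoring audit for an EDR deployment.

Added example, not from the original post or any EDR product. All inputs
below are constructed; thresholds are assumptions, not vendor defaults.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the results are reproducible.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# What the business believes it owns (constructed asset register).
INVENTORY = {"LAPTOP-01", "LAPTOP-02", "LAPTOP-07", "SRV-DB-02", "SRV-WEB-01"}

# What the EDR console reports: hostname -> (last agent check-in, policy applied).
AGENTS = {
    "LAPTOP-01": (NOW - timedelta(minutes=10), "prevent"),
    "LAPTOP-02": (NOW - timedelta(days=9), "prevent"),         # agent has gone quiet
    "SRV-DB-02": (NOW - timedelta(minutes=2), "detect-only"),  # alerts but never blocks
    "SRV-WEB-01": (NOW - timedelta(minutes=5), "prevent"),
    # LAPTOP-07 is in the inventory but has no agent at all
}

# Alert queue: (hostname, severity, raised at, acknowledged by an analyst?).
ALERTS = [
    ("SRV-DB-02", "high", NOW - timedelta(hours=30), False),
    ("LAPTOP-01", "medium", NOW - timedelta(hours=1), False),
    ("SRV-WEB-01", "high", NOW - timedelta(hours=6), True),
]


def audit(inventory, agents, alerts, now=NOW,
          stale_after=timedelta(days=7), ack_sla=timedelta(hours=4)) -> dict:
    """Answer 'is it on every device, and is anyone watching?' from raw data."""
    # Coverage: every inventoried host should have an agent that checked in recently.
    no_agent = sorted(inventory - agents.keys())
    stale_agent = sorted(h for h, (seen, _) in agents.items() if now - seen > stale_after)
    unknown_to_inventory = sorted(agents.keys() - inventory)   # devices nobody tracks
    healthy = [h for h in inventory
               if h in agents and now - agents[h][0] <= stale_after]
    # Configuration: an agent that only observes gives visibility but no protection.
    detect_only = sorted(h for h, (_, policy) in agents.items() if policy != "prevent")
    # Monitoring: alerts nobody has acknowledged within the SLA mean nobody is watching.
    alerts_past_sla = sorted((h, sev) for h, sev, raised, acked in alerts
                             if not acked and now - raised > ack_sla)
    return {
        "coverage_pct": round(100 * len(healthy) / len(inventory), 1),
        "no_agent": no_agent,
        "stale_agent": stale_agent,
        "unknown_to_inventory": unknown_to_inventory,
        "detect_only": detect_only,
        "alerts_past_sla": alerts_past_sla,
    }


if __name__ == "__main__":
    for key, value in audit(INVENTORY, AGENTS, ALERTS).items():
        print(f"{key:22} {value}")
```

On this data the company "has EDR", yet only 60% of its inventory has a live agent, one server can see attacks but cannot stop them, and a high-severity alert has sat unread for over a day. Those are the three findings the takeaway above tells you to ask about.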
Pop Culture Parallel:
If you’ve seen Blackhat, the attacker’s ability to operate quietly on compromised machines shows exactly why endpoint visibility matters — and why EDR coverage and monitoring make such a difference.
Learn more at https://insurancedesignationlookup.com/cyber-orientation/