
On the left of the illustration: like the fence and sign around a real-life restricted area, anti-malware and antivirus products work from knowledge of an existing threat. For example, anti-malware software will block a website if that site is listed in its database as a source of malware.
On the right: EDR is like the motion sensor. It picks up intruder activity. For example, if a cybercriminal is lurking on a desktop or laptop, the criminal’s actions will be discovered and the intruder will be removed.
These are complementary security approaches; both are part of layered security.
How EDR Protects Your Organization
Spy vs Spy
Anti-malware and antivirus are great at stopping known threats – like blocking dangerous websites and catching common malware during scans. But clever attackers can hide malware in normal-looking software to avoid detection. Once they get in, they can secretly watch your system and either lock it for ransom or try to spread to other computers on your network to do greater damage.
This is where EDR comes in. While antivirus looks for known threats, EDR watches for suspicious behavior – like when a trusted program suddenly starts trying to change hundreds of files. It’s a different layer of security working alongside antivirus, designed to catch what traditional approaches would miss.
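The behavioral rule just described (a trusted program suddenly changing hundreds of files) can be expressed as a sliding-window count of write-like file events per process. The following Python is an added example, not Bryley’s EDR code: the tab-separated telemetry format, the process names, the thresholds (100 changes within 60 seconds) and the sample events are all constructed for illustration. The sample deliberately includes a slow backup job that touches more files in total than the threshold, to show why a rate over a window, rather than a raw count, is what separates the suspicious process from normal activity.

```python
"""Sliding-window detection of mass file modification by a single process.

Added example (not Bryley's EDR code). Event lines are constructed here as
tab-separated "timestamp<TAB>process<TAB>action<TAB>path"; a real agent's
schema differs. Timestamps are integer seconds and events are time-ordered.
"""
from collections import defaultdict, deque

# Thresholds are assumed values chosen for illustration, not from the article.
WINDOW_SECONDS = 60
MAX_WRITES_PER_WINDOW = 100
WRITE_ACTIONS = {"write", "rename", "delete"}


def parse_event(line):
    """Split one constructed telemetry line into (timestamp, process, action, path)."""
    ts, proc, action, path = line.rstrip("\n").split("\t")
    return int(ts), proc, action, path


def detect_mass_modification(lines, window=WINDOW_SECONDS, threshold=MAX_WRITES_PER_WINDOW):
    """Return [(process, timestamp)] for each process the first time it performs
    `threshold` or more write-like actions within any `window`-second span."""
    recent = defaultdict(deque)   # process -> timestamps of its recent write-like events
    alerted = set()
    alerts = []
    for line in lines:
        ts, proc, action, _path = parse_event(line)
        if action not in WRITE_ACTIONS:
            continue                      # reads and process starts are not counted
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and proc not in alerted:
            alerted.add(proc)             # alert once per process, not once per file
            alerts.append((proc, ts))
    return alerts


def sample_telemetry():
    """Constructed events: one normal editor, one slow backup job, and one process
    rewriting 150 user files in 30 seconds (the pattern the article describes)."""
    lines = []
    for i in range(5):                    # winword.exe saves the same document a few times
        lines.append(f"{1000 + 10 * i}\twinword.exe\twrite\tC:\\Users\\alice\\report.docx")
    for i in range(150):                  # updater.exe: 5 files per second for 30 seconds
        lines.append(f"{2000 + i // 5}\tupdater.exe\twrite\tC:\\Users\\alice\\Documents\\doc{i}.txt")
    for i in range(120):                  # backup.exe: 120 files, but only one every 2 minutes
        lines.append(f"{5000 + 120 * i}\tbackup.exe\twrite\tD:\\backup\\doc{i}.txt")
    return lines


if __name__ == "__main__":
    for proc, ts in detect_mass_modification(sample_telemetry()):
        print(f"ALERT t={ts}: {proc} exceeded {MAX_WRITES_PER_WINDOW} file changes in {WINDOW_SECONDS}s")
```

Run as a script it reports only `updater.exe`, at the second it crosses 100 changes; `winword.exe` never gets near the threshold and `backup.exe` never has more than one event inside the window. Lowering `threshold` is how a defender tunes sensitivity, at the cost of more alerts on ordinary programs, which is exactly the configuration work the podcast discussion later in this article is about.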
The 30,000-Foot View
EDR performs three functions:
- Detects anomalous behavior on a desktop or laptop
- Analyzes the behavior
- Blocks threats
And Under EDR’s Hood
Bryley’s EDR works like this:
Note: EDRs can be executed in different ways. Also, the following is not exhaustive, but meant to give a detailed overview.
- Activity data is gathered from an endpoint (desktop or laptop) and analyzed. It can include:
  - File and System Changes: tracks changes to files, settings and user access.
  - Network and Web Use: checks online connections, uploads and downloads.
  - Apps and Startup Tasks: watches applications the employee is using and software that runs behind the scenes.
  - User Actions and Logins: notes when users sign in and access apps.
- Extra Safety Steps:
  - Regular Checks: looks for risks or unexpected changes.
  - Ransomware Traps: uses hidden files to catch malicious software activity early.
  - Deeper Dives: if needed, gathers more data to learn whether there is a problem.
- 24/7 Security Operations Center (SOC)
  - Analysts watch system activity for strange behavior
  - Take action when needed
- ThreatOps Analysts
  - Dig deeper into threats for a full review
- When a Threat is Found
  - Locking Down the Device
    - Stops hackers from spreading to other systems
  - Removing the Threat
    - Blocks harmful actions
    - Quarantines infected files
    - Deletes malicious software
  - Cutting Off the Attacker
    - Blocks hacker access points
    - Stops hacker web links and IP addresses
    - Revokes stolen logins and resets them, keeping the attackers out
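How a ransomware trap of the kind listed above can work, as an added example that is not Bryley’s product code: a few hidden decoy files with known hashes are planted among ordinary data, and any change to them is reported. The example goes slightly beyond the list item by reporting renames and deletions as well as in-place content changes. The decoy file names, the temporary directory and the simulated tampering in `demo()` are all constructed for illustration.

```python
"""Ransomware trap: decoy ("canary") files whose only legitimate state is unchanged.

Added example (not Bryley's product code). Decoy names below are constructed;
they are meant to look like ordinary clutter that users never open, so any
change to them is a strong signal. The demo uses a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names: plausible clutter, not real artefacts of any product.
DECOY_NAMES = ["~$budget.xlsx", ".cache.db", "Thumbs_old.db"]


def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def plant_decoys(directory, names=DECOY_NAMES):
    """Create the decoys and return a baseline {absolute path: sha256}."""
    baseline = {}
    for name in names:
        p = Path(directory) / name
        # Random padding makes every decoy unique, so two decoys never share a hash.
        p.write_bytes(b"decoy - no legitimate process modifies this file\n" + os.urandom(32))
        baseline[str(p.resolve())] = _sha256(p)
    return baseline


def check_decoys(baseline):
    """Compare decoys against the baseline. Returns {path: 'missing' | 'modified'};
    an empty dict means no decoy was touched."""
    findings = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"      # deleted, or renamed (e.g. a new extension appended)
        elif _sha256(path) != digest:
            findings[path] = "modified"     # content rewritten in place
    return findings


def demo():
    """Plant decoys in a temp dir, simulate tampering with two of them, report by file name."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_decoys(d)
        if check_decoys(baseline):
            raise RuntimeError("fresh decoys should be clean")
        overwritten = Path(d) / DECOY_NAMES[0]
        overwritten.write_bytes(os.urandom(64))             # simulated in-place overwrite
        renamed = Path(d) / DECOY_NAMES[1]
        renamed.rename(str(renamed) + ".locked")            # simulated rename with a new extension
        return {os.path.basename(p): reason for p, reason in check_decoys(baseline).items()}


if __name__ == "__main__":
    print(demo())   # {'~$budget.xlsx': 'modified', '.cache.db': 'missing'}
```

The untouched third decoy does not appear in the result, which is the point of the technique: no ordinary user or program has a reason to open these files, so a hit has almost no false-positive explanation. A production EDR agent would subscribe to file-system change notifications and record which process touched the decoy, rather than polling hashes as this example does, so that the device can be isolated and the process stopped immediately.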

Just as a motion detector can escalate alerts – from a notification on a cellphone, to an alert at a security company, to an alert at the police station – EDR detects unusual activity on a system and responds by escalating its actions to stop potential threats.
EDR Is a Bullet … If You Use It Right
On the CISO Series podcast[1], host David Spark, Andy Ellis and Russell Spitler were discussing breaches: where was EDR’s protection?
“We can’t set the bar of ‘just install the EDR, and it will perfectly work,’” Andy Ellis said. “It would be nice if people would just install the EDR and set it up reasonably so it would work at least 95% of the time.”
“EDR is not the silver bullet,” David Spark said. “Of which we know there’s nothing that’s the silver bullet in cybersecurity.”
“But it’s a bullet if you use it right,” Andy Ellis answered. “And I don’t think most people are using it right.”
“You need to have [EDR] properly configured,” Russell Spitler said. “But if it’s not in all the systems, there’s a nice way in … we need to have it effectively managed.”
Bryley doesn’t just install EDR – it is Bryley’s job to see that EDR is used right. Our team of seasoned IT and security professionals brings full deployment, proper configuration and continuous monitoring to provide reliable protection as we have for Bryley clients since 1987.
Keeping Your Data Protected as Threats Evolve
Cyber threats, like Qakbot and other ransomware, continue to evolve, and so does Bryley’s approach to securing your systems. By adapting our proven layered security approach to emerging risks, Bryley can help you stay protected and reduce potential vulnerabilities.
Think of it like adding motion sensors to a secured area: EDR added to your existing cybersecurity stack – already equipped with antivirus and anti-malware – creates an additional line of defense against cyber threats.
If you would like more information about implementing EDR or about IT services, you are welcome to schedule a no-obligation, 15-minute call with Roy Pacitto. Alternatively, Roy is at rpacitto@bryley.com and 978.562.6077 x217.
Endpoint Detection and Response (EDR):
- Bryley’s EDR continuously monitors endpoints and collects data on activity that may indicate a threat, such as the processes running on the machine, patterns of behavior, and registry modifications (for example: have privileges changed?).
- That data is then sent to a cloud repository, where the heavy lifting of analysis is done without bogging down the endpoint.
- Analysis is the key process for any EDR security solution. Machine learning scans for threat patterns; when the machine-learning software escalates an event, a team of human analysts takes over the threat hunting. EDR analyzes and interprets the data, learning from it in order to detect signs of suspicious behavior.
- Last, a representative assists in removing any threat that has been found. Incident response may also be automated, or be a combination of a representative and automation.