4.5.6 FIM, DLP, NAC & EDR/XDR
Modern endpoint and network defense layers automated tools that watch file integrity, block data exfiltration, control network access, and respond to advanced threats.
File Integrity Monitoring (FIM) FIM watches sensitive system, configuration, and application files and alerts on unauthorized changes. - Hashing: FIM baselines a known-good hash for each file; any modification changes the hash and raises an alert. - Integrity: the goal is detecting tampering with critical OS components or system-of-record data. - Triggers: unexpected changes to protected paths such as C:\Windows\System32 or /etc/passwd.
Data Loss Prevention (DLP) DLP identifies, monitors, and protects data to stop unauthorized exfiltration. - Data in motion: inspects network traffic (email, web uploads) for patterns like SSNs or card numbers. - Data at rest: scans drives and cloud storage for unprotected sensitive files. - Data in use: watches endpoint actions like printing, copying to USB, or screenshots. - Response: can block, quarantine, or encrypt data before it leaves the protected boundary.
Network Access Control (NAC) NAC grants or denies network access based on a device's identity and health. - Posture assessment: checks for up-to-date antivirus, current patches, and an active firewall. - Agents: permanent agents stay installed; dissolvable agents run once and disappear. - Quarantine: non-compliant devices are moved to a restricted VLAN for remediation. - IEEE 802.1X: the port-based authentication standard many NAC deployments rely on.
EDR and XDR These extend visibility well beyond signature-based antivirus. - EDR (Endpoint Detection and Response): continuous host-level monitoring that uses behavioral analysis to catch "living off the land" attacks. - XDR (Extended Detection and Response): correlates data across email, endpoint, server, cloud, and network for a unified view. - Automated response: both can isolate a host or kill a malicious process to stop lateral movement.
Quick recall - FIM → detects unauthorized file changes by comparing hashes. - DLP → stops sensitive data from leaving the organization. - NAC → gatekeeps the network with posture assessments and 802.1X. - EDR → deep endpoint monitoring for behavioral anomalies. - XDR → cross-platform correlation for enterprise-wide threat hunting.