Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.5.4. DLP, NAC, EDR/XDR, and User Behavior Analytics

💡 First Principle: These capabilities extend security beyond network boundaries to protect data wherever it goes, control device access, detect sophisticated threats on endpoints, and identify insider threats through behavioral analysis.

Data Loss Prevention (DLP) — prevents unauthorized data exfiltration by inspecting data in motion (network DLP), data at rest (storage DLP), and data in use (endpoint DLP). DLP policies define sensitive data patterns (credit card numbers, SSNs, proprietary keywords) and actions (block, quarantine, alert).
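An endpoint-DLP policy check of the kind described above, as an added example that is not from the course or any vendor product. The policy table, the Luhn filter on candidate card numbers (to cut false positives on random digit runs), and the sample text are all constructed for illustration.

```python
import re

# Constructed policy: pattern name -> (regex, action). Actions are the three
# the text names: "block", "quarantine", "alert". Real DLP rule sets are larger.
POLICY = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "block"),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "quarantine"),
    "proprietary_keyword": (
        re.compile(r"\b(?:PROJECT[- ]ATLAS|INTERNAL ONLY)\b", re.I), "alert"),
}

# Higher number wins when several patterns match the same content.
SEVERITY = {"alert": 1, "quarantine": 2, "block": 3}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects most digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_matches(text: str):
    """Return (pattern_name, matched_value, action) for every policy hit."""
    hits = []
    for name, (rx, action) in POLICY.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if name == "credit_card":
                digits = re.sub(r"\D", "", value)
                if not (13 <= len(digits) <= 16 and luhn_ok(digits)):
                    continue     # digit run that fails Luhn: not a card number
            hits.append((name, value, action))
    return hits


def evaluate(text: str):
    """Decide the policy action for a piece of content (data in use / in motion)."""
    hits = find_matches(text)
    if not hits:
        return "allow", hits
    return max((h[2] for h in hits), key=SEVERITY.get), hits
```

`evaluate` returns the most severe action plus the list of hits, which is what an endpoint agent would log or forward to the alerting pipeline.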

Network Access Control (NAC) — evaluates device health and compliance before granting network access. Pre-admission checks: is antivirus current? Is the OS patched? Is disk encryption enabled? Non-compliant devices are quarantined to a remediation VLAN with limited access.

EDR (Endpoint Detection and Response) — continuously monitors endpoints for suspicious activity using behavioral analysis, not just signatures. EDR records process execution, file changes, network connections, and registry modifications. When suspicious behavior is detected, EDR can isolate the endpoint, kill malicious processes, and collect forensic data.

XDR (Extended Detection and Response) — extends EDR across multiple security layers (network, email, cloud, identity) for correlated threat detection. XDR connects the dots across siloed security tools to identify complex, multi-vector attacks that no single tool would catch.


User Behavior Analytics (UBA/UEBA) — establishes baseline behavior patterns for each user and alerts on deviations. If an accounting employee suddenly accesses engineering files at 3 AM from a foreign IP, UBA flags the anomaly. Effective against insider threats and compromised accounts because it detects behavioral changes, not just known attack signatures.

⚠️ Exam Trap: EDR monitors endpoints. XDR correlates across multiple layers (endpoints + network + cloud + email). If the question asks about detecting a multi-stage attack that moves from email phishing to endpoint compromise to lateral movement, XDR is the better answer because it correlates across all those layers.

Written by Alvin Varughese
Founder • 15 professional certifications