
Endpoint Detection and Response (EDR) Overview

What is EDR?

EDR is a class of cybersecurity software designed to monitor, detect, and respond to threats on individual computers. As part of UC’s security program, EDR is installed on UC-owned devices (laptops, desktops, and servers), known as endpoints. EDR helps stop cyberattacks by quickly identifying suspicious behavior, isolating affected systems, and supporting investigation and recovery. EDR tools focus strictly on detecting security threats while respecting user privacy, an approach that aligns with UC’s privacy principles: protection without unnecessary monitoring. Trellix is UC’s EDR software provider, and Trellix HX EDR is the UC standard.

What risks does EDR software detect and respond to?

EDR software watches endpoint activity such as process, file, and network behavior, and uses it to detect and respond to threats such as malware, ransomware, and unauthorized access. When a threat is found, EDR can block, contain, or remove it in real time. EDR complements firewalls and antivirus software rather than replacing them, adding another layer of security.

EDR software identifies cybersecurity threats by recognizing known attack patterns and suspicious system activity, not by tracking user intent or personal behavior. For example, if a risky file is downloaded from a malicious site, EDR might flag the domain or the file's behavior, but it won't record your search terms or the content you viewed. Mandiant’s Managed Defense is the managed service provider that analyzes alert data from Trellix EDR (for example, malicious files or log data about actions performed by a threat actor) and escalates to UC security personnel as necessary.
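To make the distinction above concrete, the following is an added illustration, not Trellix code and not UC's detection content: a small Python model of the three kinds of check an EDR typically applies (a known-malicious domain, a known-malicious file hash, and a behavioral rule such as a document viewer spawning a script host), run over constructed endpoint events. Every domain, hash, host name, and event below is hypothetical. Note what ends up in an alert: the host, the matching rule, the indicator, and the process, while the URL is reduced to its scheme and host so that query strings (where search terms live) never reach the alert.

```python
"""Illustrative EDR-style detection over constructed endpoint events (added example)."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Hypothetical indicators of compromise; not real threat intelligence.
MALICIOUS_DOMAINS = {"updates-cdn.example.invalid"}
MALICIOUS_SHA256 = {"0123456789abcdef" * 4}

# Behavioural rule: document viewers have no business launching a shell or script host.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass
class Event:
    """One telemetry record from an endpoint sensor (constructed for this example)."""
    host: str
    kind: str                     # "net", "file" or "process"
    process: str                  # process that performed the action
    parent: Optional[str] = None  # parent process, for "process" events
    url: Optional[str] = None     # full URL, for "net" events
    sha256: Optional[str] = None  # file hash, for "file" events


@dataclass
class Alert:
    """What gets sent to analysts: only the security-relevant fields."""
    host: str
    rule: str
    indicator: str
    process: str


def scrub_url(url: str) -> str:
    """Keep only scheme and host; drop path and query so search terms are never recorded."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}"


def evaluate(event: Event) -> Optional[Alert]:
    """Return an Alert if the event matches an indicator or a behaviour rule, else None."""
    if event.kind == "net" and event.url:
        host = urlsplit(event.url).hostname or ""
        if host in MALICIOUS_DOMAINS:
            return Alert(event.host, "known-malicious-domain", scrub_url(event.url), event.process)
    if event.kind == "file" and event.sha256 in MALICIOUS_SHA256:
        return Alert(event.host, "known-malicious-hash", event.sha256, event.process)
    if event.kind == "process" and event.parent in DOCUMENT_APPS and event.process in SCRIPT_HOSTS:
        return Alert(event.host, "document-app-spawned-script-host",
                     f"{event.parent} -> {event.process}", event.process)
    return None


def run(events: List[Event]) -> List[Alert]:
    """Evaluate every event and collect the alerts; benign events produce nothing."""
    return [alert for alert in (evaluate(e) for e in events) if alert is not None]


# Constructed sample telemetry: one benign search, one visit to a flagged domain,
# one write of a flagged file, one suspicious child process, one ordinary child process.
SAMPLE_EVENTS = [
    Event("lab-pc-01", "net", "chrome.exe", url="https://www.example.com/search?q=grant+proposal+draft"),
    Event("lab-pc-01", "net", "chrome.exe", url="https://updates-cdn.example.invalid/download?id=42&user=prof"),
    Event("lab-pc-01", "file", "chrome.exe", sha256="0123456789abcdef" * 4),
    Event("lab-pc-01", "process", "powershell.exe", parent="winword.exe"),
    Event("lab-pc-01", "process", "winword.exe", parent="explorer.exe"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields three alerts (the flagged domain, the flagged hash, and winword.exe launching powershell.exe); the benign search and the ordinary document launch produce nothing, and the domain alert carries "https://updates-cdn.example.invalid" with the query string stripped.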

Key takeaways for faculty and other academic appointees

  • UC security personnel, Trellix, and Mandiant are all required to comply with the UC Electronic Communications Policy (ECP).
  • UC does not use EDR for surveillance or for monitoring your browser, emails, documents, or teaching materials.
  • Only security-related activity, such as an attacker’s IP address or a malicious file attempting to compromise a system, is monitored, and only when there is a potential threat.
  • No changes to your teaching or research workflows—you can keep using tools like Canvas, Zoom, and cloud-based research platforms.
  • Remote actions (like deleting a malicious file) are strictly controlled.


Copyright © Regents of the University of California | Terms of use