So, what’s up with all the DRs?
Managed Detection and Response (MDR), Endpoint Detection and Response (EDR), and more recently, Extended Detection and Response (XDR) (CyberMaxx doesn’t have a product officially called “XDR”, but our services and team are qualified to check that box too) – the sea of cybersecurity-related acronyms continues to expand to accommodate incremental advancements in technology.
Clearly, the common ground is detection and response (D&R). D&R is all about limiting threat actor dwell time (277 days – average time to identify and contain a data breach [Source]) through rapid detection and mitigating the impact of a realized threat event through an efficient and effective response.
Not all managed services are the same and sometimes an all-encompassing service like MDR is overkill when all an organization need is EDR.
Let’s dive in…
Endpoint Detection and Response (EDR)
Originally termed Endpoint Threat Detection and Response (ETDR), EDR is the classification for software focused on detecting and investigating suspect activities on endpoints like workstations, laptops, servers, phones, tablets, IoT devices, etc.
The software (usually a small agent) is deployed on each endpoint you wish to monitor where it gathers data to identify patterns of suspicious behavior. This differs from “signature-based” tools like traditional antivirus software that are limited to identifying set patterns based on the latest fingerprint of a known piece of malware. With EDR, the endpoint is continually monitored, and the data is stored in a centralized database where it is analyzed using various algorithms, including artificial intelligence, to identify abnormal behavior.
When malicious activity is identified, the end-user, or in the case of a managed service, the security operations center (SOC) is immediately prompted with prescriptive actions to respond to the threat event.
Most quality EDR tools will have at least the following characteristics:
- They can detect suspicious activity and identify security events on various platforms.
- They provide a deep analysis of system behaviors to better identify actual events instead of false positives.
- They can automatically contain an identified event so that it does not propagate to adjacent systems and networks.
- They suggest actions required (remediations) to contain, minimize impact, and address or remove the threat.
Since endpoints represent the largest attack surface at an organization, EDR is gaining significant momentum and becoming a de facto tool in the cybersecurity arsenal for security-conscious enterprises.
Advantages & Challenges of EDR
Advantages:
- Significant improvements over legacy anti-virus systems
- Coverage of a wide variety of platforms, including mobile and Internet of Things (IoT)
- Recognizes anomalous behavior as opposed to known signatures to better protect against zero-day exploits
- Can automatically isolate problem devices to reduce the likelihood of malware propagating to adjacent systems and networks
- Provides detailed analysis and recommended actions for mitigation
Challenges:
- Can be expensive to implement across a large population of endpoints
- Having to prioritize endpoints can leave coverage gaps
- EDR can lead to large volumes of data for analysis even considering the use of advanced AI
- Requires training and experienced staff to maximize ROI – Consider an MDR to help
- Most effective when monitored 24x7x365
Managed Detection and Response (MDR)
MDR is less about the tools and more about how the tools are leveraged and managed.
This service combines:
- People
- Processes
- Technology
…to monitor systems and networks, identify proactive threat events, and rapidly respond to protect the enterprise.
MDR services are usually provided by an MDR like CyberMaxx. The provider typically has the expertise and size to effectively gather and evaluate the terabytes of data generated by tools like EDR systems, security information and event management (SIEM) systems, and intrusion detection and prevention (IDS/IPS) systems.
These various inputs can put a tremendous strain on a small IT staff or even a dedicated security team when this activity is insourced.
In fact, the scarcity of highly specialized professionals that can monitor these systems on a 24x7x365 basis is the biggest reason that even sizeable organizations choose to outsource detection and response activities.
Now that EDR technologies are becoming more widely deployed, alert traffic is increasing exponentially.
Advantages & Challenges of MDR
Advantages:
- Outsourcing detection and response activities can provide an immediate impact on reducing bad guy dwell time (going from days to seconds) and response capabilities
- Relieves the organization of the burden to build out and staff a 24×7 security operations center
- Gives the organization access to expertise and threat intelligence gathered from across a large population of the MDR provider’s client base – often within the same industry vertical
- Reduces the burden on existing IT and security staff tracking false positives and non-critical background “noise”
- Easily scales as the organization grows or contracts, and it’s usually more cost-effective than insourcing
Challenges:
- An organization may become “just a number” and not get a high level of personalized service unless the MDR provider is extremely customer-focused and responsive – Not the case with CyberMaxx
- Being comfortable with a third party owning critical security activity and data
- The organization’s staff will still need to be responsive to alerts escalated by your MDR service provider
MDR vs. EDR – A False Dichotomy
It’s not about one of these detection and response strategies being better than the other. It’s not either-or, they are complimentary!
The truth is that you can engage an MDR solution and not have EDR in place. You can also implement EDR without the expertise and staffing support that comes with an MDR implementation.
Like peanut butter and chocolate, these two things go great together.