Managed Detection and Response (MDR), Endpoint Detection and Response (EDR), and, more recently, Extended Detection and Response (XDR). The sea of cybersecurity-related acronyms keeps expanding to accommodate incremental advances in technology.
So, what’s up with all the DRs?
Clearly, the common ground is Detection and Response (D&R). D&R is about limiting threat actor dwell time (24 days, according to one 2021 study) through rapid detection, and about mitigating the impact of a realized threat event through an efficient and effective response. Since MDR and EDR share this goal, let’s look at how they differ in approach.
Endpoint Detection and Response (EDR)
Originally termed Endpoint Threat Detection and Response (ETDR), EDR is the classification for software focused on detecting and investigating suspicious activity on endpoints such as workstations, laptops, servers, phones, tablets, and IoT devices. The software (usually a small agent) is deployed on each endpoint you wish to monitor, where it gathers telemetry such as process, file, registry, and network activity. This differs from “signature-based” tools like traditional antivirus, which can only identify set patterns matching the latest fingerprint of a known piece of malware. With EDR, the endpoint is continuously monitored and its telemetry is forwarded to a central data store, where it is analyzed with rules, statistical baselines, and machine learning to identify abnormal behavior. When malicious activity is identified, the security team (or, in the case of a managed service, the provider’s security operations center) is immediately prompted with prescriptive actions to respond to the threat event. Most quality EDR tools will have at least the following characteristics:
- They can detect suspicious activity and identify security events across a variety of platforms.
- They provide deep analysis of system behavior to separate genuine events from false positives.
- They can automatically contain an identified event so that it does not propagate to adjacent systems and networks.
- They suggest the actions (remediations) required to contain the threat, minimize its impact, and remove it.
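To make the signature-versus-behavior distinction concrete, here is a small added example; it is an illustration written for this page, not code from CyberMaxx or from any EDR product. It runs a hash-based check and a handful of behavioral rules over a few constructed process-creation events, then correlates the findings per host into the kind of prescriptive containment and remediation actions listed above. The rule names, thresholds, hashes, hostnames and events are all invented for the illustration.

```python
"""
Added illustration (not CyberMaxx or vendor code): why behavior-based EDR
detection catches activity that hash matching misses, and how findings turn
into containment and remediation steps. Every event, hash, rule name and
threshold below is constructed for the example.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, as an EDR agent might forward it."""
    host: str
    parent_image: str
    image: str
    command_line: str
    sha256: str


# Hypothetical "known bad" hash list standing in for an antivirus signature feed.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed dropper sample").hexdigest()}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def signature_detect(ev: ProcessEvent) -> list[str]:
    """Legacy-AV style: fires only if the binary's hash is already known bad."""
    return ["known_malware_hash"] if ev.sha256 in KNOWN_BAD_HASHES else []


def behavior_detect(ev: ProcessEvent) -> list[str]:
    """EDR style: judge the activity, not the file. Rule names are illustrative."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    cmd = ev.command_line.lower()
    findings: list[str] = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        findings.append("office_app_spawned_script_host")
    if child == "powershell.exe" and ("-enc" in cmd or "-encodedcommand" in cmd):
        findings.append("powershell_encoded_command")
    if child == "powershell.exe" and ("downloadstring" in cmd or "invoke-webrequest" in cmd):
        findings.append("powershell_remote_download")
    return findings


def triage(events: list[ProcessEvent]) -> dict[str, dict]:
    """Correlate findings per host and attach prescriptive actions, console-style."""
    report: dict[str, dict] = {}
    for ev in events:
        findings = signature_detect(ev) + behavior_detect(ev)
        if findings:
            report.setdefault(ev.host, {"findings": [], "actions": []})["findings"].extend(findings)
    for entry in report.values():
        # Illustrative auto-containment threshold: any known-malware hit, or two or
        # more correlated behavioral findings on one host, isolates the endpoint.
        if "known_malware_hash" in entry["findings"] or len(entry["findings"]) >= 2:
            entry["severity"] = "high"
            entry["actions"] = ["isolate_host_from_network", "kill_process_tree", "collect_triage_package"]
        else:
            entry["severity"] = "medium"
            entry["actions"] = ["analyst_review", "collect_triage_package"]
    return report


# Constructed sample telemetry. The base64 in event 1 is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    ProcessEvent("ws-017", r"C:\Windows\explorer.exe", r"C:\Program Files\Browser\browser.exe",
                 "browser.exe --profile-directory=Default",
                 hashlib.sha256(b"benign browser binary").hexdigest()),
    # Macro-laden document launches an encoded PowerShell stage: clean binary, bad behavior.
    ProcessEvent("ws-042", r"C:\Program Files\Office\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA",
                 hashlib.sha256(b"legitimate powershell.exe").hexdigest()),
    # Known-bad hash on the same host: the only case a hash-only tool would catch.
    ProcessEvent("ws-042", r"C:\Windows\explorer.exe", r"C:\Users\Public\update.exe",
                 "update.exe /s", hashlib.sha256(b"constructed dropper sample").hexdigest()),
    # Single suspicious finding on another host: flagged for review, not auto-isolated.
    ProcessEvent("ws-105", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -EncodedCommand QQBCAEMA",
                 hashlib.sha256(b"legitimate powershell.exe").hexdigest()),
]


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The second event is the instructive one: the PowerShell binary is legitimate, so a hash-only check returns nothing, while the parent-child relationship and the encoded command line are enough for the behavioral rules to flag it. Correlating the findings per host is what lets the tool decide between automatic isolation and a lower-severity analyst review.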
Because endpoints make up such a large share of an organization’s attack surface, Endpoint Detection and Response has gained significant momentum and is becoming a de facto tool in the cybersecurity arsenal of security-conscious enterprises.
Advantages & Challenges of EDR
Advantages:
- Significant improvement over legacy antivirus systems
- Coverage of a wide variety of platforms, including mobile and Internet of Things (IoT) devices
- Recognizes anomalous behavior rather than relying on known signatures, which gives better protection against zero-day exploits
- Can automatically isolate problem devices to reduce the likelihood of malware propagating to adjacent systems and networks
- Provides detailed analysis and recommended actions for mitigation
Challenges:
- Can be expensive to implement across a large population of endpoints
- Having to prioritize which endpoints get an agent can leave coverage gaps
- Generates large volumes of telemetry that must be analyzed, even with AI-assisted triage
- Requires training and experienced staff to maximize ROI
- Most effective when monitored 24x7x365
Managed Detection and Response (MDR)
As with EDR, the first word says it all. Managed Detection and Response is less about the tools and more about how the tools are leveraged and managed. MDR is a service that combines software tools and technology with human experts to monitor systems and networks, proactively identify threat events, and rapidly respond to protect the enterprise. MDR services are usually provided by a managed security service provider (MSSP). The provider typically has the expertise and scale to effectively gather and evaluate the terabytes of data generated by tools like EDR, Security Information and Event Management (SIEM), and Intrusion Detection and Prevention (IDS/IPS) systems.
These inputs can put a tremendous strain on a small IT staff, or even a dedicated security team, when the activity is insourced. In fact, the scarcity of highly specialized professionals who can monitor these systems on a 24x7x365 basis is the biggest reason that even sizeable organizations choose to outsource detection and response. And now that EDR technologies are more widely deployed, alert volume is growing rapidly.
Advantages & Challenges of MDR
Advantages:
- Outsourcing detection and response can immediately shorten attacker dwell time (from days down to minutes or even seconds where containment is automated) and strengthen response capabilities
- Relieves the organization of the burden of building out and staffing a 24x7 security operations center
- Gives the organization access to expertise and threat intelligence gathered across the MDR provider’s client base, often within the same industry vertical
- Reduces the burden on existing IT and security staff of chasing false positives and non-critical background “noise”
- Scales easily as the organization grows or contracts, and is usually more cost-effective than insourcing
Challenges:
- Not all MSSPs are qualified and equipped to provide true MDR services
- Your organization may become “just a number” and not receive a high level of personalized service unless the MDR provider is extremely customer-focused and responsive
- You will need to be comfortable with a third party owning this critical security activity
- Your staff will still need to respond to alerts escalated by the MDR provider
- It can be hard to find an MDR provider that supports the tools that best address your organization’s security needs (e.g., IDS/IPS, EDR, SIEM, forensics)
MDR vs. EDR – A False Dichotomy
As you can see, it’s not a matter of one detection and response strategy being better than the other. It’s not either/or; they are complementary! You can certainly engage an MDR service without EDR in place, and you can implement EDR without the expertise and staffing support that comes with an MDR engagement. But like peanut butter and chocolate, the two go great together. Learn more about MDR security services with CyberMaxx today.