Demystifying Cyber: EDR & MDR

In this video series, we’re here to peel back the curtain and show how the “tricks” in cyber are done so we can all have a better understanding.

Tom Pioreck, CyberMaxx’s CISO, will be diving into all things EDR & MDR. In this episode of “Demystifying Cyber,” we’ll unlock the mystery and clear the confusion surrounding EDR & MDR.

For your convenience, we’ve included a transcript of the 17-minute episode below. Feel free to watch the video on YouTube.

Transcript

Organizations keep hearing that they need to detect and respond, and EDR, or a trusted MDR provider, is one of the best ways to do that.
That’s all well and good, but what do EDR and MDR mean? What does an organization need to know and consider when determining which option is the better choice for them?

If security professionals keep saying EDR should be a standard part of our security program, then it’s probably a good idea if we understand the abbreviation, the terms it contains, and what we’re really saying when we talk about EDR and MDR.

Hello, I’m Thomas Pioreck, cybersecurity professional with close to 20 years in the industry and self-professed most paranoid person in the room. On this episode of Demystifying Cyber, we define EDR, MDR, and considerations for which one to select as an organization.

The famed author Arthur C. Clarke had three laws when it came to science fiction; his third law is, “any sufficiently advanced technology is indistinguishable from magic.” We’re here to peel back the curtain and show how the “tricks” in cyber are done, so we can all have a better understanding. This is “Demystifying Cyber.”

EDR and MDR. In a world of abbreviations, what’s two more? If EDR and MDR are so similar, which seems to be the message out there, then why the need for both terms? Let’s start by breaking down the abbreviations, EDR and MDR.

And since both have “D” and “R,” let’s start there. The good news is that the D and the R have the same meaning in each abbreviation. The D is for “Detection” and the R is for “Response.” So, that’ll help keep things a little simpler. We will get into what each term means a little later, but what about the E versus the M?
E is for Endpoint. Just like C is for Cookie. Endpoint, endpoint, endpoint start with E. Well, that’s simple enough, isn’t it? Hmm? What’s an Endpoint? Yeah, that’s a good question.

We kind of just throw the term “endpoint” out there and figure everyone knows exactly what we’re referring to when we say “endpoint.”
There are mostly two different ways people interpret the term “endpoint,” and that can create confusion when we’re talking about EDR.

The broadest definition of an endpoint is, “any device that operates within your corporate environment.” And that really means any device: mobile phone, tablet, servers, desktops, switches, laptop, point-of-sale systems, automated inventory systems, smart TV, smart fridge, smart coffee maker (a critical asset, if ever there was one). An “endpoint” is anything and everything.

When we ask an organization about asset inventories and we ask them to account for all of their endpoints, this is the breadth we want you to consider and document. Generally, though, when a company is considering EDR (and this applies to MDR too), we tend to narrow the scope just a bit.

Your EDR “endpoints” really come down to computers, whether laptop, tower, or desktop, and your servers, physical or virtual. Why such a narrow scope? The reason is what’s available on the market as of this recording. It’s these endpoints that have available agents that are tried and true. Yes, some solutions on the market have an agent for phones and tablets, and depending on what runs your point-of-sale system, an agent for that, maybe an agent for a smart device, like that TV in the boardroom, but they don’t have the operational history like the agents for servers and computers do.

Let’s take that term “agent.” That word gets thrown around a lot too. Single agent, agentless, consolidated agent, call my agent, almost all solutions out there have some kind of “agent” associated with them. Even AI is getting in on the game with “agentic AI.” So, what’s an agent?

Let’s say you’ve decided to go with an EDR solution, which we’ll just call The Farm. The main component, the brains if you will, exists as some kind of central headquarters. That headquarters could be something you build, install, and run in your own data center, or it could be a cloud-platform solution, often called the “console,” that The Farm provides.

That console is where all the data and information is visible to you. It’s where you log in to see data and generated alerts, and where you go to triage those alerts and set your configurations, the real functional aspect. All of the intelligence you’re gathering comes back to this central location. It serves as a central intelligence hub. Here’s where central intelligence’s agent comes in.

The agent works for The Farm. Its job is to monitor what happens on the single endpoint it’s been deployed to and report back on all the activity that it sees, so that modules within The Farm can perform an analysis and decide if what it’s seeing is “suspicious, malicious,” or “benign.” The agent is basically a small piece of software that gets deployed on every endpoint. Once it’s deployed, it’s perma-linked to that endpoint and reports back to headquarters, or the mothership, so to speak, pretty much in real-time. Agents can function on their own, but their operating parameters are defined by the mothership, kind of like the alien ships in Independence Day.

So now I have an agent deployed on the servers and computers, my “endpoints,” that operate across my environment. The activity that occurs on each endpoint reports back to the console, where the “magic” happens. Congratulations, you’ve implemented the first step in monitoring your environment. You are getting insight into the activity that is occurring on each endpoint and can be alerted when malicious, or at least suspicious, activity is Detected.
And that’s the D in EDR. Detection. By being able to ingest the activity and analyze it, we’re then able to detect unwanted behavior. There’s a bit more that happens than just “detecting” though.

EDR systems have some form of alerting or notification whenever something is detected that you need/want to be aware of, to see what’s really going on. So the D for Detect really has a silent N for Notify or silent A for Alert.

Great, so I’ve monitored, detected, and been notified, but I want to do something about it. That activity you alerted me to is bad, make the bad thing stop, I need to Respond to the bad thing. I don’t want to be aware that it’s happening and just sit there while it wreaks havoc on my company, I want to Respond. And there’s our R.
R is for Response. You want to be able to Stop the activity. You’ll hear the word “Kill” used here a lot with EDR vendors. You can set parameters where the EDR solution itself will Kill and/or Quarantine (exactly what you think it means) that activity or process. The really cool part is you can set a lot of the Response actions to happen automatically within the system and not give up manual review or human decision-making.

If the system seems to be killing too many legitimate actions just because they seem sketchy, you can tune its behavior. Or tell it to alert you but take no further action until you tell it to do so.

Most EDR solutions can isolate that endpoint. Meaning, nothing that’s happening on that one endpoint can get to any other system on the network or even anywhere on the Internet. The only communication an isolated endpoint can have is back to the mothership. The endpoint can only phone home. So, we have any number of response capabilities ready for us to implement now.

Ok, that’s EDR in a nutshell, so what’s MDR? The D and the R are the same, Detection and Response. The M is for Managed, so MDR is Managed Detection and Response. So, what’s the difference between EDR and MDR? The difference lies in who manages the solution.
See, MDR is really Managed EDR. You select a vendor to manage the EDR solution that’s been implemented. The functionality of the EDR doesn’t change, it’s the same for EDR and MDR, but with MDR, you’re offloading the management of the system to a trusted security partner. And that partner is usually an MSSP, a Managed Security Service Provider, specifically an MDR vendor. Notice the M means the same thing in MDR and MSSP? That’s how you can remember the connection and meaning, plus the difference between MDR and EDR.

Your next question is likely, is EDR or MDR better for my organization? That’s a fair question. And it may seem like a simple question of do I want to outsource it or do I want to run it in-house? There’s actually a lot that goes into that decision.

Managing an EDR is a 24/7 job. That’s just the time. That whole Detection component? It requires constant tuning and maintenance, tweaking it until you find that perfect sweet spot where the alerts you’re getting are mostly just the signal amongst the noise. The cyber world changes so rapidly that your tuning is never truly complete. You’re always going back and tuning as the threat landscape changes, as new attack techniques are identified and shared, as your business evolves and changes. Once you have the system tuned, you still need to investigate each alert that is generated for risk and actual legitimacy.

And you can’t do any of that without staffing, and staffing means a knowledgeable team of professionals that have experience and can put items in context. Folks that can really apply critical thinking to the deluge of notifications and intelligence that all these solutions present.

Think of it like this. You own a home. Not an especially large home, but what most folks think of when they think of a typical American home in the suburbs. That home has a lawn, likely some bushes, maybe even a couple of flower beds. You want your home to have a beautiful yard. Well, that means mowing, edging, weeding, and pruning. That’s just the regular maintenance you have to do every week. Then there’s knowing when to plant, managing the soil, being able to identify crab grass, grubs, rot, plant infections or whatever they’re called, knowing when to plant what plants at what time of year, in what soil and maintain the pH of that soil, in a location where they’ll get the right amount of sunlight and shade. That’s a lot of work, a lot of time, and a lot of knowledge you need to have or obtain. Can you really afford to do all that yourself AND have the outcome you want? Oh, and have time for the myriad of other things going on in your life?

Like many suburban homeowners, you’d likely hire a landscaping service. Professionals who have the experience and know the answers to those questions, who can recommend treatments, how to plant and what to plant, lay new seed, mitigate the grubs and other bugs, identify when foliage seems to have become infected and treat it, recommending future steps to prevent it from happening again. And when they do the maintenance, the mowing, the edging, the pruning, they know just how to do it, so that the yard remains and looks healthy. Trusting them to carry out that work means you get two things. One, you feel better knowing that this thing of importance to you, your yard’s health, is entrusted to professionals with years of experience. And second, you free up the time that would be spent performing these tasks and researching to gain the knowledge required to achieve the results desired, to focus on other areas of importance in your life. You’re gaining in two places, not just one.

That, admittedly somewhat loosely, is what you get when you elect to go with an MDR to implement an EDR solution. And just like with the landscaper, there are additional costs when you do it yourself that you incur when trusting it to experienced professionals.

All that equipment that landscapers use, you would need to buy for yourself. That includes the fuel, replacement blades, sharpening the blades, pruners, trimmers, edgers, seed, insecticide, plant formula, all of it. Those costs recur; they don’t go away. Same is true with implementing your own EDR. All the tools, watchlists, implementations, APIs, workstations, sandboxes, all the utilities that you may not even think of, are a recurring cost. And that doesn’t cover the cost of staffing and training that you would have to incur. Plus, you get the benefit of all the knowledge they gain from working on all the other houses that they service, which allows them to see and diagnose potential issues faster or make recommendations to get ahead of an issue they’ve encountered at another home recently. They’re aware of trends because it’s just a part of what they do. Of course, that will all depend on the value that they provide. Are they doing the bare minimum, mow, trim, prune, preseason clean, postseason clean? Or are they a committed partner? I know which one I’d prefer.

Endpoint Detection and Response, EDR, and Managed Detection and Response, MDR, are an integral component of what we call “Continuous Security Monitoring.” Real-time insights, data points for correlation and aggregation, and the ability to respond to threats as they’re occurring, a lot of times at the point of attempted entry, before they get to taking action within a system. Frankly, in today’s business world, having them is table stakes. Insurance carriers will ask if you’ve deployed them, your partners will ask about it, and many of your clients and prospects will ask about it. The days of rolling out an antivirus solution alone are over. Going back to our suburban home analogy, having an alarm system is pretty much the same thing. It doesn’t mean we stop putting locks on the doors and windows, it just means that we acknowledge that times have changed, and having someone be able to monitor our valuable assets for us 24/7 is a must-have. And we trust a service provider to enhance the capability and manage the monitoring, detection, and response for us. Think about it, do you really want to, can you really afford to, monitor and respond to your doorbell camera every time it goes off? 24/7?

And hopefully now you have a better understanding of what everyone means when they’re talking about EDR and MDR, what they provide you, and how they differ when you’re determining which is the best option for your organization. I think EDR is incredibly vital to a security program and hope you do now too.

Until next time, I’m Thomas Pioreck for Demystifying Cyber.
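As an added illustration that is not code from the episode or from CyberMaxx, the Python sketch below models the agent-to-console pipeline the transcript walks through: an agent event arrives at the console, detection rules fire, a notification is raised, and a per-rule response policy applies kill, quarantine, or alert-only (the tuning knob for rules that are too noisy), plus the isolation behaviour where an isolated endpoint can only phone home. Rule names, the events, and the console address are constructed for the example.

```python
"""Toy EDR pipeline: detect -> notify -> respond, plus isolation.
Every rule, host and event here is constructed for illustration."""
from dataclasses import dataclass, field

CONSOLE = "console.example.invalid"  # hypothetical "mothership" address


@dataclass
class Event:            # what an agent reports back to the console
    host: str
    process: str
    parent: str
    cmdline: str


@dataclass
class Endpoint:         # the console's view of one agent-managed host
    host: str
    isolated: bool = False
    killed: list = field(default_factory=list)
    quarantined: list = field(default_factory=list)


def _office_shell(e):   # an Office app launching a command shell
    return e.parent in {"winword.exe", "excel.exe"} and \
        e.process in {"cmd.exe", "powershell.exe"}


def _encoded_ps(e):     # PowerShell run with an encoded command
    return e.process == "powershell.exe" and " -enc " in e.cmdline.lower()


def _task_create(e):    # scheduled-task creation, noisy so alert-only
    return e.process == "schtasks.exe" and "/create" in e.cmdline.lower()


# rule name -> (predicate, response mode). Changing a mode to "alert" is
# the "notify me but take no action" tuning the episode describes.
RULES = {"office-spawns-shell": (_office_shell, "kill"),
         "encoded-powershell": (_encoded_ps, "quarantine"),
         "scheduled-task-create": (_task_create, "alert")}


def console_handle(endpoint, event):
    """Run one agent event through detection and response; return alerts."""
    alerts = []
    for name, (match, mode) in RULES.items():
        if match(event):
            alerts.append((name, mode))          # the silent "N" for Notify
            if mode in ("kill", "quarantine"):   # Response: stop the process
                endpoint.killed.append(event.process)
            if mode == "quarantine":             # and keep the evidence
                endpoint.quarantined.append(event.cmdline)
    return alerts


def egress_allowed(endpoint, destination):
    """An isolated endpoint may talk only to the console (phone home)."""
    return (not endpoint.isolated) or destination == CONSOLE
```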