July 11, 2023 | Cyber security education
With contributions from Libby Robinson and James Morgan.
Last updated: September 25, 2023
The cybersecurity industry should come with a glossary to cover all the acronyms it uses. We’ve talked about some of the more common terms in the past, but today we’re taking a closer look at three big detection and response technologies: managed detection and response (MDR), extended detection and response (XDR), and endpoint detection and response (EDR).
These three approaches to detection and response technologies are hot topics in the security sector and dominate a lot of conversation.
While closely related, there are several major differences—not to mention subtler nuances—that differentiate these approaches to security from one another. Without a clearer understanding of the actual outcomes each one provides, businesses may struggle to make an informed decision about the solution(s) they need to defend their operations and data.
MDR, XDR, and EDR share a lot of DNA, but the way they approach security can vary wildly. Let’s take a closer look at these three solutions to better understand their capabilities and potential benefits.
In this blog, you’ll learn about the capabilities, coverage, benefits, and limitations of MDR, XDR, and EDR.
Endpoint detection and response (EDR) focuses on securing endpoint devices—any device with connections to and from a network. Endpoints typically include laptop and desktop computers, smartphones, tablets, Internet-of-Things (IoT) devices, servers, and more.
EDR can be seen as an evolution of traditional endpoint protection (EPP), a classification-based form of threat detection. Classification-based detection is limited in what it can accomplish: endpoint solutions that rely on classification can only identify known threats by querying an existing database. This lets such solutions compare detected activity to a list of known threats and take automated action when they find a match.
Where modern EDR truly sets itself apart is with a greater focus on active monitoring and the ability to identify abnormal or suspicious activity—which may go beyond known threats—and react appropriately. For example, actions taken could include an active block, isolating a host, or escalating findings for further investigation. This is a stark contrast to classification-based detection because it adds a layer of intelligence to the system; classification-based detection requires previous experience or understanding of threats.
This makes EDR better suited to detecting and identifying unknown threats, such as advanced persistent threats (APTs). APTs are, as the name suggests, more sophisticated cyber threats that can go undetected for long periods of time.
EDR is all about endpoint visibility, giving teams more insight into what’s happening on an endpoint so they can quickly resolve threats as they arise.
EDR has a number of benefits that make it an appealing security tool. It offers visibility into activity on your endpoints, and since 70% of all breaches start with endpoints, this approach is highly valuable for security professionals.
EDR is focused on reviewing a broad set of information. As such, threats that would have evaded legacy EPP platforms, such as fileless malware attacks, can be detected. And like other tools, EDR can integrate with a larger solution like a security information and event management (SIEM) platform.
Yet the narrow focus on endpoint telemetry alone limits the amount of data available for analysis. Seen in isolation, abnormal endpoint activity paints an incomplete picture. Without context from what’s happening on the network or in the cloud, for example, it’s harder to determine what’s a genuine threat and what’s simply a false positive.
What’s more, when used as part of a SIEM, EDR solutions can also contribute to significant alert volume. Activity on endpoints would generate one set of notifications, while activity in the cloud (potentially from the same threat) creates another. The challenge of correlation means that dealing with the alerts can leave teams exhausted, exacerbating alert fatigue and potentially increasing employee turnover.
XDR’s origins come from the fact that looking through a single lens at an organization’s infrastructure simply doesn’t provide the coverage and visibility required to minimize the threat surface. Compromises can happen at the endpoint, network, and cloud, and through employees themselves.
EDR and some traditional MDR offerings are frequently seen as limited point solutions, addressing a single aspect within a network. XDR is a direct response to those limitations, pulling together detection and response capabilities for endpoints, networks, and cloud services in a single platform. XDR is often offered as software-as-a-service (SaaS), making it easier for businesses to access this technology.
In light of hybrid work environments, complex IT infrastructure, and increasingly sophisticated threats, XDR solutions promise to deliver relevant information and threat data so organizations can better protect their data and operations.
XDR solutions acknowledge that endpoint detection alone is not enough to protect modern IT infrastructure. Indicators of compromise don’t exhibit solely at the endpoints; abnormal traffic and traffic patterns through the network, and anomalous cloud activity can equally indicate trouble.
Beyond this, XDR provides a range of benefits for organizations:
XDR takes its broad approach to cyber threat monitoring by pulling together multiple pieces of technology to deliver greater insight into an IT environment—but even this approach has its drawbacks.
XDR solutions are often built in a disparate fashion—that is, each component hasn’t been cohesively developed from the ground up to ensure seamless interoperability. As a result, each piece of the platform may only be providing a snapshot of the bigger picture. Additionally, the footprint and CPU usage of the different pieces of technology can be significant.
This leads to considerable noise, too. Each tool in an XDR solution may be providing multiple alerts for the same issue. As mentioned above, suspicious activity in a cloud service and suspicious activity on an endpoint may be linked, but XDR solutions don’t always provide that context—which could mean the difference between preventing an attack or falling victim to one.
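As an added illustration (not code from the original post) of the correlation gap the preceding two paragraphs describe, this Python snippet takes a handful of constructed endpoint and cloud alerts and groups those that share a user and fall within a time window into a single incident. The alert records, host names and the 30-minute window are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample alerts: one threat that touches a laptop and the same
# user's cloud mailbox, plus an unrelated endpoint alert later in the day.
# All ids, hosts, users and titles are made up for this illustration.
ALERTS = [
    {"id": "ep-1", "source": "endpoint", "host": "lt-042", "user": "j.doe",
     "ts": "2023-07-11T09:02:00", "title": "Suspicious PowerShell from Office process"},
    {"id": "cl-1", "source": "cloud", "host": None, "user": "j.doe",
     "ts": "2023-07-11T09:05:30", "title": "Mailbox forwarding rule created"},
    {"id": "ep-2", "source": "endpoint", "host": "lt-042", "user": "j.doe",
     "ts": "2023-07-11T09:06:10", "title": "Credential access: LSASS memory read"},
    {"id": "ep-3", "source": "endpoint", "host": "srv-07", "user": "svc-backup",
     "ts": "2023-07-11T13:40:00", "title": "New scheduled task created"},
]

# Assumed correlation window: alerts for the same user within 30 minutes of the
# previous alert in an incident are treated as one incident.
WINDOW = timedelta(minutes=30)


def correlate(alerts, window=WINDOW):
    """Group alerts into incidents keyed on the user, the entity an endpoint
    alert and a cloud alert can have in common. Returns a list of incidents,
    each with the alert ids it absorbed and the set of sources that fed it."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: datetime.fromisoformat(a["ts"])):
        ts = datetime.fromisoformat(alert["ts"])
        for inc in incidents:
            if inc["user"] == alert["user"] and ts - inc["last_ts"] <= window:
                inc["alerts"].append(alert["id"])
                inc["sources"].add(alert["source"])
                inc["last_ts"] = ts
                break
        else:  # no open incident matched: start a new one
            incidents.append({"user": alert["user"], "alerts": [alert["id"]],
                              "sources": {alert["source"]}, "last_ts": ts})
    return incidents


if __name__ == "__main__":
    incidents = correlate(ALERTS)
    print(f"{len(ALERTS)} raw alerts -> {len(incidents)} incidents")
    for inc in incidents:
        print(inc["user"], sorted(inc["sources"]), inc["alerts"])
```

Without the grouping step, the analyst sees four separate notifications; with it, the three alerts belonging to the same user collapse into one cross-source incident and the unrelated server alert stands alone.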
As helpful as EDR and XDR can be for an organization, they’re not without challenges. Tools that simply compile activity data, whether from endpoints alone or other areas of your IT infrastructure, generate a wealth of data that requires further analysis. In turn, this increases workloads and requires an in-depth understanding of cybersecurity telemetry and processes. This is the challenge that managed detection and response seeks to address.
MDR is not a specific technology, but a managed service that packages the benefits of EDR and/or XDR into a convenient offering, helping offload some of the challenges of hiring cybersecurity professionals who have the experience needed to build an in-house security program.
As we’ve touched on, EDR and XDR generate significant amounts of information, requiring teams to parse greater volumes of alert data and determine what is a false positive and what is an actual threat. MDR takes this off a client’s plate, putting detection and response responsibilities in the hands of an experienced third-party security provider.
In many cases, MDR simply offers a services approach to traditional detection and response activities. Sometimes it’s packaged alongside a range of other security tools, such as a DNS firewall, network sensors, or cloud monitoring to better protect modern IT infrastructure.
The biggest benefit of MDR is the peace of mind it offers businesses. As a managed service, MDR frees up time for IT and security teams to focus on strategic initiatives that support business goals.
What’s more, a managed service may be more cost-effective and more accessible than building an in-house security team. By taking EDR capabilities and delivering them as a managed service, MDR providers can offer added benefits to their clients:
As useful as MDR products and services can be, not every provider offers the end-to-end defence a modern business requires. Some MDR solutions fail to account for network- or cloud-based threats, only offering visibility into a single set of data.
As explained above, MDR isn’t a single technology or tool, but a managed service approach to cybersecurity. With this in mind, buying an MDR solution from a managed service provider (MSP) means navigating its own set of terminology. There are three distinct classes of MDR to be aware of:
The prevalence of these three terms often means that companies in search of a solution are stuck trying to figure out what protections vendors will provide. The terms also contribute to the belief that a single technology will solve all security challenges. But you won't find the perfect solution in an acronym.
Instead, focus on the outcomes you need for your business. This includes things like the extent of coverage each solution provides, along with the expertise, qualifications, and services offered by the solution provider. You need protection that extends across every aspect of your IT infrastructure, delivering relevant and timely information along with the context needed to make informed decisions about your security posture.
The ideal approach to achieve that level of coverage requires carefully designed technology. Instead of layering multiple solutions on top of one another, look for a single solution that will help you consolidate your security tech stack while delivering the visibility you need. In short, look for a holistic cybersecurity solution, natively built to remove silos and enhance your protection.
Not sure where to start? Field Effect is here to help. Learn more about Covalence, our managed detection and response solution, to see what a holistic approach to cyber security would look like for your business.