Tuesday, May 10, 2022
BY: Team Nuspire
Detecting, defending against and responding to cyberattacks has always been a challenging job. The widespread shift to the cloud combined with increasingly hybrid work environments has further complicated it. Fortunately, detection and response solutions continually evolve to address dynamic cybersecurity needs.
That said, it’s easy to be confused by the plethora of acronyms in the “detect and respond” space. Let’s walk through three that are rightfully on the radar of today’s security professionals: EDR – endpoint detection and response, MDR – managed detection and response and XDR – extended detection and response.
Endpoint Detection and Response is the Foundation
The first of the core detection and response solution types focused on endpoints. Coined in 2013 by Gartner, endpoint detection and response (EDR) centers on providing security professionals with greater visibility into their endpoints. Endpoints can include laptops, desktops, mobile phones, tablets and more – and became a much larger focus when scores of people began working from home in 2020.
EDR works by collecting telemetry from each endpoint (process creation, file and registry changes, network connections and similar activity) and shipping it to a central store where it can be searched and matched against indicators of compromise (IOCs). Telemetry makes evidence of a threat observable, but the hard part is spotting and responding to the true threat in a mountain of data as quickly and efficiently as possible. Static IOC matching alone is not enough: it misses attacker tooling nobody has seen before and fires on stale indicators, so mature EDR also applies behavioural rules (for example, an Office application spawning a script interpreter) and correlates related events on the same host.
Without a single pane of glass across their tools, security professionals drown in disconnected alerts and develop alert fatigue. Even with a consolidated view, lean cybersecurity teams find it daunting to monitor and triage 24x7x365.
Managed Detection and Response is the Service
MDR enables organizations to address the dynamic, and increasingly sophisticated, nature of cybersecurity along with the talent shortage. This managed security service combines advanced threat detection technologies, finely tuned processes for monitoring them, and automation to quickly distill high volumes of data and focus attention on true threats.
In addition to these investments, MDR providers attract and retain highly skilled security experts who determine if and when a response is warranted. In other words, MDR relieves organizations of the responsibility for both visibility into threats and the remediation and response that a robust security practice requires.
Endpoint data makes up the majority of what an MDR service ingests. However, the most effective MDR services correlate telemetry from multiple data sources, such as endpoints (including mobile phones), networks, cloud platforms and security information and event management (SIEM) systems. Doing so provides a holistic picture that makes it possible to thwart attacks on endpoints, within networks and in the cloud.
Extended Detection and Response is the Platform
In 2018, XDR found its way into the cybersecurity lexicon. This platform ingests and correlates telemetry from a variety of sources, including cloud services, on-premises systems and devices, and applications. The "extended" in the name refers to extending detection and response beyond the endpoint, and XDR platforms expose built-in APIs so that tools such as SIEMs and other telemetry sources can be plugged in.
In fact, both XDR platforms and MDR services call upon much of the same technology and techniques to detect threats: SIEMs, threat hunting, monitoring, EDR, machine learning and AI, analytics and more. The key difference is that MDR is a service operated by a security provider, while XDR is a platform that pulls in different sources of telemetry, applies threat intelligence automatically and produces a comprehensive, extended view of your entire network environment.
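To make the detection and correlation described above concrete, here is a small added example (not code from the original post or from Nuspire) of what the core of an EDR/XDR pipeline does: it matches endpoint process telemetry against an IOC hash list and a behavioural rule, matches network DNS telemetry against an IOC domain list, and then correlates the hits per host so that a host with corroborating evidence from two sources inside a short window is ranked above a lone hit. All hashes, domains, hostnames and events are constructed for the example; the rule names and the five-minute window are assumptions, not a vendor's defaults.

```python
"""Toy EDR/XDR-style triage: match endpoint and network telemetry against
indicators of compromise, then correlate hits per host so that multi-source
evidence rises to the top of the analyst's queue.

All indicators, hashes, hostnames and events below are constructed for this
example and do not describe any real incident.
"""
from datetime import datetime, timedelta

# Constructed IOC feed (hypothetical values).
IOC_SHA256 = {"3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"}
IOC_DOMAINS = {"update-cdn.example-bad.net"}

# Behavioural rule: an Office application spawning a script interpreter is
# suspicious regardless of whether any hash is on an IOC list.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

BENIGN_HASH = "0e8b1a5d9f2c4b6e7a3d1c9f8e2b4a6d5c7e9f1a3b5d7c9e1f3a5b7d9c1e3f5a"

# Constructed endpoint telemetry (process-creation events).
ENDPOINT_EVENTS = [
    {"host": "ws-01", "ts": "2022-05-10T10:00:05", "process": "powershell.exe",
     "parent": "winword.exe", "sha256": BENIGN_HASH},
    {"host": "ws-01", "ts": "2022-05-10T10:00:40", "process": "svchost.exe",
     "parent": "powershell.exe", "sha256": next(iter(IOC_SHA256))},
    {"host": "ws-02", "ts": "2022-05-10T11:15:00", "process": "tool.exe",
     "parent": "explorer.exe", "sha256": next(iter(IOC_SHA256))},
    {"host": "ws-03", "ts": "2022-05-10T09:30:00", "process": "chrome.exe",
     "parent": "explorer.exe", "sha256": BENIGN_HASH},
]

# Constructed network telemetry (DNS queries seen by a sensor or resolver).
NETWORK_EVENTS = [
    {"host": "ws-01", "ts": "2022-05-10T10:01:30", "query": "update-cdn.example-bad.net"},
    {"host": "ws-03", "ts": "2022-05-10T09:00:00", "query": "update-cdn.example-bad.net"},
    {"host": "ws-02", "ts": "2022-05-10T11:16:00", "query": "www.example.com"},
]


def _alert(source, event, rule, detail):
    return {"source": source, "host": event["host"],
            "ts": datetime.fromisoformat(event["ts"]), "rule": rule, "detail": detail}


def endpoint_alerts(events):
    """Apply the IOC-hash and behavioural rules to endpoint events; one alert per rule hit."""
    alerts = []
    for e in events:
        if e["sha256"] in IOC_SHA256:
            alerts.append(_alert("endpoint", e, "ioc_hash", e["process"]))
        if e["parent"] in OFFICE_PARENTS and e["process"] in SCRIPT_HOSTS:
            alerts.append(_alert("endpoint", e, "office_spawns_script",
                                 f"{e['parent']} -> {e['process']}"))
    return alerts


def network_alerts(events):
    """Flag DNS queries for domains on the IOC list."""
    return [_alert("network", e, "ioc_domain", e["query"])
            for e in events if e["query"] in IOC_DOMAINS]


def _cross_source_within(hits, window):
    """True if two alerts from different sources on the same host fall within the window."""
    return any(a["source"] != b["source"] and abs(a["ts"] - b["ts"]) <= window
               for a in hits for b in hits)


def correlate(alerts, window=timedelta(minutes=5)):
    """Group alerts by host. A host with corroborating endpoint AND network
    evidence inside the window becomes a high-severity incident; a lone hit
    stays medium, so the analyst looks at corroborated activity first."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    incidents = []
    for host, hits in by_host.items():
        hits.sort(key=lambda a: a["ts"])
        severity = "high" if _cross_source_within(hits, window) else "medium"
        incidents.append({"host": host, "severity": severity,
                          "sources": sorted({a["source"] for a in hits}),
                          "rules": [a["rule"] for a in hits]})
    incidents.sort(key=lambda i: (i["severity"] != "high", i["host"]))
    return incidents


def triage():
    """Run the whole pipeline over the constructed telemetry."""
    return correlate(endpoint_alerts(ENDPOINT_EVENTS) + network_alerts(NETWORK_EVENTS))


if __name__ == "__main__":
    for inc in triage():
        print(f"{inc['severity']:6} {inc['host']} {inc['sources']} {inc['rules']}")
```

Run as a script, the pipeline ranks ws-01 first: an Office-spawned PowerShell, a child process with a known-bad hash and a DNS query to a known-bad domain, all within 90 seconds. The hash hit on ws-02 and the DNS hit on ws-03 remain single-source alerts; each could be a stale indicator or a user mistyping a URL, which is exactly the kind of noise an analyst, or an MDR provider, has to triage rather than act on blindly.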
Why MDR and XDR Are Best Paired
While any organization can deploy an XDR platform, the XDR platform works best in concert with MDR services. Yes, XDR provides expanded visibility into threats across the security environment: network, endpoint and cloud. However, organizations must still contend with:
- Correlating and enriching potential threat data with expert analysis
- Potentially missing significant events in the stream of false-positive alerts
- Identifying true threats, and then triaging, investigating and responding to them
Simply put, organizations with the necessary resources can use an XDR platform to gain visibility into threats across their IT environment. However, they will still need to handle monitoring, detection and response themselves, against a constantly changing set of complex cybersecurity threats. Organizations that lack in-house expertise for these vital functions are best served by an MDR service. An MDR provider can work with the organization's XDR platform or its own to provide the most complete view of the organization's security posture and address threats in real time.
In summary, an MDR provider can:
- Customize an XDR platform for an organization’s needs
- Correlate the most important security telemetry
- Enrich it with third-party and aggregated customer threat intelligence
- Provide visibility into the threat landscape in a single dashboard
- Respond in real time to ever-evolving threats