This article is by Featured Blogger Michelle Drolet from her Blog Page. Republished with the author’s permission.
Navigating the vendor landscape is a challenge for many IT departments, especially when looking at detection and response solutions, since the cybersecurity industry is overly reliant on acronyms. This paper is designed to clarify detection and response solution categories, providing its readers with a solid foundation of knowledge.
EDR, MDR and XDR are three emerging endpoint security technologies built to provide greater visibility, threat detection, and response across all corporate endpoints.
With today’s dispersed workforce, and as much as 70% of all breaches still originating on the endpoint, it is important for IT teams to increase both their visibility and their ability to remediate remotely. Often the biggest hurdle is understanding what each solution provides, especially when terminology varies from vendor to vendor. Let’s dive into each of these tools separately, so that we can better understand their capabilities:
Endpoint Detection and Response (EDR)
Traditional endpoint security is reactive and detects potential security threats by matching known signatures and attack patterns. EDR on the other hand is predictive and focuses on identifying advanced persistent threats and never-before-seen malware that are designed to evade traditional security defenses. Most EDR solutions leverage the combined power of cyber threat intelligence, machine learning capabilities, and advanced file analysis to help detect advanced threats.
EDR solutions record and store queries, behaviors, and security events, allowing cybersecurity teams to detect and analyze suspicious activities over time. In the event of a breach or detection, EDR will contain the malware by isolating it, and will understand its behavior by detonating the malicious file in a safe environment (i.e., a sandbox). EDR will also help conduct an extensive root cause analysis and aid with faster incident response.
Gartner predicts that by the end of 2023, more than half of all enterprises will have replaced legacy endpoint security software with EDR solutions.
Extended Detection and Response (XDR)
XDR is a more evolved, holistic, cross-platform approach to endpoint detection and response. While EDR collects and correlates activities across multiple endpoints, XDR broadens the scope of detection beyond endpoints and analyzes data across endpoints, networks, servers, cloud workloads, SIEM, and much more. This provides a unified, single-pane-of-glass view across multiple tools and attack vectors. Out-of-the-box integrations and pre-tuned detection mechanisms across multiple different products and platforms help improve productivity, threat detection and forensics.
XDR sifts through thousands of log entries by leveraging the power of artificial intelligence, machine learning, and automation. XDR’s goal is to provide accurate, context-rich alerts to security teams. While XDR is in its early stages of adoption, some believe XDR could disrupt the security industry.
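As an added illustration (not code from the original post or from any vendor’s product), the Python sketch below contrasts the endpoint-only view the article attributes to EDR with the cross-source correlation it attributes to XDR. The telemetry, field names, hosts and thresholds are constructed assumptions for this example only.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data. Field names are assumptions
# chosen for this illustration, not any vendor's schema.
ENDPOINT_EVENTS = [  # EDR-style process telemetry from the endpoint agent
    {"ts": datetime(2023, 5, 1, 9, 0, 5), "host": "ws-17", "user": "alice",
     "process": "updater.exe", "signed": True},
    {"ts": datetime(2023, 5, 1, 9, 2, 10), "host": "ws-17", "user": "alice",
     "process": "svc_helper.exe", "signed": False},
    {"ts": datetime(2023, 5, 1, 9, 3, 0), "host": "ws-22", "user": "bob",
     "process": "outlook.exe", "signed": True},
]
NETWORK_EVENTS = [  # flow records from a network sensor, a second data source
    {"ts": datetime(2023, 5, 1, 9, 2, 40), "host": "ws-17",
     "dst": "203.0.113.9", "dst_port": 443, "bytes_out": 48_000_000},
    {"ts": datetime(2023, 5, 1, 9, 40, 0), "host": "ws-17",
     "dst": "198.51.100.4", "dst_port": 443, "bytes_out": 12_000},
    {"ts": datetime(2023, 5, 1, 9, 3, 30), "host": "ws-22",
     "dst": "198.51.100.4", "dst_port": 443, "bytes_out": 9_000},
]


def endpoint_alerts(events):
    """EDR-style view: flag unsigned executables using endpoint context only."""
    return [e for e in events if not e["signed"]]


def correlate(alerts, network_events, window=timedelta(minutes=5)):
    """XDR-style view: join each endpoint alert with flows from the same host
    seen within `window` after the process started, and rate the result."""
    enriched = []
    for alert in alerts:
        related = [n for n in network_events
                   if n["host"] == alert["host"]
                   and alert["ts"] <= n["ts"] <= alert["ts"] + window]
        bytes_out = sum(n["bytes_out"] for n in related)
        # Assumed threshold for the illustration: a large outbound transfer
        # shortly after an unsigned process starts raises the severity.
        if bytes_out > 10_000_000:
            severity = "high"
        elif related:
            severity = "medium"
        else:
            severity = "low"
        enriched.append({**alert, "related_flows": related, "severity": severity})
    return enriched


if __name__ == "__main__":
    for a in correlate(endpoint_alerts(ENDPOINT_EVENTS), NETWORK_EVENTS):
        print(a["host"], a["process"], a["severity"],
              [f["dst"] for f in a["related_flows"]])
```

The endpoint-only alert knows just that an unsigned binary ran; the correlated alert adds the destination and volume of the traffic that followed, which is the kind of context the article says XDR is meant to supply.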
Managed Detection and Response (MDR)
MDR is not a technology, but a form of managed service, sometimes delivered by a trusted MSSP (managed security service provider). MDR provides great value to organizations that either have limited resources or lack the expertise to continuously monitor potential attack surfaces. MDR services are not defined by technology, but instead by specific security goals and outcomes. MDR providers usually include a host of cybersecurity tools such as endpoint detection, SIEM, network traffic analysis, User and Entity Behavior Analytics (UEBA), asset discovery, vulnerability management, intrusion detection, and cloud security.
Gartner estimates that in four years 50% of organizations will use MDR, and there are several reasons why this is the case:
- Widening talent shortage and skills gap: 76% of cybersecurity leaders confirm that they are unable to use technologies to their full advantage due to a global talent crunch.
- Cybersecurity teams are understaffed and overworked: After months of budget cuts, layoffs and resources being diverted to business continuity, IT departments are understaffed and overworked.
- Widespread alert fatigue: Per IDC research, security analysts are becoming less productive due to “alert fatigue” (too many notifications and false positives from security applications and devices). This results in distraction, ignored alerts, increased stress and fear of missing incidents. Twenty-eight percent of alerts are simply never addressed, when ideally they should be studied.
MDR services ensure you have committed access to cybersecurity experts around the clock. In the absence of MDR, most IT teams will rely on email alerts and attempt to clean up the affected systems using legacy tools.
MDR is a service, not a technology, with vendors typically taking one of two approaches (or offering the flexibility of both, with a playbook created as part of the onboarding process). These two options are: 1) the MDR vendor acting on the customer’s behalf, or 2) the MDR vendor notifying and guiding your in-house IT team through the containment and remediation process.
Navigating the vendor landscape can be a challenge. With available solutions evolving alongside the threat landscape, a reliance on acronymous naming conventions, and varying functionality, it is helpful to have an overview of each option.
About the Author
Michelle Drolet is CEO of Towerwall, a specialized cybersecurity firm offering compliance and professional cybersecurity solutions, with clients such as Foundation Medicine, Boston College and Middlesex Savings Bank. Founded in 1999 in Framingham, MA, Towerwall focuses exclusively on providing small to mid-size businesses with customized cybersecurity technology programs. Reach her at firstname.lastname@example.org.