Endpoint Detection & Response (EDR), Managed Detection & Response (MDR), and Extended Detection & Response (XDR) are hot topics right now. And there's a good reason why.
With cyberattacks at an all-time high, the legacy security tools you’ve used for decades (antivirus, spam filters, firewalls) are no longer sufficient on their own. As attackers find ways around these common protections, the pressure to add further security controls grows from both directions: internally, as your own exposure increases, and externally, as an organization’s clients, insurers and regulators raise their standards.
For a lot of organizations, their first interaction with EDR and its relatives will be seeing it listed as a new requirement for their cyber liability insurance, or under a regulated industry’s latest compliance standards. But EDR, MDR, and XDR have been around for a while, developing over time as cybersecurity gets more complicated.
"What's the difference?"
Keep reading to learn more about these “Detection & Response” tools, what each term means, why you’ve been hearing about them more often recently, and why Mytech Partners includes detection & response functions in its managed IT services agreement.
Endpoint Detection & Response (EDR)
Endpoint Detection & Response is a security tool that tracks the ongoing activity of a device such as a laptop, desktop or server, recording the events that occur on it: a process starting, a file being created or moved, a command being executed, a website being accessed. Each of these actions leaves a trail of evidence (telemetry), and EDR records that evidence, analyzes it for suspicious patterns, and reports on what it finds.
Why is that useful? Well, let’s say you open a malicious email attachment and it quietly alters your device, creating a small foothold (for example, a script that runs every time you log in) so the attacker can come back later and do further damage, such as encrypting your data in a ransomware attack. Without a detection tool like EDR, you would have no idea that this “casing the joint” was happening through the foothold on your device: the first sign of trouble could come days, weeks, or months later, when the attacker finally strikes. By then, it’s too late to prevent the damage.
But with EDR, you have a chance to catch that initial compromise in the moment. Because it watches what a process does rather than only what a file looks like, EDR can flag behaviour that antivirus would let through, such as a Word document launching a hidden PowerShell session, and alert you to an indicator of compromise (IoC) before the attacker moves on to the full-scale attack. And EDR doesn’t just tell you that something is wrong: it gives you the specifics of the IoC, which process was responsible, what was changed and when, so you can target your response and contain the incident before it spreads.
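To make the “trail of evidence” and the “specifics” concrete, here is an added example (not Mytech’s tooling or any vendor’s EDR product) of the kind of logic an EDR agent applies. It runs four behavioural rules over a constructed stream of endpoint events that follows the malicious-attachment story above, walks the process tree to show which document started the chain, and ends with a toy Respond step that isolates the host. The event format, host name, user and rule names are all assumptions made for the example.

```python
"""Toy EDR-style detection over constructed endpoint telemetry.

Added example, not Mytech's tooling or any vendor's EDR agent. The event
shape (dicts with ts/host/type/pid/...), the host name WS-017, the user jdoe
and the four rules are assumptions chosen to mirror the "malicious attachment"
story above; a real agent collects far richer telemetry and has many more rules.
"""
from dataclasses import dataclass

# Constructed sample telemetry from one workstation. The first five events are the
# attack chain (attachment opens -> hidden PowerShell -> two persistence writes ->
# outbound beacon); the last two are ordinary user activity that must NOT alert.
EVENTS = [
    {"ts": "2024-05-02T09:14:03", "host": "WS-017", "type": "process", "pid": 4120, "ppid": 3988,
     "image": "WINWORD.EXE", "parent_image": "OUTLOOK.EXE",
     "cmdline": "WINWORD.EXE /n Invoice_4471.docm"},
    {"ts": "2024-05-02T09:14:09", "host": "WS-017", "type": "process", "pid": 4510, "ppid": 4120,
     "image": "powershell.exe", "parent_image": "WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc <constructed-base64-omitted>"},
    {"ts": "2024-05-02T09:14:11", "host": "WS-017", "type": "file_write", "pid": 4510,
     "path": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.vbs"},
    {"ts": "2024-05-02T09:14:12", "host": "WS-017", "type": "registry_set", "pid": 4510,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater",
     "data": "powershell.exe -w hidden -File C:\\Users\\jdoe\\AppData\\Roaming\\svc.ps1"},
    {"ts": "2024-05-02T09:14:15", "host": "WS-017", "type": "network", "pid": 4510,
     "dest": "203.0.113.25:443"},
    {"ts": "2024-05-02T09:20:40", "host": "WS-017", "type": "process", "pid": 5002, "ppid": 3100,
     "image": "chrome.exe", "parent_image": "explorer.exe", "cmdline": "chrome.exe"},
    {"ts": "2024-05-02T09:21:02", "host": "WS-017", "type": "file_write", "pid": 5002,
     "path": "C:\\Users\\jdoe\\Downloads\\report.pdf"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
AUTOSTART_PATH_FRAGMENT = "\\start menu\\programs\\startup\\"
AUTOSTART_KEY_FRAGMENT = "\\microsoft\\windows\\currentversion\\run"


@dataclass(frozen=True)
class Alert:
    rule: str       # which behaviour fired
    severity: str   # "high" or "medium"
    ts: str         # when it happened
    host: str
    pid: int        # the process responsible
    detail: str     # what was changed, so a responder can act on it


def detect(events):
    """Apply behavioural rules to raw events; returns alerts in event order."""
    alerts = []
    for e in events:
        kind = e["type"]
        if kind == "process":
            image, parent = e["image"].lower(), e["parent_image"].lower()
            cmd = e.get("cmdline", "")
            # Office documents have no business launching script interpreters.
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                alerts.append(Alert("office_spawns_script_host", "high", e["ts"], e["host"], e["pid"],
                                    f"{e['parent_image']} (pid {e['ppid']}) launched: {cmd}"))
            # Encoded or hidden-window PowerShell is a classic loader pattern.
            if image in {"powershell.exe", "pwsh.exe"} and ("-enc" in cmd.lower() or "-w hidden" in cmd.lower()):
                alerts.append(Alert("encoded_or_hidden_powershell", "medium", e["ts"], e["host"], e["pid"], cmd))
        elif kind == "file_write" and AUTOSTART_PATH_FRAGMENT in e["path"].lower():
            alerts.append(Alert("autostart_file_write", "high", e["ts"], e["host"], e["pid"],
                                f"wrote {e['path']}"))
        elif kind == "registry_set" and AUTOSTART_KEY_FRAGMENT in e["key"].lower():
            alerts.append(Alert("run_key_persistence", "high", e["ts"], e["host"], e["pid"],
                                f"set {e['key']}\\{e['value']} = {e['data']}"))
    return alerts


def process_lineage(events, pid):
    """Walk ppid links back to the root, so an alert on the PowerShell process is
    attributed to the Word document that started it (the 'specifics' EDR gives you)."""
    parents = {e["pid"]: (e["ppid"], e["image"]) for e in events if e["type"] == "process"}
    chain = []
    while pid in parents:
        ppid, image = parents[pid]
        chain.append(f"{image}({pid})")
        pid = ppid
    return " <- ".join(chain)


def respond(alerts):
    """Toy Respond step: isolate every host with a high-severity alert and list the
    persistence artifacts to remove. Returns planned actions instead of executing them."""
    actions = [("isolate_host", h) for h in sorted({a.host for a in alerts if a.severity == "high"})]
    actions += [("remove_artifact", a.detail) for a in alerts
                if a.rule in ("autostart_file_write", "run_key_persistence")]
    return actions


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.ts} {a.host} {a.rule}: {a.detail}")
        print(f"        lineage: {process_lineage(EVENTS, a.pid)}")
    for action in respond(found):
        print("ACTION", action)
```

Running it prints four alerts, all attributed to pid 4510 and traced back to `WINWORD.EXE(4120)`, followed by an `isolate_host` action and the two persistence artifacts to remove. The benign browser activity produces nothing. That is the whole value proposition of the section above in miniature: not “something is wrong”, but which process, what it changed, and when.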
Managed Detection & Response (MDR)
“But wait,” you might be saying, “I don’t have the resources to put together a ‘security response’! I don’t even have a dedicated in-house IT team!” That’s where Managed Detection & Response (MDR) comes in: this “as a Service” offering bundles EDR tooling with an ongoing security team that is trained to interpret the signals those tools produce, investigate the alerts, and respond to them.
This model can be very useful for small and medium-sized businesses that don’t have their own IT security staff but still want to improve their cybersecurity. Smaller organizations might struggle to actually do anything with the information that an EDR tool provides, like getting a medical diagnosis without any explanation or treatment plan. MDR, which Mytech provides in our managed IT services agreement, supplies that expertise and explanation, and takes action to remediate an active risk or IoC before it can become a full-blown security incident.
Extended Detection & Response (XDR)
More recently, this push for detection & response tools has produced a newer offering: Extended Detection & Response (XDR), which “extends” beyond individual endpoints such as laptops, desktops, and servers. Rather than watching for indicators of compromise (IoCs) on endpoints alone, XDR consolidates telemetry from other parts of your environment as well, including cloud data, network devices, and third-party data sources, into one place.
XDR aims to be a single view for tracking status, issues, and alerts from multiple security tools. Its proponents argue that receiving disjointed information from multiple sources makes you more likely to miss something, and that XDR bridges that gap by correlating the information into a single comprehensible stream.
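The consolidation step described above, as an added example (not Mytech’s tooling or any XDR vendor’s product): three constructed inputs in different native formats, an EDR alert, a firewall log line and a cloud sign-in record, are normalised into one event shape, ordered into a single timeline, and correlated so that what each tool saw in isolation becomes one scored incident. The field names, asset inventory, user directory and IP addresses are assumptions for the example.

```python
"""Toy XDR-style consolidation: three telemetry sources normalised into one timeline
and correlated into a single incident.

Added example, not Mytech's tooling or any vendor's XDR product. The input formats
(an EDR alert dict, a firewall syslog-style line, a cloud sign-in audit record as
JSON), the asset inventory, the user directory and the office egress IP are all
constructed for illustration; field names are assumptions, not any product's schema.
"""
import json
import re
from datetime import datetime, timedelta

# --- constructed inputs, each in its source's own shape ---
EDR_ALERTS = [
    {"ts": "2024-05-02T09:14:15", "host": "WS-017", "user": "jdoe",
     "rule": "outbound_from_script_host", "dest_ip": "203.0.113.25"},
]
FIREWALL_SYSLOG = [
    "2024-05-02T09:14:15 fw01 ALLOW src=10.0.5.17 dst=203.0.113.25 dport=443 proto=tcp",
    "2024-05-02T09:16:02 fw01 ALLOW src=10.0.5.40 dst=192.0.2.10 dport=443 proto=tcp",
]
CLOUD_SIGNINS = [
    '{"CreationTime": "2024-05-02T09:31:50", "UserId": "jdoe@example.com", '
    '"Operation": "UserLoggedIn", "ClientIP": "198.51.100.77", "ResultStatus": "Success"}',
]
# Inventory and directory data (the "Identify" side) that lets events from different
# tools be tied to the same machine or person.
ASSET_BY_IP = {"10.0.5.17": "WS-017", "10.0.5.40": "WS-022"}
HOST_OWNER = {"WS-017": "jdoe", "WS-022": "asmith"}
USER_BY_UPN = {"jdoe@example.com": "jdoe"}
KNOWN_EGRESS_IPS = {"198.51.100.10"}   # the office's public IP; sign-ins from it are expected

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>\w+) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def normalise(edr_alerts, fw_lines, cloud_records):
    """Map each source into one common event shape and return them in time order."""
    events = []
    for a in edr_alerts:
        events.append({"ts": datetime.fromisoformat(a["ts"]), "source": "edr", "host": a["host"],
                       "user": a["user"], "ip": a["dest_ip"],
                       "summary": f"EDR {a['rule']} -> {a['dest_ip']}"})
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than guess at its fields
        host = ASSET_BY_IP.get(m["src"])
        events.append({"ts": datetime.fromisoformat(m["ts"]), "source": "firewall", "host": host,
                       "user": HOST_OWNER.get(host), "ip": m["dst"],
                       "summary": f"{m['fw']} {m['action']} {m['src']} -> {m['dst']}:{m['dport']}"})
    for raw in cloud_records:
        r = json.loads(raw)
        events.append({"ts": datetime.fromisoformat(r["CreationTime"]), "source": "cloud", "host": None,
                       "user": USER_BY_UPN.get(r["UserId"], r["UserId"]), "ip": r["ClientIP"],
                       "summary": f"{r['Operation']} {r['ResultStatus']} from {r['ClientIP']}"})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=30)):
    """For every EDR alert, gather the other sources' evidence that belongs to the same
    machine or user within the window. One incident per alert, scored by evidence count."""
    incidents = []
    for alert in [e for e in events if e["source"] == "edr"]:
        evidence = [alert["summary"]]
        for e in events:
            if e is alert or not (timedelta(0) <= e["ts"] - alert["ts"] <= window):
                continue
            if e["source"] == "firewall" and e["host"] == alert["host"] and e["ip"] == alert["ip"]:
                evidence.append(f"firewall corroborates: {e['summary']}")
            elif e["source"] == "cloud" and e["user"] == alert["user"] and e["ip"] not in KNOWN_EGRESS_IPS:
                evidence.append(f"cloud sign-in for {e['user']} from unexpected IP: {e['summary']}")
        incidents.append({"host": alert["host"], "user": alert["user"],
                          "evidence": evidence, "score": len(evidence)})
    return incidents


if __name__ == "__main__":
    timeline = normalise(EDR_ALERTS, FIREWALL_SYSLOG, CLOUD_SIGNINS)
    for e in timeline:
        print(f"{e['ts'].isoformat()} [{e['source']:8}] host={e['host']} user={e['user']} {e['summary']}")
    for inc in correlate(timeline):
        print(f"\nincident on {inc['host']} ({inc['user']}), score {inc['score']}:")
        for line in inc["evidence"]:
            print("  -", line)
```

The interesting part is the join keys: the firewall only knows an internal IP, the cloud service only knows an e-mail address, and the EDR knows a host name and a local user. Without the inventory and directory mappings none of the three records can be placed on the same timeline, which is why the consolidation an XDR promises depends as much on the Identify function as on the tools themselves.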
XDR is newer and less established than EDR and MDR. Some organizations tout it as the next big critical safeguard; others think it’s mostly a buzzword with little practical benefit. Mytech deploys multiple cybersecurity controls, but we don’t believe XDR in its current state would contribute meaningfully to our existing monitoring and alerting tools. As XDR capabilities develop, this could certainly change in the future, and we frequently evaluate the benefits of new additions to our security strategy.
"Why do I even need these 'Detection & Response' tools?"
EDR, MDR, and XDR can meet a lot of security needs that can't be solved by legacy solutions like antivirus. But does that truly make them necessary? Wouldn’t it be better to invest more heavily in preventing unauthorized access in the first place rather than relying on a different tool to clean up afterwards?
As it turns out, protection is only one of the core functions of cybersecurity, and protection cannot stand alone.
The five core functions of cybersecurity
To understand the value of tools like EDR, it helps to know a bit more about the different areas of a security strategy. The NIST Cybersecurity Framework defines five core functions (version 2.0 of the framework, published in 2024, adds a sixth, Govern, covering oversight and risk management; the five operational functions below are the ones that matter for this discussion). In a nutshell, each is designed to cover a different aspect of your defense:
- Identify – track your assets and vulnerabilities
- Protect – prevent malicious access
- Detect – catch anything that gets through
- Respond – react when an incident happens
- Recover – get back on track afterwards
Think about the legacy cybersecurity tools you’ve used for decades: antivirus, spam filters, firewalls. All of them serve a single function of that framework: Protect. If you haven’t invested in the other functions, it doesn’t matter how good your Protect function is: when something inevitably slips past it, you have no further line of defense.
It’s like a high-security building. The most obvious physical safeguards are clear: locked doors, keycards, security staff. But there are plenty of other less obvious security tools: alarms that react to intruders, cameras that record high-value areas continuously, even systems that can automatically lock doors or call emergency services.
Just like a high-security building, you need to build your cybersecurity strategy around more than locking the front doors. Tools like EDR are part of that next step, because they don’t simply Protect you against unwanted access: they Detect signs of an intruder, and they can Respond, for example by “locking the doors” on an affected device (network isolation, which typically cuts the device off from everything except the EDR console) so the attack is contained before it reaches the rest of your network.
Thinking beyond locking the front doors
In a perfect world, our first lines of defense would work perfectly. Unfortunately that’s not the world we live in: attacks are getting more sophisticated, no matter your organization’s size (read our blog “It’s a Net, not a Harpoon | Why Ransomware Threatens Even the Smallest Businesses”). Legacy solutions that protect you against unauthorized access are still an essential factor in your cybersecurity, but attackers will keep innovating ways around them in an endless cybersecurity arms race. It’s no longer a matter of if you’ll experience a cybersecurity incident, but when.
However, that doesn’t mean you should just give up and stop trying to protect yourself! By shoring up your current legacy defenses with proven modern solutions like EDR or MDR, you can improve your organization’s resiliency against attack, and increase your own peace of mind in an ever-changing cybersecurity world.