The cybersecurity industry is notorious for coining terms and acronyms that rise and fall out of favor before they even have a chance to be fully understood. We get it – rapid innovation can be messy and lead to confusion and clutter. While it’s exciting and encouraging to see so many solution providers invent new solutions and improve upon others, resulting in new concepts, sometimes all of this terminology is honestly just an effort to stand out from the crowd. As a result, business and IT leaders are left wondering what cybersecurity solutions they truly need, which ones are redundant, and which ones are complementary.
So, this is Netsurion’s effort to clear the air, to help you separate fact from fiction, and ultimately make the best choice in cybersecurity solutions for your organization.
MDR has been a hot term in recent years. Managed Detection and Response (MDR) is actually missing a word. That assumed word is “threat”, as in managed threat detection and response. Some argue that the missing word is “endpoint”, but that gets into EDR, which yes, could be delivered as a managed service…but we’ll get into that later.
What exactly constitutes MDR? MDR isn’t a technology – it’s a service. What makes MDR unique is its focus on leveraging technology and expertise to continuously monitor IT assets, to quickly detect and effectively respond to true cybersecurity threats.
The technology behind an MDR service can include an array of options, and this is an important thing to understand when evaluating MDR providers. The technology stack behind the service determines the scope of attacks the service is able to detect. Cybersecurity is about “defense-in-depth” – having multiple layers of protection to counter the multiple attack vectors possible. Various technologies are used to provide more complete visibility and thus more complete detection and response capabilities. To name a few, the technologies behind an MDR service can include:
- SIEM (Security Information and Event Management)
- NTA (Network Traffic Analysis)
- EPP (Endpoint Protection Platform)
- IDS (Intrusion Detection System)
If MDR is about managed threat detection and response, what is EDR? EDR stands for endpoint detection and response. Again, the word “threat” is missing, as the name of the game isn’t detecting that endpoints exist; the term is sometimes, less commonly but more correctly, written as ETDR. The difference between MDR and EDR is scope. EDR is focused on threat detection and response on the endpoint environment specifically. This means that EDR is focused on activity on the device as opposed to on the network – think laptops, servers, and critical business devices like POS systems.
To better understand what EDR is and is not, you first have to realize that “detection and response” are only two elements of the Predict, Prevent, Detect, and Respond cybersecurity framework. For full disclosure, in true cybersecurity fashion of having competing and overlapping terminology, this is very similar to the NIST Cybersecurity Framework’s five functions of: identify, protect, detect, respond, recover. But stay with me, let’s understand this in light of the Predict, Prevent, Detect, and Respond framework.
EDR deals with threats that have gotten past the Predict and Prevent functions. That is very important, yes, but it is not a complete endpoint protection platform. Which brings us to our next term – EPP.
EPP stands for endpoint protection platform. Don’t worry about the introduction of the term “platform” at this point, as that can start a whole other nerd fight here. Rather, focus on the term “protection”. While EDR focuses on detecting and responding to endpoint threats, EPP is more complete in that it covers the four cybersecurity functions of Predict, Prevent, Detect, and Respond while still being solely focused on the endpoint environment. As such, EPP solutions to various degrees may encompass EDR. But the devil is in the details. What’s important to note is since no EPP is 100% effective, you must ask what detection and response you have in place for attacks that evade the prevention controls.
Speaking of prevention, EPP is increasingly replacing basic prevention solutions like anti-virus and anti-malware, which are only effective to various degrees and only against known threats. More advanced EPP solutions leverage Artificial Intelligence (AI) to increase the ability to thwart unknown or zero-day attacks, or even fileless attacks that leave no signature-based footprint.
MDR is a managed cybersecurity service backed by various technologies to provide a range of threat detection and response capabilities that mitigate the damage caused by cyber attacks that evade prevention controls. The layers of technology employed, together with the vigilance and expertise of the staff, determine how truly effective an MDR provider can be.
EDR is similar in purpose but focused on endpoint environments only. EDR solutions may be technology-only or a managed service – as in Managed EDR. I apologize now for adding that term to the mix.
EPP is a more comprehensive protection covering the lifecycle of a threat, from prediction and prevention to detection and response. However, how effective it is on each of those four functions varies from vendor to vendor.
No, we’re not gaslighting you. We have another detection and response term. The “X” in XDR conveys the concept of threat detection and response across multiple security controls – considering both endpoint and network activity. Yes, endpoint and network threat detection and response is a natural evolution, or perhaps convergence, of several solutions, primarily SIEM and EPP. You may begin to see more buzz around XDR, but in reality, it’s a useful term to denote that a solution is capable of aggregating and correlating telemetry from many security controls to more holistically defend the IT infrastructure. Just remember that this term alone does not encapsulate which specific controls are included. Nor does it imply that the solution is managed by a Security Operations Center (SOC) team.
But that’s not all. What’s an MSSP? A Managed Security Service Provider is broader in nature and refers to an organization (people + technology), not a single service. While MDR, which focuses on active threat detection and response, is a service many MSSPs deploy, an MSSP is also concerned with centralized log management for compliance reporting and investigative reports. An MSSP should also have a robust, fully staffed SOC equipped with technology – typically a SIEM-based platform – and a range of cybersecurity experts including security platform administrators, security analysts, malware analysts, a threat intelligence lab, and incident response analysts. Generally speaking, an MSSP has the wherewithal to bring MDR, EDR, and EPP functionality to bear in a complete package. This may be ideal for resource-strapped IT teams that must focus on more than just cybersecurity and want the confidence of knowing a team of experts with the right tools is watching their back.