Explaining EDR vs MDR
Start with Endpoint Detection and Response (EDR). Anecdotally, when clients on engagements were asked which endpoint-protection capability they had most recently added or planned to implement next, many named EDR.
Alongside EDR, another trend is growing quietly but quickly: managed detection and response (MDR). The two terms look similar, but they differ in important ways; EDR is a product category, while MDR is a service.
EDR to MDR
EDR agents record process, file, network, and user activity on the endpoints and store that telemetry in a queryable form, so security teams can detect and investigate suspicious activity. This lets the team go beyond simple indicators of compromise and get detailed visibility into what is actually happening on each machine. Once an attack is discovered, customers want to know what the root cause was and how it spread; EDR telemetry is what answers those questions.
EDR also lets the IT team answer questions and resolve issues faster. Imagine the team needs to know how many devices run a particular vulnerable version of a piece of software, or which devices have contacted a known-bad domain: with EDR telemetry that is a query against the data store rather than a manual survey of every machine.
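As an added example (not code from the article or from any EDR vendor), the Python below runs exactly those questions over a constructed JSON-lines telemetry export: which hosts run a vulnerable build, which hosts resolved a known-bad domain, the parent-process chain behind a suspicious process (the root cause), and how the intrusion spread between hosts through remote logons. The event schema, host names, product, domains, and users are all invented for the example; real EDR platforms expose the same telemetry through their own query languages.

```python
"""Constructed EDR-style hunt: an added example, not code from the article
or any EDR vendor. The event schema (inventory, process, dns, logon) and
every record below are invented for this example."""
from collections import defaultdict
import json

# Constructed telemetry export: one JSON event per line, as an EDR data
# store might return it. Hosts, products, domains and users are fictional.
TELEMETRY = """\
{"ts": 100, "host": "ws-01", "type": "inventory", "product": "archiver", "version": "7.0.1"}
{"ts": 100, "host": "ws-02", "type": "inventory", "product": "archiver", "version": "7.2.0"}
{"ts": 100, "host": "srv-01", "type": "inventory", "product": "archiver", "version": "6.9.5"}
{"ts": 101, "host": "ws-01", "type": "process", "pid": 40, "ppid": 1, "image": "outlook.exe"}
{"ts": 102, "host": "ws-01", "type": "process", "pid": 41, "ppid": 40, "image": "winword.exe"}
{"ts": 103, "host": "ws-01", "type": "process", "pid": 42, "ppid": 41, "image": "powershell.exe"}
{"ts": 104, "host": "ws-01", "type": "dns", "pid": 42, "domain": "updates.bad-example.test"}
{"ts": 105, "host": "ws-02", "type": "dns", "pid": 7, "domain": "cdn.example.test"}
{"ts": 90, "host": "ws-03", "type": "logon", "src_host": "ws-01", "user": "jdoe"}
{"ts": 110, "host": "srv-01", "type": "logon", "src_host": "ws-01", "user": "svc-backup"}
{"ts": 120, "host": "ws-02", "type": "logon", "src_host": "srv-01", "user": "svc-backup"}
{"ts": 130, "host": "ws-03", "type": "logon", "src_host": "ws-02", "user": "jdoe"}
"""


def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _version_tuple(version):
    """'7.0.1' -> (7, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def hosts_running(events, product, fixed_version):
    """Hosts whose inventory shows `product` at a version below the patched one."""
    fixed = _version_tuple(fixed_version)
    return {
        ev["host"]
        for ev in events
        if ev["type"] == "inventory"
        and ev["product"] == product
        and _version_tuple(ev["version"]) < fixed
    }


def hosts_contacting(events, bad_domains):
    """Map host -> sorted list of domains it resolved that appear in `bad_domains`."""
    found = defaultdict(set)
    for ev in events:
        if ev["type"] == "dns" and ev["domain"] in bad_domains:
            found[ev["host"]].add(ev["domain"])
    return {host: sorted(domains) for host, domains in found.items()}


def process_chain(events, host, pid):
    """Root-cause view: process images from the first recorded ancestor down to `pid`."""
    by_pid = {(ev["host"], ev["pid"]): ev for ev in events if ev["type"] == "process"}
    chain, seen = [], set()
    key = (host, pid)
    # Stop at a parent the agent never recorded, or at a PID-reuse loop.
    while key in by_pid and key not in seen:
        seen.add(key)
        ev = by_pid[key]
        chain.append(ev["image"])
        key = (host, ev["ppid"])
    chain.reverse()
    return chain


def trace_spread(events, seed_host, compromised_at):
    """Follow remote logons forward in time from the first compromised host.

    A hop src -> dst counts only if it happened after src was compromised, so
    earlier, legitimate logons from the same machine are not blamed on the
    attacker. Returns (src, dst, ts) hops in the order they occurred.
    """
    compromised = {seed_host: compromised_at}
    hops = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "logon":
            continue
        src, dst = ev["src_host"], ev["host"]
        if src in compromised and ev["ts"] >= compromised[src] and dst not in compromised:
            compromised[dst] = ev["ts"]
            hops.append((src, dst, ev["ts"]))
    return hops


EVENTS = parse_events(TELEMETRY)

if __name__ == "__main__":
    print("vulnerable archiver:", sorted(hosts_running(EVENTS, "archiver", "7.1.0")))
    print("contacted bad domain:", hosts_contacting(EVENTS, {"updates.bad-example.test"}))
    print("root cause on ws-01:", " -> ".join(process_chain(EVENTS, "ws-01", 42)))
    print("spread:", trace_spread(EVENTS, "ws-01", 103))
```

The spread trace is the part worth studying: the logon from ws-01 to ws-03 at ts 90 is ignored because it predates the compromise of ws-01 at ts 103, while the later chain ws-01 to srv-01 to ws-02 to ws-03 is reported in order. Without the per-host compromise time, every historical logon from the patient-zero machine would be flagged as lateral movement.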
However, as organizations expand their security technology stack, they need a bigger team with deeper technical skills to run it. Unfortunately, the market does not produce security professionals as fast as the changing IT landscape demands them. MDR has emerged to fill this cybersecurity skills gap.
MDR to boost existing security
MDR is a service: a security provider's analysts monitor, investigate, and respond on top of an organization's existing security infrastructure, addressing threats that bypass traditional controls. Modern threats such as network attacks, targeted intrusions, cryptominers, fileless malware, and remote access tools are designed to be hard to detect and to slip past many kinds of security technology.
This is partly because many organizations focus on securing the perimeter, that is, on controlling where traffic enters and leaves the network. Far less attention is paid to lateral movement once an attacker has found a way inside.
EDR supplements traditional antivirus rather than replacing it. It works alongside the antivirus, which continues to block known threat indicators, while EDR records and surfaces the behaviour that signature matching misses. Traditional controls on their own are not equipped to handle these stealthy threats, which call for continuous detection and response rather than a one-time block.
How do MDR and EDR work together?
Some EDR offerings feature advanced technologies such as machine learning and behavioural analysis, and integrate with other security tools. Because of that complexity, some in-house IT teams lack the skills or the time to get full value from EDR, leaving many functions and capabilities unused.
MDR bridges that skills and resource gap in deploying and operating complex EDR solutions. Used together, EDR supplies the telemetry and tooling for comprehensive endpoint security, and the MDR provider's analysts draw on it for detection, analysis, and response.