Endpoint Detection and Response (EDR) and Managed EDR (MDR) are cornerstones of modern security posture, just as antivirus and firewalls were 15 years ago. With threats growing more advanced and the consequences of compromise high, endpoint defense has been forced to evolve into an architecture that anticipates threats and preemptively protects against those identified by known behavioral patterns.
What is EDR?
EDR stands for Endpoint Detection and Response. It’s considered the next-generation Endpoint Protection because it uses a modern, sophisticated, and data-centered approach to preemptively detect malicious activity and respond to threats before endpoint compromise occurs. It can also be configured to automatically remediate a host if it is compromised.
What is the difference between EDR and Endpoint Protection (AV)?
The short answer is: Endpoint Protection finds evidence of compromise (anti-virus) and EDR detects malicious behavior that could result in compromise.
Traditional Endpoint Protection is very file focused. It’s a scheduled file-scanning application that only detects a threat once it has manifested as a compromised file. It’s anti-virus and, by extension, anti-malware.
By contrast, EDR uses multiple monitoring points to detect attempts to compromise the system. EDR scans memory, running processes, network activity, and common attack rule sets to preemptively stop threats before they can change files or exfiltrate data.
Traditional endpoint protection is a requirement for many organizations, and an EDR solution complements it for the best possible endpoint coverage.
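To make the contrast concrete, here is an added example (not code from the original article or from any EDR vendor) that puts the two approaches side by side: a signature scan that hashes file contents against a known-bad index, and a behavior detector that runs a rule over a stream of process and network events. The payload, the signature index, the file paths, the process tree and the destination address are all constructed for illustration. The same block also illustrates the "Signature-based" glossary entry further down: one changed byte in the payload defeats the hash lookup, while the behavior rule fires without any file ever being written to disk.

```python
"""Signature scan (traditional AV) beside behavior detection (EDR-style).

Constructed example: the sample files, signature index and process/network
events below are made up for illustration, not real malware indicators.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# --- Signature-based detection: a hash index of known-bad file contents -----

# Constructed signature index: SHA-256 of a made-up "malicious" payload.
_BAD_PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD-0001: not real malware"
SIGNATURE_INDEX = {hashlib.sha256(_BAD_PAYLOAD).hexdigest(): "Constructed.Sample.A"}


def signature_scan(files: dict[str, bytes]) -> dict[str, str]:
    """Return {path: signature_name} for files whose hash is in the index.

    A single changed byte produces a different hash and the file is missed:
    signature scanning only recognises what has already been catalogued.
    """
    hits = {}
    for path, content in files.items():
        digest = hashlib.sha256(content).hexdigest()
        if digest in SIGNATURE_INDEX:
            hits[path] = SIGNATURE_INDEX[digest]
    return hits


# --- Behavior-based detection: a rule over a stream of endpoint events -------

@dataclass(frozen=True)
class Event:
    kind: str          # "process" or "network"
    pid: int
    ppid: int = 0
    image: str = ""    # executable name for process events
    cmdline: str = ""
    dest: str = ""     # remote host:port for network events


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def behavior_detect(events: list[Event]) -> list[dict]:
    """Flag a shell spawned by an Office application; raise the severity if
    the command is encoded and again if that shell opens a network connection.
    Nothing here depends on a file being written, so a fileless attack chain
    still produces an alert."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    alerts = []
    for e in events:
        if e.kind != "process" or e.image.lower() not in SHELLS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() not in OFFICE_APPS:
            continue
        alert = {"pid": e.pid, "rule": "office-spawns-shell", "severity": "medium"}
        tokens = e.cmdline.lower().split()
        if any(tok in ("-enc", "-encodedcommand") for tok in tokens):
            alert["severity"] = "high"       # encoded command line, common obfuscation
        if any(n.kind == "network" and n.pid == e.pid for n in events):
            alert["severity"] = "critical"   # the spawned shell also talked to the network
        alerts.append(alert)
    return alerts


# Constructed sample host: one file matches the index; a second is the same
# payload with one byte changed, so its hash no longer matches.
SAMPLE_FILES = {
    "C:/Users/alice/Downloads/invoice.exe": _BAD_PAYLOAD,
    "C:/Users/alice/Downloads/invoice2.exe": _BAD_PAYLOAD.replace(b"0001", b"0002"),
    "C:/Windows/notepad.exe": b"benign placeholder content",
}

# Constructed event stream: Word launches an encoded PowerShell command that
# then connects out. No file on disk changes, so the signature scan sees nothing.
SAMPLE_EVENTS = [
    Event("process", pid=100, ppid=1, image="explorer.exe"),
    Event("process", pid=200, ppid=100, image="WINWORD.EXE", cmdline="WINWORD.EXE quarterly.docm"),
    Event("process", pid=300, ppid=200, image="powershell.exe",
          cmdline="powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"),
    Event("network", pid=300, dest="198.51.100.23:443"),
]

if __name__ == "__main__":
    print("signature hits:", signature_scan(SAMPLE_FILES))
    print("behavior alerts:", behavior_detect(SAMPLE_EVENTS))
```

Run stand-alone, the signature scan reports only the unmodified file, while the behavior detector reports the PowerShell process as critical. That asymmetry is the point of the paragraph above: the file scanner needs a catalogued artifact, the behavior rule needs only the telemetry that EDR already collects.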
What does EDR do well?
By design, EDR is meant to proactively detect behaviors that indicate a threat, attack, or compromise. Its scope of detection on the endpoint is wider and, perhaps counterintuitively, less obtrusive and resource-hungry than a heavy endpoint protection client.
In general, EDR is also designed to be integrated with other products in the environment. Whether it’s shipping log files to a SIEM or exposing an API for customized response, it’s meant to be highly configurable and tunable.
Where does EDR fall short?
While EDR sounds like the superior defense, that comes at a cost — complexity. EDR solutions generate vast quantities of data which must be shipped off the endpoint. And if your organization is of any significant size, the data storage requirements can be overwhelming.
EDR is also configuration heavy. While endpoint protection is one install and a signature update from the vendor, EDR can involve configuration to ship log files to a central store for analysis. If that analysis happens in the cloud, there can be some delay in effectiveness.
Finally, EDR is great at detecting threats with a high degree of confidence, but those findings are useless without a human analyst to verify them and define a course of action in response. If the data is huge and “noisy,” the chances of quick response are low.
What is MDR?
Managed EDR, or MDR, is a refinement of the EDR concept. It’s a managed security service that involves a technically strong team of analysts reviewing EDR data and determining which pieces are useful and which aren’t, then tuning the system to be more efficient and accurate at finding and reporting threats. This team would also configure EDR to respond to identified threats automatically.
What is MDR vs Threat Hunting?
Is Threat Hunting the same thing as MDR?
MDR is essentially outsourced Threat Hunting by analysts who understand your network(s) and the technologies in use, and who put in place the best possible strategies for finding threats.
What makes an MDR service successful?
A successful MDR service is a collaboration between teams.
The MDR team provides comprehensive knowledge and experience in types of threats and how to mitigate them, as well as the methods by which the best and most efficient detection and automated response can be achieved. This is accomplished by using any number of popular EDR products.
The customer’s team helps to provide necessary access and data from their organization’s network and endpoints, as well as any collected intelligence from prior engagements.
Glossary of MDR Terms
Signature-based: In the context of anti-virus and anti-malware, a signature is a short hash of a known sample sequence of bytes found in an infected file that indicates the unique change made by a virus. It allows an antivirus engine to determine if known viruses have infected files on a host system or if malware is present. Indexes of signatures are the data that endpoint protection vendors use during scans to determine compromise.
Threat: A cybersecurity threat is a known malicious attack design or exploit of a vulnerability in software. It’s a broad term that represents any potential for a bad actor to utilize weaknesses in the network or endpoints for malicious activities. These include data theft, services disruption, or vandalism.
Response: The response in Detection and Response refers to the action taken to avoid compromise by a cybersecurity threat. It can be a dynamic rule added to a firewall, the removal of access permissions from a compromised user account, or even the complete reset of an endpoint. Response can be manual or automated, where complex rule sets determine the response.
Endpoint Protection (Traditional): Anti-virus and anti-malware solutions such as Symantec Endpoint Protection, McAfee Endpoint Security, or Windows Defender.
Threat Hunting: When alerts for certain threats are not defined or none exist, an analyst will have to go “hunting” in an environment to locate evidence of compromise. This is both an art and a science requiring knowledge of attack techniques and the nature of malicious activity.
Binary Triage: If suspicious binaries are detected on a monitored system and automated means for identification return nothing, some analysis is required to determine if that binary is malicious or not. Triage is determining how serious and/or timely a response should be by establishing potential or intent of the binary.
Use Case: A use case for EDR is a way to identify how the concepts of Detection and Response apply and can be best implemented for distinct IT environments, actions, and industry-specific security needs.
Example: If employees must log in to a portal using an identity management solution, then attacks will likely target that specific solution, and detection should employ this use case as a focus.
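The "Response" entry above says a response can be a dynamic firewall rule, the removal of a compromised account's access, or a hand-off to an analyst, chosen manually or by rule sets; the use case example says detection for a login portal should focus on that portal. The following added example (not code from the original article or from any MDR provider) ties the two together: it parses constructed portal authentication log lines, detects one source address failing against many distinct accounts inside a short window (a password-spraying pattern), notes whether a login from that source then succeeded, and maps each finding to a response action by severity. The log format, the field names, the thresholds and the action names are all assumptions made for this example; an MDR team would tune them per environment as the "What makes an MDR service successful?" section describes.

```python
"""Detection and rule-driven response over constructed login-portal logs.

Added example for the identity-portal use case and the "Response" glossary
entry. The log format, thresholds and action names are assumptions, not any
vendor's schema or policy. The log lines and addresses are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log line shape: "<iso-timestamp> portal auth SUCCESS|FAILURE user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) portal auth (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    result: str
    user: str
    src: str


def parse_log(lines: list[str]) -> list[AuthEvent]:
    """Parse the lines that match LOG_RE; skip anything else instead of
    aborting, since a noisy feed will always contain lines we do not expect."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


# Tunable thresholds (assumed values; the analysts tune these per environment).
WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5   # distinct accounts failing from one source inside WINDOW


def detect(events: list[AuthEvent]) -> list[dict]:
    """One finding per source that fails against SPRAY_MIN_ACCOUNTS or more
    distinct accounts within WINDOW. A success from the same source inside
    that window raises the finding to critical and names the account."""
    by_src: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    findings = []
    for src, evs in by_src.items():
        for anchor in evs:
            if anchor.result != "FAILURE":
                continue
            window = [x for x in evs if anchor.ts <= x.ts < anchor.ts + WINDOW]
            failed_users = {x.user for x in window if x.result == "FAILURE"}
            if len(failed_users) < SPRAY_MIN_ACCOUNTS:
                continue
            compromised = sorted({x.user for x in window if x.result == "SUCCESS"})
            findings.append({
                "rule": "password-spray" + ("-then-success" if compromised else ""),
                "src": src,
                "failed_users": sorted(failed_users),
                "compromised_users": compromised,
                "severity": "critical" if compromised else "high",
            })
            break  # one finding per source; later windows would only repeat it
    return findings


def respond(findings: list[dict]) -> list[tuple[str, str]]:
    """Rule set mapping severity to response, as the glossary describes:
    critical -> block the source and disable the accounts it got into;
    high     -> block the source only;
    anything else -> queue for an analyst to decide manually."""
    actions = []
    for f in findings:
        if f["severity"] == "critical":
            actions.append(("firewall_block", f["src"]))
            actions.extend(("disable_account", u) for u in f["compromised_users"])
        elif f["severity"] == "high":
            actions.append(("firewall_block", f["src"]))
        else:
            actions.append(("analyst_review", f["src"]))
    return actions


def run(lines: list[str]) -> tuple[list[dict], list[tuple[str, str]]]:
    findings = detect(parse_log(lines))
    return findings, respond(findings)


# Constructed sample: one source sprays five accounts and then gets into a
# sixth; a second source is an ordinary user mistyping once; one junk line.
SAMPLE_LOG = """
2024-05-02T09:00:01 portal auth FAILURE user=alice src=203.0.113.7
2024-05-02T09:00:03 portal auth FAILURE user=bob src=203.0.113.7
2024-05-02T09:00:05 portal auth FAILURE user=carol src=203.0.113.7
2024-05-02T09:00:07 portal auth FAILURE user=dave src=203.0.113.7
2024-05-02T09:00:09 portal auth FAILURE user=erin src=203.0.113.7
2024-05-02T09:00:11 portal auth SUCCESS user=frank src=203.0.113.7
2024-05-02T09:01:00 portal auth FAILURE user=alice src=192.0.2.44
2024-05-02T09:01:30 portal auth SUCCESS user=alice src=192.0.2.44
this line is not in the expected format and is skipped
""".strip().splitlines()

if __name__ == "__main__":
    for item in run(SAMPLE_LOG):
        print(item)
```

Only the spraying source produces a finding; the single mistyped password from 192.0.2.44 never reaches the threshold, which is the noise-versus-signal trade-off the "Where does EDR fall short?" section warns about. The response table is deliberately separate from the detection logic so that the same findings can be routed to automation or to a human depending on how much confidence the team has in a rule.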