Endpoint Detection and Response Solutions – EDR / XDR / MDR

So what is EDR?

The Problem

The main problem businesses were facing, was that the attack surface of an endpoint and the complexity of the surrounding infrastructure evolved, but they were still relying on antivirus solutions that relied on signatures, sometimes out of date signatures, to identify and prevent a malicious file from executing. Further to that, attack types had changed and malicious actors were no longer interested in writing malicious files for victim machines but were more interested in stealing data or encrypting data for ransom. Those that were creating malicious files, had devised ways of padding files with extra bytes to avoid detection or evolved attacks to include memory “fileless” attacks.

EDR – the good and the bad of detection

EDR was developed to provide a business with the visibility to “see” unusual activity occurring in an environment using behaviour analytics, some threat intelligence and host intrusion detection sensing, specifically around the endpoints. The problem immediately identified was that with increased visibility came an increased amount of security data to ingest, which required more resources, often burdening already over-burdened security teams, if there were any security teams at all. EDR also had no signatures to refer to, so that meant that SOC teams were inundated with data and false positives to process. Enterprises quickly found that they now needed an EDR and EPP, to sufficiently protect their endpoints.

Converge of prevention and detection techniques

Recently, vendors have started to converge these two solutions together bringing prevention techniques and detection techniques into one single solution. The problem, however, was that now the platform’s security data would grow exponentially and security teams would have no chance of analysing these huge amounts of data, so many of the vendors have integrated machine learning tasks into their solutions in order to prioritise what the solution considers a high impact threat, by piecing various pieces of data flow together, allowing analysts to review the information rather than having to piece the data together themselves. These solutions are also correlating data from threat source feeds externally to identify any similar threats emerging from that feed worldwide. Some solutions are even completing deep analysis of suspected malware files in order to determine “known good” and “known bad” files in an online sandbox.

Introduction of XDR

The security industry hasn’t stopped there, however, most recently, vendors like Palo Alto Networks have introduced XDR which basically extends the converged EDR into their firewalls, their endpoint solutions, and their CASB solutions based on the assumption that an enterprise is already using their solutions, and those security information points act as sensors, sending security data to a threat analysis engine for processing.

Extension to MDR

This leads us on to MDR (Managed Detection and Response). In many cases, a business needs these type of technologies to manage their IT risk, but cannot afford to throw multiple resources at these toolsets. Business’ IT departments are also already dealing with infrastructure, capacity, Business As Usual (BAU) and some security activities. Most of the IT team have limited experience in security analysis. It makes sense then that these businesses use an experienced MDR team to detect, analyse, prioritise and offer remediation to security incidents, allowing the IT teams to focus on their tasks.

Integration of various tools

Secure-ISS offers MDR services by integrating various tools like converged EDR, XDR, SIEM, IDS, threat hunting and vulnerability management for our security analysts in our 24/7 security operations centre, providing our customers with unparalleled security expertise and advice.

Arrange a consultation about Endpoint Detection and Response Security