EDR, NDR, XDR, MDR - Different concepts of Detection & Response
‘Threat Detection & Response’ is now considered an indispensable means of securing corporate networks. Due to large-scale environments and ever more complex requirements, potential dangers and threats should be found or prevented and corresponding systems restored or cleaned as actively, quickly, efficiently, and automatically as possible.
A set of three letters can conceal several types of ‘Detection & Response’ models offered on the market. What do these acronyms stand for and what distinguishes one solution from the other?
Here’s an overview of what you need to know.
... stands for ‘Endpoint Detection & Response’. Every device connected to a network represents a potential attack vector for threats from the Internet, and each of these connections is a potential gateway to your data. In general, EDR solutions collect data from endpoints, use it to identify potential threats, and provide helpful ways to investigate and respond to those potential threats – modern solutions even automate with subsequent reporting.
- Scope: Endpoints and hosts
- Intention: Endpoint/access area protection from infiltration, monitoring and mitigation, vulnerability assessment, alerting and response
- Methods: Malicious behaviour, Indicator of Attack (IoA), Indicator of Compromise (IoC), signatures, machine learning
- Challenges: Advanced Persistent Threats (APT), ransomware, malicious scripts, etc.
... is ‘Network Detection & Response’. This has evolved from conventional network security and is a sub-area of NTA (Network Traffic Analysis). It ensures full visibility into known and unknown threats passing through the network. The solutions typically provide centralised, machine-based network traffic analysis and response solutions, including efficient workflows and automation. The positioning in the network and help from machine learning provides a full insight and analysis of the network in order to identify and eliminate lateral movements in particular.
- Scope: Network and inter-device traffic
- Intention: Visibility/transparency of network traffic, detection of known and unknown threats and lateral movements, alerting and response
- Methods: Indicator of Attack (IoA), anomaly detection, user behaviour, machine learning
- Challenges: Advanced attacks and intrusions, malware-free attacks
... stands for ‘Managed Detection & Response’. The focus here is not on technology, but on service. As part of MDR, customers outsource their security operations and benefit from reliable security year-round, around the clock.
Security providers offer their MDR customers access to their pool of security analysts and engineers who specialise in network monitoring, incident analysis, and security incident response.
This service is particularly in-demand in the field of SOCs (Security Operation Centre) and SIEMs (Security Information and Event Management) due to the required skills and resources.
- Scope: Organisations
- Intention: Outsourcing of security expertise, centralisation of security information, high-quality consulting, and security compliance
- Methods: Integration of customer systems via various interfaces (API, logging, DataLake, etc.)
- Challenges: Lack of security skills/resources within an organisation, deployment of xDR tools, simplification of day-to-day security: Processing/minimisation of alerts/events
XDR not only integrates endpoints but also provides visibility into the corporate network by going beyond the single-vector point solution to include inter-device traffic as well as applications for analysis and assessment.
The resulting massive databases/data lakes enable precise, machine-based analysis and efficient detection, primarily through the deep integration and correlation of data using the deployed components.
Together with the use of a SIEM, this correlation and visibility can be further enhanced. Indications and events can be provided with further (meta) data, facilitating mitigation (attack prevention) and/or remediation (recovery of systems after the attack) of malware.
- Scope: Endpoints, hosts, network and inter-device traffic, applications
- Intention: Visibility/transparency at multiple security levels (network, endpoint, applications), detection of known and unknown threats at a lateral level including all components, holistic monitoring and mitigation, vulnerability assessment, alerting and response, simplification and consolidation of events, and activities and targeted response
- Methods: Machine learning, Indicator of Attack (IoA), anomaly detection, user behaviour, malicious behaviour, Indicator of Compromise
- Challenges: Integration possibility/interfaces of the manufacturers, transparency gaps, partly EDR-typical and NDR-typical challenges