Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Protect assets from ransomware, trojans, rootkits and more.
Intelligence and visibility across AWS, O365, DevOps and more.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Emerging in the early 2010s, endpoint detection and response (EDR) represented an answer to new and emerging threats that evaded endpoint protection platforms (EPP) and legacy anti-virus solutions. Increasing use of fileless and unknown attacks shifted focus from prevention of the expected to detection and response of the unexpected. Recognizing a new market need, native endpoint vendors expanded their portfolios with new tools, later coined “EDR." These managed EDR services provided always-on recording of activity with integrated threat hunting and isolation capabilities.
As organizations adopted EDR, inherent problems became apparent. Given the complexity and vast amounts of data captured by EDR solutions, security teams were quickly overwhelmed with management and efficient use of the tools and capabilities. This resulted in the emergence of managed service offerings to alleviate resource limitations and operational inefficiencies. As of 2018, 30 percent of organizations have adopted EDR technologies with 65 percent reporting outsourcing or planning to outsource managed EDR services. This market is forecasted to grow at 22.9 percent year-over-year, constituting over $3.4B in security spend.
Much like the evolution of EDR, the emergence of MDR represented an answer to new and emerging threats that evaded not only existing technologies but also to resource and expertise limitations. Used by organizations as early as 2011, MDR became an official industry term in Gartner’s Guide to Managed Detection and Response in 2016. Recognizing that prevention will fail, MDR sought to strategically use technology in combination with powerful analytic capabilities and integrated threat hunting to minimize threat actor dwell time.nolo
Unfortunately, given the infancy of the category, criteria for what constitutes an MDR provider was and continues to remain vague. As a result, solutions that have a similar goal in minimizing threat actor dwell time (EDR) attached themselves to the MDR category. This has resulted in widespread confusion and the risk of choosing a vendor that does not provide comprehensive coverage of a customer’s on-premises and cloud networks. In the most recent Guide to Managed Detection and Response, Gartner has specifically called out endpoint detection and response (EDR) vendors that represent themselves as MDR vendors with the following insight and caution:
“Managed EDR is often associated with MDR when it’s just one style, a style that may have limited visibility of threats in a customer’s environment depending on the assets and environments that need to be monitored. While there are some dedicated managed EDR providers, the MDR market is dominated by EDR vendors offering services to software buyers.”
While the importance and value of EDR cannot be disputed, it is one component of a holistic managed detection and response (MDR) solution. In the most recent Ponemon State of Endpoint Security Risk study, organizations on average reported 34 percent of all endpoints connected to the network were not secured. Given the complexity and cost of endpoint protection, this statistic is understandable. The average organization spends $124 per endpoint on security spread across an average of seven endpoint security agents. Often a trade-off between budget and resource limitations and the number of endpoints that should be protected result in gaps that leave networks susceptible to attack.
EDR alone provides a very narrow view of the network. For threat hunting, the broader the set of data (including endpoint, as well as cloud, network data, log, vulnerability, etc.) the greater the information available to correlate and arrive at conclusive decisions that enable rapid response. This is akin to a crime scene where surveillance camera footage, eyewitnesses, DNA, etc. all represent different breadth and depth of evidential data. The greater the data to correlate the evidence, the quicker law enforcement is able to determine the perpetrator and arrest or detain before another crime is committed.
Looking at a defense-in-depth model, information gathered at each layer represents an opportunity to detect a threat actor and enforcement point to initiate response before successive layers and data are compromised. In the case of endpoint detection and response (EDR), it may highlight a breach, but visibility is myopic to that endpoint. If the source is external, EDR is limited as the data is blind to network data.
Ultimately, visibility into multiple layers that can link between different stages of the attack is necessary. Looking at the cyber kill chain, EDR has substantial strengths in detection across exploitation, installation and internal reconnaissance stages. However, EDR remains blind to other stages of the attack. The visualization below represents the primary components (including EDR) and their subsequent strengths and weaknesses in a holistic MDR solution.
As the cyber kill chain shows, endpoint detection and response (EDR) tools are a powerful component of a holistic MDR solution, however limited in singularity. As managed EDR services and vendors continue to portray themselves as MDR vendors, organizations are encouraged to consider risk contextual to their threat landscape and network presence. Understanding the differences between MDR vs EDR will help organizations determine what they need.
To help organizations make informed decisions, the chart below represents criteria that all MDR providers can be objectively plotted against as well as a capability comparison outlining eSentire MDR versus managed EDR services.
To learn more about EDR and the other types of MDR, read the Definitive Guide to MDR eBook.
As eSentire's Director of Product Marketing, Wes oversees market intelligence, competitive research and go-to-market strategies. His mult-faceted, technology experience spans over a decade with market leaders such as Hewlett-Packard and Dell SecureWorks.