Blog — Apr 23, 2020

The Limitations of Managed Endpoint Detection and Response (EDR)


A Brief History of Endpoint Detection and Response (EDR): Fulfilling a Need

Emerging in the early 2010s, endpoint detection and response (EDR) represented an answer to new and emerging threats that evaded endpoint protection platforms (EPP) and legacy anti-virus solutions. The increasing use of fileless and unknown attacks shifted the focus from preventing the expected to detecting and responding to the unexpected. Recognizing a new market need, native endpoint vendors expanded their portfolios with new tools, later coined “EDR.” These EDR tools provided always-on recording of endpoint activity with integrated threat hunting and isolation capabilities.

As organizations adopted EDR, inherent problems became apparent. Given the complexity and vast amounts of data captured by EDR solutions, security teams were quickly overwhelmed by managing the tools and making efficient use of their capabilities. This resulted in the emergence of managed service offerings to alleviate resource limitations and operational inefficiencies. As of 2018, 30 percent of organizations had adopted EDR technologies, with 65 percent reporting that they outsourced or planned to outsource managed EDR services. This market is forecasted to grow at 22.9 percent year-over-year, constituting over $3.4B in security spend.

From Endpoint Detection and Response (EDR) to Managed Detection and Response (MDR)

Much like the evolution of EDR, the emergence of MDR represented an answer not only to new and emerging threats that evaded existing technologies but also to resource and expertise limitations. Used by organizations as early as 2011, MDR became an official industry term in Gartner’s Guide to Managed Detection and Response in 2016. Recognizing that prevention will fail, MDR sought to strategically use technology in combination with powerful analytic capabilities and integrated threat hunting to minimize threat actor dwell time.

Unfortunately, given the infancy of the category, the criteria for what constitutes an MDR provider were vague and remain so. As a result, solutions with a similar goal of minimizing threat actor dwell time (EDR) attached themselves to the MDR category. This has resulted in widespread confusion and the risk of choosing a vendor that does not provide comprehensive coverage of a customer’s on-premises and cloud networks. In the most recent Guide to Managed Detection and Response, Gartner has specifically called out endpoint detection and response (EDR) vendors that represent themselves as MDR vendors with the following insight and caution:

“Managed EDR is often associated with MDR when it’s just one style, a style that may have limited visibility of threats in a customer’s environment depending on the assets and environments that need to be monitored. While there are some dedicated managed EDR providers, the MDR market is dominated by EDR vendors offering services to software buyers.”

Endpoint Detection and Response (EDR) Limitations within Managed Detection and Response (MDR)

While the importance and value of EDR cannot be disputed, it is one component of a holistic managed detection and response (MDR) solution. In the most recent Ponemon State of Endpoint Security Risk study, organizations on average reported that 34 percent of all endpoints connected to the network were not secured. Given the complexity and cost of endpoint protection, this statistic is understandable. The average organization spends $124 per endpoint on security, spread across an average of seven endpoint security agents. Often a trade-off between budget and resource limitations and the number of endpoints that should be protected results in gaps that leave networks susceptible to attack.

EDR alone provides a very narrow view of the network. For threat hunting, the broader the set of data (endpoint as well as cloud, network, log and vulnerability data), the more information is available to correlate and arrive at conclusive decisions that enable rapid response. This is akin to a crime scene where surveillance camera footage, eyewitnesses, DNA and so on each represent evidence of different breadth and depth. The more data there is to correlate the evidence, the quicker law enforcement can identify the perpetrator and arrest or detain them before another crime is committed.

Looking at a defense-in-depth model, information gathered at each layer represents both an opportunity to detect a threat actor and an enforcement point at which to initiate response before successive layers and data are compromised. In the case of endpoint detection and response (EDR), it may highlight a breach, but its visibility is limited to that endpoint. If the source of the attack is external, EDR is limited because it has no view of the network data.

Ultimately, visibility into multiple layers that can link between different stages of the attack is necessary. Looking at the cyber kill chain, EDR has substantial strengths in detection across exploitation, installation and internal reconnaissance stages. However, EDR remains blind to other stages of the attack. The visualization below represents the primary components (including EDR) and their subsequent strengths and weaknesses in a holistic MDR solution.

As the cyber kill chain shows, endpoint detection and response (EDR) tools are a powerful component of a holistic MDR solution, but limited on their own. As managed EDR services and vendors continue to portray themselves as MDR vendors, organizations are encouraged to consider risk in the context of their threat landscape and network presence. Understanding the differences between MDR and EDR will help organizations determine what they need.
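The cross-layer correlation the paragraphs above argue for, as an added example that is not from the original post or from eSentire: a small Python hunt joins constructed EDR process-start events with constructed network flow records and reports which kill chain stages each combination of sources can evidence. Host names, pids, IP addresses, timestamps and the five-minute linking window are all assumptions made for the example.

```python
# Trace one constructed intrusion across kill chain stages by joining EDR
# process events with network flow records. All data below is made up.
from datetime import datetime, timedelta

# Constructed EDR telemetry: process starts recorded by an endpoint agent.
EDR_EVENTS = [
    {"ts": "2020-04-23T10:01:05", "host": "ws-17", "pid": 4120,
     "proc": "winword.exe", "parent": "explorer.exe"},
    {"ts": "2020-04-23T10:01:09", "host": "ws-17", "pid": 4388,
     "proc": "powershell.exe", "parent": "winword.exe"},
]
# Constructed network telemetry: flows a sensor attributed to a host (and pid when known).
FLOWS = [
    {"ts": "2020-04-23T10:00:58", "host": "ws-17", "pid": None,
     "dir": "in", "peer": "198.51.100.7", "svc": "smtp"},
    {"ts": "2020-04-23T10:01:11", "host": "ws-17", "pid": 4388,
     "dir": "out", "peer": "203.0.113.9", "svc": "https"},
]
OFFICE = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
WINDOW = timedelta(minutes=5)  # assumed maximum gap between linked events


def stage_of_process(ev):
    """Kill chain stage an endpoint event can evidence on its own."""
    if ev["proc"] in OFFICE:
        return "exploitation"  # document handler started; possible macro or exploit
    if ev["proc"] in SCRIPT_HOSTS and ev["parent"] in OFFICE:
        return "installation"  # document handler spawning a script host
    return None


def stage_of_flow(flow, edr_events):
    """Stage a flow evidences once tied to endpoint context; None if unrelated."""
    for ev in edr_events:
        if ev["host"] != flow["host"]:
            continue
        gap = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(flow["ts"])
        if flow["dir"] == "in" and stage_of_process(ev) == "exploitation" \
                and timedelta(0) <= gap <= WINDOW:
            return "delivery"  # inbound content just before the document was opened
        if flow["dir"] == "out" and ev["pid"] == flow["pid"] \
                and stage_of_process(ev) == "installation" and -WINDOW <= gap <= timedelta(0):
            return "command_and_control"  # the spawned script host calling out
    return None


def stages_seen(edr_events, flows=()):
    """Stages visible from the supplied sources; EDR alone never yields delivery or C2 here."""
    seen = {stage_of_process(e) for e in edr_events}
    seen |= {stage_of_flow(f, edr_events) for f in flows}
    seen.discard(None)
    return seen
```

With only EDR_EVENTS the hunt evidences exploitation and installation; adding FLOWS extends it to delivery and command and control, the stages the endpoint agent is blind to.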

To help organizations make informed decisions, the chart below represents criteria that all MDR providers can be objectively plotted against as well as a capability comparison outlining eSentire MDR versus managed EDR services.

To learn more about EDR and the other types of MDR, read the Definitive Guide to MDR eBook.

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.