Blog — Apr 23, 2020

The Limitations of Managed Endpoint Detection and Response (EDR)

A Brief History of Endpoint Detection and Response (EDR): Fulfilling a Need

Emerging in the early 2010s, endpoint detection and response (EDR) represented an answer to new and emerging threats that evaded endpoint protection platforms (EPP) and legacy anti-virus solutions. Increasing use of fileless and unknown attacks shifted focus from prevention of the expected to detection of and response to the unexpected. Recognizing a new market need, native endpoint vendors expanded their portfolios with new tools, later coined “EDR.” These managed EDR services provided always-on recording of activity with integrated threat hunting and isolation capabilities.

As organizations adopted EDR, inherent problems became apparent. Given the complexity and vast amounts of data captured by EDR solutions, security teams were quickly overwhelmed by the management and efficient use of the tools and capabilities. This resulted in the emergence of managed service offerings to alleviate resource limitations and operational inefficiencies. As of 2018, 30 percent of organizations have adopted EDR technologies, with 65 percent reporting that they outsource or plan to outsource managed EDR services. This market is forecast to grow at 22.9 percent year-over-year, constituting over $3.4B in security spend.

From Endpoint Detection and Response (EDR) to Managed Detection and Response (MDR)

Much like the evolution of EDR, the emergence of MDR represented an answer not only to new and emerging threats that evaded existing technologies but also to resource and expertise limitations. Used by organizations as early as 2011, MDR became an official industry term in Gartner’s Guide to Managed Detection and Response in 2016. Recognizing that prevention will fail, MDR sought to strategically use technology in combination with powerful analytic capabilities and integrated threat hunting to minimize threat actor dwell time.

Unfortunately, given the infancy of the category, the criteria for what constitutes an MDR provider were and remain vague. As a result, solutions that share the goal of minimizing threat actor dwell time (EDR) have attached themselves to the MDR category. This has resulted in widespread confusion and the risk of choosing a vendor that does not provide comprehensive coverage of a customer’s on-premises and cloud networks. In the most recent Guide to Managed Detection and Response, Gartner has specifically called out endpoint detection and response (EDR) vendors that represent themselves as MDR vendors with the following insight and caution:

“Managed EDR is often associated with MDR when it’s just one style, a style that may have limited visibility of threats in a customer’s environment depending on the assets and environments that need to be monitored. While there are some dedicated managed EDR providers, the MDR market is dominated by EDR vendors offering services to software buyers.”

Endpoint Detection and Response (EDR) Limitations within Managed Detection and Response (MDR)

While the importance and value of EDR cannot be disputed, it is one component of a holistic managed detection and response (MDR) solution. In the most recent Ponemon State of Endpoint Security Risk study, organizations on average reported that 34 percent of all endpoints connected to the network were not secured. Given the complexity and cost of endpoint protection, this statistic is understandable. The average organization spends $124 per endpoint on security, spread across an average of seven endpoint security agents. Often a trade-off between budget and resource limitations and the number of endpoints that should be protected results in gaps that leave networks susceptible to attack.

EDR alone provides a very narrow view of the network. For threat hunting, the broader the set of data (endpoint, as well as cloud, network, log, vulnerability data, etc.), the more information is available to correlate and arrive at conclusive decisions that enable rapid response. This is akin to a crime scene where surveillance camera footage, eyewitnesses, DNA, etc. all represent different breadth and depth of evidential data. The more data there is to correlate the evidence, the quicker law enforcement is able to identify the perpetrator and arrest or detain them before another crime is committed.

Looking at a defense-in-depth model, information gathered at each layer represents both an opportunity to detect a threat actor and an enforcement point at which to initiate response before successive layers and data are compromised. In the case of endpoint detection and response (EDR), it may highlight a breach, but its visibility is myopic to that endpoint. If the source is external, EDR is limited because it is blind to network data.

Ultimately, visibility into multiple layers that can link between different stages of the attack is necessary. Looking at the cyber kill chain, EDR has substantial strengths in detection across exploitation, installation and internal reconnaissance stages. However, EDR remains blind to other stages of the attack. The visualization below represents the primary components (including EDR) and their subsequent strengths and weaknesses in a holistic MDR solution.

As the cyber kill chain shows, endpoint detection and response (EDR) tools are a powerful component of a holistic MDR solution, but they are limited on their own. As managed EDR services and vendors continue to portray themselves as MDR vendors, organizations are encouraged to consider risk in the context of their threat landscape and network presence. Understanding the differences between MDR and EDR will help organizations determine what they need.
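The kill-chain argument above can be made concrete with a small correlation routine. This is an added example, not eSentire's code: it tags constructed endpoint and network events with the stage each telemetry source can observe, and shows that the endpoint view alone never spans the network-only stages, while the joined view does. Hosts, process names, IP addresses and the stage-to-source mapping are all hypothetical assumptions.

```python
"""Added example (not from the original post): link kill-chain stages across
endpoint (EDR) and network telemetry. All events below are constructed."""
from collections import defaultdict

# Assumed stage visibility per source, following the post's argument: EDR sees
# exploitation/installation/internal recon; network data sees C2/exfiltration.
EDR_STAGES = {"exploitation", "installation", "internal_recon"}
NET_STAGES = {"command_and_control", "exfiltration"}

# Constructed EDR process events: (timestamp, host, process, stage or None)
EDR_EVENTS = [
    (100, "ws-17", "powershell.exe", "installation"),
    (180, "ws-17", "net.exe", "internal_recon"),
    (300, "ws-42", "outlook.exe", None),  # benign activity, no stage
]

# Constructed network flows: (timestamp, host, dst_ip, bytes_out, stage or None)
NET_EVENTS = [
    (130, "ws-17", "203.0.113.9", 512, "command_and_control"),
    (240, "ws-17", "203.0.113.9", 48_000_000, "exfiltration"),
    (310, "ws-42", "198.51.100.5", 2_000, None),
]


def staged_events(edr, net, sources=("edr", "net")):
    """Per-host list of (ts, source, stage) for the selected telemetry sources."""
    per_host = defaultdict(list)
    if "edr" in sources:
        for ts, host, _proc, stage in edr:
            if stage:
                per_host[host].append((ts, "edr", stage))
    if "net" in sources:
        for ts, host, _dst, _bytes, stage in net:
            if stage:
                per_host[host].append((ts, "net", stage))
    return per_host


def correlate(edr, net, sources=("edr", "net"), window=300):
    """Return hosts whose events inside `window` seconds span both an
    endpoint-visible and a network-visible stage, with the ordered chain."""
    findings = {}
    for host, events in staged_events(edr, net, sources).items():
        events.sort()
        first = events[0][0]
        chain = [(src, stg) for ts, src, stg in events if ts - first <= window]
        stages = {stg for _, stg in chain}
        if stages & EDR_STAGES and stages & NET_STAGES:
            findings[host] = chain
    return findings
```

With only `sources=("edr",)` the routine returns nothing for ws-17, because the installation and internal-reconnaissance events it does see are never joined to the command-and-control and exfiltration flows.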

To help organizations make informed decisions, the chart below represents criteria that all MDR providers can be objectively plotted against as well as a capability comparison outlining eSentire MDR versus managed EDR services.

To learn more about EDR and the other types of MDR, read the Definitive Guide to MDR eBook.

Wes Hutcherson, Director of Product Marketing

As eSentire's Director of Product Marketing, Wes oversees market intelligence, competitive research and go-to-market strategies. His multi-faceted technology experience spans over a decade with market leaders such as Hewlett-Packard and Dell SecureWorks.