Blog | Nov 22, 2019

The Seven Categories of MDR - #5 – ED-Big-R (Single Telemetry)

Emerging from the traditional managed security service provider (MSSP) model, Managed Detection and Response (MDR) is an answer to the fact that threat actors have increased their ability to circumvent traditional detection measures. As early as 2011, MDR emerged (uncategorized at the time) with a single guiding principal: Acknowledge that a breach will happen. When it does, minimize threat actor dwell time to reduce risk.

However, as the MDR market has evolved, four criteria remain constant as key to minimizing threat actor dwell time in the event of a breach: visibility, fidelity, detection capabilities and response. When these criteria are measured against in-house resources, risk tolerance and available budget, they can be used to choose the appropriate MDR vendor based on your organizational requirements.

To help organizations make an informed cybersecurity solutions choice, eSentire has authored, The Definitive Guide to Managed Detection and Response (MDR) (and this blog series) which examines seven categories of MDR providers, measured across four criteria, which include:

  • Visibility: Signal sources such as endpoints, IPS/IDS, logs, cloud, vulnerabilities, etc.
  • Fidelity: The depth of information provided by each of the signal sources
  • Detection capabilities: Ability for the provider to detect known and unknown attacker methodologies using commoditized and advanced methodologies
  • Response: Delineation of provider and client responsibilities from investigation, alert, containment and recovery

MDR Category #5 – ED-Big-R (Single Telemetry)
EDR vendors are a viable option for organizations that lack the resources specifically to monitor, investigate and respond to endpoint threats, but have in-house resources to correlate endpoint data from the MDR vendor with network, log, cloud and vulnerability telemetry to detect and respond to threats out of provider scope.

Profile
Similar to EDr, outlined previously, ED-big-R (EDR) is an evolution of a subset of the MDR vendor landscape. Virtually all EDR vendors own, manage, monitor and respond to their own proprietary end- point software. Deep machine learning and behavioral processes are highly integrated, thereby facilitating threat hunting and rapid response to elusive endpoint threats.

Management, monitoring, hunting and containment capabilities were developed secondary as value-adds for clients who lack adequate in-house resources.

Many EDR vendors provide an EPP in addition to EDR, alleviating the need for multiple agents. Additionally, next-generation antivirus data empowers threat hunters with data that can expedite investigation and response by providing important additional context.

EDR vendors are a viable option for organizations that lack the resources specifically to monitor, investigate and respond to endpoint threats, but have in-house resources to correlate endpoint data from the MDR vendor with network, log, cloud and vulnerability telemetry to detect and respond to threats out of provider scope.

Coverage

  • Process visibility
  • East/West (internal/lateral)

Strengths

  • Use of best-in-class endpoint technology
  • Can include endpoint prevention under singular agent,
  • eliminating sprawl/redundancy
  • Offers value-add for organizations that have already invested in endpoint software
  • High level of expertise with endpoint threats
  • Advanced endpoint threat detection capabilities • Deep-level fidelity into endpoint
  • Limited false positives
  • Full IR Lifecycle coverage
  • Deep-level portal visibility into endpoint threats • Lower cost of service

Weaknesses

  • Newer entrants to MDR market; relatively inexperienced
  • Reliance on single security signal
  • Unproven SOCs
  • Limited visibility beyond endpoint
  • Limited signal fidelity outside of endpoint
  • No hunting capabilities outside of endpoint telemetry
  • Response support limited to endpoint only
  • Requires client-side team to hunt, investigate, confirm and respond to threats outside of scope

Questions and considerations:

  • Does endpoint data alone provide appropriate visibility across our current and future network infrastructure? What else is required to manage and provision to complete missing visibility?
  • Does endpoint data captured provide the appropriate depth of data to cover our contextual threat landscape?
  • Does the provider have integrated automated response for known threats available via APIs?
  • How will our team correlate endpoint data with data from technologies across the network? Do we have adequate internal resources to do so?
  • How can data be ingested into existing technologies and processes to facilitate additional investigation?
  • Does the provider have adequate detection capabilities to enable detection of known and unknown threats?

While this blog provides a snapshot of one category of MDR, the intricacies and interdependencies are the varying types is complex. To learn more about the strengths and weaknesses for each of the seven MDR categories and how you can make an informed decision about what MDR solution best suits your organization, download The Definitive Guide to Managed Detection and Response (MDR) here: https://www.esentire.com/resource-library/the-definitive-guide-to-managed-detection-and-response-mdr

Akash Malhotra

Akash Malhotra

Technical Developer/Writer

With diverse knowledge of computer security, threat intelligence and front-end web development, Akash has worked with developing and documenting API libraries with Cymon.io, our open source threat intelligence aggregator.