EDR vs NDR vs XDR vs MDR: What’s Next for Detection and Response?
Endpoint detection and response (EDR). Network detection and response (NDR). Extended detection and response (XDR). Managed detection and response (MDR). Managed extended detection and response (MXDR). Yeesh, if it seems confusing, you are right.
The threat detection and response (D&R) landscape continues to evolve. Finding new and better ways of wreaking havoc is a cyber criminal’s core function. So it’s hardly surprising that the history of how to counter these security threats has been a chess match – attackers innovate and develop new methods, CISOs and their teams counter with more sophisticated defense tactics. Lather, rinse, repeat.
The evolution of D&R methods, though… There are so many acronyms – all ending in “DR.” What the actual…heck? Let’s break down what each one means so you can assess which is best for you.
Managed Detection & Response
MDR appeared in the mid-teens as a 24/7 D&R service from MSSPs (or MDR-specific providers using specialized and/or proprietary technology).
- Pros: MDR lowers the rate of alerts and false positives and affords greater visibility into emerging threats, allowing red teams to prioritize and investigate the most consequential ones. Its proactive and reactive services help contain and remediate threats.
- Cons: While lower, alert volume still may be high (driving “alert fatigue”).
Network Detection & Response
NDR primarily captures north/south traffic (internet communications) to detect threats that bypass traditional firewalls, UTM appliances and NGFW appliances. NDR can also cover east/west (LAN) traffic, but because capturing that traffic effectively and at a reasonable cost is hard, EDR is often a better fit, depending on the use case.
- Pros: NDR presents a number of benefits, including an extensive rule set that identifies threats based on network communications, and SOC services that offer rapid incident response and mitigation/remediation assistance.
- Cons: New and emerging work-from-home policies often blur traditional network perimeter lines. Organizations with a large roster of remote workers may not have much traffic on their defined corporate network, meaning NDR will have minimal visibility into what takes place.
Extended Detection and Response
A more recent development, XDR emerged during 2019 as a SecOps platform that aggregates and analyzes data from multiple point products. These capabilities speed up D&R, although many platforms are limited by vendor lock-in.
What’s the difference between EDR and XDR?
Mostly cloud-native, XDR platforms go far beyond a SIEM’s data collection function. XDR platforms have pre-built integrations to interoperate with and capture telemetry … from servers, endpoints, networks, email, edge, cloud and SIEM/SOAR – enabling far more visibility than MDR. Working around the clock, XDR uses ML and analytics to correlate activity, normalize information, identify threats and reduce the alert noise.
- Pros: XDR solutions reduce complexity via integration, automate responses and significantly reduce response times vs. MDR.
- Cons: XDR can pose vendor/compatibility issues. While XDR offers many features, many providers specialize in just a few areas. Some XDR solutions are compatible with a limited number of vendors (perhaps only one), forcing a compromise between the best specific purpose solution and general functionality.
And Now, the Future is Managed XDR
MXDR is XDR delivered as a managed service. It integrates and works with existing technology, offering real-time threat detection and incident validation. The provision of supplemental technology and security skills makes MXDR simpler than DIY XDR. MXDR is also always-on and lightning-fast due to automated response and remediation across endpoints.
MXDR is a powerful enabler: it brings in log data that EDR and NDR services do not see (such as Active Directory or VPN logins) and correlates it with other rich log sources to validate threats.
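The two ideas above, an XDR platform normalizing telemetry from several products and MXDR correlating EDR/NDR signals with sources neither of them sees (such as VPN logins), can be shown concretely. The script below is an added example, not code from the article or from Optiv. It parses three constructed log formats (an endpoint-agent JSON record, a network-sensor flow line, a VPN login line; the field names are assumptions, not any vendor's schema) into one event shape, tags each flow as north/south or east/west by RFC 1918 membership, and then groups events per user inside a sliding time window. An incident is emitted only when two or more independent sources agree, which is the noise-reduction and validation step the article attributes to XDR and MXDR; a detection seen by a single source stays an alert rather than a validated incident.

```python
"""Cross-source correlation of detection telemetry (added example, not the article's code)."""
import ipaddress
import json
import re
from datetime import datetime, timedelta

# Sample telemetry, constructed for this example. Field names are assumptions.
EDR_LINES = [
    '{"ts": "2024-05-01T10:01:40+00:00", "host": "WS-42", "user": "alice", "detection": "suspicious_powershell"}',
    '{"ts": "2024-05-01T11:30:00+00:00", "host": "WS-17", "user": "bob", "detection": "macro_enabled_document"}',
]
NDR_LINES = [
    "2024-05-01T10:02:11+00:00 flow src=10.1.2.42 dst=203.0.113.9 dport=443 host=WS-42 user=alice alert=beaconing",
    "2024-05-01T09:00:00+00:00 flow src=10.1.2.7 dst=10.1.5.20 dport=445 host=WS-07 user=carol alert=smb_bulk_transfer",
]
VPN_LINES = [
    "2024-05-01T10:00:03+00:00 vpn01 sslvpn: login user=alice src=198.51.100.7 result=success",
    "2024-05-01T08:45:10+00:00 vpn01 sslvpn: login user=dave src=198.51.100.8 result=success",
]

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV_RE = re.compile(r"(\w+)=(\S+)")


def is_internal(ip):
    """True when the address sits inside an RFC 1918 range (i.e. on the LAN)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def flow_direction(src, dst):
    """East/west = both ends on the LAN; north/south = one end crosses the perimeter."""
    return "east_west" if is_internal(src) and is_internal(dst) else "north_south"


def parse_edr(line):
    rec = json.loads(line)
    return {"source": "edr", "ts": datetime.fromisoformat(rec["ts"]), "user": rec["user"],
            "host": rec["host"], "signal": rec["detection"]}


def parse_ndr(line):
    ts, _, rest = line.partition(" ")
    kv = dict(KV_RE.findall(rest))
    direction = flow_direction(kv["src"], kv["dst"])
    return {"source": "ndr", "ts": datetime.fromisoformat(ts), "user": kv["user"],
            "host": kv["host"], "signal": f"{kv['alert']}:{direction}"}


def parse_vpn(line):
    ts, _, rest = line.partition(" ")
    kv = dict(KV_RE.findall(rest))
    # VPN concentrator logs carry no endpoint hostname; user is the join key.
    return {"source": "vpn", "ts": datetime.fromisoformat(ts), "user": kv["user"],
            "host": None, "signal": f"vpn_login_from_{kv['src']}"}


def normalize(edr_lines, ndr_lines, vpn_lines):
    """Map every product's format onto one event schema, ordered by time."""
    events = ([parse_edr(l) for l in edr_lines] + [parse_ndr(l) for l in ndr_lines]
              + [parse_vpn(l) for l in vpn_lines])
    return sorted(events, key=lambda e: e["ts"])


def _emit(user, cluster, min_sources):
    sources = {e["source"] for e in cluster}
    if len(sources) < min_sources:
        return []  # single-source signal: stays an alert, not a validated incident
    return [{"user": user, "sources": sources, "signals": [e["signal"] for e in cluster],
             "hosts": {e["host"] for e in cluster if e["host"]},
             "start": cluster[0]["ts"], "end": cluster[-1]["ts"]}]


def correlate(events, window=timedelta(minutes=15), min_sources=2):
    """Cluster time-sorted events per user inside `window`; emit an incident only
    when at least `min_sources` independent sources agree."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)
    incidents = []
    for user, evs in by_user.items():
        cluster = []
        for ev in evs:
            if cluster and ev["ts"] - cluster[0]["ts"] > window:
                incidents.extend(_emit(user, cluster, min_sources))
                cluster = []
            cluster.append(ev)
        incidents.extend(_emit(user, cluster, min_sources))
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize(EDR_LINES, NDR_LINES, VPN_LINES)):
        print(inc["user"], sorted(inc["sources"]), sorted(inc["hosts"]), inc["signals"])
```

With the constructed input, only alice produces an incident: a VPN login from outside, a PowerShell detection on WS-42 and a north/south beaconing flow from the same host fall inside one 15-minute window. Bob's macro document, Carol's east/west SMB transfer and Dave's VPN login each appear in one source only and are left as plain alerts, which is the alert-volume reduction the Pros lists claim. Joining on user is an assumption of this example; a real platform would also join on host, session or source address.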
- Pros: MXDR leverages your existing technology investments and environment (saving a lot of money in the process); drives simplicity and transparency; lets you know which threats matter the most; and offers rapid IR and mitigation/remediation assistance.
In summary, managed extended detection and response is as good as it gets to detect and respond to today’s threats. It assumes and builds on the best features of the last 20 years of D&R, and while something even more advanced (probably ending in -DR) will surely be along in a few years, MXDR’s hands-on, engaged model positions us for the most proactive stance in our future battles against constantly evolving threat actors.
John Ayers is VP of managed eXtended Detection and Response (MXDR) at Optiv, a Top 250 MSSP.
Love your perspective on XDR and it is refreshing to hear from someone who seems to “get it”. It is a very confusing term for many people with varying opinions on the definition. Couldn’t agree more with your comments on the potential cons of XDR and how many platforms only support one vendor, “therefore forcing a compromise between the best specific purpose solution and general functionality”. (Open) MXDR does sound like a logical next step or evolution of XDR. Good stuff, thanks!
Hey Charlie: Thanks for your readership and perspectives. The XDR vs. Open XDR conversation continues to drive strong readership on MSSP Alert. I believe closed and open approaches each have potential benefits and drawbacks. It’s somewhat akin to Apple (mostly closed) vs. PCs (mostly open): Both approaches may wind up thriving for different reasons. Still, MSSPs will need to do their homework, because the tidal wave of options is similar to the early days of cloud services — when every client-server software company in the world attempted to rebrand for the SaaS revolution… Stay tuned.