Endpoint detection and response (EDR). Network detection and response (NDR). Extended detection and response (XDR). Managed detection and response (MDR). Managed extended detection and response (MXDR). Yeesh, if it seems confusing, you are right.

The threat detection and response (D&R) landscape continues to evolve. Finding new and better ways of wreaking havoc is a cyber criminal’s core function. So it’s hardly surprising that the history of how to counter these security threats has been a chess match – attackers innovate and develop new methods, CISOs and their teams counter with more sophisticated defense tactics. Lather, rinse, repeat.

The evolution of D&R methods, though... There are so many acronyms – all ending in “DR.” What the actual…heck? Let’s break down what each one means so you can assess which is best for you.
John Ayers is VP of managed eXtended Detection and Response (MXDR) at Optiv, a Top 250 MSSP. Read more Optiv blogs here.
Managed Detection & Response
MDR appeared in the mid-teens as a 24/7 D&R service from MSSPs (or MDR-specific providers using specialized and/or proprietary technology).
- Pros: MDR lowers the rate of alerts and false positives and affords greater visibility into emerging threats, allowing red teams to prioritize and investigate the most consequential ones. Its proactive and reactive services help contain and remediate threats.
- Cons: While lower, alert volume still may be high (driving “alert fatigue”).
Network Detection & Response
NDR primarily captures north/south traffic (internet communications) to detect threats that bypass traditional firewalls, UTM appliances and NGFW appliances. East/west (LAN) traffic is also supported by NDR, but depending on the use case EDR is likely a better fit, because capturing such traffic effectively and at a reasonable cost is difficult.
- Pros: NDR presents a number of benefits, including an extensive rule set that identifies threats based on network communications, and SOC services that offer rapid incident response and mitigation/remediation assistance.
- Cons: New and emerging work-from-home policies often blur traditional network perimeter lines. Organizations with a large roster of remote workers may not have much traffic on their defined corporate network, meaning NDR will have minimal visibility into what takes place.
Extended Detection and Response
A more recent development, XDR emerged during 2019 as a SecOps platform that aggregates and analyzes data from multiple point products. These capabilities speed up D&R, although many platforms are limited by vendor lock-in.

What’s the difference between EDR and XDR?

Mostly cloud-native, XDR platforms go far beyond a SIEM’s data collection function. XDR platforms have pre-built integrations to interoperate with and capture telemetry … from servers, endpoints, networks, email, edge, cloud and SIEM/SOAR – enabling far more visibility than MDR. Working around the clock, XDR uses ML and analytics to correlate activity, normalize information, identify threats and reduce the alert noise.
- Pros: XDR solutions reduce complexity via integration, automate responses and significantly reduce response times vs. MDR.
- Cons: XDR can pose vendor/compatibility issues. While XDR offers many features, many providers specialize in just a few areas. Some XDR solutions are compatible with a limited number of vendors (perhaps only one), forcing a compromise between the best specific purpose solution and general functionality.
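As an added illustration of the normalize/correlate/reduce-noise role described above (this is not Optiv's or any vendor's code), the following Python script maps two constructed feeds, an endpoint (EDR-style) alert list and a north/south network (NDR-style) alert list, onto one record shape and raises a single finding only where a host appears in both within five minutes. All hostnames, IPs and event fields are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in two vendor-specific shapes; hosts/IPs are placeholders.
EDR_EVENTS = [  # endpoint agent alerts
    {"hostname": "ws-17", "ts": "2024-05-01T10:00:05", "proc": "powershell.exe"},
    {"hostname": "ws-22", "ts": "2024-05-01T10:04:00", "proc": "outlook.exe"},
]
NDR_EVENTS = [  # north/south network sensor alerts
    {"src_host": "ws-17", "time": "2024-05-01T10:00:40", "dst": "203.0.113.9", "sig": "dns-tunnel-pattern"},
    {"src_host": "ws-31", "time": "2024-05-01T10:02:00", "dst": "198.51.100.7", "sig": "dns-tunnel-pattern"},
]


def normalize(edr_events, ndr_events):
    """Map both vendor formats onto one schema: host, time, source, detail."""
    recs = [{"host": e["hostname"], "time": datetime.fromisoformat(e["ts"]),
             "source": "edr", "detail": e["proc"]} for e in edr_events]
    recs += [{"host": e["src_host"], "time": datetime.fromisoformat(e["time"]),
              "source": "ndr", "detail": e["sig"]} for e in ndr_events]
    return recs


def correlate(records, window=timedelta(minutes=5)):
    """Emit at most one finding per host whose EDR and NDR records fall within `window`.
    A host seen by only one feed stays as low-value noise and produces nothing."""
    by_host = defaultdict(lambda: {"edr": [], "ndr": []})
    for r in records:
        by_host[r["host"]][r["source"]].append(r)
    findings = []
    for host, feeds in by_host.items():
        pairs = [(a, b) for a in feeds["edr"] for b in feeds["ndr"]
                 if abs(b["time"] - a["time"]) <= window]
        if pairs:  # collapse however many raw alerts matched into one finding
            a, b = min(pairs, key=lambda p: p[0]["time"])
            findings.append({"host": host, "endpoint": a["detail"], "network": b["detail"]})
    return findings


def alert_reduction(edr_events, ndr_events):
    """Return (raw alert count, correlated finding count) to quantify the noise reduction."""
    recs = normalize(edr_events, ndr_events)
    return len(recs), len(correlate(recs))


if __name__ == "__main__":
    print(correlate(normalize(EDR_EVENTS, NDR_EVENTS)))
    print("raw vs. correlated:", alert_reduction(EDR_EVENTS, NDR_EVENTS))  # (4, 1)
```

Four raw alerts from two sources collapse to one finding on the host both feeds saw, which is the practical meaning of "reduce the alert noise" in the XDR description.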