The rise of remote work and the move to the cloud, as well as the rising rate and increased complexity of cyber attacks, have fundamentally changed the security landscape. Set-it-and-forget-it tools are no longer enough. To truly protect yourself from modern cyber threats you need 24×7 monitoring, detection and response.
However, even that doesn’t look the same anymore. For proof, look no further than the changes we’re seeing in two major solutions — endpoint detection and response (EDR) and managed detection and response (MDR).
What Is Endpoint Detection and Response (EDR)?
EDR allows organisations to monitor their endpoints — any physical device that sits at the end of a network connection and can communicate on that network, including desktops and laptops, servers, mobile devices, IoT devices, and more. EDR can detect security incidents, investigate those incidents, and remediate them as needed. Using monitoring technology, EDR solutions can detect previously unknown endpoint threats and provide visibility into endpoints and endpoint security.
EDR agent software is deployed to endpoints within an organisation and records the activity taking place on each system. EDR products analyse that activity in different places: some detect locally on the endpoint, some forward all recorded data to an on-premises control server, and some upload the recorded data to a cloud service for detection and inspection. Many EDR solutions take a hybrid approach.
The main differentiator between EDR and other detection and response solutions is the focus on endpoints and endpoint security, because endpoints are possible entry points for threat actors.
What Are the Benefits of EDR?
Simply put: visibility and insight.
You can’t protect what you can’t see, and EDR provides real-time visibility into your endpoints, which helps you better understand the threats trying to penetrate your environment.
Other Benefits of EDR:
- Behavioral Protection: Unlike tools that only monitor for known threats, EDR can help you detect suspicious activities that may indicate an unknown threat type.
- Contextualisation: EDR can help provide more context behind an attack so you can tailor your response.
- Remediation Speed: EDR can help you accelerate your breach investigation so you can limit any damage to your business.
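As an added illustration of the behavioural-versus-signature distinction and of the process context that lets you tailor a response (this is not code from the original post or from any vendor's product), the Python below runs a hash-based detector and a behavioural detector over a few constructed endpoint events and then reconstructs the process chain behind a hit. The event fields, the executable names, the rule and the hash strings are all assumptions.

```python
"""Signature-based vs behavioural detection over constructed endpoint
telemetry, plus the process-ancestry context an analyst would want.
Added illustration; event fields, rule and hashes are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str               # executable name as recorded by the agent
    cmdline: str
    sha256: str              # constructed placeholder, not a real file hash
    net_connect: bool = False  # process later opened an outbound connection


# Constructed sample telemetry from one host; not real data.
TELEMETRY: List[ProcEvent] = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe",                    "hash-0001"),
    ProcEvent(200, 100, "WINWORD.EXE",    "winword.exe Q2-invoice.docm",     "hash-0002"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -File update.ps1", "hash-0003", True),
    ProcEvent(400, 100, "notepad.exe",    "notepad.exe notes.txt",           "hash-0004"),
    ProcEvent(500, 100, "setup_tool.exe", "setup_tool.exe /silent",          "hash-bad-0099", True),
]

# Signature approach: hashes previously classified as malicious (constructed).
KNOWN_BAD_HASHES = {"hash-bad-0099"}


def signature_detect(events: List[ProcEvent]) -> List[int]:
    """Flag only processes whose file hash is already on the block list."""
    return [e.pid for e in events if e.sha256 in KNOWN_BAD_HASHES]


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def behavioural_detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Flag an office application spawning a script host that then talks out.
    No hash is consulted, so a never-before-seen binary is still caught."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent is not None
                and parent.image.lower() in OFFICE_APPS
                and e.image.lower() in SCRIPT_HOSTS
                and e.net_connect):
            hits.append((e.pid, "office application spawned a script host with network egress"))
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Return the process chain from the root down to pid: the context that
    turns a bare alert into something an analyst can act on."""
    by_pid = {e.pid: e for e in events}
    chain = []
    cur = by_pid.get(pid)
    while cur is not None:
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


if __name__ == "__main__":
    print("signature hits:  ", signature_detect(TELEMETRY))
    print("behavioural hits:", behavioural_detect(TELEMETRY))
    for hit_pid, _ in behavioural_detect(TELEMETRY):
        print("process chain:   ", " -> ".join(ancestry(TELEMETRY, hit_pid)))
```

The hash-based detector finds only the binary already on the block list; the PowerShell process launched from a document has an unknown hash and is caught solely because of how it behaved, and its ancestry chain is what a responder reads first when deciding how to contain it.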
It’s important to note that EDR solutions are changing as the security landscape evolves. Cloud security, identity and access management, and protection from data exfiltration attacks are all top priorities for organisations, and EDR solutions are responding.
According to a recent study by Gartner®, “By 2025, 60% of EDR solutions will include data from multiple security control sources, such as identity, cloud access security brokers (CASBs) and data loss prevention (DLP).”
What Are the Challenges of EDR?
EDR was once the leading technology in the monitoring and detection space, but businesses now need more than it can offer. According to that same Gartner® report, “By 2026, more than 60% of organisations using EDR will use managed detection and response (MDR) capabilities.”
Why is this shift occurring? For two major reasons:
- EDR only monitors an organisation’s endpoints. While endpoints are an important part of an organisation’s security architecture, they are far from the only modern attack vector.
- EDR is useful in detecting breaches and is more powerful than typical antivirus software when it comes to endpoint breaches. However, while EDR can assist with visibility, insight, and remediation, the full scope of the tool is limited to that one aspect of an organisation’s architecture.
Gartner also points out that there’s a continuing trend of consolidation, as businesses demand more capabilities through a single platform. As your organisation looks at its security journey and decides how to improve its overall posture, the question becomes “EDR or MDR?”
What Is MDR?
MDR is similar to EDR but adds an element of human expertise.
MDR supplies log aggregation, continuous monitoring, threat triage, and incident response, as well as 24×7 access to a skilled security team. If you use MDR, you can continue to use your existing EDR, endpoint protection platform (EPP) and data protection solutions — the MDR provider aggregates those logs, continuously monitors them, triages events, and provides incident response guidance.
The MDR approach provides threat detection and associated response actions as a managed service. Some MDR solutions are more product-focused, where managed services are offered on top of tools. Others are service-focused, which offer detection and monitoring of the existing security stack. The main differentiator for MDR is the human element.
What Are the Benefits of MDR?
MDR has broader benefits that impact more of your security environment:
- Broad Visibility: MDR works with the existing technology stack to discover and profile assets and collect data and security event observations from multiple sources.
- Constant Monitoring: MDR solutions offer 24×7 monitoring with a human team that can respond to potential threats as they occur.
- Managed Investigations: MDR solutions often have the human team manage investigations into threats, relieving an organisation’s security team of the heavy lifting.
- Guided Remediation: MDR providers work with organisations on remediation, offering speed and efficiency.
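An added example, not code from the original post or from any MDR provider, of the log aggregation, multi-source visibility and triage this section describes: the Python below normalises constructed alerts from an EDR, an identity provider and a CASB into one schema, groups them per user within a time window, and ranks the resulting cases for an analyst queue. The three source formats, the mapping of Windows-style accounts onto `@corp.example` identities, and the scoring weights are assumptions.

```python
"""Normalise alerts from several security sources, correlate them per
principal, and rank the cases for triage. Added illustration; source
formats, identity mapping and scoring weights are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed raw alerts, each in a different source-native shape.
RAW_EDR = [
    {"host": "LAPTOP-07", "user": "CORP\\alice", "time": "2023-05-02T09:14:00",
     "rule": "office app spawned script host", "sev": "medium"},
    {"host": "SRV-DB01", "user": "CORP\\svc_backup", "time": "2023-05-02T03:02:00",
     "rule": "credential access tool executed", "sev": "high"},
]
RAW_IDP = [
    {"principal": "alice@corp.example", "ts": 1683018300,   # 2023-05-02T09:05:00Z
     "event": "sign-in from a new country", "risk": "medium"},
]
RAW_CASB = [
    {"actor": "alice@corp.example", "at": "2023-05-02 09:20:00",
     "activity": "bulk download of 2.1 GB from file share", "level": "medium"},
]


def canonical_principal(ident: str) -> str:
    """Map 'DOMAIN\\user' onto the e-mail style identity the other sources
    use. Assumption: a real deployment would resolve this via the directory."""
    ident = ident.lower()
    if "\\" in ident:
        ident = ident.split("\\", 1)[1] + "@corp.example"
    return ident


def normalise(raw_edr, raw_idp, raw_casb) -> List[Dict]:
    """Flatten every source into {ts, source, principal, summary, severity}."""
    events = []
    for a in raw_edr:
        events.append({"ts": datetime.fromisoformat(a["time"]), "source": "edr",
                       "principal": canonical_principal(a["user"]),
                       "summary": f'{a["rule"]} on {a["host"]}',
                       "severity": SEVERITY[a["sev"]]})
    for a in raw_idp:
        ts = datetime.fromtimestamp(a["ts"], tz=timezone.utc).replace(tzinfo=None)
        events.append({"ts": ts, "source": "idp",
                       "principal": canonical_principal(a["principal"]),
                       "summary": a["event"], "severity": SEVERITY[a["risk"]]})
    for a in raw_casb:
        events.append({"ts": datetime.fromisoformat(a["at"]), "source": "casb",
                       "principal": canonical_principal(a["actor"]),
                       "summary": a["activity"], "severity": SEVERITY[a["level"]]})
    return sorted(events, key=lambda e: e["ts"])


def make_case(principal: str, evs: List[Dict]) -> Dict:
    """Score a cluster: sum of severities plus a bonus for each extra
    independent source that corroborates it (weights are assumptions)."""
    sources = {e["source"] for e in evs}
    score = sum(e["severity"] for e in evs) + 2 * (len(sources) - 1)
    return {"principal": principal, "sources": sorted(sources), "score": score,
            "summaries": [e["summary"] for e in evs]}


def build_cases(events: List[Dict], window: timedelta = timedelta(minutes=60)) -> List[Dict]:
    """Group time-ordered events per principal into clusters no wider than
    `window`, then return the cases with the highest score first."""
    by_principal: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)
    cases = []
    for principal, evs in by_principal.items():
        cluster: List[Dict] = []
        for e in evs:
            if cluster and e["ts"] - cluster[0]["ts"] > window:
                cases.append(make_case(principal, cluster))
                cluster = []
            cluster.append(e)
        if cluster:
            cases.append(make_case(principal, cluster))
    return sorted(cases, key=lambda c: c["score"], reverse=True)


def triage_queue() -> List[Dict]:
    return build_cases(normalise(RAW_EDR, RAW_IDP, RAW_CASB))


if __name__ == "__main__":
    for case in triage_queue():
        print(case["score"], case["principal"], case["sources"], case["summaries"])
```

Seen on its own, the single high-severity endpoint alert on the database server would top an EDR-only queue. Once identity and cloud telemetry are pulled into the same view, three medium alerts about one user within fifteen minutes corroborate each other and outrank it, which is the kind of cross-source judgement the section attributes to MDR.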
Which Detection and Monitoring Solution Is Best for Your Organisation?
Both EDR and MDR have their own strengths. In evaluating which solution is best for your security environment, it can be helpful to view those strengths side-by-side:
Every security environment is unique, and each organisation has its own business and security goals. But given where the market is heading in terms of security needs, the threat landscape, and advances in technology within the business environment, organisations are seeking solutions that extend beyond endpoints and turning to managed detection and response.
According to the 2023 Gartner® Market Guide for MDR Services, “By 2025, 60% of organisations will be actively using remote threat disruption and containment capabilities delivered directly by MDR providers, up from 30% today.”
- Get a comprehensive analyst overview of the evolving MDR landscape in the 2023 Gartner® Market Guide for MDR Services.
- Read how organisations around the globe are establishing priorities and addressing top security challenges in The State of Cybersecurity: 2023 Trends Report.
- Get an exclusive look at how Arctic Wolf’s Concierge Security experts triage, investigate, and escalate ransomware incidents.