Understanding the Lines Between EDR, NDR, TDR, XDR, and MDR


The world of cybersecurity doesn’t lack for acronyms. Whether it’s protocols and standards or tools and technology, the market is dominated by an endless array of capital letters. In recent years, as both technology and threat actors have evolved, more and more platforms are branding themselves with “D’s” and “R’s” for “detection and response.”

This adaptation has been driven by a desire for organizations to proactively stop threats before they turn into major incidents or data breaches. According to the Arctic Wolf State of Cybersecurity 2023 Trends, risk management is the top force driving organizations’ security decisions, and for good reason — it’s more efficient and effective to prevent an attack than recover from one. Detection and response technology allows organizations to gain more visibility into their environment, be alerted to unusual behavior, and take measures to thwart any attack attempts.

However, acronym fatigue has led to confusion among organizations that are either unfamiliar with the terms or unsure which detection and response solution best fits their security and business goals.

Understanding Detection and Response

While visibility is a critical component of any monitoring solution, it can vary from organization to organization, application to application, or vendor to vendor. So instead, let’s look at what all the current tools have in common — detection and response.

In the early days of cybersecurity, antivirus software and firewalls dominated devices and the market. It was a moat-and-castle approach meant to keep intruders out. As business and technology changed — the adoption of the cloud, the proliferation of endpoints, and hybrid-work models, to name a few — cybersecurity needs and solutions changed as well. Now, cybersecurity operates vastly differently, monitoring and responding to multiple elements of the environment, often simultaneously. This modern approach involves detecting a wide range of threats using methods beyond simple signature matching, along with the ability to respond quickly and effectively once a threat is discovered. It can involve machine learning (ML), the ingestion and correlation of data across applications, and the human element: analysts who respond swiftly, choosing the appropriate response based on the telemetry gathered by these newer tools.

What is EDR?

Endpoint detection and response (EDR) is a tool that offers full-time monitoring, threat detection, and threat response for an organization’s endpoints. The idea behind EDR is that every endpoint, whether it’s a laptop, desktop, server, virtual machine, or, in some cases, a mobile device, is a potential entry vector for an attacker. Therefore, it’s important that defenders have the highest level of visibility into what occurs on these devices.

EDR agent software is deployed to endpoints within an organization and begins recording activity taking place on that system. We can picture these agents like security cameras focused on the processes and events running on that device. The EDR agent then uses this recorded data to detect potential threats.

EDR tools take many approaches to detecting threats. Some detect locally on the endpoint via machine learning, some forward all recorded data to an on-premises control server for analysis, some upload the recorded data to a cloud resource for detection and inspection, while many others use a hybrid of these methods.

However, in recent years, EDR technology has been folded into other platforms and tools, rendering it less used as a stand-alone cybersecurity option. This is primarily because, while all threats land on an endpoint eventually, organizations realize they need to observe and stop threats before they reach that stage of escalation. The technology has advanced to the point where endpoint detection — while important for overall telemetry and incident response — is considered too little, too late if a cyber attack is occurring.

Forrester, a leading security consulting organization, recently made the decision to stop evaluating EDR providers, instead opting to categorize them as part of extended detection and response (XDR).

According to Forrester, “EDR vendors have embraced adding additional telemetry, and more XDR vendors have added general-availability features. And importantly, practitioners at large enterprises now refer to EDR and XDR synonymously.”

Scroll down for more information on XDR.

What is NDR?

Network detection and response (NDR) directs its detection capabilities onto data observed from the network traffic that flows through the organization. NDR vendors may have multiple approaches to how they observe and analyze this traffic, but in general, a network sensor is required. This is typically a physical network device, a virtual appliance, or a combination of both. These sensors are then placed in line with the network — essentially observing traffic as it heads towards its destination — or in a mirrored configuration, where a copy of the traffic is forwarded for analysis.

NDR detections are often based on a generalized view of the environment. Instead of detecting threats based on unusual processes or granular events as with EDR, NDR looks for potential threats based on anomalous or unauthorized protocols, port utilization, odd timing and transfer sizes, and more. As a metaphor, we can picture NDR acting like a highway patrol officer observing vehicle traffic. If the officer observes a violation, they can take the necessary action to ensure traffic safety. NDR may trigger alerts, drop server traffic, quarantine a device, and generate forensic evidence.
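To make the NDR detection style above concrete, here is an added example that is not from the original post or from any Arctic Wolf product. It runs a few policy and baseline checks over constructed flow-summary records (in the spirit of NetFlow/IPFIX, not real traffic): unauthorized destination ports, transfers far above a host's own median, off-hours activity, and, going one step beyond the post's list, oversized UDP DNS flows as a protocol anomaly. The `POLICY` thresholds, the sample hosts and the rule names are all assumptions chosen for illustration.

```python
"""NDR-style flow inspection over constructed sample flow records (example code)."""
from collections import defaultdict
from statistics import median

# Constructed flow records in the style of NetFlow/IPFIX summaries (not real traffic).
# Fields: source host, destination, destination port, protocol, bytes sent, hour of day (0-23).
SAMPLE_FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.2.5",     "dport": 443, "proto": "tcp", "bytes": 48_000,        "hour": 10},
    {"src": "10.0.1.10", "dst": "10.0.2.5",     "dport": 443, "proto": "tcp", "bytes": 51_000,        "hour": 11},
    {"src": "10.0.1.10", "dst": "10.0.2.5",     "dport": 443, "proto": "tcp", "bytes": 47_500,        "hour": 14},
    {"src": "10.0.1.10", "dst": "203.0.113.9",  "dport": 443, "proto": "tcp", "bytes": 2_900_000_000, "hour": 3},  # huge off-hours transfer
    {"src": "10.0.1.22", "dst": "10.0.2.8",     "dport": 445, "proto": "tcp", "bytes": 12_000,        "hour": 9},
    {"src": "10.0.1.22", "dst": "198.51.100.4", "dport": 23,  "proto": "tcp", "bytes": 900,           "hour": 9},  # telnet, not on the allowlist
    {"src": "10.0.1.22", "dst": "198.51.100.4", "dport": 53,  "proto": "udp", "bytes": 300,           "hour": 9},
    {"src": "10.0.1.22", "dst": "198.51.100.4", "dport": 53,  "proto": "udp", "bytes": 60_000,        "hour": 9},  # oversized DNS
]

# Hypothetical policy (an assumption for this example): approved protocol/port pairs,
# which hours count as business hours, how far above a host's baseline a single
# transfer may go, and how large a UDP DNS flow may be before it looks anomalous.
POLICY = {
    "allowed_ports": {("tcp", 443), ("tcp", 445), ("udp", 53), ("tcp", 22)},
    "business_hours": range(7, 20),
    "size_multiplier": 10,    # flag a flow larger than 10x the host's median bytes per flow
    "dns_max_bytes": 4_096,   # UDP DNS flows rarely exceed this
}


def host_baselines(flows):
    """Median bytes per flow for each source host, used as a simple per-host baseline."""
    per_host = defaultdict(list)
    for f in flows:
        per_host[f["src"]].append(f["bytes"])
    return {host: median(sizes) for host, sizes in per_host.items()}


def analyze_flows(flows, policy=POLICY):
    """Return (rule, src, dst, dport) alerts for every flow that violates the policy."""
    baseline = host_baselines(flows)
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        if (f["proto"], f["dport"]) not in policy["allowed_ports"]:
            alerts.append(("unauthorized_port", *key))
        if f["bytes"] > policy["size_multiplier"] * baseline[f["src"]]:
            alerts.append(("anomalous_transfer_size", *key))
        if f["hour"] not in policy["business_hours"]:
            alerts.append(("off_hours_transfer", *key))
        if f["proto"] == "udp" and f["dport"] == 53 and f["bytes"] > policy["dns_max_bytes"]:
            alerts.append(("oversized_dns", *key))
    return alerts


if __name__ == "__main__":
    for rule, src, dst, dport in analyze_flows(SAMPLE_FLOWS):
        print(f"{rule:25s} {src} -> {dst}:{dport}")
```

The per-host median is deliberately robust: a single giant transfer barely moves the baseline it is compared against, which is why the 2.9 GB flow stands out while the second host's larger-than-usual DNS flow is caught by the protocol rule rather than the size rule. A production sensor would compute baselines over days of history and per destination as well, but the shape of the decision is the same.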

Network security has become more important in recent years as threat actors have set their sights on that part of the security infrastructure — particularly organizations’ cloud networks. In fact, 92% of threats Arctic Wolf responded to in 2022 included a compromised cloud component.

There are benefits and drawbacks to NDR that we should always consider. One key benefit is that it doesn’t rely on a deployed agent at every endpoint. This makes it ideal for environments where EDR may be unable to cover every system. Another advantage is that NDR can detect and respond to unauthorized devices. If an attacker plugs an unauthorized laptop into your environment, NDR should be able to detect this and allow you to act upon traffic from that device.

However, a big NDR challenge derives from the evolving nature of modern networks. Many organizations now embrace work-from-home policies that blur the lines of traditional network perimeters. If an organization employs a large number of remote workers who may never generate traffic within a defined corporate network, then NDR will have minimal visibility into what takes place and may offer limited value.


What is TDR?

Threat detection and response (TDR) is a hard-to-define term, since multiple vendors offer varying tools with this terminology attached. To better understand the usage of TDR, we will focus on two of the most common uses of TDR technology: endpoint TDR and analytical TDR.

  • Endpoint TDR is essentially a modified approach to EDR and the large amount of data it may generate. Traditional EDR is designed to record as much data as possible about what takes place on the endpoint. This means it can not only detect threats, but also provide a valuable pool of data for security analysts, incident responders, and threat hunters to search through during investigations. Unfortunately, this also creates a situation where a lot of the data recorded by EDR tools is seen as unnecessary noise. TDR tools attempt to solve this issue by only recording data once it believes a potential threat is occurring, or only recording a strategic set of processes and events that are most likely to reveal a threat. When a threat is detected, this form of TDR often appears quite like traditional EDR.
  • Analytical TDR, on the other hand, is a very different approach from endpoint TDR. Think of analytical TDR as detection and response capabilities applied to existing data. Many organizations are moving towards big data models, where vast amounts of information are collected and stored together. The analytical TDR approach leverages these “data lakes” and applies threat detection analytics to them. Once a threat is detected, it can trigger an alert and the issue can be addressed. A drawback of this style of TDR is its dependency upon those big data structures. If an organization hasn’t already implemented them, then this form of TDR will not be of value.

Threat detection and response can also refer to a broader set of tools, technologies, and processes that use an organization’s real-time security data to prevent cyber attacks. Vulnerability scans, behavioral analysis, threat intelligence, threat hunting, and penetration testing could all fall into the category of threat detection and response.

What is XDR?

XDR refers to a single platform that can ingest endpoint agent data, network level information, and, in many cases, device logs. This data is correlated, and detections can occur from one or many sources of telemetry.

A benefit of XDR is that it streamlines the analyst’s workflow by allowing them to view detections and take response actions from a single console. This single-pane-of-glass approach offers faster time to value, a lower learning curve, and quicker response times, since the analyst no longer needs to pivot between windows. Another advantage of XDR is its ability to piece multiple sources of telemetry together to achieve a big-picture view of detections. These tools are able to see what occurs not only on the endpoints, but also between the endpoints.
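The correlation the two paragraphs above describe, as an added example that is not part of the original post and does not represent any vendor's platform: three constructed telemetry feeds (endpoint process events, network flow summaries, and device auth logs) are normalized into a common signal shape, then grouped per host within a time window, and an incident is escalated only when two or more independent sources agree. The adapters, the 300-second window, the hostnames and the "new_local_admin" log event are all assumptions made for the example.

```python
"""XDR-style correlation of endpoint, network and log telemetry (example code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    """One low-level detection, normalized so every source looks the same to the correlator."""
    source: str   # "endpoint", "network" or "log"
    host: str
    ts: int       # seconds (constructed values, not real timestamps)
    detail: str


# Constructed telemetry (not real data). A real platform would parse agent, sensor
# and syslog formats; here each feed is a list of dicts.
ENDPOINT_EVENTS = [
    {"host": "WS-17", "ts": 1000, "process": "powershell.exe", "parent": "winword.exe"},
    {"host": "WS-42", "ts": 1500, "process": "chrome.exe", "parent": "explorer.exe"},
]
NETWORK_FLOWS = [
    {"host": "WS-17", "ts": 1040, "dst": "203.0.113.9", "dport": 8443, "bytes": 5_000_000},
    {"host": "WS-42", "ts": 1510, "dst": "10.0.2.5", "dport": 443, "bytes": 20_000},
    {"host": "WS-09", "ts": 3000, "dst": "198.51.100.4", "dport": 8443, "bytes": 7_000_000},
]
AUTH_LOGS = [
    {"host": "WS-17", "ts": 1090, "event": "new_local_admin", "user": "svc_backup"},
]

INTERNAL_PREFIX = "10."      # assumption: the RFC 1918 10/8 range is "inside"
WINDOW_SECONDS = 300          # assumption: signals within 5 minutes belong together
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def endpoint_signals(events):
    """Endpoint adapter: an office application spawning a script host is a classic low-severity signal."""
    return [Signal("endpoint", e["host"], e["ts"], f'{e["parent"]} spawned {e["process"]}')
            for e in events if e["parent"] in OFFICE_APPS and e["process"] in SCRIPT_HOSTS]


def network_signals(flows, min_bytes=1_000_000):
    """Network adapter: a large transfer to a non-internal destination."""
    return [Signal("network", f["host"], f["ts"], f'{f["bytes"]} bytes to {f["dst"]}:{f["dport"]}')
            for f in flows if not f["dst"].startswith(INTERNAL_PREFIX) and f["bytes"] >= min_bytes]


def log_signals(entries):
    """Log adapter: a new local administrator account appearing on a workstation."""
    return [Signal("log", e["host"], e["ts"], f'{e["event"]} for {e["user"]}')
            for e in entries if e["event"] == "new_local_admin"]


def _summarise(host, cluster):
    sources = sorted({s.source for s in cluster})
    severity = "high" if len(sources) >= 2 else "low"
    return {"host": host, "severity": severity, "sources": sources,
            "signals": [s.detail for s in cluster]}


def correlate(signals, window=WINDOW_SECONDS):
    """Group signals per host into time clusters; escalate when >= 2 distinct sources agree."""
    by_host = defaultdict(list)
    for s in sorted(signals, key=lambda s: s.ts):
        by_host[s.host].append(s)
    incidents = []
    for host, sigs in by_host.items():
        cluster = [sigs[0]]
        for s in sigs[1:]:
            if s.ts - cluster[0].ts <= window:
                cluster.append(s)
            else:
                incidents.append(_summarise(host, cluster))
                cluster = [s]
        incidents.append(_summarise(host, cluster))
    return incidents


def run_xdr(endpoint_events, flows, logs):
    """Ingest all three feeds, normalize them, and return correlated incidents."""
    signals = endpoint_signals(endpoint_events) + network_signals(flows) + log_signals(logs)
    return correlate(signals)


if __name__ == "__main__":
    for inc in run_xdr(ENDPOINT_EVENTS, NETWORK_FLOWS, AUTH_LOGS):
        print(f'{inc["severity"]:4s} {inc["host"]} sources={inc["sources"]} {inc["signals"]}')
```

Each adapter on its own would only produce a low-confidence alert that an analyst might ignore; the value of the single platform is that WS-17's three signals land in one incident with a higher severity, while WS-09's lone large transfer stays low until another source corroborates it. This is also where the "same-vendor telemetry only" limitation mentioned below bites: a platform whose network adapter cannot read a third-party sensor's flows simply never sees the second source.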

However, XDR is not a cure for the limitations of NDR or EDR. It is still a tool, which means it is only as effective as the people using it, and many vendors offer XDR that is more limited than it first appears. Some XDR solutions only take in telemetry from tools of the same vendor, while others are marketed as XDR but operate like legacy solutions.


What is MDR?

Managed detection and response (MDR) is the outlier of the offerings reviewed so far because it is not necessarily a technology but instead a service solution, which incorporates technology, people, and processes.

MDR arose from the fact that there are many great detection and response tools available, but many organizations are severely limited in both the time and the talent it takes to manage them. Therefore, the MDR approach provides threat detection and associated response actions as a managed service.

While MDR can take many forms, there are two main categories these solutions fall into:

  • Product-focused MDR generally involves vendors who sell tools and then offer managed services on top of those tools. This brings a number of benefits and considerations. The vendors are experts in their tools and, as such, can offer expert-level guidance, support, and management of these tools. Their focus, however, is then usually limited to just the tools that they sell. If your organization has a diverse stack of security tools, then a product-focused MDR approach will only work with the tools they provide, requiring your team to either manage the rest or consolidate your technology to just that vendor’s offerings.
  • A pure-play MDR provider is one who works with your existing security stack to detect and respond to threats. These MDR vendors serve as an organization’s much-needed resource by providing experts to utilize the existing set of tools, and they let the organization avoid consolidating its technology to a single vendor. This benefits the customer, who can implement a range of tools that best fit their needs and then leverage the MDR provider for detection and response actions. A pure-play MDR vendor can grow and evolve along with the customer and build long-lasting, trusting relationships that are not focused on selling products.

Why Organizations Should Consider an Operations-Focused Security Approach

There is massive value in utilizing a detection and response solution for your organization’s cybersecurity. But singular or siloed tools offer a weak defense against rapidly evolving threat actors. To stay on top of mounting threats, organizations need solutions that combine cutting-edge technology with human expertise, and which work proactively and reactively to both harden the attack surface and stop immediate threats.

Arctic Wolf does exactly that with the Arctic Wolf® Security Operations Cloud. Built on an open-XDR architecture, it takes a vendor-neutral approach, offers broad visibility, and enriches, analyzes, and surfaces anomalies, threats, and incidents using data science and artificial intelligence to augment our human analyst teams. This is paired with the Arctic Wolf Concierge Delivery Model, which provides organizations with triaged alerts to reduce fatigue, continuous tailored guidance to enhance their security programs, and on-demand security expertise to respond to threats.



Christopher Fielder

Christopher Fielder has been in the cybersecurity world for almost 20 years, with experience ranging across military, government, and corporate environments. Christopher holds 18 industry certifications, including the CISSP, GPEN, GISP, GCFE, GSEC, GCIH, CEH, and more, along with a Master’s Degree in Information Security. Today he is the Director of Product Marketing for Arctic Wolf, where he enjoys researching emerging security trends and highlighting the expertise of the Arctic Wolf team.