The world of cybersecurity doesn’t lack for acronyms. Whether it’s protocols and standards or tools and technology, the market is dominated by an endless array of capital letters.
Recently, to combat the ever-increasing number of attacks against organizations, many security-related acronyms now feature very similar lettering, namely “D” for detection and “R” for response. This has led to a lot of confusion among buyers who are unfamiliar with these terms. So, let's review the difference between these detection-and-response offerings to find which one is right for you.
Understanding Detecting and Responding
Let’s start with the basics: The core capabilities these offerings have in common is detection and response. To understand these capabilities, we must dig into the approach many legacy security tools took when they were released.
In the earlier days of the cybersecurity market, antivirus was the dominant player and the approach was quite simple. Any time a potential threat matched a pattern or signature of a known threat, it was either terminated or prevented from executing. This approach worked well for a while, but became outdated once the threat landscape began to evolve.
First, malware designers quickly learned how to create polymorphic code that was able to bypass antivirus tools. Second, legacy AV offered little, if any, protection against an active human attacker. For these reasons, a new tactic was required.
The modern approach involves detecting a wide range of threats using methods beyond simple signature matching, along with the ability to respond quickly and effectively once a threat is discovered. As we review these offerings, you will see how this approach remains the basis for each solution.
EDR, or endpoint detection and response, is arguably the most widely used offering on this list, with a global market predicted to reach over $7 billion USD annually within the next few years—and the potential to climb even higher.
Much of its popularity may stem from the perception of it as the evolutionary successor to traditional antivirus by solving many of AV’s shortcomings.
True to its name, EDR’s focus on endpoints is its key differentiator. The idea is that every endpoint, whether it’s a laptop, desktop, server, virtual machine, and in some cases a mobile device, is a potential entry vector for an attacker. Therefore, it’s important that defenders have the highest level of visibility into what occurs on these devices.
EDR agent software is deployed to endpoints within an organization and begins recording activity taking place on that system. We can picture these agents like security cameras focused on the processes and events running on that device. The EDR agent then uses this recorded data to detect potential threats. There are many approaches to detecting threats for EDR. Some detect locally on the endpoint via machine learning, some forward all recorded data to an on-premise control server for analysis, some upload the recorded data to a cloud resource for detection and inspection, while many others use a hybrid approach of multiple methods.
We can picture EDR agents like security cameras focused on the processes and events running on that device.
Detections in EDR can be based on a series of mechanisms including AI, threat intelligence, behavioral analysis, indicators of compromise (IOCs), and more depending on the vendor. These tools also offer a varying range of response capabilities, which may include such actions that trigger alerts, isolate the machine from the network, roll back to a known good state, delete or terminate threats, and generate forensic evidence files.
With EDR, it is crucial to deploy the agent to as many systems as possible. This can be seen as a drawback, since the goal should be for full deployment of the agent to all devices within your environment, making it a time-consuming and potentially challenging task. Yet, covering as many endpoints as possible is essential to get the most value out of EDR detection capabilities.
Once we understand EDR’s drawback of focusing on endpoints alone, we can begin to understand the necessity many organizations see in NDR, or network detection and response.
As the name implies, NDR directs its detection capabilities on data observed from the network traffic that flows through the organization. NDR vendors may have multiple approaches to how they observe and analyze this traffic, but in general, a network sensor is required. This is typically a physical network device, a virtual appliance, or a combination of both. These sensors are then placed in line with the network—essentially observing traffic as it heads towards its destination—or in a mirrored configuration, where a copy of the traffic is forwarded for analysis.
NDR Detections are often based on a generalized view of the environment. Instead of detecting threats based on unusual processes or granular events as with EDR, NDR instead looks for potential threats based on anomalous or unauthorized protocols, port utilization, odd timing and transfer sizes, and more.
As a metaphor, we can picture NDR acting like a highway patrol officer observing vehicle traffic. If the officer observes a violation, they can take the necessary action to ensure traffic safety. NDR may trigger alerts, drop traffic, quarantine a device, and generate forensic evidence.
There are benefits and drawbacks to NDR that we should always consider. One key benefit is it doesn’t rely on a deployed agent at every endpoint. This makes it ideal for environments where EDR may be unable to cover every system. Another advantage is that NDR can detect and respond to unauthorized devices. If an attacker plugs an unauthorized laptop into your environment, NDR should be able to detect this and allow you to act upon traffic from that device.
However, a big NDR challenge derives from the evolving nature of modern networks. Many organizations now embrace work-from-home policies that blur the lines of traditional network perimeters. If an organization employs a large number of remote workers who may never generate traffic within a defined corporate network, then NDR will have minimal visibility into what takes place and may offer limited value.
NDR has minimal visibility into organizations who employs a large number of remote workers who may never generate traffic within a defined corporate network.
Threat detection and response, or TDR, is a hard-to-define term since multiple vendors offer varying tools with this terminology. To better understand the usage of TDR, we will focus on two of the most common uses of TDR technology, endpoint TDR and analytical TDR.
Endpoint TDR is essentially a modified approach to EDR and the large amount of data it may generate. As we discussed, traditional EDR is designed to record as much data as possible about what takes place on the endpoint. This means it can not only detect threats, but also provide a valuable pool of data for security analysts, incident responders, and threat hunters to search through during investigations. Unfortunately, this also creates a situation where a lot of the data recorded by EDR tools is seen as unnecessary noise.
In our earlier analogy we pictured EDR as a security camera recording what takes place in a room, and running up to 24 hours a day. When we review the footage while looking for an incident that occurred, we must spend time fast-forwarding through irrelevant footage. Some TDR tools attempt to solve this issue by only recording data once it believes a potential threat is occurring, or only recording a strategic set of processes and events that are most likely to reveal a threat. When a threat is detected, this form of TDR often appears quite similar to traditional EDR.
Analytical TDR, on the other hand, is a very different approach than endpoint TDR. With analytical TDR, let’s envision it as the detection and response capabilities applied to existing data. Many organizations are moving towards big data models, where vast amounts of information are collected and stored together. The analytical TDR approach leverages existing data lakes and applies threat detection analytics. Once a threat is detected, it can trigger an alert and the issued can be addressed. A drawback of this style of TDR is its dependency upon those big data structures. If an organization hasn’t already implemented big data structures, then this form of TDR will not be of value.
To review, we learned EDR is focused on the endpoint but does little to monitor network traffic. NDR, however, is excellent at detecting threats at the network level but doesn’t offer the granular detection and response capabilities for end devices. It would only make sense then that the best approach is to use these tools in tandem, which many organizations currently do. Unfortunately, many security analysts find this approach inconvenient because of the disjointed nature of using multiple products and numerous consoles.
This is where the recent trend in XDR, or extended detection and response, is gaining popularity. XDR involves the idea of a single platform that can ingest endpoint agent data, network level information, and in many cases device logs. This data is correlated, and detections can occur from one or many sources of telemetry.
A benefit of XDR includes streamlining the functions of the analyst role by allowing them to view detections and take response actions from a single console. The single pane of glass approach offers faster time to value, a lowered learning curve, and quicker response times since the analyst no longer needs to pivot between windows. Another advantage of XDR is its ability to piece multiple sources of telemetry together to achieve a big picture view of detections. These tools are able to see what occurs not only on the endpoints, but also between the endpoints.
Since XDR is one of the newest technologies on this list, I offer a word of warning. As you evaluate XDR solutions, do your due diligence and familiarize yourself with their features. Where some tools may offer cutting-edge, cross-functional detection and response capabilities, others may simply be rebranded tools marketed to cash in on a popular trend. Know what the benefits of XDR are, and ensure the tool you evaluate meets those guidelines.
Managed detection and response, or MDR, is the outlier of the offerings we have reviewed so far because it is not necessarily a technology but instead a service solution, which incorporates technology, people, and processes.
MDR was formulated from the fact that there are many great detection and response tools available, but many organizations are severely limited in both the time and talent it takes to manage these tools. Therefore, the MDR approach provides threat detection and associated response actions as a managed service.
There are numerous types of MDR services, but for simplicity’s sake we will focus on two: pure-play and product-focused.
Product-focused MDR generally involves vendors who sell tools and then offer managed services on top to run those tools. Think of it as a car dealership selling you a car along with a contract for a chauffeur who will drive you in that car, and that car alone. This brings a number of benefits and considerations. The vendors are experts in their tools and, as such, can offer expert-level guidance, support, and management of these tools. Their focus, however, is then usually limited to just the tools that they sell.
If your organization has a diverse stack of security tools, then a product-focused MDR approach will only work with the tools they provide, requiring your team to either manage the rest or consolidate your technology to just that vendor’s offerings.
A pure-play MDR provider is one who works with your existing security stack to detect and respond to threats. For this example, we can think of a hired chauffer that will drive whatever cars you currently own. These MDR vendors serves as an organization’s needed resource by providing experts to utilize the existing set of tools, lets the organization avoid consolidating their technology to a single vendor. This benefits the customer who can implement a range of tools that best fit their needs and then leverage the MDR provider for detection and response actions.
A pure-play MDR vendor can grow and evolve along with the customer and build long lasting, trusting relationships that are not focused on selling products.
Which Detection and Response Solution Is Best for You?
The differences between these threat detection and response approaches goes beyond their acronyms. If you think MDR fits your organization best, Arctic Wolf is the leader in security operations, and Arctic Wolf® Managed Detection and Response and our other security operations solutions help ensure your organization is always protected.