Understanding MDR, XDR, EDR and TDR

  • A program with proper threat detection and response (TDR) has two key pillars: understanding the scope and being proactive in threat hunting.
  • The biggest value of the security operations center (SOC) is incident response, but the how and why are just as important — and ultimately drive better security defense.
  • Managed detection and response (MDR) and extended detection and response (XDR) are poorly defined: nailing down definitions lets an organization deploy the right systems, deliver holistic value to its security teams, and focus on the threats that matter most.

I recently had the pleasure of sitting down with Grant Naschke, cybersecurity leader and Head of Global Cyber Threat Detection, Response & Intelligence at 3M. I wanted to get his perspective on the state of the security industry and where he sees MDR, XDR, EDR and TDR fitting in the enterprise’s security stack. Grant generously shared his valuable time and expert insights with us. What follows is a summary of our conversation – so to speak – which I thought others might find as informative and useful as I did.

MDR, XDR, EDR and TDR – What’s the difference?

Managed detection and response (MDR) and extended detection and response (XDR) are not well defined. Some vendors will even refer to endpoint detection and response (EDR) and XDR interchangeably, without distinguishing between the two in any way — essentially viewing XDR as just another marketing buzzword.

Failing to distinguish between these terms is not only a technical problem; it also sets a trap for the security teams that buy these products. XDR used as a marketing ploy, without a proper system behind the vendor's claims, can cause serious organizational issues.

Understanding what MDR, XDR, EDR and TDR mean is just the first piece of the acronym-heavy puzzle. Then, it’s all about establishing which system is fit for organizational needs.

The proper deployment of the right solution for a security team allows the team to then focus on the how and the why of incident responses. This in turn provides better security defense.

An effective MDR needs to be able to filter data, provide security alerts, and determine next steps. This is a far harder problem to solve than it sounds, but it’s the key place from which to start. Understanding the correct scope and proactivity in threat hunting are the building blocks of TDR.

Coming to terms with so many… terms

Starting with a primer on the key terms is helpful.

  • Security Information and Event Management (SIEM): with most deployments needing to be replaced or upgraded, a SIEM on its own is no longer a reliable security system against today's threat landscape.
  • Threat Detection and Response (TDR): this is a fairly self-explanatory and catch-all term for any kind of threat detection and response.
  • Endpoint Detection and Response (EDR): also known as endpoint threat detection and response (ETDR), EDR focuses on endpoint data.
  • Network Detection and Response (NDR): NDR focuses on threats within the network.
  • Managed Detection and Response (MDR): a comprehensive, managed approach to threat detection and response; LogicHub's MDR is its flagship service.
  • Extended Detection and Response (XDR): quite simply, XDR provides extended threat detection and response, but the term is more open-ended, so establishing its fundamentals requires a deeper dive.
  • Security Orchestration, Automation and Response (SOAR): SOAR can be a platform or a service that delivers automated alert triage, threat detection, and incident response.

Further defining XDR

An organization with EDR or NDR in place may be protected against up to 90% of classic threats, such as commodity malware. But what about more advanced threats?

XDR takes the concept of EDR and uses not just signatures but also algorithms and heuristic detections to identify threats. It’s essentially broadening the scope by taking data from multiple sources and applying models for advanced threat detection.

Consider a brain surgeon or a heart surgeon: both specialists play essential roles in medicine, but a patient can still suffer from problems elsewhere in the body, so other specialists are still needed. XDR is the cybersecurity equivalent of a general-purpose surgeon who can root out and extract a variety of threats (a lump in the back, a major arterial clot in the leg) while referring patients whose needs concern the heart or brain to the appropriate specialists.

But wait, isn't this what SIEM was meant to do? This very question highlights the importance of XDR. EDR takes action differently from a SIEM, but an effective XDR gathers the data, identifies the threats, and takes action through SOAR.

SOAR evolved out of adaptive response frameworks, adding optimization, API and case management capabilities. XDR is a similarly next-generation capability: it provides the threat detection that SOAR then manages. Tying the data together is what closes the major gap that exists today between SIEM and proper TDR.

The primary objective? Focus on threat detection

When assessing how best to defend against organizational cyber threats, security teams should focus on the effectiveness of MDR and security operations centers (SOCs). This planning stage is crucial for addressing potential issues ahead of time, rather than putting them off to deal with further down the line.

The two pillars required for efficacious threat detection

  • Understanding the scope of detection: how to use security tools and colossal amounts of data on alerts to identify and respond to the threats that really matter.
  • Proactive threat hunting: this entails not just relying on these tools to generate alerts. Appropriate categorization of threats enables security teams to be on guard, but proactivity involves dedicated threat hunting activities to identify and uncover other threats in a security environment.

The role of SOCs (beyond remediation)

Once the detection program has been built, the next challenge to tackle is increasing efficiency in security operations. The larger the team or teams and the more globally dispersed, the more complicated it gets.

But there is hope: incident response for SOCs involves analyzing how incidents happened and using that data to develop better defenses. Zooming in on a phishing email that affected a workstation identifies email security misconfigurations. Malware on an endpoint reveals outdated EDR coverage, which is then flagged to the endpoint security team.

In the TDR space, this isn’t thought of as a primary objective — the focus is (erroneously) purely on remediation. The real value lies in working out how an incident occurred to improve defenses in the future.

Organizations don’t have days to respond to major threats — let alone weeks, months, or years — and this underpins the importance of longer-term actions framed by deep analysis of root causes.

A good process along with organizational buy-in supports SOCs in incident response and analysis. An MDR partner efficiently filters out the noise to strengthen this process further.

Pinpointing the right stuff

Choosing the right MDR provider involves establishing what the service should do effectively at its best. This can be ascertained by focusing on the right questions to ask.

LogicHub deals with a lot of false incidents. Finding a real one doesn't take much work, but wading through 30 incidents to find it is inefficient. Why not look at three incidents and establish that two of those three are real?

Security is not a new space; it's at least several decades old. SIEMs have been used for the last 20 years, but there's now too much noise and too much data. The industry's response to this problem, however, seems to be generating even more data, and no platform recommends what actually needs a response.

For example, one LogicHub client had 400 cases but only 23 escalations: security automation pays dividends in time and focus for security teams. An effective MDR filters security alert data such as false positives and determines actionable cases based on real and significant threats.

Asking (and then answering) the right questions

Getting to grips with important data and genuine security incidents requires asking the right questions. Effectively reducing cyber risk with TDR means not spending time on false positives but instead mitigating threats and identifying opportunities for improvement. So how does TDR provide value to a holistic security program?

TDR identifies weaknesses in defense. Proactive tests are ideal, but in reality, incident response is the value add. This is on two fronts: reactively improving overall security, and proactively utilizing a threat hunting team. Effective threat hunting requires an advanced technical skillset and know-how.

The right MDR partner removes the need to throw bodies at a security problem. Organizations still need an internal response team for full remediation, grounded in a deep understanding of the technical environment. But sifting through the data to determine what's important, rather than making the client do it, is the bread and butter of a great MDR vendor.

LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges, to large teams automating SOCs, LogicHub makes advanced detection and response easy and effective for everyone.

*** This is a Security Bloggers Network syndicated blog from Blog | LogicHub® authored by Willy Leichter. Read the original post at: https://www.logichub.com/blog/understanding-mdr-xdr-edr-and-tdr