EDR vs MDR: what are the differences for cybersecurity?

4 min
88
0
0
Published on

Acronyms are common in cybersecurity and IT in general. With the rise of cloud computing, remote working and especially the exponential increase of cyberattacks, 2 acronyms are particularly popular. These are EDR for Endpoint Detection and MDR for Managed Detection and Response. But the two terms are often confused, including by cybersecurity experts. Discover in this article the differences between EDR and MDR in order to make the best choice to detect threats and secure your computer system.

 


EDR: Endpoint Threat Detection


As the name suggests, EDR mainly focuses on endpoints that is to say host terminals or devices such as computers, tablets, smartphones, etc. Its objective is to detect threats to an organization's IT equipment. For this EDR solutions combine features of:

 

Automatic monitoring and endpoint protection


EDR systems are designed to protect endpoints by collecting and aggregating data from the device to be secured to automatically detect any abnormal uses or threats.

 

Anomaly detection (with the contribution of artificial intelligence)



EDR solutions integrate artificial intelligence technologies such as deep learning or machine learning to detect threats. These systems can thus analyze a large volume of data and extract behavioral patterns and trends that then allow them to detect anomalies, possible intrusions and other problems impacting the computer system.

Thanks to this behavioral analysis, EDR can go further than signature-based solutions such as firewalls and antivirus. It can protect IT equipment from threats that more traditional systems miss, including fileless malware, zero-day viruses, and inside threats.

Device Log Management


Devices or endpoints can generate a lot of information themselves, including logs (log files). EDR solutions automatically collect and analyze log data.
If an attack or anomaly occurs, the information gathered provides cybersecurity teams with full visibility and a complete record of what happened on the device. This allows them to quickly identify attacks and determine the necessary remediation steps. Secondly, this also allows them to eliminate vulnerabilities and flaws of terminals.



EDR systems therefore work primarily by collecting data from endpoints and using behavioral analytics. When the anomaly is detected, the EDR can contain the threat (for example by blocking a user or network access). But then an alert is systematically raised for human intervention to take place. It is at this level that the MDR can be exploited.

 

 

MDR: Detected Threat Management


MDR is more of a service than a technology. This system combines threat detection and human expertise to respond to them. MDR vendor offerings therefore most often include EDR technology for endpoint threat identification as well as the following services:


Continuous network monitoring


Cyberattacks can happen at any time. MDR providers generally use SOCs (Security Operation Centers), that is to say a command center allowing cybersecurity teams to more easily monitor, analyze and protect a computer system.


These SOCs are mainly based on 4 tools:

1. SIEMs or tools for managing information and security events which make it possible to correlate the metrics with the volumes of data received and thus to detect threats.


2. Behavioral monitoring, which, like EDR, relies on artificial intelligence and machine learning technologies.


3. IDS or intrusion detection systems that allow SOCs to detect attacks as soon as they appear. IDS work by identifying known attack patterns (through intrusion signatures);


4. The evaluation of vulnerabilities, based on certifications and regulations, which makes it possible to validate the conformity of the computer system.



 

A hunt for threats


MDR services go beyond the threat detection provided by EDRs and other cybersecurity tools. They include a proactive “threat hunting” approach in which teams search for all vulnerabilities and intrusions that would not have been identified by automatic tools.

There are 2 main types in this threat hunt:

l  threat hunting with clues (lead driven) where security analysts use their tools to detect any malicious and suspicious behavior and then investigate it;

l  hunting for threats without clues (leadless) where no intrusion or anomaly serves as a starting point. Here, the analysis consists of proactively making queries at the level of a client's domains to study their responses.

 

 

 

Security systems management


To guard against cyberattacks, companies must deploy, configure, maintain and evolve a whole set of cybersecurity solutions. With MDR, these responsibilities are transferred to the service provider.

This argument makes the MDR particularly popular for companies. Gartner cabinet estimates that in just four years, 50% of organizations will be using MDR. This massive appeal would also be related to:

l  the shortage of IT talent that 76% of cybersecurity leaders believe they are unable to use technologies to their full advantage due to a lack of staff.

l  the growing number of alerts and attacks that teams can no longer deal with all of them. According to Gartner, 28% of alerts would be ignored for lack of time and resources.

MDR vs EDR are therefore not necessarily opposable... MDR services are largely based on the automatic detection of threats to terminals. The choice must above all be made according to the resources and needs of the organization. The MDR is in particular an ideal solution in the event of a lack of in-house expertise.


And you, as an IT professional, do you use EDR systems or do you use MDR services? Do not hesitate to share your testimonials with us on the IT forum.


 

Useful sources and links:

Gartner Report on MDR Solution Providers:

https://www.gartner.com/reviews/market/managed-detection-and-response-services

Boosting your IT projects

The best missions and job offers are at Free-Work

Continue reading around the topics :
# IT Trends
# Cybersecurity

Comment

In the same category

Weak AI: what is it? IT news
Weak AI, also known as narrow AI, describes artificial intelligence algorithms that can perform a limited set of functions. This is currently the form of AI used in our daily lives. Find out what this technology is and what opportunities it offers.
4 min