EDR vs MDR: what are the differences for cybersecurity?
Acronyms are common in cybersecurity and in IT in general. With the rise of cloud computing and remote working, and especially the exponential increase in cyberattacks, two acronyms are particularly popular: EDR, for Endpoint Detection and Response, and MDR, for Managed Detection and Response. The two terms are often confused, including by cybersecurity experts. This article explains the differences between EDR and MDR so that you can make the best choice for detecting threats and securing your computer system.
EDR: Endpoint Threat Detection
As the name suggests, EDR focuses mainly on endpoints, that is to say host terminals or devices such as computers, tablets, smartphones, etc. Its objective is to detect threats to an organization's IT equipment. To do this, EDR solutions combine the following features:
Automatic monitoring and endpoint protection
EDR systems protect endpoints by collecting and aggregating data from the device to be secured in order to automatically detect abnormal use or threats.
Anomaly detection (with the contribution of artificial intelligence)
EDR solutions integrate artificial intelligence technologies such as machine learning or deep learning to detect threats. These systems can analyze a large volume of data and extract behavioral patterns and trends, which then allow them to detect anomalies, possible intrusions and other problems affecting the computer system.
Thanks to this behavioral analysis, EDR can go further than signature-based solutions such as firewalls and antivirus. It can protect IT equipment from threats that more traditional systems miss, including fileless malware, zero-day malware and insider threats.
Device Log Management
Devices or endpoints generate a lot of information themselves, including logs (log files). EDR solutions automatically collect and analyze this log data.
If an attack or anomaly occurs, the information gathered gives cybersecurity teams full visibility and a complete record of what happened on the device. This allows them to quickly identify attacks and determine the necessary remediation steps. It also allows them to eliminate vulnerabilities and flaws in the terminals.
EDR systems therefore work primarily by collecting data from endpoints and applying behavioral analytics. When an anomaly is detected, the EDR can contain the threat (for example by blocking a user or network access), but an alert is then systematically raised so that a human can intervene. It is at this level that MDR comes into play.
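As an added illustration of the workflow just described (this is example code written for this article, not code from the original page or from any EDR product), the script below runs a miniature EDR-style pipeline over constructed process-creation telemetry: it applies two behavioral rules rather than signatures, isolates the host automatically on a high-severity match, and raises every detection as an alert for a human analyst, which is exactly the hand-off point where an MDR service takes over. The hostnames, users, process names and the per-host baseline are all constructed sample data.

```python
"""Added example, not code from the original article or from any EDR vendor.

A miniature EDR-style pipeline: ingest constructed process-creation telemetry,
apply behavioural rules (no signatures involved), contain the affected host
automatically and raise an alert for a human analyst.
Hostnames, users, images and the baseline are all constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed telemetry, shaped like the process-creation events an agent collects.
TELEMETRY = [
    {"host": "ws-017", "user": "alice", "parent": "explorer.exe", "image": "winword.exe"},
    {"host": "ws-017", "user": "alice", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "ws-042", "user": "bob", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws-042", "user": "bob", "parent": "cmd.exe", "image": "whoami.exe"},
]

# Constructed per-host baseline: images observed during a learning period.
BASELINE = {
    "ws-017": {"explorer.exe", "winword.exe", "chrome.exe"},
    "ws-042": {"explorer.exe", "chrome.exe", "cmd.exe"},
}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    severity: str
    action: str


@dataclass
class MiniEdr:
    baseline: dict
    isolated: set = field(default_factory=set)

    def classify(self, event):
        """Behavioural rules: return (rule, severity), or None for benign events."""
        # Rule 1: an office application spawning a command shell is a classic
        # behavioural indicator that no file signature would catch.
        if event["parent"] in OFFICE_APPS and event["image"] in SHELLS:
            return "office-app-spawned-shell", "high"
        # Rule 2: a process this host has never been seen running before.
        if event["image"] not in self.baseline.get(event["host"], set()):
            return "unbaselined-process", "medium"
        return None

    def contain(self, host, severity):
        """Automatic containment: isolate the host from the network on high severity."""
        if severity == "high":
            self.isolated.add(host)
            return "isolate_host"
        return "notify_analyst"

    def process(self, events):
        alerts = []
        for event in events:
            verdict = self.classify(event)
            if verdict is None:
                continue
            rule, severity = verdict
            action = self.contain(event["host"], severity)
            # Every detection is raised to a human: this is where MDR picks up.
            alerts.append(Alert(event["host"], event["user"], rule, severity, action))
        return alerts


def run_demo():
    """Run the pipeline over the constructed telemetry; returns (edr, alerts)."""
    edr = MiniEdr(baseline=BASELINE)
    return edr, edr.process(TELEMETRY)


if __name__ == "__main__":
    edr, alerts = run_demo()
    for a in alerts:
        print(f"{a.severity:6} {a.host} {a.user} {a.rule} -> {a.action}")
    print("isolated hosts:", sorted(edr.isolated))
```

The point to notice is the last step of `process`: containment is automatic, but the alert is always handed to a person. Whether that person sits in an in-house SOC or at an MDR provider is the choice the rest of the article is about.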
MDR: Detected Threat Management
MDR is more of a service than a technology. It combines threat detection with human expertise to respond to the threats detected. MDR vendor offerings therefore most often include EDR technology for identifying threats on endpoints, together with the following services:
Continuous network monitoring
Cyberattacks can happen at any time. MDR providers generally rely on SOCs (Security Operations Centers), that is to say a command center that allows cybersecurity teams to more easily monitor, analyze and protect a computer system.
These SOCs are mainly based on four tools:
1. SIEMs (Security Information and Event Management tools), which correlate events across the volumes of data received and thus make it possible to detect threats.
2. Behavioral monitoring, which, like EDR, relies on artificial intelligence and machine learning technologies.
3. IDS (intrusion detection systems), which allow SOCs to detect attacks as soon as they appear. IDS work by identifying known attack patterns (through intrusion signatures).
4. Vulnerability assessment, based on certifications and regulations, which makes it possible to validate the compliance of the computer system.
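To make the SIEM correlation in point 1 concrete, here is an added example (written for this article; it is not code from the original page or from any SIEM product). It parses constructed log lines from two sources a SOC would feed into a SIEM, an authentication server and an IDS sensor, groups them by source IP, and raises an incident when several failed logins are followed by a success within a time window; an IDS signature hit from the same source in the same window raises the severity. The log format, field names, hostnames and addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed.

```python
"""Added example, not from the original article: SIEM-style cross-source correlation.

All log lines, field names and addresses below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines from two sources: an auth server ("auth") and an IDS sensor ("ids").
LOG_LINES = """\
2024-03-01T10:00:01Z auth host=vpn1 src=203.0.113.7 user=alice result=fail
2024-03-01T10:00:09Z auth host=vpn1 src=203.0.113.7 user=alice result=fail
2024-03-01T10:00:17Z auth host=vpn1 src=203.0.113.7 user=alice result=fail
2024-03-01T10:00:40Z auth host=vpn1 src=203.0.113.7 user=alice result=success
2024-03-01T10:01:10Z ids sensor=dmz src=203.0.113.7 sig=port-scan
2024-03-01T10:02:00Z auth host=vpn1 src=198.51.100.4 user=bob result=fail
2024-03-01T10:02:30Z auth host=vpn1 src=198.51.100.4 user=bob result=success
""".splitlines()

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one 'timestamp source key=value ...' line into a dict with a datetime."""
    ts, source, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    fields["source"] = source
    return fields


def correlate(lines, min_failures=3, window=timedelta(minutes=5)):
    """Correlation rule: >= min_failures failed logins from one source IP followed
    by a success within `window`; IDS hits from the same IP escalate severity."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    incidents = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["source"] != "auth" or e["result"] != "success":
                continue
            start = e["ts"] - window
            fails = [x for x in evs[:i]
                     if x["source"] == "auth" and x["result"] == "fail" and x["ts"] >= start]
            if len(fails) < min_failures:
                continue
            # Second source: any IDS signature from the same IP near the success.
            ids_hits = [x["sig"] for x in evs
                        if x["source"] == "ids" and abs(x["ts"] - e["ts"]) <= window]
            incidents.append({
                "src": src,
                "user": e["user"],
                "failures": len(fails),
                "ids_signatures": ids_hits,
                "severity": "critical" if ids_hits else "high",
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(LOG_LINES):
        print(inc)
```

Neither source alone tells the whole story: the IDS sees a scan, the auth server sees a few failures, and only the correlation across both, keyed on the source address and the time window, turns them into a single incident worth an analyst's time.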
A hunt for threats
MDR services go beyond the threat detection provided by EDRs and other cybersecurity tools. They include a proactive "threat hunting" approach, in which teams look for vulnerabilities and intrusions that the automated tools have not identified.
There are two main types of threat hunting:
- lead-driven threat hunting, where security analysts use their tools to detect malicious or suspicious behavior and then investigate it;
- leadless threat hunting, where no intrusion or anomaly serves as a starting point. Here, the analysis consists of proactively querying the client's domains and studying the responses.
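The two hunting styles above, as an added example written for this article (not code from the original page or from any MDR provider), over constructed fleet-wide process telemetry. The lead-driven hunt starts from one indicator, here an image hash that an earlier alert pointed at, and pivots to every host where that image executed. The leadless hunt uses "stacking": it counts how many hosts show each parent-to-child process pair and surfaces the pairs seen on only one host, with no prior alert needed. The hostnames, process names and hash prefixes are all constructed; the pair counting is the general technique, not tied to the page's specific wording about domain queries.

```python
"""Added example, not from the original article: lead-driven vs leadless hunting.

FLEET holds constructed (host, parent_image, child_image, image_hash_prefix)
records as an EDR would report them across a small fleet.
"""
from collections import defaultdict

FLEET = [
    ("ws-001", "explorer.exe", "chrome.exe", "c0ffee01"),
    ("ws-001", "services.exe", "svchost.exe", "5eed0001"),
    ("ws-002", "explorer.exe", "chrome.exe", "c0ffee01"),
    ("ws-002", "services.exe", "svchost.exe", "5eed0001"),
    ("ws-003", "explorer.exe", "chrome.exe", "c0ffee01"),
    ("ws-003", "winword.exe", "powershell.exe", "bad0c0de"),
    ("ws-004", "explorer.exe", "chrome.exe", "c0ffee01"),
    ("ws-004", "services.exe", "svchost.exe", "5eed0001"),
    ("ws-005", "explorer.exe", "chrome.exe", "c0ffee01"),
    ("ws-005", "outlook.exe", "cmd.exe", "cafe0005"),
    ("ws-006", "explorer.exe", "powershell.exe", "bad0c0de"),
    ("ws-006", "services.exe", "svchost.exe", "5eed0001"),
]


def hunt_with_lead(telemetry, lead_hash):
    """Lead-driven hunt: pivot from one indicator (an image hash taken from a
    prior alert) to every host on which that image has executed."""
    return sorted({host for host, _parent, _image, sha in telemetry if sha == lead_hash})


def stack_parent_child(telemetry, max_hosts=1):
    """Leadless hunt by stacking: count distinct hosts per (parent, child) pair and
    return the pairs seen on at most `max_hosts` hosts, which are the rare ones
    worth an analyst's look. Common pairs fall out of the result by themselves."""
    hosts_by_pair = defaultdict(set)
    for host, parent, image, _sha in telemetry:
        hosts_by_pair[(parent, image)].add(host)
    return {pair: sorted(hosts)
            for pair, hosts in hosts_by_pair.items() if len(hosts) <= max_hosts}


if __name__ == "__main__":
    # Lead: the hash "bad0c0de" came out of an earlier EDR alert (constructed).
    print("lead-driven:", hunt_with_lead(FLEET, "bad0c0de"))
    print("leadless (rare parent/child pairs):")
    for pair, hosts in sorted(stack_parent_child(FLEET).items()):
        print("  ", pair, hosts)
```

The two approaches complement each other: the stacking hunt surfaces ws-003 and ws-005 because their parent/child pairs are unusual, but ws-006 runs the suspicious image from an ordinary parent and is found only by pivoting on the hash lead.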
Security systems management
To guard against cyberattacks, companies must deploy, configure, maintain and evolve a whole set of cybersecurity solutions. With MDR, these responsibilities are transferred to the service provider.
This argument makes MDR particularly popular with companies. The research firm Gartner estimates that in just four years, 50% of organizations will be using MDR. This massive appeal is also related to:
- the shortage of IT talent: 76% of cybersecurity leaders believe they are unable to use technologies to their full advantage due to a lack of staff;
- the growing number of alerts and attacks, which teams can no longer deal with in full. According to Gartner, 28% of alerts are ignored for lack of time and resources.
EDR and MDR are therefore not necessarily in opposition: MDR services are largely based on the automatic detection of threats to terminals. The choice must above all be made according to the resources and needs of the organization. MDR is in particular an ideal solution when in-house expertise is lacking.
And you, as an IT professional, do you use EDR systems or MDR services? Do not hesitate to share your experience with us on the IT forum.
Useful sources and links:
Gartner Report on MDR Solution Providers: