EDR, XDR – NDR


EDR, XDR and NDR, or Endpoint Detection and Response (EDR), eXtended Detection and Response (XDR) and Network Detection and Response (NDR), are three solution areas with overlapping coverage.

With the uptake of cyber security solutions by clients globally, it was only a matter of time before EDR tools became mainstream for customers, as they are today in 2022. NDR also started to make progress towards mainstream adoption in 2021, as shown in the Gartner hype cycle below.

Gartner hype cycle 2021

https://www.sdxcentral.com/articles/news/edr-reaches-wide-adoption-paving-way-for-xdr-sase/2021/09/

In the hype cycle, MDR and XDR still have to go through the “trough of disillusionment”, where emerging technologies are at their weakest point, with customers feeling the pain and determining whether these technologies will adequately serve their business needs.

Endpoint detection and response

Endpoint Detection and Response (EDR) is accepted and broadly being utilised. Combining telemetry data from the various corporate devices with the activities happening on each device, to tell a broader story about the entire network, makes strong cyber security resilience sense today.

Correlating the endpoint data and applying Threat Intelligence (TI) feeds across it makes it easier for organisations to find Indicators of Compromise (IOC) where the activity occurring is suspicious but not yet overtly malicious.
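As an added illustration of what correlating endpoint telemetry against a TI feed looks like in practice (example code written for this post, not part of any EDR product), the small Python correlation below scores constructed events from three hosts against a constructed TI feed: it counts IOC matches by feed confidence, adds a behavioural signal (an Office application spawning a shell, which is suspicious but not malicious on its own) and adds weight when the same indicator is seen on more than one endpoint, which is the fleet-wide view that single-device antivirus lacks. All hosts, indicators and events are made up.

```python
from collections import defaultdict
# Constructed TI feed: indicator value -> (indicator type, confidence). Not real IOCs.
TI_FEED = {
    "203.0.113.45": ("ip", "medium"),
    "updates.cdn-example.invalid": ("domain", "low"),
}
CONFIDENCE_WEIGHT = {"low": 1, "medium": 2, "high": 3}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
# Constructed endpoint telemetry from three hosts (process, DNS and network-connection events).
EVENTS = [
    {"host": "WS-01", "type": "process", "image": "powershell.exe", "parent": "winword.exe"},
    {"host": "WS-01", "type": "dns", "query": "updates.cdn-example.invalid"},
    {"host": "WS-01", "type": "netconn", "dst_ip": "203.0.113.45"},
    {"host": "WS-02", "type": "dns", "query": "updates.cdn-example.invalid"},
    {"host": "WS-03", "type": "process", "image": "chrome.exe", "parent": "explorer.exe"},
]

def ioc_hits(events, feed):
    """Per host, (indicator, confidence) pairs whose value appears in the TI feed."""
    hits = defaultdict(list)
    for ev in events:
        for value in (ev.get("query"), ev.get("dst_ip")):
            if value in feed:
                hits[ev["host"]].append((value, feed[value][1]))
    return hits

def behaviour_flags(events):
    """Per host, suspicious parent/child process pairs (Office app launching a shell)."""
    flags = defaultdict(list)
    for ev in events:
        if ev["type"] == "process" and ev["parent"] in OFFICE_APPS and ev["image"] in SHELLS:
            flags[ev["host"]].append(f"{ev['parent']} spawned {ev['image']}")
    return flags

def correlate(events, feed):
    """Score each host: TI confidence, behaviour flags, and the same IOC seen on other hosts."""
    hits, flags = ioc_hits(events, feed), behaviour_flags(events)
    hosts_per_ioc = defaultdict(set)
    for host, pairs in hits.items():
        for ioc, _ in pairs:
            hosts_per_ioc[ioc].add(host)
    report = {}
    for host in set(hits) | set(flags):
        score = sum(CONFIDENCE_WEIGHT[c] for _, c in hits[host]) + 2 * len(flags[host])
        # Fleet-wide view: an indicator shared by N endpoints adds N-1 to the score.
        spread = max((len(hosts_per_ioc[i]) for i, _ in hits[host]), default=1)
        report[host] = {"score": score + spread - 1, "iocs": [i for i, _ in hits[host]],
                        "behaviour": flags[host], "hosts_sharing_ioc": spread}
    return report
```

Running `correlate(EVENTS, TI_FEED)` ranks WS-01 highest (two IOC hits plus the Office-to-shell behaviour), gives WS-02 a low score raised only because it shares the domain lookup with WS-01, and leaves WS-03 out of the report entirely.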

eXtended detection and response

eXtended Detection and Response (XDR) takes the EDR concept further and includes additional telemetry, often email security, network security and cloud security, and correlates all of this telemetry data to provide an even more complete portrait of what is occurring on a network. For smaller organisations and for less mature organisations, XDR can be overkill.

Configuring and maintaining the various telemetry sources, as well as normalising the data from disparate systems, does not make XDR easy to implement or support for smaller organisations. Additionally, a business must identify where a threat is likely to be initiated from and what systems or services it might infect.

Endpoints are almost always the infection point and almost always where a malicious attacker will be running their attack from, so Endpoint Detection and Response will often be sufficient to pick up an attack that is occurring.

Network detection and response

Network Detection and Response (NDR) is an “add-on” technology to EDR or XDR and targets the network alone. It captures network traffic through a mirror port or network tap, analyses that traffic and applies artificial intelligence and machine learning to look for malicious activity. Virtually all traffic on a network today is encrypted, so an NDR solution must be able to decrypt network traffic to be truly effective.

An NDR solution works either alone or, preferably, in conjunction with an Endpoint Detection and Response solution.

Managed detection and response

Managed Detection and Response (MDR) is a service type rather than a product licence. Whereas the above solutions are self-managed or sometimes “co-managed”, an MDR service provides you with detection and response done by a third party. MDR solutions are becoming more popular, and Gartner forecasts that 50% of enterprises will be using MDR by 2023.

With MDR services it is vital to know what the service includes and excludes. MDR is not a Managed SOC (MSOC); MDR is purely about responding to your incident in a very specific way with a very specific outcome, and MDR alone is not suitable for any business unless it is already operating a SOC.

In summary

XDR solutions are useful for the additional sources they can utilise, but are suited to larger organisations where there is a significant investment in a Security Operations Centre (SOC).

NDR solutions are also more suited to large organisations with multiple networks and/or locations, due to the complexity of implementation, management and maintenance.

MDR services are designed to do one thing, detect and respond to an incident; they may use various underlying technologies to achieve this (typically another vendor's EDR solution and a SIEM solution such as IBM QRadar).

Professionally, I rate an EDR solution as a necessity for any business with more than 20 endpoints, over and above any next-generation antivirus they may be running today.

As an example, Microsoft Defender for Business ($4.50 AUD per month) includes EDR and Microsoft 365 Business Premium ($30 AUD per month) includes XDR; these prices are approximate RRP.

Send us a message if you would like to know more about EDR/XDR/NDR or other cyber security issues.