Sep 30 2021

EDR vs. MDR: What Are Managed and Endpoint Detection and Response?

Federal agencies are required to deploy endpoint detection and response solutions but can also turn to managed detection and response tools.

Under President Joe Biden’s May 12 executive order on cybersecurity, federal agencies are required to “deploy an Endpoint Detection and Response (EDR) initiative to support proactive detection of cybersecurity incidents” within federal IT infrastructure, as well as “active cyber hunting, containment and remediation, and incident response.”

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has been tasked with providing the Office of Management and Budget with recommendations on options for implementing an EDR initiative, “centrally located to support host-level visibility, attribution, and response regarding” agency information systems.

It’s unclear when OMB and CISA will publicly release their EDR recommendations, but it seems clear that EDR deployment is going to become more widespread across the government in the next year.

EDR solutions have many benefits for agencies, including providing broad visibility into threats for organizations and using machine learning tools to detect attacks. However, EDR is just one element in the government’s toolbox to enhance cybersecurity. Another is managed detection and response, or MDR, in which an agency would work with outside personnel to help detect and respond to cybersecurity threats.

What Is Endpoint Detection and Response?

Endpoint detection and response (EDR) is part of a layered security strategy for agencies. EDR tools can provide agencies with enhanced visibility into threats.

EDR solutions “provide continuous and comprehensive real-time visibility into what is happening on an organization’s endpoints — including desktops, laptops, mobile phones, servers, tablets, and virtual environments — or any remote device that is connected to and communicates with a network,” Thomas Etheridge, senior vice president of services at CrowdStrike, writes in GCN. “By applying behavioral analysis and actionable intelligence to endpoint data, EDR solutions can stop an incident from turning into a breach.”

Steve Faehl, federal security CTO at Microsoft, writes in a company blog post that “outdated endpoint protection strategies based on static prevention-focused capabilities like antivirus are ineffective.”

“Today’s next-generation anti-malware capabilities — powered by advanced machine learning and behavioral monitoring — are critical to helping organizations stop threats,” he writes. “EDR then goes a step further beyond prevention to provide detailed telemetry that provides additional visibility and enables dynamic analytics and automation to discover and remediate more sophisticated threats at scale.”

The cybersecurity order is ultimately aimed at “ensuring agencies have the tools necessary to address the full spectrum of endpoint protection, detection and response,” Faehl writes.

“As cyberattacks have advanced in their ability to evade first-layer defenses, such as endpoint protection platforms, and mask their presence, security teams benefit from EDR in gathering and correlating multiple endpoint signals to detect attacks that were not initially detected and thwarted, and then respond to prevent the attack from advancing further,” says Michael Suby, research vice president for security and trust at IDC. “In addition, scripted (i.e., search for a known pattern or sequence of signals) and unscripted (i.e., tailored and progressive search) threat hunting capabilities included in EDR assist security analysts in proactively detecting highly sophisticated attacks (e.g., advanced persistent threats, APTs).”
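To make the “scripted” hunt Suby describes concrete, here is an added example (not from the article or any vendor named in it) that correlates a known sequence of endpoint signals per host within a time window over a constructed telemetry sample; the event layout and the three-step pattern are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not from any real EDR product.
# Each event: (ISO timestamp, host, event type, detail)
EVENTS = [
    ("2021-09-30T10:00:01", "ws-01", "process", "winword.exe"),
    ("2021-09-30T10:00:04", "ws-01", "process", "powershell.exe"),
    ("2021-09-30T10:00:09", "ws-01", "netconn", "203.0.113.7:443"),
    ("2021-09-30T10:05:00", "ws-02", "process", "powershell.exe"),
    ("2021-09-30T10:30:00", "ws-02", "netconn", "203.0.113.7:443"),
    ("2021-09-30T11:00:00", "srv-01", "process", "winword.exe"),
]

# A scripted hunt is an ordered list of signals that must all appear on the
# same host, in order, inside a window. Each step: (event type, detail check).
OFFICE_TO_SHELL_TO_NET = [
    ("process", lambda d: d.endswith("winword.exe")),
    ("process", lambda d: d.endswith("powershell.exe")),
    ("netconn", lambda d: True),
]

def scripted_hunt(events, pattern, window_seconds=60):
    """Return {host: matched events} for hosts whose telemetry contains
    the whole signal sequence, in order, within window_seconds."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))
    hits = {}
    for host, evs in by_host.items():
        evs.sort()  # correlate in time order, one host at a time
        for i, (t0, k0, d0) in enumerate(evs):
            # Anchor the window on an event that satisfies the first step.
            if not (k0 == pattern[0][0] and pattern[0][1](d0)):
                continue
            step, matched = 0, []
            for t, k, d in evs[i:]:
                if t - t0 > timedelta(seconds=window_seconds):
                    break  # window expired before the sequence completed
                kind, check = pattern[step]
                if k == kind and check(d):
                    matched.append((t.isoformat(), k, d))
                    step += 1
                    if step == len(pattern):
                        hits[host] = matched
                        break
            if host in hits:
                break
    return hits
```

Only ws-01 completes the whole chain inside the window; ws-02 never shows the first signal, so a single suspicious process on its own does not fire.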


What Is Managed Detection and Response?

Managed detection and response is connected to EDR but is a different tool for agency IT security teams.

MDR, Suby says, “is the human talent side of EDR,” and could be especially useful for smaller agencies that don’t have large cybersecurity teams. As Mandiant notes on its site, MDR provides “24/7 continuous threat monitoring, detection and response activities — including proactive threat hunting — across all threat vectors: endpoint, network, cloud, email and logs.”

“MDR service benefits organizations that lack in-house talent to utilize the EDR tool to the extent they require to meet their cyber risk mitigation objectives,” according to Suby. “The MDR engagement can be tailored to the organization. The alternatives range from fully outsourced to augmentation.”

According to a blog post from security firm Arctic Wolf, MDR is aimed at small and midsize organizations with limited investments in cybersecurity tools and staff, and midsize organizations “that already invest in security resources, but seek partners to augment in-house capabilities.”

Craig Robinson, program director for security services at IDC, adds that early versions of MDR encompassed “the human element and threat hunting surrounding EDR and other technologies to give a fuller detection and response capability” to organizations.

Managed security service providers and MDR providers have since evolved their MDR offerings “to account for telemetry beyond that endpoint, such as network, cloud, operational technology and other sources of telemetry,” Robinson says.

“MDR services may provide their own EDR capabilities, but more frequently they support more than one to allow them to reach a greater pool of organizations that are reluctant to swap out their EDR,” Robinson says.


The Benefits of MDR for Government

There are many security benefits for government agencies that choose to avail themselves of MDR. A 2020 report from IDC on the topic notes that MDR is appealing because it provides CISOs and IT leaders the ability to be more proactive in their cybersecurity and incident response.

“Armed with the knowledge that some attacks will inevitably make their way into an organization’s infrastructure, CISOs are coming around to the realization that having a proactive rapid response solution is just as important as having a strong defensive perimeter,” the report notes.


MDR, IDC notes, uses EDR, threat intelligence feeds, human-led threat hunting, remote incident response services (including containment and removal of incidents where data is suspected to have been exfiltrated or destroyed), web-based consoles and dashboards, and more.

Arctic Wolf adds that MDR provides “security advisors who act as extensions of end-customers’ IT and security teams.”

“A security operations center (SOC)-as-a-service offers MDR capabilities and more,” Arctic Wolf adds. “It uses a cloud-based SIEM platform to collect and correlate log data and network flows from network sensors deployed on customer premises. It includes experienced security engineers who focus on threat detection, forensics analysis, and prioritizing incidents for customers. Vulnerability assessment and compliance reporting is also part of the comprehensive service.”


EDR vs. MDR: The Key Differences

There are key differences between EDR and MDR. “EDR focuses on detection and containing attacker at the endpoint, also known as host,” Mandiant notes. “This narrow focus is a subset of Managed Detection & Response (MDR) which detects and stops attackers across all threat vectors including endpoint, network, cloud and email.”

Although EDR has advanced and will continue to advance in adaptability and automation, Suby says, “knowledgeable and experienced security analysts elevate the security efficacy of an EDR tool.”

Some organizations may “lack the talent to extract the full extent of EDR capabilities they need,” he adds, and therefore MDR should be considered as an alternative.

“In MDR, either the EDR vendor or a third-party managed services provider or managed security services provider supports the organization with human talent and experience as part of a service agreement,” Suby says.
