Few industries are as fond of acronyms as the cybersecurity sector. One commentator counted more than 70 of them being used by security professionals at a recent conference. From SIEM to IDS/IPS and DLP, CISOs, CISMs and CISSPs employ an ever-expanding array of TLAs (three-letter acronyms) to describe the tools and technologies they rely on to combat the TTPs of APTs in the SOC.
There’s a reason for this: acronyms condense complex concepts into short phrases that are easy to pronounce and remember. Here at BTB, we (like most cybersecurity service providers) rely on acronyms to describe our service offerings. After all, they’re industry-standard terms.
However, if an industry’s reliance on acronyms makes it hard for clients — or the general public — to understand what’s included in particular services and solutions, what’s truly innovative, what’s actually needed to enhance effectiveness, and what’s just marketing fluff, its use of TLAs may have gone too far. In this article, we’ll step in to provide some additional background to help our readers understand the various types of threat detection and response technologies and service offerings that are currently on the market. In a world of many acronyms, our goal is to help you keep things straight.
EDR vs. XDR
The term “Endpoint Detection and Response” (EDR) was coined by market research firm Gartner in 2013. The goal was to describe a new category of tools that had been developed to give defenders better visibility into activities taking place on endpoint devices. The rationale for creating these tools was simple: more than two-thirds of cyberattacks and data breaches begin with the compromise of an endpoint device. And the antivirus software that was in widespread use at the time primarily relied on signature-based detection, meaning that it scanned files for character strings or pieces of code associated with known malware.
During the 2010s, attackers increasingly hid their malicious activity in scripts that executed directly in memory (fileless attacks) or used other methods to evade signature-based detection. EDR tools introduced new ways of collecting more comprehensive endpoint telemetry so that security teams could keep tabs on what was taking place on endpoint devices. They also took advantage of advanced technologies like machine learning and behavioral analytics to identify attacks that might otherwise remain undetected.
The cybersecurity market is constantly evolving. EDR solutions joined the ranks of the core technologies that most security operations programs were leveraging, with Gartner estimating that more than half of all enterprises would have EDR tools in place by the end of 2023. But as EDR became commonplace, the technology’s limitations became broadly apparent: in order for cyberattacks to have devastating and far-reaching consequences, attackers needed to move laterally across the entire environment. To detect these activities quickly, security teams needed comprehensive visibility that extended far beyond the endpoint to capture and analyze data from multiple security solutions and log sources. Extended Detection and Response (XDR) was born to meet this need.
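The contrast drawn above, as an added illustration that is not BTB's code or any vendor's product: a file scanner that can only match known byte patterns has nothing to inspect when a script runs purely in memory, whereas a behavioral rule over endpoint process telemetry still fires, and correlating that alert with a second log source (here, constructed authentication records) is the cross-source visibility the XDR idea is about. All signatures, hostnames and events below are constructed sample data.

```python
# Added example (not BTB's code): signature scanning vs. behavioral detection
# over endpoint telemetry, then correlation with a second log source.
from collections import defaultdict

# Constructed signature list: byte patterns a file scanner looks for on disk.
KNOWN_SIGNATURES = [b"DROPPER-SAMPLE-A", b"DROPPER-SAMPLE-B"]

def signature_scan(file_bytes: bytes) -> bool:
    """Signature-based detection: flags a file only if it contains a known pattern."""
    return any(sig in file_bytes for sig in KNOWN_SIGNATURES)

def fileless_script_alert(event: dict) -> bool:
    """EDR-style behavioral rule: a script host launched by a document reader
    that writes nothing to disk. There is no file for signature_scan to inspect."""
    script_hosts = {"powershell.exe", "wscript.exe"}
    doc_readers = {"winword.exe", "excel.exe", "acrord32.exe"}
    return (event["image"] in script_hosts
            and event["parent"] in doc_readers
            and not event["files_written"])

def lateral_movement_alert(process_events, auth_events, threshold=3):
    """XDR-style correlation: hosts with a behavioral alert that then authenticate
    to at least `threshold` distinct other hosts in the same telemetry window."""
    flagged_hosts = {e["host"] for e in process_events if fileless_script_alert(e)}
    targets = defaultdict(set)
    for a in auth_events:
        if a["source_host"] in flagged_hosts and a["dest_host"] != a["source_host"]:
            targets[a["source_host"]].add(a["dest_host"])
    return sorted(h for h, t in targets.items() if len(t) >= threshold)

# Constructed sample telemetry (hypothetical hosts, not real data).
PROCESS_EVENTS = [
    {"host": "ws-17", "parent": "winword.exe", "image": "powershell.exe", "files_written": []},
    {"host": "ws-22", "parent": "explorer.exe", "image": "powershell.exe", "files_written": ["report.csv"]},
]
AUTH_EVENTS = [
    {"source_host": "ws-17", "dest_host": "srv-01"},
    {"source_host": "ws-17", "dest_host": "srv-02"},
    {"source_host": "ws-17", "dest_host": "srv-03"},
    {"source_host": "ws-22", "dest_host": "srv-01"},
]

if __name__ == "__main__":
    print(signature_scan(b"nothing on disk"))                               # False
    print([e["host"] for e in PROCESS_EVENTS if fileless_script_alert(e)])  # ['ws-17']
    print(lateral_movement_alert(PROCESS_EVENTS, AUTH_EVENTS))              # ['ws-17']
```

The second host runs the same script interpreter but from a normal parent and with a file on disk, so the behavioral rule stays quiet for it and only the in-memory case is promoted to a lateral-movement alert.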
As a concept, XDR has become popular among vendors who have made use of the term to promote all-in-one, single-vendor solution sets. Gartner has defined XDR as a “vendor-specific threat detection and incident response tool that unifies multiple security products into a single security operations system.” As such, XDR does have the potential to reduce the complexity of security infrastructures, lowering costs along the way. And it certainly can enhance visibility — especially when compared with EDR tools.
MDR and MXDR
Managed Detection and Response (MDR) is in an entirely different solution category and evolved to fulfill a separate set of needs. Traditionally, Managed Security Service Providers (MSSPs) have taken responsibility for monitoring security tools and networks and alerting their customers each time an anomaly was detected. In many cases, this model led to customers receiving a barrage of security alerts — many of which were false positives — without helping them investigate or respond to these alerts. A Managed Detection and Response (MDR) provider takes on greater responsibility, not only generating security alerts each time there’s an incident (or potential incident), but triaging, analyzing, containing, and remediating the incidents.
If XDR is a technology solution, then MDR is a service offering. Some vendors are bringing the two categories together by creating yet another new category, MXDR, which stands for Managed Extended Detection and Response. The idea behind MXDR is that XDR platforms require skilled professionals to manage and operate, and this talent is in short supply and high demand. MXDR combines the technology with the expertise needed to run it, and packages both into a single service offering.
BTB’s Perspective: MDR, XDR, and RADAR
Here at BTB, we’ve been taking an XDR-style approach (that is, monitoring log and telemetry data from a broad array of point solutions and endpoint and network log sources) since our earliest days as a company; our tagline is ‘No BS’ (No Blind Spots) for a reason. This means we were taking advantage of XDR’s benefits long before XDR was imagined as a market category.
The primary difference between our viewpoint and Gartner’s is that we don’t advocate for a single-vendor approach. Yes, we can — and do — work with customers who have opted for a single-vendor strategy. But we also have customers who’ve taken a best-of-breed approach. There are advantages and disadvantages to both; what’s most important is to ensure that you are collecting the most relevant logs for your security posture and monitoring them effectively on a consistent and ongoing basis.
From our perspective, if MDR is about responsibility and XDR is about visibility, RADAR (Rapid Advanced Detection and Response) is about outcomes. We bring 24/7/365 expert security monitoring together with a flexible and robust modular technology platform that aids our team in identifying and eliminating security threats at speed.
Yes, we do keep up with the latest industry trends. But our focus is on eliminating blind spots, keeping costs and headaches at a minimum by integrating with the tools you already have in place, and achieving better real-world results.
Interested in learning more about how we consistently enable our clients to achieve stronger security postures? Contact us to schedule a free, no-obligation demonstration and see RADAR in action today.