What is XDR vs EDR vs MDR? Breaking down Extended Detection and Response

00:00

dwell time refers to the length of time

00:02

an attacker is able to roam free on your

00:04

network without being detected it's a

00:06

number calculated by adding the mean

00:08

time of detection with the mean time of

00:10

repair according to fireeye the average

00:13

global dwell time in 2020 was 56 days

00:16

that means that on average an attacker

00:17

had nearly two months inside a network

00:19

before being cut off

00:21

edr and xdr are tools that attempt to

00:24

shorten that dwell time by detecting and

00:25

responding to threats quicker while edr

00:28

focuses on detection and response at the

00:30

endpoint level xdr expands on that to

00:33

include other critical areas of our

00:34

network like our firewall and cloud

00:36

applications in this video we'll take a

00:38

look at what exactly edr and xcr do and

00:41

how mdr uses these technologies to

00:43

provide a service

00:45

before we go any further please take a

00:46

moment to hit a like on this video to

00:48

give me a boost in the youtube algorithm

00:50

and subscribe if you want to stay on top

00:51

of our latest cyber security and tech

00:53

related videos

00:54

to comprehend xdr and mdr we need to

00:57

first understand what edr is and the

00:59

problem it's trying to solve

01:01

edr stands for endpoint detection and

01:03

response and it's an endpoint client

01:05

that's not just focused on the

01:06

prevention of breaches but in detection

01:08

and mitigation that happens after the

01:10

execution of malware has already

01:11

occurred in other words detecting

01:14

malware that the antivirus engine didn't

01:15

detect and the tools for containment or

01:17

mitigation when those are detected let's

01:19

start by breaking down an infected

01:21

endpoint into two stages pre-infection

01:24

and post-infection

01:25

pre-infection is where your traditional

01:27

anti-virus tools generally live this

01:29

might use tools like virus signatures

01:31

and machine learning to prevent known

01:32

malware from ever executing on the

01:34

machine

01:35

however we as cyber security

01:37

professionals know that this is not very

01:39

effective even the best antivirus

01:40

engines are only known to block between

01:42

50 to 60 of the real world threats that

01:45

we see on a daily basis this is where we

01:47

move to post-infection or post-execution

01:50

tools and in this stage is all about

01:52

detecting and responding to threats that

01:54

have already been executed on the

01:55

machine

01:56

for example we know traditional

01:58

antivirus is looking at signatures of

01:59

known malware those signatures can

02:01

easily be modified just enough to sneak

02:03

past antibiotic signatures however if we

02:05

look at the behavior of the malware

02:07

itself it does not change no matter how

02:09

much the malware is obfuscated this is

02:11

where detection portion of

02:13

post-infection comes into play by

02:15

looking at the behavior of an unknown

02:17

file once it's executed if that behavior

02:20

is highly suspicious or known bad then

02:22

we want to diffuse or contain it as much

02:24

as possible this is where we generally

02:26

attack ransomware by trying to stop the

02:28

unknown file from ever encrypting files

02:30

on the disk

02:31

next we move on to the response stage

02:33

which is where we automate playbooks and

02:35

quarantine users isolate devices or roll

02:38

back changes depending on what our

02:39

playbooks may dictate a key component of

02:42

the edr process is the ability to use

02:44

forensics to facilitate the threat

02:46

hunting process this could be as simple

02:48

as searching your edr clients for a yara

02:50

rule or a specific process or combing

02:53

through recorded events on the endpoint

02:55

itself this can vary from vendor to

02:57

vendor but most edr tools record

02:59

forensic data when the file passes the

03:01

pre-execution phase the forensic data

03:04

could include metadata like os processes

03:06

that were modified when a file was open

03:08

this is fundamentally how many edr

03:10

vendors were able to assist in finding

03:11

the impact of the solarwinds breach by

03:13

looking through common metadata across

03:16

the infected endpoints the ultimate goal

03:18

of the post-infection phase is to

03:20

minimize the dwell time between when an

03:22

incident occurred and when that breach

03:23

was ultimately contained and remediated

03:26

as mentioned previously in 2020 the

03:28

average dwell time was 56 days which is

03:30

actually down 28

03:32

from the previous year in part because

03:34

of the adaptation of edr across so many

03:37

organizations

03:38

while endpoints are a critical component

03:40

of the attack surface it's really a

03:42

small part of the big picture that makes

03:44

up our network modern networks have iot

03:46

devices cloud applications firewalls and

03:50

many other areas that must be considered

03:52

that brings us to xdr or extended

03:54

detection and response

03:56

gartner defines xdr as a sas based

03:59

vendor specific security threat

04:01

detection and incident response tool

04:03

that natively integrates multiple

04:05

security products into a cohesive

04:07

security operation system that unifies

04:09

all license components put another way

04:12

xdr ingests data from multiple security

04:14

products in order to correlate telemetry

04:17

data that would otherwise be difficult

04:18

to find manually by having integration

04:21

with these various products xcr gives

04:23

you the ability to respond to threats

04:25

either automatically or manually

04:27

at a high level there's three main

04:29

components that make up xdr the

04:31

integration the analysis and the

04:33

response

04:35

the integration piece is a critical

04:36

component to any xdr platform and that's

04:39

the level to which the xcr solution can

04:41

ingest and work with the products on

04:43

your network this means not only

04:45

monitoring telemetry data like syslog

04:46

and snmp but also having deep

04:48

integration via api to respond to

04:51

threats when incident is detected

04:53

with the telemetry data being ingested

04:55

by all the relevant sources on your

04:57

network xdr then normalizes and

04:59

correlates that data between all the

05:01

different data types and vendors this

05:03

part of the process is the analyze or

05:05

detect phase and it's usually powered by

05:08

some version of an artificial

05:09

intelligence tool to find outliers in

05:12

the breadcrumbs of data the ai engine is

05:14

trained to look for behaviors from all

05:16

the telemetry data ingested throughout

05:18

the network and here lies the beauty of

05:21

xdr what would be nearly impossible for

05:23

a team of sock engineers to do manually

05:26

xdr can calculate these breadcrumbs in

05:28

real time eventually finding patterns of

05:31

behavior that otherwise would have gone

05:32

undetected when the ai engine determines

05:35

that investigation is deemed to be a

05:36

security risk the response phase can

05:38

automatically remediate the issue by

05:40

responding to the relevant security

05:42

devices depending on the playbook that

05:44

you have configured for example this

05:45

could include blocking an ip at your

05:47

firewall quarantining a user at the

05:49

switch port or blocking a domain on your

05:51

mail server

05:53

ultimately xdr is about an ai system

05:56

that can take in telemetry data make a

05:58

decision based on the supervised

06:00

learning it has received and then

06:02

respond to the relevant device to

06:03

mitigate the risk on your network while

06:06

edr and xdr are focused on specific

06:08

technologies that detect and respond to

06:10

threats on your network mdr is a service

06:13

handled by a third party

06:15

gardner-defined mdr or managed detection

06:18

and response as a 24 7 threat monitoring

06:21

detection and lightweight response

06:23

service to customers leveraging a

06:24

combination of technologies a report

06:27

just released by forester in q4 of 2020

06:30

goes a bit beyond garter's definition to

06:32

define the key components of the mdr

06:34

service as security analytics proactive

06:37

threat hunting and automated incident

06:39

response using soar or manual response

06:42

using predefined playbooks the same

06:44

report goes on to say this

06:46

the quality of the mdr service depends

06:48

on its ability to incorporate extended

06:50

detection and response visibility from

06:52

not just edr software but also network

06:55

analysis and visibility tools network

06:58

traffic analysis and analysis of

07:00

security log data in other words the

07:02

ability to use xdr effectively because

07:05

the mdr market is still somewhat being

07:07

defined providers can vary greatly in

07:10

the services they provide

07:11

forester groups four segments that

07:13

measure the level of capability provided

07:15

by mdr providers today

07:17

the first level is what i would call the

07:18

base level services this will include

07:20

gartner's definition of basic mdr

07:22

services like proactive threat hunting

07:24

investigation and response the next

07:26

level would be a managed edr service

07:29

where the mdr provider is managing the

07:31

edr client and providing the base level

07:33

services on top of that so this will

07:36

include the threat hunting the

07:37

investigation and the response as well

07:40

the advanced service will include

07:41

incident response as a service which

07:43

will also offer traditional boots on the

07:45

ground personnel to assist with

07:47

incidents

07:48

the common theme around all three of

07:49

these topics that we discussed in this

07:51

video is detecting and responding to

07:53

threats quicker edr is usually the

07:55

starting point in our journey towards

07:57

lowering the dwell time because

07:59

endpoints are generally the biggest risk

08:00

in our attack surface however good

08:02

coordinated attacks usually involve more

08:05

than just the endpoints and that's why

08:06

xdr is the next evolution edr and xdr

08:10

are not mutually exclusive but

08:12

complementary both provide insight into

08:14

what's happening on your network that

08:16

would otherwise be difficult or

08:17

impossible to do manually the reality is

08:20

that a lot of organizations don't have

08:21

the manpower or expertise to take on edr

08:24

or xdr themselves and for this more and

08:27

more msps are providing mdr as next

08:29

level of managed services

08:32

well that does it for this video guys

08:33

hope you found it informative please

08:35

drop a line below and let me know what

08:37

you think about edr xdr and mdr let me

08:40

know if i missed anything or if you have

08:41

any insight into anything that we

08:43

discussed here today if you haven't

08:45

already please take a moment to

08:46

subscribe to stay on top of our latest

08:47

releases here at the cso perspective