Not all managed detection and response (MDR) services are the same. One of the types available is EDR-based MDR.
EDR stands for endpoint detection and response. EDR technologies go further than traditional endpoint security controls to enable organisations to move from a reactive to a proactive security stance that enables detection of even advanced, previously unseen threats. They collect and analyse behavioural data from endpoints and users to identify patterns of activity that could be anomalous or malicious, providing context regarding how the threat has impacted the network so that remediation can be prioritised to focus on the most critical events.
EDR technologies can provide tremendous value, but they are complex in nature, often needing more knowledge and expertise to handle than standard tools that have traditionally been available to security teams. Research from Sophos has found that organisations have struggled to use such tools, with 54% saying that they are unable to get the full benefit from their investments, a figure that cuts across organisations of all sizes.
Some providers of EDR technologies have taken note of this, along with the skills shortage that is plaguing many organisations in their efforts to harness new technologies. They have expanded their offerings and added services into the mix, enabling them to offer MDR services to customers. They provide services on a 24×7 basis to organisations that include threat detection, investigation, analysis and response to supplement in-house teams or to provide a completely outsourced service to those lacking internal resources.
Most have extended their coverage way beyond endpoints to include the network and, increasingly, cloud coverage to cater for hybrid environments that are becoming the norm in many organisations. They can integrate into a number of tools, including malware analysis, network forensics, SIEM systems, threat intelligence, security automation, orchestration and response tools, application blacklisting and whitelisting, DLP tools, access controls and user behaviour and analytics systems.
In terms of services, such MDR providers can offer actionable guidance to their customers regarding threats that have been detected and the appropriate response to take. Most have teams of security experts on hand to provide personalised services according to the situation each customer finds themselves in. Most will undertake services such as threat hunting on behalf of customers to root out threats that may fall through the cracks and provide additional protection against advanced threats.
In the upcoming first edition of its MDR services market guide, Bloor has looked deeply into the EDR-based MDR services offered by Carbon Black, Cybereason, Cynet, Digital Guardian, Fidelis Cybersecurity, Nyotron, SentinelOne and Sophos. More vendors will be considered in future updates.