MAGNIFY CYBER SECURITY BLOG

EDR/NDR/XDR/WTFDR? Confused 

06 April 2021

In the world of cybersecurity, acronyms abound. Many of which represent technologies and concepts that are seemingly indistinguishable from one another. Take EDR, NDR and XDR. With every vendor having a “Detection and Response” story, understandably, we have seen customers confused as to how these technologies work and where the overlap is. It’s time we explained the differences, removed the fog, and identified the gaps and, therefore, the blind spots.

Evolution of Detection and Response  

Organisations across all industry verticals have seen an uptake in interest from regulators, suppliers and government to prove their operational resilience. No matter your organisation’s size, having basic security controls and the willingness to use them to prevent or close incidents is more than ever, top of mind. Much historical expenditure focused on prevention mechanisms, but poor implementation drove the creation of dedicated teams to spot when the prevention mechanisms had failed and put mechanisms in place to respond. In recent times the focus has narrowed to the endpoint drawn from the realisation that many major incidents originated from threat actor groups. So, how can we ensure we spot the right things from 1000s of vulnerable end-user devices? And if we spot it, can we do something about it directly? Thus, EDR was born. 

Endpoint Detection and Response (EDR) 

Seeing the widespread adoption of EDR, network security vendors realised that the focus on traffic had been lost. Increasing encrypted traffic internally made it more difficult to inspect, and cloud migration didn’t easily expose network-level information for inspection. Both existing and new vendors with significant investment backing entered the market to revitalise network-oriented detection and response. Moving up the OS Model and becoming application-aware meant that more visibility than ever before was possible. To complement this, some solutions included the ability to throttle or suspend individual network connections (provided the correct integrations were applied). As a result, NDR was born. 

Network Detection and Response (NDR) 

Unfortunately, some organisations are ill-equipped to take advantage of NDR because they outsource their IT/security. In this case, rather than hiring a team to implement and run an internal solution, it’s easier to work with an existing outsource supplier or take an MDR service. But MDR services are not alike; some constrain this to only endpoint (Managed EDR) or only network (Managed NDR); yet others offer an alternative to SIEM, which historically included compliance and online protection. You must conduct research before making any decisions and write a set of requirements that includes the scope you intend to protect. Remember, the more third and fourth parties involved, the more troublesome it will be to get the defence and response functions working seamlessly across the suppliers. 

If there was a Managed EDR or Managed NDR service that’s looking at only a few of the traditional controls, you should ask: 

  • What happens if the managed service detects something? Is it my problem to deal with?  
  • What about other things I think are important? Why are we separating it 

This opened a door for vendors with broad-spectrum coverage, and they introduced the term XDR. 

Secrutiny_EDR NDR XDR WTFDR

Extended Detection and Response (XDR) 

XDR looks to include controls other than simply network or endpoint and allow an element of automated enrichment and orchestrated response like a SOAR platform. You should be looking at email, proxy and cloud as well as endpoint and network, and if you have a digital presence that needs special consideration of its own to provide broad coverage and control. Moving to an XDR solution was intended to reduce the dwell time and get ahead on mitigation to reduce impact. If this is an outsourced service, you must be prepared to cede some control to your managed service provider to get the value of the routine dispensing of remediation. 

Vendor-Led Integrations and OpenDXL 

There are two schools of thought for XDR if you are buying and integrating yourself.

  1. Vendor led solutions from Cisco, Checkpoint or Palo Alto where through acquisition, they have completed the jigsaw puzzle for you.
  2. Open frameworks led predominantly by Anti Malware vendors like McAfee, such as OpenDXL, where you choose and build your own pick and mix of solutions 

If you’ve outsourced your network and wish to manage the risks yourself, you’ll probably find it challenging to deploy vendor-led network solutions, as managed service providers are not keen on customers defining how the network will be controlled. With OpenDXL, you can custom build a set of solutions based on the security controls already in place. But unless you already have significant investment in one of the technologies or are prepared to swap them to create a complete set, it will be expensive.

What’s the Solution? 

When making strategic plans to begin a journey of improvement, there are a few considerations to consider, like investing in MDR/XDR or zero trust. More on Zero Trust coming soon in our April session. While great to do both, the resources required to deploy overlap can be expensive. The approaches of MDR/XDR and Zero Trust also have differing goals. (i) Managing or outsourcing your network and endpoint data and using automated countermeasures could open the door to a rapid response function. (ii) If your organisation has one of these characteristics:

  • Makes extensive use of the cloud. 
  • Has adopted identity solutions.
  • Has extensive machine to machine connections.
  • An historically flat network.

You’ll find it easier to shrink the problem by considering micro-segmentation, privilege management and identity-based connections to your organisation’s critical applications. 

Overall, it’s important to think about the wider technology estate – on-premise, cloud, SaaS – and how your current approach treats them. If youre strongly cloud-focused, consider zero trust vs XDR. If you run your own SOC, put time into considering incident and case management; if you run your SOC and are mostly on-premise, then XDR could be the way forward. If you have a hybrid or outsourced SOC, get their opinion and direction of travel before making final decisions. But, whatever you choose, ensure you understand what’s included and excluded.