Apr 13 2021

XDR and MDR: What’s the difference and why does it matter?

Category: MDRDISC @ 8:33 am

Extended detection and response (XDR) is a designation used when you do not have the ability to cover a wide range of threat vectors.

Simply put, XDR encompasses more than one type of detection, but it can be as little as two in some cases. But threats can come via desktop, web, SaaS applications, cloud providers, and so on, and you need more than a couple of detection capabilities to secure you systems.

So, why XDR and why now? Many providers only have a couple of threat vectors covered, and if they do not manage them for you they cannot claim to provide a managed service. Instead, they call it XDR — a great marketing term to hide the lack of coverage they provide.

Gartner defines XDR products as platforms that automatically collect and correlate data from multiple components. XDR promises to make security teams more efficient, productive and effective via centralized historic and real-time event data in common formats, and with scalable, high-performance storage, fast-indexed searches and automation-driven responses.

However, XDR solutions are pulling data from a variety of solution sets possibly comprised of even more tools, and they are flooding analysts with an overwhelming amount of threat data to be analyzed.

XDR represents a natural evolution of endpoint detection and response (EDR) solutions. It seeks to provide an all-in-one platform which includes endpoint protection, cloud access security brokers (CASBs), secure web gateways (SWGs), secure email gateways (SEGs), network firewalls, network intrusion prevention systems (NIPs), unified threat management (UTM) and identity and access management (IAM).

It takes a proverbial village of acronyms to describe what XDR is, exactly. But here’s one thing that none of this cybersecurity-speak covers — people.

XDR investments are set up for failure because they overlook the human factor. XDR is just a tool. To derive any of the tool’s value potential, you need talent empowered with the intelligence required to parse through it, apply the analytics, sort real incidents from the noise, and prioritize responses. Without them, using XDR amounts to simply dumping everything you can possibly collect about threats in a big pot and letting it simmer. Plus, attackers will continue to find new approaches to get through.

It’s similar to the more traditional industry staple, security information and event management (SIEM), which arrived as an answer for organizations with several different analysts and consoles, each one looking for smoking guns.

Through SIEM, companies sought to eliminate these inefficiencies by aggregating all consoles and putting everything in one place (including the smoking guns). Thus, at their core, SIEM and XDR are conceptually the same and hindered by the same problem: you need people on board who know what to do with these tools to get anything out of them.

In addressing this missing factor organizations are turning to what will be the last of our acronyms: MDR (managed detection and response). This security as a service (SaaS) offering provides companies access to outside analysts who command expertise in all XDR capabilities for comprehensive coverage, detection, and response. They remove the burden of triage from in-house IT teams with the ability to continuously and effectively receive and prioritize events. They reduce false positives while investigating high-risk incidents before they escalate, with up-to-date intelligence across all customer deployments.

In other words, proper MDR is managed XDR. As a result, the customer’s security team members don’t have to procure their own intelligence feeds and the solution is more than just a tool. They no longer handle up to 10,000 alerts a day, or suffer from alert fatigue. They are liberated from these burdens so they can focus instead on bigger-picture, strategic initiatives to improve the overall security posture of their companies.

Because of these advantages, MDR is positioned for broader adoption, as one-quarter of organizations are now using an MDR service, with 72 percent of them decreasing the time it takes to resolve attacks by 25 to 100 percent. Among those that do not currently use it, 79 percent are either evaluating or are considering the adoption of such a service.

These organizations are still getting XDR. However, as indicated, they’re acquiring a managed services version of it, which means they’re buying the external staffing and know-how that can transform a tool into a comprehensive, impact-making capability. This drives toward the inherent value of the human touch — a value which especially benefits companies that can’t afford to internally staff 24/7/365 coverage for threat detection and response.

An XDR solution without adequate human expertise/staffing behind it will only ever be a tool. With a managed services model in play, you’re getting both the comprehensive technology capabilities and the people required to make it work — which is why MDR may be the only acronym that your organization needs.

Purple Team Field Manual