Modern corporate cybersecurity requires ongoing behavioral analysis. Knowing whether users, hardware, software, or services are acting in unusual or suspicious ways is critical. Endpoint detection and response (EDR) and extended detection and response (XDR) play a key role here.
But when comparing EDR and XDR, does one suit some organizations better than others? Or should both be used? Understanding what each actually does is the first step to deciding.
Behavioral analysis with EDR and XDR
User and entity behavior analytics (UEBA) rests on collecting the relevant telemetry and then searching it for bad or abnormal behavior: behavior that is known to be bad, or that simply diverges from what is known to be healthy.
Known bad behaviors are actions a company has decided an entity must never perform, such as a desktop PC attempting to port-scan a server in the data center, or a broker's PC hosting a community Discord server.
Abnormal behaviors are actions that are not categorically prohibited by policy, but are unusual enough to warrant investigation, since they could turn out to be a security breach. Examples are an administrative assistant downloading hundreds of gigabytes of contact details from the CRM, or a user account that logs in from Vladivostok instead of Toulouse.
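The two classes of finding described above, known-bad (policy says never) and abnormal (outside the entity's baseline), are easiest to see as rules run over telemetry. The following is an added example written for this page, not code from the article or from any EDR/XDR product. The asset roles, user baselines, thresholds and the sample events are all constructed; the port-scan heuristic (many distinct destination ports from one workstation to one data-center server inside a short window) is one common way to express that rule, not the only one.

```python
"""Minimal UEBA-style rule engine over constructed endpoint/identity telemetry.

Two kinds of finding, mirroring the distinction in the text:
  * KNOWN_BAD - policy says an entity must never do this
                (a workstation port-scanning a data-center server).
  * ABNORMAL  - not forbidden, but far outside the entity's baseline
                (bulk CRM export, login from an unexpected country).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since epoch (constructed values)
    user: str
    host: str
    kind: str          # "net_conn", "crm_download" or "login"
    dst: str = ""      # destination host for net_conn
    dport: int = 0     # destination port for net_conn
    size: int = 0      # bytes transferred for crm_download
    country: str = ""  # geolocated source country for login


# Constructed asset inventory (assumed): workstations vs data-center servers.
ASSET_ROLE = {"ws-broker-07": "workstation", "ws-admin-03": "workstation",
              "db-01": "dc_server", "crm-app": "dc_server"}

# Constructed per-user baselines (assumed): usual login countries and daily CRM volume.
BASELINE = {
    "asmith": {"countries": {"FR"}, "daily_crm_bytes": 1_000_000_000},
    "jdoe":   {"countries": {"FR", "DE"}, "daily_crm_bytes": 200_000_000},
}

SCAN_PORTS, SCAN_WINDOW = 20, 60   # >= 20 distinct ports to one server within 60 s
BULK_FACTOR = 10                   # > 10x the user's usual daily CRM volume


def known_bad_port_scan(events):
    """Workstation -> dc_server connections fanning out over many ports."""
    by_pair = defaultdict(list)
    for e in events:
        if (e.kind == "net_conn" and ASSET_ROLE.get(e.host) == "workstation"
                and ASSET_ROLE.get(e.dst) == "dc_server"):
            by_pair[(e.host, e.dst)].append(e)
    findings = []
    for (src, dst), conns in by_pair.items():
        conns.sort(key=lambda e: e.ts)
        for i, start in enumerate(conns):
            ports = {c.dport for c in conns[i:] if c.ts - start.ts <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                findings.append(("KNOWN_BAD",
                                 f"{src} port-scanned {dst} ({len(ports)} ports)"))
                break  # one finding per source/destination pair is enough
    return findings


def abnormal_bulk_export(events):
    """Total CRM download volume per user far above that user's baseline."""
    total = defaultdict(int)
    for e in events:
        if e.kind == "crm_download":
            total[e.user] += e.size
    return [("ABNORMAL", f"{u} exported {b / 1e9:.1f} GB from CRM")
            for u, b in total.items()
            if u in BASELINE and b > BULK_FACTOR * BASELINE[u]["daily_crm_bytes"]]


def abnormal_geo_login(events):
    """Login from a country the user has never been seen in."""
    return [("ABNORMAL", f"{e.user} logged in from {e.country}")
            for e in events
            if e.kind == "login" and e.user in BASELINE
            and e.country not in BASELINE[e.user]["countries"]]


def analyse(events):
    """Run all rules; returns a list of (severity_class, message) tuples."""
    return (known_bad_port_scan(events)
            + abnormal_bulk_export(events)
            + abnormal_geo_login(events))


# Constructed sample telemetry: a scan, a 300 GB CRM pull and a login from abroad.
SAMPLE = (
    [Event(1000 + i, "jdoe", "ws-broker-07", "net_conn", dst="db-01", dport=20 + i)
     for i in range(25)]
    + [Event(2000 + i, "asmith", "ws-admin-03", "crm_download", size=10_000_000_000)
       for i in range(30)]
    + [Event(3000, "asmith", "ws-admin-03", "login", country="FR"),
       Event(3600, "asmith", "ws-admin-03", "login", country="RU")]
)

if __name__ == "__main__":
    for severity, msg in analyse(SAMPLE):
        print(severity, msg)
```

The point of keeping the two classes separate is operational: a KNOWN_BAD finding can be wired to an automatic response (isolate the host, block the flow), while an ABNORMAL finding is a lead for an analyst, because the baseline may simply be stale.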
How EDR Handles Threat Analysis
EDR turns endpoints into sensors of a threat analysis architecture and uses them to gather data about the health of the endpoint and what it is doing. An EDR agent can record which user is logged into the machine, which programs are running at any given time, and what those programs are doing on the network or against specific services.
IT teams can deliver EDR through a standalone agent or integrate it with the standard host protection tools that act as antimalware, firewall, intrusion prevention system, and so on. Being integrated with, or sharing an agent with, the endpoint protection platform (EPP) strengthens the response side of EDR. Responses can range from enhanced logging to disabling a user account or isolating a device from the network.
According to Nemertes’ Secure Cloud Access and Policy Enforcement 2021-22 study, organizations that are most successful in cybersecurity are more likely to use a combined EPP-EDR agent.
How XDR Handles Threat Analysis
XDR systems also perform behavioral threat analysis. They apply methods ranging from simple pattern matching to machine learning and natural language processing to spot threats and risks. Above all, they go beyond servers and workstations, which helps eliminate blind spots: XDR systems work on data streams from server platforms, applications, cloud services and physical or virtual network devices.
With EDR added, XDR platforms also ingest data from endpoints. The "extended" part is best read as extending the analysis to more data streams, EDR output in particular, and does not imply a change in function or fundamental purpose.
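What "extending the analysis to more data streams" buys in practice is cross-source correlation: a signal that is weak on its own (an encoded PowerShell command seen by EDR) becomes strong when independent sources report related activity for the same entity inside a short window. The following is an added example written for this page, not code from the article or from any XDR product. The source names, confidence weights, scoring formula, severity thresholds and sample signals are all constructed assumptions chosen to illustrate the idea.

```python
"""Cross-source correlation of the kind an XDR layer adds on top of EDR.

Each source (EDR, identity provider, cloud storage, firewall) emits its own
low-confidence signal. The correlation step joins signals on the shared
entity (here the user) inside a time window and escalates when independent
sources agree. All data and weights below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    ts: int        # seconds since epoch (constructed)
    source: str    # "edr", "idp", "cloud_storage" or "firewall" (assumed names)
    user: str
    detail: str
    weight: int    # per-source confidence, 1 (weak) .. 3 (strong), assumed


WINDOW = 3600  # join signals for the same user that fall within one hour


def _score(user, cluster):
    """Score one cluster: summed weights, multiplied by the number of distinct sources."""
    sources = {s.source for s in cluster}
    score = sum(s.weight for s in cluster) * len(sources)
    severity = "high" if score >= 12 else "medium" if score >= 6 else "low"
    return {"user": user, "sources": sorted(sources), "score": score,
            "severity": severity, "start": cluster[0].ts,
            "details": [f"{s.source}: {s.detail}" for s in cluster]}


def correlate(signals, window=WINDOW):
    """Group each user's signals into time-bounded clusters and score each cluster."""
    per_user = defaultdict(list)
    for s in signals:
        per_user[s.user].append(s)
    incidents = []
    for user, sigs in per_user.items():
        sigs.sort(key=lambda s: s.ts)
        cluster = [sigs[0]]
        for s in sigs[1:]:
            if s.ts - cluster[0].ts <= window:
                cluster.append(s)
            else:  # gap larger than the window: close this cluster, start a new one
                incidents.append(_score(user, cluster))
                cluster = [s]
        incidents.append(_score(user, cluster))
    return incidents


def edr_only(signals):
    """What the same logic sees when only the endpoint stream is available."""
    return correlate([s for s in signals if s.source == "edr"])


# Constructed sample signals. asmith and jdoe trigger the identical EDR signal;
# only asmith has corroborating identity, cloud and network activity around it.
SAMPLE = [
    Signal(1000, "idp", "asmith", "login from new country, MFA prompt accepted", 1),
    Signal(1300, "edr", "asmith", "powershell.exe spawned with -EncodedCommand", 2),
    Signal(1900, "cloud_storage", "asmith", "2,400 files shared via external link", 2),
    Signal(2500, "firewall", "asmith", "outbound 1.8 GB to never-before-seen host", 1),
    Signal(9000, "edr", "jdoe", "powershell.exe spawned with -EncodedCommand", 2),
]

if __name__ == "__main__":
    print("EDR only:")
    for inc in edr_only(SAMPLE):
        print(" ", inc["user"], inc["severity"], inc["score"])
    print("XDR correlation:")
    for inc in correlate(SAMPLE):
        print(" ", inc["user"], inc["severity"], inc["score"], inc["sources"])
```

Run stand-alone, the EDR-only view rates both users "low" with the same score, because the endpoint stream cannot tell the two cases apart; the correlated view escalates asmith to "high" and leaves jdoe at "low". The multiplier on distinct sources is a deliberate design choice: repeated noise from one sensor should not escalate, agreement between independent sensors should.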
EDR, XDR or both? And what about MDR?
Simply put, EDR without XDR is useful and XDR without EDR is useful. But in an ideal deployment, the EDR layer feeds the XDR system and is driven from it.
Cybersecurity teams are, and have long been, chronically understaffed and overworked. Risks proliferate and the potential economic impact of a serious breach continues to grow. Expanding standard security operations to include detection and response will inevitably trigger a new round of "build or buy" decisions in cybersecurity departments.
This is where managed detection and response (MDR) services come in. MDR can be an extension of an existing SOC service or a more targeted offering bought in addition to, or instead of, a SOC service. Typically, smaller companies do not have the resources to adequately staff and fund a SOC and would be well advised to include MDR in any SOC outsourcing deal they consider. Large organizations can probably handle threat detection and response in-house if they already run their own SOC.
Organizations that outsource their SOC may still decide to outsource this type of threat response separately, because the events surfaced by EDR and XDR are likely to concern either an insider threat or a breach that has already taken root somewhere in the organization. In either situation, a SOC service alone may have a limited scope of action.
Organizations looking to implement an EDR system should look for products that:
- incorporate EPP functions or integrate tightly with an EPP client;
- integrate out of the box with their SIEM or XDR systems;
- provide agents for all relevant operating systems;
- offer the same feature set across all platforms and device types, including desktops, laptops and mobile devices; and
- provide a wide range of response options.
Organizations looking for an XDR solution should consider the following, among others:
- the range of data sources supported and ready to integrate;
- the range of response options;
- the availability of a rich library of response templates or playbooks; and
- the depth of AI and machine learning techniques used in the analysis.
Nemertes' research has shown that the organizations most successful in cybersecurity are also more likely to fold EDR into their deployments of secure access service edge (SASE), cloud access security brokers (CASB) and secure web gateway as a service (SWGaaS), all of them integrated with XDR.
EDR, XDR, or MDR: what does your business need?