Strengthening Cyber Resilience with XDR and MDR
Threat actors have many ways to attack and compromise systems, and cybersecurity vendors have responded with multiple solutions to detect and respond to attacks. For example, solutions such as endpoint detection and response (EDR) are crucial for helping security teams identify attacks on an endpoint.
But what happens when an attacker circumvents your endpoint controls and manages to move laterally through your network? As alerts cascade in, security analysts want a full view of the attack. But pivoting between tools is time consuming — generally slower than the pace of the attack.
This is where extended detection and response (XDR) comes in. XDR consolidates input from multiple security technologies to provide visibility into an event so that security teams can track an attack as it unfolds.
Of course, security professionals are already busy building their security infrastructure, developing playbooks and automations, and generally working to ensure the organization is robust to an attack. So, when a breach does occur, they must pivot away from this work to investigate.
This is where managed detection and response (MDR) can help minimize the amount of time your team spends investigating. As the name suggests, MDR is a managed service that uses highly experienced security analysts to monitor your security platforms to respond to events surfaced by XDR and other detection and response technologies.
How XDR Works
XDR is a highly versatile solution that consolidates intelligence from multiple, disparate security technologies to provide comprehensive visibility into events that span endpoints, identities, data, the cloud, and networks for a correlated, birds-eye view of an attack across your on-premises and cloud footprints.
When implementing XDR, most organizations start by ingesting and correlating endpoint and network events and potentially expand the scope to include identities, data, and other systems. So, instead of only getting visibility into endpoint detections, or only network detections, XDR combines and integrates detection technologies to see how an attack unfolds over time. For example, you could see a compromised user account, which led to lateral movement on the network.
XDR is often supported by AI to help correlate events and build event timelines. Response to XDR alerts can often be fully or partially automated by security orchestration, automation, and response (SOAR), which we covered in more detail in a previous blog.
Most security vendors offer an XDR solution, usually as part of a larger platform that can include EDR, NDR, SIEM, and SOAR, and may also include an MDR component.
How MDR works
Security events don’t always happen during business hours, and many organizations don’t have the resources to run a fully functional security operations center (SOC) to respond to alerts at night, on weekends, over holidays, or to cover for someone on vacation.
MDR is a way to outsource SOC capabilities to have experienced security professionals watching your systems 24/7 and using consistent, proven processes to respond to alerts on your behalf. This extensive coverage helps ensure that events are triaged as they surface.
The MDR team takes tailored actions as agreed upon by your organization and reaches out to get your team involved only when necessary. This can significantly cut the workload for security analysts who are often already busy developing architecture, rolling out services, optimizing existing services, and writing playbooks and automations. MDR gets your security team out of the disruptive grind of responding to every alert.
MDR augments your security team so the team can focus on moving the company forward rather than investigating alerts that may or may not be legitimate threats to the organization.
MDR Offers Expanded Threat Intelligence
In addition to continuous coverage, outsourced MDR teams are experts at responding to alerts and events. That’s what they do all day. They work for multiple companies in multiple industries and organizations of different sizes worldwide, so they see a lot. They can also correlate attacks in process in multiple organizations or across an entire industry. This wide-ranging, real-time perspective gives them access to threat intelligence that’s simply unavailable to internal security analysts.
Overall, MDR can give organizations a more proactive security stance, enabling them to catch and remediate attacks faster to minimize disruption.
MDR can work in a couple of different ways. Your MDR provider can hook into your existing security solutions, or you can simply hook into theirs. It depends on what the provider offers and what needs augmenting on your end.
Get Clarity on Your MDR Relationship
The most important thing about developing a relationship with an MDR provider is to get clarity on where the MDR provider’s responsibilities begin and end. It’s important to understand what your MDR provider is doing for you because if an event occurs, personnel on both sides may need to get involved. You’ll want a clear picture of how that will work before an attack occurs.
It’s also important to have performance metrics for your provider so you know they’re doing what you expect them to do.
What You Can Expect from XDR and MDR
With XDR and MDR working together, event response times should be faster. The comprehensive visibility that XDR provides into your detection platforms also gives security teams a higher level of confidence that investigations and remediations actually address the issues you’re trying to solve. In the event of a ransomware attack, you’ll be able to, for instance, trace a compromised user account to specific files accessed by that account to see the entire scope of an attack.
In contrast, without XDR, you may know what triggered an event, but you may not get the full scope of accounts or data involved in the attack. And without MDR, your response may be slow or limited in scope.
How Evolving Solutions Can Help
For XDR, Evolving Solutions can help you sort out the options, one or more of which may already be available through an existing vendor relationship. We can help ensure that the right integrations are in place to make your XDR investment work for you.
We also work with several organizations that provide MDR services and can help you investigate the best fit based on your environment and security goals.
