As someone who’s researched, written about, and closely tracked the evolution of managed detection and response (MDR) and extended detection and response (XDR), I am not surprised by the current evolution and confusion we are witnessing in both these markets. I try to break down the net-net below.
In the world of cybersecurity, Managed Detection and Response (MDR) and Extended Detection and Response (XDR) are distinct but related approaches. Legacy MDR focused solely on endpoints and lacked the capability to analyze other types of data. XDR initially evolved to address this limitation by considering a broader range of data sources, such as hybrid cloud, networks, and IoT devices. MDR started as an endpoint managed service, but today MDR providers also ingest a wide range of data, either natively or by integrating XDR. Net-net, over time the line between MDR and XDR has become blurred, with providers offering overlapping capabilities. This blur is further exacerbated by terminology like NDR (network detection and response), MEDR (managed endpoint detection and response), MNDR (managed network detection and response), and MXDR (managed extended detection and response)! In my book, any time a service provider monitors and manages a client’s environment through a security operations center (SOC), regardless of the telemetry, it is a managed detection and response (MDR) engagement.
MDR involves continuous monitoring, curated threat intelligence, encryption, threat hunting, threat detection and response, and limited incident response capabilities. These services differ among providers, but they collectively contribute to an organization's cybersecurity defense. MDR and XDR offer a comprehensive analysis of an organization's infrastructure. Often, both centralize threat data in a user-friendly interface, and both now promise improved threat identification and response.
XDR aims to simplify security toolsets and provide automated analytics, despite potential challenges such as disparate technology components leading to excessive noise. MDR addresses the challenges presented by endpoint detection and response (EDR) and XDR by offering a managed service that handles the complexities of ongoing management and monitoring, by layering on human event analysis, alert triage, vulnerability management, remediation, and threat hunting, and by providing automation playbooks for detection and incident response.
So, which should you purchase?
Like most answers in cybersecurity, “it depends”, but generally I would say “both”. One could say: if you have a small security team and need extra eyes on glass watching your environment, choose MDR; if you have a large security team and need to integrate multiple detection and response tools into a cohesive security operations system, choose XDR. But the reality today is that any MDR provider worth its salt will be ingesting multiple telemetries and integrating multiple tools.
The better question to ask is: what should I look for in MDR/XDR? For this discussion I’m rolling these together into an MDR service, including native XDR. Hence, you should look for:
Round-the-clock monitoring. A 24/7/365 SOC for continuous monitoring is now essential as threat actors don’t sleep.
As broad and diverse a set of detection telemetry as possible.
SIEM/SOAR integration (more on these separately in coming blogs).
Multiple curated intelligence feeds.
Built-in vulnerability management.
Reactive and proactive threat hunting. Threat hunting generally encompasses reactive, targeted hunting when an issue is raised. Proactive threat hunting, on the other hand, can identify previously unknown, or ongoing and unremedied, threats within an organization's network, thereby enhancing the organization's security posture.
A good-sized bucket (10+ hours) of incident response, including forensic analysis and remediation, with a path to deeper response when needed (at additional cost).
Deep capabilities in playbook automation that apply to your environment, and custom playbook creation where the standard playbooks don’t apply.
Hands-on customer service.
In coming blogs, my colleagues and I will delve more deeply into these technologies and XDR optimization specifically.
Christina Richmond is the founder and principal analyst of Richmond Advisory Group, a cybersecurity market research firm that provides strategic insights, advisory and market research services to cybersecurity vendors, service providers and the investment community. You can follow her on LinkedIn at Christina Richmond or on Twitter @RichmondAdvGrp.