Last Updated on June 29, 2021
Today’s threat detection tool marketplace is a muddle of buzzwords, from endpoint detection and response (EDR) to network detection and response (NDR) to managed detection and response (MDR). How do these services differ, especially as regards automation versus managed services? What specifically is MDR and what special value does it offer?
To cut through the buzzwords and hype and shake out the real value for SMBs, Chris Nyhuis, President and CEO at Vigilant, joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as usual.
According to Chris, MDR is the next evolution of extended detection and response (XDR). He and John joke that the new term reflects a hunger in the marketplace for something newer and better.
Why automation alone isn’t enough
“But it all comes down to the concept of… you’ve got to get data out of things, and you have to get it in such a way that you can trust it and then make decisions on it,” clarifies Chris. “EDR is … taking data out of endpoints. It’s more than just threat information. You have to know what’s happening in the processor. What’s the service tag? What’s the user doing? Who’s logged in? All the things you think of from an operational standpoint, which don’t necessarily constitute security detection, and combine that together. That’s when it gets really hard to do automatic detection. You have to really tune that in.”
“MDR is this concept of EDR and network detection and response (NDR) put together,” states Chris. “It’s looking at those two things. … Network detection and response, its goal is to get all the information passing across your network, and the points that it’s running, collect that, and investigate it.”
But depending on how that collection is done, you might only be getting part of the critical data, for example because of packet loss. Capturing more of the traffic without adding undue overhead costs more, but it supports better conclusions.
“Think about this conversation,” Chris explains. “Say we had a lot of lag, and it was choppy, and people only heard 60% of our conversation. They’re not going to really know exactly what we’re talking about. In the case of security, if you’re only getting some of the conversation, and you put on top of that machine learning algorithms and behavioral analytics, you’re creating analytics—and behavior and decisions—off of [only] some of the conversation.”
“The other aspect of NDR is there’s a lot of disparity in how [different providers] do what they do,” continues Chris. “Some are just running the information through algorithms. Some, like us, do full packet capture; we’re storing that for a long time. We’ve got some patents around how we analyze that. You create log, event, and network metadata from that. There’s all kinds of different ways to use that information, the more data you get.”
The value of MDR
So, what does NDR give you that EDR doesn’t?
As Chris describes, EDR runs inside the device. If the device is taken over by an attacker, they’ll most likely get root/admin access. Then they can manipulate what the EDR tool sees and reports about the device.
But if you add NDR, you get an independent view of the traffic that an attacker on the endpoint cannot alter. EDR plus NDR in a managed context gives you both the details and the bigger picture. That adds up to analytics you can trust, and a better way to spot threats.
“If I see a communication here, and this inside here is telling me it didn’t happen, there’s something wrong,” says Chris. “The other big thing here is that most malware, especially ransomware, likes to propagate. If, for some reason, the original device isn’t able to tell us that [via EDR], we’re going to see the propagation through the NDR.”
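The two checks Chris describes, a connection the network saw that the endpoint agent never reported, and one host fanning out to many internal peers, can be expressed as a simple correlation over flow and endpoint records. The script below is an added illustration, not Vigilant's or the podcast's code; the flow and endpoint records are constructed samples, and the field names and the fan-out threshold are assumptions.

```python
"""Correlate constructed NDR flow records with constructed EDR network events.

Flags (1) connections the network sensor saw but the endpoint agent never
reported (a possible blinded or tampered agent) and (2) one host reaching
many internal peers on the same port (a propagation pattern).
"""
from collections import defaultdict

# Constructed sample data: what the network sensor (NDR) observed.
NDR_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.7", "dport": 445},
    {"src": "10.0.0.5", "dst": "10.0.0.8", "dport": 445},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 445},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 445},
    {"src": "10.0.0.6", "dst": "10.0.0.7", "dport": 443},
]

# Constructed sample data: what each endpoint agent (EDR) reported.
# Note 10.0.0.5 only admits to one of its four outbound SMB connections.
EDR_EVENTS = [
    {"host": "10.0.0.5", "dst": "10.0.0.7", "dport": 445},
    {"host": "10.0.0.6", "dst": "10.0.0.7", "dport": 443},
]


def unreported_flows(ndr_flows, edr_events):
    """Return network-observed flows with no matching endpoint report."""
    reported = {(e["host"], e["dst"], e["dport"]) for e in edr_events}
    return [f for f in ndr_flows
            if (f["src"], f["dst"], f["dport"]) not in reported]


def fan_out_sources(ndr_flows, threshold=3):
    """Return {(src, dport): distinct_dst_count} at or above threshold."""
    peers = defaultdict(set)
    for f in ndr_flows:
        peers[(f["src"], f["dport"])].add(f["dst"])
    return {k: len(v) for k, v in peers.items() if len(v) >= threshold}


def findings(ndr_flows, edr_events, threshold=3):
    """Human-readable findings from both checks, for an analyst queue."""
    out = []
    for f in unreported_flows(ndr_flows, edr_events):
        out.append(f"EDR on {f['src']} did not report "
                   f"{f['src']}->{f['dst']}:{f['dport']} seen by NDR")
    for (src, dport), n in fan_out_sources(ndr_flows, threshold).items():
        out.append(f"{src} reached {n} internal hosts on port {dport}: "
                   "possible propagation")
    return out


if __name__ == "__main__":
    for line in findings(NDR_FLOWS, EDR_EVENTS):
        print(line)
```

On the sample data the endpoint check and the fan-out check both point at the same host, which is the kind of corroboration the quote above is describing.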
If your business is looking to improve security, reduce risk and/or move toward compliance with CMMC, NIST 800-171 or another cybersecurity framework, you’ll really appreciate this podcast episode with Vigilant CEO, Chris Nyhuis.