What does your business need?
Modern business cybersecurity requires continuous behavioral analysis. Knowing whether users, devices, software, or services are acting in unusual or suspicious ways is critical.
Endpoint detection and response (EDR) and extended detection and response (XDR) technologies play a key role in enterprise behavioral analysis.
But is EDR or XDR better suited to some organizations than others, or should both be used? Here is how to decide.
Collecting behavioral analytics with EDR and XDR
Behavioral threat analysis, also known as user and entity behavior analysis (UEBA), relies on collecting relevant information and looking for known bad or abnormal behavior. Known bad behaviors are actions a company has identified that an entity should not perform, such as a desktop PC trying to scan a server in the data center, or a broker’s PC trying to operate a Discord community server.
Abnormal behaviors are actions that are not categorically prohibited by policy but are unusual enough to merit further investigation, because such an action could turn out to be a security breach. Examples include an administrative assistant downloading hundreds of gigabytes of contact information from the CRM, or a user account logging in from Vladivostok instead of Pittsburgh.
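The two categories above, and the pattern matching and baseline comparison that an XDR engine applies to them, can be shown in a few lines. The following is an added illustration, not code from the article or from any EDR/XDR vendor: it runs a policy rule (a workstation touching many distinct ports on a data-center host) and two baseline rules (a download far above an entity's historical mean, and a login from a location never seen for that account) over telemetry that is entirely constructed for the example. Host names, thresholds and the baseline history are assumptions.

```python
"""Toy behavioral-analysis pass over constructed endpoint telemetry.

Added illustration (not the article's or any vendor's code). It shows the two
categories the text describes: "known bad" behaviour matched by a policy rule,
and "abnormal" behaviour found by comparing against a per-entity baseline.
All events, hosts, locations and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Event:
    kind: str       # "net", "download" or "login"
    entity: str     # user or host the behaviour is attributed to
    target: str     # destination host, system, or login location
    value: int = 0  # destination port for "net", megabytes for "download"


# Constructed telemetry: a workstation probing many ports on a data-center host,
# an assistant pulling far more CRM data than usual, and a login from a new city.
EVENTS = [
    *(Event("net", "ws-pat", "srv-db01", p)
      for p in (22, 80, 443, 445, 3306, 3389, 5432, 8080)),
    Event("net", "ws-ana", "srv-db01", 443),        # one port: normal use
    Event("download", "asst-kim", "crm", 120_000),  # ~120 GB from the CRM
    Event("login", "kim", "Vladivostok"),
]

# Constructed history used to build per-entity baselines.
BASELINE_DOWNLOADS_MB = {"asst-kim": [180, 210, 150, 240, 200, 190]}
BASELINE_LOGIN_LOCATIONS = {"kim": {"Pittsburgh"}}

DATACENTER_HOSTS = {"srv-db01"}
SCAN_PORT_THRESHOLD = 5  # distinct ports from one source to one server


def known_bad_scans(events):
    """Policy rule: a workstation touching many distinct ports on a data-center host."""
    ports = defaultdict(set)
    for e in events:
        if e.kind == "net" and e.target in DATACENTER_HOSTS:
            ports[(e.entity, e.target)].add(e.value)
    return [
        {"category": "known_bad", "entity": src, "target": dst, "ports": len(p)}
        for (src, dst), p in ports.items() if len(p) >= SCAN_PORT_THRESHOLD
    ]


def abnormal_downloads(events, history, z_threshold=3.0):
    """Baseline rule: volume more than z_threshold standard deviations above the entity's mean."""
    findings = []
    for e in events:
        if e.kind != "download" or e.entity not in history:
            continue
        past = history[e.entity]
        mu, sigma = mean(past), pstdev(past)
        z = (e.value - mu) / sigma if sigma else float("inf")
        if z > z_threshold:
            findings.append({"category": "abnormal", "entity": e.entity,
                             "target": e.target, "mb": e.value, "z": round(z, 1)})
    return findings


def abnormal_logins(events, known_locations):
    """Baseline rule: login from a location never seen before for this account."""
    return [
        {"category": "abnormal", "entity": e.entity, "location": e.target}
        for e in events
        if e.kind == "login" and e.target not in known_locations.get(e.entity, set())
    ]


def analyze(events=EVENTS):
    """Run all rules and return the combined findings (known bad first)."""
    return (known_bad_scans(events)
            + abnormal_downloads(events, BASELINE_DOWNLOADS_MB)
            + abnormal_logins(events, BASELINE_LOGIN_LOCATIONS))


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

The point of the split is operational: a known-bad match is a policy violation and can drive an automatic response (block, isolate, disable), whereas a baseline deviation is a lead for an analyst, since the assistant may simply have been asked to export the whole CRM. Real XDR products replace the z-score with richer models, but the structure of rule plus baseline is the same.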
How EDR Handles Threat Analysis
EDR tools turn endpoints into elements of a threat analysis architecture and use them to collect data about the state of the endpoint and what it is doing. An EDR tool can record which user is logged into the machine, what programs are running on it at any given time, and what those programs are doing on the network or on specific services.
IT teams can deliver EDR through a standalone client, or EDR functionality can be integrated with standard endpoint protection tools that provide antimalware, firewall, intrusion prevention, and more. Integrating with, or sharing tooling with, the endpoint protection platform (EPP) amplifies the response part of EDR: it expands the actions the system can take when a threat is detected. Responses can range from increased logging to deleting a user account or shutting down a device.
Nemertes’ Secure Cloud Access and Policy Enforcement 2021-22 research study found that organizations that perform better in cybersecurity are more likely to use a combined EPP-EDR agent.
How XDR Handles Threat Analysis
XDR systems perform the actual behavioral threat analysis. They apply methods ranging from simple pattern matching to machine learning and natural language analysis to spot threats and risks. XDR systems operate on streams of data from server platforms, applications, cloud services, and physical or virtual network devices.
With the addition of EDR, XDR platforms also ingest data from endpoints. XDR is essentially a rebrand of UEBA. The “extended” part can be read as extending the analysis to more data streams, especially from EDR systems, but it does not indicate a change in fundamental function or purpose.
EDR, XDR or both? And what about MDR?
Simply put, EDR without XDR is useful and XDR without EDR is useful. But in an ideal deployment, EDR is powered and directed by an XDR system.
Cybersecurity teams are – and have long been – chronically understaffed and overworked. The risks multiply, and the potential business impact of a serious breach continues to grow. Expanding standard security operations to include EDR and XDR will inevitably trigger another “build-or-buy” cycle for cybersecurity leadership.
This is where managed detection and response (MDR) services come in. MDR can be an extension of an existing SOC outsourcing contract, or a more targeted offering purchased in addition to or instead of a SOC service. In general, smaller organizations lack the resources to properly staff and fund a SOC and would be well advised to include MDR in any SOC outsourcing arrangement they explore. Large organizations can probably manage threat detection and response in-house if they already run their own SOC.
Organizations that outsource their SOC may still decide to keep this type of threat response in-house, because events surfaced through EDR and XDR are likely to involve either an insider threat or a breach that has already taken root somewhere within the organization. In either situation, the SOC service may have only a limited scope of response available to it.
Organizations looking for EDR should look for products that:
- incorporate EPP functions or tightly integrate with an EPP client;
- offer out-of-the-box integration with their SIEM or XDR systems;
- provide agents for all relevant operating systems;
- provide identical functionality across all platforms and devices, including desktops, laptops, and mobile devices; and
- provide a wide range of potential response options.
Organizations seeking XDR should, among other things, consider:
- breadth of data sources included and out-of-the-box integration;
- range of response options;
- availability of a rich library of templates or runbooks for responses; and
- meaningful incorporation of AI techniques into analytics.
Nemertes’ research has shown that organizations that are more successful in cybersecurity are also more likely to integrate EDR with their secure access service edge, cloud access security broker (CASB) and Secure Web Gateway as a Service (SWGaaS) deployments, and XDR with their software-defined perimeter, CASB and SWGaaS services.