MDR: Making the case for managed security

Matt Lee, Pax8 Senior Director of Security and Compliance

EDR, MDR, and XDR and what they mean for MSPs.

What Is EDR Security?

EDR (endpoint detection and response) security was first coined by Gartner analyst Anton Chuvakin a decade ago and has been a valuable cybersecurity solution for many businesses ever since, because it offers a comprehensive view of the endpoint environment (meaning computers, mobile devices, sensors, etc.). With real-time visibility into each endpoint’s behavior and activity, EDR can detect and respond to advanced threats that previously could elude traditional security solutions. EDR solutions are designed to respond to threats quickly and effectively and can automatically quarantine or isolate infected endpoints to contain the spread of the threat and remediate affected systems.

In addition, EDR solutions are highly configurable and can be tailored to meet specific security requirements. This allows organizations to customize the solution to meet their unique security needs. By providing detailed analytics and reporting that can help organizations understand the threat landscape, these organizations can make more informed decisions about their security posture at an endpoint level. Great telemetry about suspected threats and easy actions to quarantine and remove the root cause allow for effective device security posture if managed well by expert humans.

It’s easy to see why EDR threat detection solutions became popular and why they continue to furnish businesses with valuable risk reduction. (Notable market research reports currently value the EDR software market at about $2 billion, projecting it to reach approximately $7 billion in 2027 and just over $18 billion by 2031.)

How Does EDR Work?

EDR is purpose-built to go beyond detection-based, reactive cyber defense. Instead, it enables security analysts to proactively identify threats. Here’s how:

Improved Visibility: EDR collects data and analytics continuously, then reports that data to a centralized system to ensure full visibility into the state of the network’s endpoints from a single console.

More Efficient Action: The data and collection processes allow an organization’s security team to act quickly, which is a critical benefit because, as with most cybersecurity threats, time is of the essence. The faster a single endpoint compromise can be detected and stopped, the more the damage can be reduced, and the sooner the business can continue its operations.

Threat Hunting and Analytics: EDR enables advanced threat hunting, which actively searches for vulnerabilities and security threats instead of waiting to be triggered, and real-time analytics, which provides instant analysis (to assess what damage was done, or whether the alert actually matched a preconfigured rule). Both depend on trained eyes, either at the MSP or outsourced, as you will soon see with MDR.

Automation: Businesses can enable preconfigured incident rules to restrict suspicious activity. These rules can automatically perform certain incident response activities. This enables the solution to remediate certain incidents, which, in turn, reduces load on security analysts. These preconfigured “blast radius” reduction rules and actions can augment defensibility and show “due care” in our role to protect our customers’ sensitive data as well as our own.
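To make the four points above concrete, here is an added illustration of the EDR loop they describe: continuous process telemetry reported to one central view, preconfigured rules, and automatic isolation of a host when a critical rule fires. This is example code written for this article, not any vendor’s product; the rule names, the 1 to 4 severity scale, the isolate-at-critical policy and the sample events are all constructed assumptions.

```python
# Added illustration of the EDR workflow described above (continuous telemetry,
# preconfigured rules, automatic containment). Everything here is constructed:
# the rules, the severity scale and the sample events are not from any product.
from dataclasses import dataclass
from typing import Callable


@dataclass
class ProcessEvent:
    """One process-creation record as an endpoint sensor might report it."""
    host: str
    user: str
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str


@dataclass
class Verdict:
    host: str
    rule: str
    severity: int   # assumed scale: 1 low .. 4 critical
    action: str     # "alert" or "isolate"


# Preconfigured "blast radius" rules: (name, severity, predicate). Constructed
# examples of the behavioural rules an EDR console lets an operator enable.
RULES: list[tuple[str, int, Callable[[ProcessEvent], bool]]] = [
    ("office_spawns_shell", 4,
     lambda e: e.parent.lower() in {"winword.exe", "excel.exe", "outlook.exe"}
     and e.image.lower() in {"powershell.exe", "cmd.exe", "wscript.exe"}),
    ("encoded_powershell", 3,
     lambda e: e.image.lower() == "powershell.exe"
     and any(f in e.cmdline.lower() for f in (" -enc ", "-encodedcommand"))),
    ("shadow_copy_deletion", 4,
     lambda e: e.image.lower() == "vssadmin.exe"
     and "delete shadows" in e.cmdline.lower()),
]

ISOLATE_AT = 4  # assumed policy: critical findings isolate the host automatically


def evaluate(events: list[ProcessEvent]) -> tuple[list[Verdict], set[str]]:
    """Run every enabled rule over the telemetry stream.

    Returns the verdicts in the order they fired and the set of hosts that were
    isolated. A host is isolated once; later findings on it are recorded as
    alerts so the analyst still sees the full chain of activity.
    """
    verdicts: list[Verdict] = []
    isolated: set[str] = set()
    for event in events:
        for name, severity, matches in RULES:
            if not matches(event):
                continue
            if severity >= ISOLATE_AT and event.host not in isolated:
                isolated.add(event.host)
                action = "isolate"
            else:
                action = "alert"
            verdicts.append(Verdict(event.host, name, severity, action))
    return verdicts, isolated


def console_view(verdicts: list[Verdict], isolated: set[str]) -> dict[str, dict]:
    """Per-host summary of the kind a single central console would show."""
    view: dict[str, dict] = {}
    for v in verdicts:
        entry = view.setdefault(v.host, {"isolated": v.host in isolated,
                                         "max_severity": 0, "rules": []})
        entry["max_severity"] = max(entry["max_severity"], v.severity)
        entry["rules"].append(v.rule)
    return view


# Constructed sample telemetry: one benign workstation, one workstation showing
# a document-launched shell followed by shadow-copy deletion, and a legitimate
# backup job that only lists shadow copies.
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", "alice", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcessEvent("WS-02", "bob", "winword.exe", "powershell.exe",
                 "powershell.exe -EncodedCommand QUJD"),
    ProcessEvent("WS-02", "bob", "powershell.exe", "vssadmin.exe",
                 "vssadmin.exe delete shadows /all"),
    ProcessEvent("SRV-01", "svc_backup", "backupagent.exe", "vssadmin.exe",
                 "vssadmin.exe list shadows"),
]

if __name__ == "__main__":
    found, hosts = evaluate(SAMPLE_EVENTS)
    for v in found:
        print(f"{v.host:7} {v.rule:22} sev={v.severity} action={v.action}")
    print("isolated:", sorted(hosts))
    print(console_view(found, hosts))
```

Run as a script it isolates WS-02 on the first critical finding and records the two later findings on that host as alerts; the backup server’s `list shadows` job produces nothing, which is the distinction a human reviewing the console still needs to confirm, since the rule set is only as good as the person tuning it.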

Fast-spreading, self-propagating attacks that move rapidly between hosts, or botnets that harness the power of multiple hosts to fuel a Distributed Denial of Service attack targeting another victim network, are now entrenched realities of the cybersecurity world. Worse, however, is a growing class of actors that are actively trying to bypass EDR and other security controls. Company leaders can’t necessarily put all of their trust in security solutions focused on host-by-host protection. And alerts in an EDR that show as “remediated” may merely have blocked one stage of the attack rather than neutralizing its source. This is a major factor in the decision to employ an MDR solution.

Although all endpoint threat detection systems possess automated functions, they still require close supervision and handling by trained in-house cybersecurity personnel. The skills gap across numerous areas of IT (including security) complicates this, and can make it difficult for EDR to achieve the pinnacle of threat protection and risk reduction. In a cyberthreat landscape more varied and dangerous than ever, tools like EDR can result in vast capabilities and posture, or severe limitations for organizations based upon the skills and capabilities of the humans managing the EDR console.

What Is MDR and Why Is It So Important in Today’s Threat Landscape?

Managed detection and response (MDR) is not a single solution but rather a suite of security services. Often, this includes EDR software and some elements that EDR users might find familiar, plus a few new additions: proactive threat hunting tools, systems to prioritize and amplify the most urgent cyberthreat alerts, integration into the MSP ticketing system for appropriate SLA Management, and more. Specifics depend on what a given MDR company has to offer, the maturity of their platform, and the depth of integration with the partner delivering it.

Most important of all, MDR is best defined by the first word of its unabbreviated form: “Managed.” Through the MSP, the vendor providing the MDR service offers continuous monitoring and response to the organization from a dedicated team of cybersecurity experts, allowing the MSP’s own staff to focus on the needs of their partner. The solution’s component parts give the end user considerable visibility into the threat and vulnerability landscape surrounding it without worrying about directly controlling its security operations. These factors separate MDR from SOC-as-a-service (security operations center), which doesn’t necessarily offer as much visibility — often only a basic portal for certain interactions. As a result of these factors, it’s little surprise that 30% of MSPs expect to add MDR to their offerings within the next 12 months.

Another pervasive problem that plagues IT teams is managing the massive amount of cybersecurity alerts that they must confront on a day-to-day basis. While this isn’t a new problem, it’s one that’s steadily been increasing as endpoints proliferate in the forms of IoT, remote workers, connected supply chain partners, and hybrid networks.

Establishing how best to respond to each alert requires the kind of large-scale scope and expertise that many organizations simply cannot sustain in-house, and the volume can lead to “alert fatigue” for organizations that do not use MDR. These companies must have the right skillsets leveraging the right technology at the right time to remediate each threat before it evolves into a potentially serious breach, no matter when it happens.

That’s where MDR steps in. With this service, organizations can provide 24/7 coverage and access to expertise that would be extremely difficult to find and staff independently. And they can do it remotely. As the word “continuous” implies, MDR experts are available nearly around the clock, and are equipped to rapidly respond based on their know-how and experience to prevent, contain, or mitigate compromise.

One of the key benefits of MDR oversight is that it frees up internal security team members and resources to go toward ongoing efforts of improving the company’s broader security posture, while MSPs can focus on growing the business.
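The alert-fatigue problem and the ticketing/SLA integration mentioned earlier both come down to one triage step: collapsing a flood of raw alerts into a short, ranked queue with response deadlines. The following is an added example of that step, written for this article and not taken from any MDR provider; the asset weights, the four-tier SLA, the priority thresholds and the sample alert feed are all constructed assumptions.

```python
# Added illustration of the MDR triage step the text describes: many raw alerts
# collapse into a short, ranked queue with SLA deadlines that can be handed to a
# ticketing system. The SLA tiers, asset weights and sample alerts are all
# constructed assumptions, not any provider's policy.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime
    host: str
    rule: str
    severity: int   # assumed scale: 1 low .. 4 critical


@dataclass
class Ticket:
    host: str
    rule: str
    count: int          # raw alerts folded into this ticket
    priority: int       # 1 = respond first .. 4
    first_seen: datetime
    due: datetime       # acknowledgement deadline under the assumed SLA


# Assumed asset criticality; anything not listed is an ordinary workstation (1).
ASSET_WEIGHT = {"DC-01": 3, "SRV-FILE-01": 2}
# Assumed SLA: how long the responder has to acknowledge a ticket of each priority.
SLA = {1: timedelta(minutes=15), 2: timedelta(hours=1),
       3: timedelta(hours=4), 4: timedelta(hours=24)}


def priority_for(severity: int, host: str) -> int:
    """Risk score = severity x asset weight, bucketed into four priorities."""
    score = severity * ASSET_WEIGHT.get(host, 1)
    if score >= 8:
        return 1
    if score >= 4:
        return 2
    if score >= 2:
        return 3
    return 4


def triage(alerts: list[Alert]) -> list[Ticket]:
    """Fold repeated (host, rule) alerts into one ticket each, then rank the queue."""
    groups: dict[tuple[str, str], list[Alert]] = defaultdict(list)
    for a in alerts:
        groups[(a.host, a.rule)].append(a)
    tickets = []
    for (host, rule), items in groups.items():
        first = min(a.ts for a in items)
        pri = priority_for(max(a.severity for a in items), host)
        tickets.append(Ticket(host, rule, len(items), pri, first, first + SLA[pri]))
    # Highest priority first; within a priority, the oldest finding first.
    tickets.sort(key=lambda t: (t.priority, t.first_seen))
    return tickets


def overdue(tickets: list[Ticket], now: datetime) -> list[Ticket]:
    """Tickets whose acknowledgement deadline has already passed."""
    return [t for t in tickets if now > t.due]


T0 = datetime(2024, 1, 1, 9, 0)
# Constructed feed: 50 repeated logon-burst alerts from one workstation (the
# alert-fatigue case), plus three single findings of differing severity.
SAMPLE_ALERTS = (
    [Alert(T0 + timedelta(seconds=12 * i), "WS-07", "failed_logon_burst", 2)
     for i in range(50)]
    + [Alert(T0 + timedelta(minutes=1), "WS-03", "office_spawns_shell", 4),
       Alert(T0 + timedelta(minutes=2), "SRV-FILE-01", "mass_file_rename", 4),
       Alert(T0 + timedelta(minutes=5), "DC-01", "new_admin_account", 3)]
)

if __name__ == "__main__":
    queue = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(queue)} tickets")
    for t in queue:
        print(f"P{t.priority} {t.host:12} {t.rule:20} x{t.count:<3} due {t.due:%H:%M}")
    late = overdue(queue, T0 + timedelta(minutes=30))
    print("overdue at 09:30:", [t.host for t in late])
```

Fifty-three raw alerts become four tickets, and the two that touch the file server and the domain controller land at the top of the queue with 15-minute deadlines even though the workstation finding has the same raw severity. That weighting by asset criticality, plus the `overdue` check feeding an SLA report, is the part an MSP ticketing integration actually needs from the MDR provider.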

XDR: What’s Next in Cybersecurity

Extended detection and response (XDR) is the next logical step in the evolution of cybersecurity technology for modern businesses. XDR widens the scope to look at all critical vectors across an organization’s attack surface, ranging from host devices and other endpoints to network switches and potential cloud security issues. It additionally considers the shift from a device-centric, walled-garden security method, to an identity-centric one. An identity-centric position conveys that an individual’s network ends wherever their fingerprints land. This identity focus considers the reality that modern work is migrating to the cloud, which means one’s identity can be made vulnerable far beyond their fingertips.

Certain implementations of XDR combat this risk by pairing the user’s identity and their device holistically and concurrently, both on-prem and in the cloud. This conjoining can inform broader decisions about securing cloud workloads and how to evaluate next steps after a device has been compromised.

Unlike past security tools that focus on devices regardless of the identity of the user, XDR is equipped to use identity and how it correlates with this continuous device posture, echoing key principles of the zero-trust security framework that’s emerged in recent years — specifically, that the true identity of a user can be uncertain, which is why the integration of XDR can be a critical step in assessing trust.

This has the combined effect of giving an organization’s security team a complete picture of the attack surface at virtually any time, along with the peace of mind of knowing the MDR/XDR provider’s security experts have things under control and can give concise, actionable instructions for the MSP and the company to act on.

Growth in the emerging XDR market isn’t quite as far behind EDR as you might think.

  • Grandview Research valued it at $754.8 million in 2022 and projected a compound annual growth rate (CAGR) of 20.7% between then and 2030.
  • MarketsandMarkets cited $985 million as the XDR field’s 2022 value and expected that figure to reach $2.35 billion by 2027, for a 19.7% CAGR.

Finally, MSPs are particularly well-equipped to expand to an XDR approach — and offer it to their small- and medium-sized business (SMB) customers — precisely because they are less organizationally complex than large enterprises.

How Pax8 Can Help MSPs Redefine Endpoint Protection

Due to the ever-shifting, cat-and-mouse nature of cyber threats, modern organizations must widen their protective capabilities in response, and so must the MSPs that run many of their core functions. That’s exactly where the Pax8 Marketplace can help, particularly when it comes to MDR.

Pax8 is laser-focused on supporting MSPs’ growth journeys, and we know how vital security is to such endeavors. As a highly trusted cloud marketplace for best-in-class tech solutions, Pax8 can aid any MSP in finding the right cutting-edge security platform for its unique client base. Our options include Bitdefender, SentinelOne’s Vigilance MDR, Pillr, and Todyl. Whether an MSP chooses EDR, MDR, or opts for the emerging extensibility of these two solutions, it’s never been more important to guard your business’s endpoints against an ever-smarter, more aggressive phalanx of threats.
