One of the basic cybersecurity needs of businesses today is to detect threats to and within networks and effectively respond to threat signatures. However, choosing the right solutions that meet this need is challenging and always changing. Modern IT infrastructures are complex spanning hybrid cloud environments with increasingly distributed endpoints, so there is a wide threat surface to consider.
Furthermore, anyone tasked with researching the detection and response solutions has to negotiate a landscape of confusing acronyms. These acronyms may seem indistinguishable from each other, which makes it hard to know what solutions you need. This article breaks down the acronym soup of detection and response and helps your business make a more informed decision.
Cybersecurity is an industry awash with acronyms. Right from learning the fundamentals of cybersecurity, you’re introduced to the CIA triad (confidentiality, integrity, and availability).Within the landscape of security solutions, the acronyms just seem to become more numerous!
The reasons for this acronym soup in detection and response are twofold:
Here is a run-through of the main acronyms in detection and response.
An Endpoint Protection Platform (EPP) is a prevention-focused solution that attempts to block malware on endpoint devices. These endpoints include employee workstations, BYOD laptops, and IoT devices.
As the number of endpoints on the average network has increased and workforces have become increasingly remote, endpoint security risks have risen. In fact, a 2020 industry survey found that 68 percent of respondents saw the frequency of attacks against their endpoints increase over the last 12 months.
Typically, EPP solutions use signature-based detection coupled with personal firewalls and port control. The main drawback of EPP is that it can’t detect advanced threats that evade these front-line controls, and they don’t respond to threats…they only alert and block.
Coined by Gartner’s Anton Chuvakin, endpoint detection and response (EDR) is the name given to a type of security solution that detects and responds to threats that have got past anti-malware controls and are already in your environment.
The detection capabilities stem from continuous monitoring of endpoint events and endpoint data analytics. The response capabilities use automated rule-based decisions to respond to threats whether through containment or alerting. A drawback of EDR is that it only addresses threat detection and response on a single layer—your endpoints—so it’s not enough to defend against all threats.
Network detection and response (NDR) is a more recent innovation that you can think of like EDR but for the traffic and communication channels on your network. In many high-profile cyber-attacks, threat actors lurked on target networks, often for months at a time, probing for vulnerabilities and ways to escalate privileges.
It’s important for organizations to be able to detect and respond to these more advanced threats on their networks, not just on their endpoints. The now infamous SolarWinds attack exemplified how hackers can stealthily infiltrate a network and remain undetected for months at a time.
NDR uses centralized real-time monitoring and analysis of network traffic to detect threats. The response capabilities include dropping suspicious traffic with automated workflows or alerting security teams who can investigate threats. Once again, because NDR is focused on just one layer of defense it’s not sufficient alone.
Relying on multiple independent point solutions for detection and response on different layers of your IT infrastructure arguably makes it harder for security teams to keep up with the current threat landscape. Organizations need to detect and respond to threats targeting email, digital assets, mobile devices, network traffic, cloud-based solutions, and virtual machines.
Extended detection and response (XDR) attempts to unify detection and response across this threat landscape. XDR provides a single platform for gathering and correlating data, detecting advanced threats, and response capabilities across email, endpoints, servers, network traffic, and cloud workloads.
Managed detection and response (MDR) essentially outsources XDR capabilities to a managed provider that monitors your environment, detects emerging and active threats, and responds accordingly.
Naturally, the scope of XDR platforms is such that they generate a lot of security alerts, many of which turn out to be false positives. With the cybersecurity skills shortage showing no sign of slowing down, alert fatigue can be a real problem for security analysts.
This translates to a strong incentive to tune down different aspects of the XDR systems to combat this alert overload.The problem with tuning down is that it can lead to genuine threats going undetected. Outsourcing to an MDR is one way to combat this alert fatigue. However,MDR service providers are not immune to this either, as you will read shortly.
Managed solutions also have the advantage of being more cost-effective than setting up your own 24/7 dedicated team to detect and respond to threats.
Managed Security Services Provider (MSSP) is an old term but shouldn’t be forgotten. Traditionally, an MSSP remotely monitors your environment and alerts you about potential threats either by email or through a portal. An MSSP does the important work of monitoring a variety of security tools and logging and retaining event records. This is usually done thru a Security Information and Event Management tool (SIEM-see below). Those needs still exist and are not part of XDR.
Most, but not all, MSSP’s have dropped that acronym and use the more market driven MDR acronym. Is your MSSP using an XDR solution? Is that all they are using? A strict MDR provider that only uses an XDR is not enough. You still have other tools to monitor, plus the need to retain event records.
The key is to make sure you know what your partner is providing.
So, we’ve talked about end points, network devices, and the comprehensive XDR tools.
Security Information and Event Management (SIEM) is a key tool in the Security Operation Center (SOC). It captures alerts and data feeds from systems, tools and outside sources, normalizes and correlates them, and provides deep insight into the potential security events in real time. Most SOC’s use them as a dashboard to understand the full nature of what’s happening on your network.
With a SIEM, SOC operators then must dig deeper into the events to determine if/how to remediate the threat
Security Orchestration, Automation and Response (SOAR) is the latest tool used in the SOC. Like a SIEM, the SOAR solution takes in log and event data, but easily captures XDR inputs and outside data feeds on threats. They also allow you to create automated playbooks to respond quickly to a variety of common threats that you may be seeing in your environment. This ability to respond thru playbooks is what really sets SOAR apart.
SOAR does not, however, retain logs or allow for after-the-fact analysis. This is something you need, so a SOAR does not replace a SIEM.
The challenge for you is that, while these definitions are understood, many of the tools are adding features that cross over. XDR is a good example of converging EPP, EDR and NPR. Many SIEM tools are building SOAR capabilities and visa-versa. Some vendors are simply latching onto the latest acronym and not changing their capabilities.
I’m sorry to say that you will have to dig deep into tools and services to really understand what you are getting. But you are probably used to that.
Whether you call it MSSP, MDR or evenSOC-as-a-Service (don’t get me started), it makes sense to outsource all of this to a service provider. There are a lot of them!
Keep in mind that generic MDR providers, some with thousands of clients, must also address alert fatigue at huge scale.They also have financial considerations. That is, the more alerts they get, the more people they need, and the less profit they make.
To a generic MDR service, it doesn’t matter what you do. They look at landscapers, software companies and fast-food chains the same way. It’s just more devices to monitor. It’s true that most malware doesn’t know or care about your business, either. But the hackers do. More than ever, security events are targeted at specific industries and specific companies in those industries.
Do you want your security monitored by someone who knows nothing about you and treats you just like any other business?
A key difference that Security Pursuit offers is tailoring our solution to your business. We believe this focus allows us to balance alerts (everything gets thoroughly scrutinized) while providing aggressive response to protect your key assets. For example, we may see some early malicious indicators on a low-level device, but we may respond with quick isolation of a critical system to ensure it is protected.
We do this through a risk-balanced approach that is specific to your organization. We call it Bespoke MDR.
Security Pursuit uses the market driven MDR acronym to describe our managed service, and we use the latest and best XDR technology. However, we also capture alerts from your existing tools and normalize, monitor, and retain records through our SIEM and overlay our SOAR to provide the best possible security available. Our MDR service is among the most flexible and comprehensive in the industry.
Call us today to learn more. 720-675-7668 (ROOT)