The cyber security landscape has seen huge expansion and growth in the past 5 years and End Point Detection and Response (EDR) has been one of the biggest areas of expansion.

According to Ponemon Institute, 68% of organisations suffered one or more endpoint attacks that successfully compromised data or IT Infrastructure.

In 2018 Gartner had named EDR as a key capability for cyber security controls, by 2019 EDR was well on the way to becoming a Gartner product category by itself and leaving Antivirus behind as a legacy.

The short journey from Antivirus (AV) to Advanced Managed Detection and Response (AMDR)

Endpoint Detection and Response

As cyber criminals evolved their methods of attack, standard AV became unable to cope with modern attacks in any form; EDR has been the cyber security industry's response.

Fundamentally, EDR takes Antivirus (AV) and extends it beyond the endpoint as an isolated island to be protected. EDR achieves this by creating context between what many endpoints are detecting, correlating all of that data, and finally cross-checking it against the vendor's threat intelligence source. This provides deeper insight into the potential attack in play, based on what is known from existing attacks and on what is possibly unknown, using User and Entity Behaviour Analytics (UEBA).

The MITRE ATT&CK framework was born specifically because cybercriminals were becoming more sophisticated in their attacks on organisations, working easily around AV running on desktops. Where an AV solution could detect a file as malware by a known fingerprint in a virus definition or by suspicious behaviour, AV alone was not adequate to detect an attack that ran potentially "normal" commands, moved laterally on the network, performed reconnaissance, gained footholds on systems and ensured persistence.

The end goal: obtaining the necessary privileged credentials to fully discover all assets and to exfiltrate or encrypt data, then extort the victim or sell the data on the Dark Web for profit.

Thus, cyber criminals had moved beyond the lone machine compromise and become more sophisticated. EDR rose to meet this new challenge: EDR would not just look for malware on an endpoint, it could also determine that suspicious activity might be occurring on the network, because it accepts multiple telemetry sources and correlates them into suspicious behaviour for a Security Operations expert to analyse and confirm, or accept as OK.

An AV solution can do very little to prevent a modern cyber attack where some or all of the above techniques are employed.

EDR as a solution should be a baseline for all organisations as it seems to be an essential control, so why is Endpoint Detection and Response not implemented as a Risk control for all organisations who are beyond reactive cyber security?

As is often the case with software products, the promise and the reality rarely match customer expectations.

This is the reality of EDR: it is difficult and it is complex. Each endpoint sends thousands of telemetry data points to a central collector; taken across hundreds to thousands of endpoints, that becomes hundreds of thousands to millions of events to be correlated by security teams every, single, day.

Good EDR software reduces millions of correlations to thousands, after configuration and tuning to remove "suspicious" activities that are in fact innocent privilege escalations occurring every day on production IT infrastructure, or any of the myriad normal day-to-day operations in a business.

Few options exist for traditional EDR to manage the correlations, and none are ideal:

  • Increase alert thresholds to reduce false negatives
    • Increases false alarms
  • Decrease alert thresholds to reduce false positives
    • Increases possibility of missing real compromise
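To make the trade-off concrete, here is an added example in Python (not code from the original article or from any vendor): a toy scoring engine over constructed endpoint telemetry, with a hypothetical suspicion score per event, that counts false positives and missed compromises at two thresholds, and then shows how per-host correlation, the cross-endpoint context the text credits EDR with, can recover a sub-threshold miss without adding false alarms. All hosts, scores and labels are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    host: str        # endpoint that reported the event
    technique: str   # ATT&CK-style tactic label (constructed sample data)
    score: int       # 0-100 suspicion score from a hypothetical correlation engine
    malicious: bool  # ground truth, known only inside this simulation

# Constructed sample telemetry: routine admin activity mixed with one intrusion
# that spans several events on the same host (ws-05).
EVENTS = [
    Event("ws-01", "privilege-escalation", 55, False),  # daily admin elevation
    Event("ws-02", "privilege-escalation", 60, False),  # patch deployment
    Event("srv-03", "lateral-movement", 70, False),     # backup job over SMB
    Event("ws-04", "discovery", 40, False),             # asset inventory scan
    Event("ws-05", "lateral-movement", 65, True),       # attacker pivot
    Event("ws-05", "persistence", 80, True),            # attacker scheduled task
    Event("ws-06", "credential-access", 90, True),      # credential dump attempt
]

def tally(events, alerted):
    """Split outcomes into alerts, false positives and missed compromises,
    given the per-event alert decision list."""
    fp = sum(1 for ev, a in zip(events, alerted) if a and not ev.malicious)
    fn = sum(1 for ev, a in zip(events, alerted) if not a and ev.malicious)
    return {"alerts": sum(alerted), "false_positives": fp, "missed_compromises": fn}

def evaluate(events, threshold):
    """Per-event thresholding: every event scoring at or above the threshold
    raises its own alert, with no context from other events."""
    return tally(events, [ev.score >= threshold for ev in events])

def evaluate_correlated(events, threshold, combo=2):
    """Same threshold, but first build per-host context: a host with `combo`
    or more events scoring at least half the threshold is treated as suspicious
    as a whole, so its individually sub-threshold events are alerted together."""
    per_host = {}
    for ev in events:
        if ev.score >= threshold / 2:
            per_host[ev.host] = per_host.get(ev.host, 0) + 1
    flagged = {host for host, n in per_host.items() if n >= combo}
    return tally(events, [ev.score >= threshold or ev.host in flagged for ev in events])

def sweep(events, thresholds=(50, 75)):
    """Compare both strategies across thresholds to show the trade-off."""
    return {t: {"plain": evaluate(events, t),
                "correlated": evaluate_correlated(events, t)} for t in thresholds}
```

At threshold 50 the plain engine alerts on every routine admin action; at 75 it stays quiet on them but misses the attacker's pivot, which only the per-host correlation brings back.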

For large corporations where there is an operational Security Operations Centre (SOC) with Security Operations staff handling alerts 24/7, the problem may be manageable.

Extended Detection and Response (XDR)

Extended Detection and Response (XDR) is the answer to the fact that attackers are becoming more sophisticated, and that collecting data from endpoints alone may not provide enough telemetry for a full detection capability in all cases.

XDR adds data sources to the traditional EDR solution for a more complete picture of what has occurred when a breach happens; these sources may be network switches, cloud apps, firewalls and so on. XDR has also brought significantly more complexity to the data being collected, and therefore to the time required both to deploy XDR successfully and to generate alerts from the data when correlating it with other, unmatched data sources.

Managed Detection and Response (MDR) Providers are the next industry step in preventing Cyber Attacks.

Organisations of all sizes have the same requirement to detect and respond to a cyber attack, yet an EDR/XDR solution simply cannot be applied equally to all organisations.

  • The requirements for monitoring and maintaining an EDR solution may not stack up against the expertise required to manage the alerting generated on a daily basis.
  • An organisation may have no desire or need to employ a team of security analysts, or to extend its SOC, for the occasion when it is breached and needs this expertise – on average less than once per year per organisation.

Gartner have predicted that 50% of enterprise EDR customers will be using Managed Detection and Response providers by 2023.

Enterprise customers, not small to mid-sized enterprises! EDR/XDR is hard to do well without human expertise.

EDR XDR MDR Provider

The primary difference between EDR/XDR and MDR is the "provider": MDR services provide an organisation with all the correlation, threat intelligence, threat hunting and expert analysis for the business's security needs.

MDR providers came into the mainstream because the cyber security industry is acutely aware that organisations understand the difficulty of EDR management for most businesses: the promise does not match the reality.

Using MDR, the business's cyber security Protection, Detection and Response is outsourced; the business need only concern itself with running its income-generating functions while experts manage its cyber security.

There are problems with the MDR approach that make the solution less than ideal for many organisations, including:

  • What data is being collected from the EDR/XDR clients?
    • If it is personally identifiable, is data sovereignty an issue?
  • How much data is being sent from the client to the MDR provider?
  • Does the MDR provider charge the client for false positives?
  • Is the scanning real time or scheduled?
  • Mean Time To Detect (MTTD)
    • Slow, because human analysts have to handle many clients
  • Mean Time To Respond (MTTR)
    • Slow, because human analysts have to resolve issues across multiple clients
  • Remediation process
    • What information does the MDR provider give the client?
    • What needs to be paid for separately?
  • Human operators suffer fatigue, false positive issues and mistakes
  • Requires administrative rights to all machines at the client site

MDR solutions are a viable proposition for customers who do not wish to implement EDR/XDR themselves because of its overheads, its complexity and its requirement for specialised security personnel and expertise.

Probably the most significant downside of the traditional MDR solution is that the provider is simply taking on the responsibility of managing an EDR/XDR platform, with all the challenges that brings: all the shortcomings are applied across many more endpoints, along with the difficulty of correlating thousands of endpoint devices. An individual client can become lost in an alert storm.

Advanced Managed Detection and Response (AMDR)

The next client revolution after EDR/XDR/MDR is the Advanced Managed Detection and Response provider (AMDR), or Artificial Intelligence driven Managed Detection and Response provider.

Cybots AI is the first AMDR provider in the world, and Cybots is leading the implementation of Artificial Intelligence in analysing telemetry and correlation, then applying threat intelligence to provide Protection, Detection and Response, thereby managing this complexity completely for clients.

The AMDR takes a forensic approach to the problem of processing the vast amounts of telemetry data sources and correlation functions traditionally completed by SOC operators and Tier 1 and Tier 2 security operators.

First, at the endpoint, only metadata that needs further processing is sent for deep analysis, reducing the traffic between the device and the network to the range of hundreds of kilobytes per day.

Next, Cybots AMDR applies Artificial Intelligence (AI) and machine learning (ML) algorithms to process all the telemetry data, then automatically applies Threat Intelligence insights from multiple sources to the suspicious data, identifying known threats and attacks. Any advanced suspicious activity, around one in every ten suspicious actions, is automatically routed to a Cybots Tier 3 security expert for analysis, making AMDR fast.

MSSP AMDR

What AMDR gives the MSSP providing the service is a much lower Total Cost of Ownership and much improved MTTD and MTTR:

  1. All correlation and analysis processing is completed before the MSSP or SOC operations team receives the alert.
  2. No false positives, no configuration required.
  3. The initial compromise alert is generated within 60 seconds of detection.
  4. 15 minutes later, the full flight plan of the incident (infected endpoints, threat intelligence information and the remediation plan, including files to isolate) is in the hands of the response team.
  5. A story board of the incident, displaying all aspects of the cyber attack, is presented to the incident response team.

Client Organisation

AMDR gives organisations the ability to achieve the highest level of cyber security risk reduction by outsourcing their Protection, Detection and Response services to an AMDR provider.

  1. No false positives, no configuration
  2. No personal data is transmitted to the AMDR platform
  3. No administrative rights are given to the AMDR provider
  4. The response to a Cyber attack is 1 minute for the initial report and 15 minutes for the full remediation plan.
    1. No security specialisation needs to be hired, the AMDR provides the response plan down to the End Point and files that need to be removed.
  5. Client can use AMDR as a part of their SOC team, using the AMDR for all security Expertise.

Summary

In summary, whether looking at EDR/XDR or MDR as the solution to an organisation's protection, detection and response requirements, consider all the variables of your chosen path.

EDR/XDR solutions have a steep learning curve and no easy path to correct implementation. When an organisation cannot implement correctly, there is no "free" consultancy service to help. EDR solutions have a very high Total Cost of Ownership (TCO) with very little relief: when purchasing a 12 month subscription, a client may only receive 6-8 months of useful service because of implementation timelines.

MDR provider solutions will take over from EDR for the majority of clients because they hide the complexity from the client, with the MDR provider managing this risk. The costs behind the MDR veil are similar to those of the EDR customer, so be wary of charges for false positive alerts and investigations that do not need to occur.

AMDR provider solutions like Cybots are the next generation of MDR services: fully automated, using advanced Artificial Intelligence, with no human analysis needed for 90% of the correlation, threat hunting or threat analysis, thereby speeding up threat hunting to minutes from the first sign of compromise. Expert oversight is minimal and there is nothing to pay above the service price.

If you operate a business and your primary function is not Information Technology, then a managed service approach to cyber security is likely the best approach for your organisation. Many companies moved to Microsoft Office 365, Google Cloud, Amazon AWS, Salesforce and so on for the budgetary and fixed-cost benefits, because it is more cost effective than on-premise hardware and software; Advanced Managed Detection and Response is the same.

Good providers of Advanced Managed Detection and Response protect your business with an expert level of coverage, whether you have 20 staff or 20,000, and in most situations faster than your own staff could respond.
