Is EDR Enough?

What is EDR?

The best way to think about Endpoint Detection and Response (EDR) is as a next-generation antivirus technology. EDR focuses on system-level behaviour on the endpoint and can store that behavioural data for later investigation. EDR typically involves an element of Artificial Intelligence (AI) to detect suspicious behaviour and block malicious activity. The alerts generated by EDR allow internal security teams to investigate potential breaches further.

Why is it good?

EDR focuses on one of the biggest attack surfaces within your organisation: your people. Studies from Verizon and Tessian have shown that over 80 percent of breaches are a result of human error, so it’s an important area to focus on. The use of AI in EDR is a real advantage for organisations that don’t have a large cyber security team, or have none at all, as many of the functions can be automated.

How EDR falls short

The main benefits of EDR are also its weaknesses. Focusing on endpoints leaves the rest of the network unmonitored, and attacking the endpoint is just one of the countless ways an attacker can get into your network. As good as AI technologies have become, they are still far from the capabilities of the cyber security analysts you would find in a Security Operations Centre (SOC). AI is rarely able to add context to alerts the way a human can.

Why MDR is better

Managed Detection and Response (MDR), by its very design, addresses the shortcomings of EDR. A correctly designed MDR solution will take feeds from all of your critical assets, including cloud environments, endpoints, internal servers and security devices. In some instances, an MDR solution will even take feeds from an EDR solution already in place. The key benefit, however, is the support of a SOC, where cyber security analysts take the alerts generated by Security Information and Event Management (SIEM) technologies and add human intelligence to them: correlating other events and investigating to determine whether the suspicious activity is a breach or not.

So, is EDR enough?

This is a tricky question, as it really depends on the type of organisation you work in. MDR gives far superior coverage, so many would say that EDR is not sufficient on its own. However, MDR is typically more expensive, as it uses humans in conjunction with AI technologies to deliver the service, whereas EDR typically relies on AI alone. MDR can also take more time to set up, as it works with more complex information sources to deliver event information to the SOC. To add complexity to this buying decision, MDR services can be tailored to focus only on a high-priority scope, which can reduce the cost significantly.

So where does that leave us? If you are considering implementing an EDR solution, MDR should be considered at the same time. Here at e2e-assure we can guide you through the options available to you and help you make an informed decision. Drop us an email or click the link (it’s safe) to find out more.

Angus Cogan, Senior Business Development Manager

Written on February 27, 2023