If you’re shopping for or renewing a cyberliability insurance policy these days, or you’re subject to an IT audit, you’ve probably heard the acronyms EDR and MDR. The information technology industry loves acronyms, and even though EDR and MDR are often used interchangeably, they are not the same thing. We’ll demystify these cybersecurity services by answering a few common questions so you will know what you need.
Why are EDR and MDR Solutions Used?
Both EDR and MDR solutions are used to detect intruders after they’ve entered the network and before they deliver their payload, even if they avoid detection by antivirus, firewalls, and web filtering. These phases of a cyberattack are known as Enumeration and Spread. In Enumeration, the attacker’s automated tooling asks, “Who am I? Where am I? Where can I go? Who do I need to be to deliver the most damage?” In Spread, the malicious software pivots to stealing data, establishing persistence, hunting users, replicating itself to multiple locations on the network, and distributing toolsets and malware to deliver the payload and truly launch the attack.
It’s critical that EDR and MDR solutions recognize and stop criminal activity during the Enumeration and Spread phases, because at that point other defenses have already failed and it’s the last step before you become the victim of ransomware or another cyberattack.
What makes EDR Different from MDR?
Endpoint Detection and Response (EDR) solutions are typically based on agent software running directly on the workstations and servers they’re responsible for monitoring. EDR does not typically monitor switches, access points, and devices that can’t have an agent installed, such as Internet of Things (IoT) appliances like HVAC controls, magnetic door lock systems, printers, etc. Criminals are highly skilled, and almost everything has microchips in it these days, so attacks can be launched from many types of network-connected devices, even if the device is not a traditional computer. In short, EDR systems, while better than nothing, have some big blind spots.
When Should You Use MDR over EDR?
Managed Detection and Response (MDR) is typically superior to EDR, because it monitors not only workstations and servers, but also network traffic as a whole. MDR systems can usually spot patterns and unusual activity faster than EDR systems.
What is SOC?
There’s one more acronym you need to know: SOC, or Security Operations Center. In most cases, a SOC refers to a center staffed by people working 24 hours a day, 7 days a week, 365 days a year to monitor the exceptions and actions noted by EDR and MDR systems. Even if you have an EDR or MDR system, we believe it’s essential to have humans who can read and interpret the telemetry and pay attention to the automated responses of the EDR/MDR system. If the EDR/MDR makes a bad call and prematurely shuts down your network, a human needs to review what happened, make sure the coast is clear, and re-enable traffic to minimize business disruption from false positives. On the other side of the coin, if an EDR/MDR-detected threat is insufficiently neutralized, you can still be at risk. Humans need to be able to monitor emerging threats, orchestrate the defense, and call for additional resources if needed.
How Does Pegasus Identify Threats in Realtime?
Pegasus SNAP-Defense is a Security Operations and Incident Response platform that will not only detect and halt breaches in their earliest stages, but will also automatically generate dynamically updated compliance reports, greatly simplifying the compliance and regulation portion of doing business and allowing you to focus on other areas that need attention. Pegasus SNAP-Defense is effectively an MDR with EDR and SOC built in, so we check lots of cybersecurity boxes, keeping your business running with safety and efficiency. SNAP-Defense is competitively priced and offers significantly more capabilities and value than competing solutions by offering:
- Multi-Point Threat Detection
- Realtime Threat Response
- Risk and Compliance Reporting
  - Summary Report
  - Compliance Report
  - Privileged Activity Report
  - Security Events Report
  - Network Report
- Privileged User Visibility
- 365 Defense