This post is about understanding EDR & MDR – The dynamic Duo of Cyber Security
In today’s digital age, organisations of all sizes are at risk of Cyber Threats. Many organisations are turning to endpoint detection and response (EDR) and managed detection and response (MDR) solutions to protect their systems and data.
In this Tech Tips series, we will explain what EDR and MDR are, how they are similar and how they differ and provide practical examples of how they might be used in a Windows environment.
➡️What is EDR?
Endpoint detection and response (EDR) is a software solution that runs on an organisation’s endpoint devices, such as laptops and servers, to detect and respond to security threats. EDR software typically includes features such as behavioural analysis, threat intelligence, and incident response capabilities. EDR solutions are generally deployed on-premises and managed by the organisation’s I.T or security team.
➡️What is MDR?
Managed detection and response (MDR) is a managed service offered by a third-party provider. These providers monitor an organisation’s network and endpoint devices for security threats and respond to any detected incidents. MDR providers typically use a combination of software tools, such as EDR, and human analysts to monitor for threats. MDR solutions are typically deployed in the cloud and are managed by the provider.
➡️What is a typical EDR use case?
An organisation has deployed an EDR solution on all its Windows endpoint devices, such as laptops and servers. The EDR software is configured to monitor for suspicious behaviour, such as unusual network connections or changes to critical system files. At some point, the EDR software detects that a laptop has connected to an IP address that is known to be associated with a malicious website. The EDR software then generates an alert and automatically quarantines the computer to prevent further damage. The organisation’s I.T team is notified of the incident and begins an investigation to determine the cause of the infection and take appropriate actions.
➡️What is a typical MDR use case?
An organisation has engaged an MDR provider to monitor its Windows endpoint devices for security threats. The MDR provider uses a combination of software tools and human analysts to monitor the organisation’s network for suspicious activity. One day, the MDR provider’s software detects that a Windows server has been compromised by malware. The software generates an alert, and the human analysts investigate the incident and determine whether the malware is spreading to other systems on the network. The MDR provider’s team quickly isolates the affected systems and contains the malware before it can cause significant damage. The team then works with the organisation to determine the cause of the infection and take appropriate actions.
🦉Wrapping it Up
EDR and MDR are similar in that they are both designed to detect and respond to security threats. However, they differ in how they are deployed and managed. EDR is typically deployed on-premises (or connecting to a Cloud Console) and managed by the organisation’s IT or security team. In contrast, MDR is deployed in the cloud and operated by a third-party provider. Both solutions can effectively protect an organisation’s systems and data. Still, it’s important to understand the differences and choose the right solution based on the organisation’s specific needs.