The comparison may seem legitimate, especially when people think of these products as sitting on a single value chain, but that is hardly the case. Each serves a specific purpose, and cybersecurity vendors design such solutions to fit the shape and needs of a business. Managed Detection and Response (MDR) vs. Endpoint Detection and Response (EDR) is not the right question. Companies should instead ask which one is right for their organization.
One of the most common mistakes companies make, especially when they are just starting their security journey, is to buy either the most complex tool on the market or an all-in-one solution. Both approaches are wrong. The choice of security solution must match the company's profile, which usually means a tailored approach rather than an off-the-shelf default.
The fact that many small and medium-sized businesses believe cybersecurity ends with installing a simple endpoint security product only makes the problem worse. Cybersecurity is usually a multi-layered effort, even for small businesses. This depends heavily on the company
About the author
Liviu Arsene is Global Cybersecurity Researcher at Bitdefender
Endpoint Detection and Response sounds like a solution that detects and intercepts threats. In practice it is closer to a detective who uses clues to solve crimes. Using the same analogy, endpoint protection software is the police officer patrolling for signs of opportunistic crime. When the two work together, organized crime has a much harder time operating unnoticed.
A company whose security team has no EDR in place has little visibility into how an attack took place, where it started, how it spread, and, more importantly, how serious the threat was inside the company. If an organization runs EDR in its infrastructure, all of these details are available for later review of an incident, even if the attackers were successful. The value of this tool cannot be dismissed, since it helps the company understand which tactics and techniques it is vulnerable to and then take the appropriate steps to close those blind spots.
MDR fills a large gap in the market
When an organization crosses a certain size threshold, the volume of events and alerts becomes too large for internal teams to handle. You can push on with the existing team, which leads to employee burnout, or set up a Security Operations Center (SOC). Unfortunately, the latter is usually expensive and is only realistic for large companies with sufficient resources.
MDR is the right solution for companies that want to delegate part or all of their security operations to a dedicated external team. Companies can draw on the skills and know-how of these experienced security professionals and even pre-plan response measures for predefined attack scenarios. The main difference from an EDR solution is that security professionals continuously monitor the events, which allows faster intervention and more proactive threat hunting.
A major benefit of using EDR or MDR is the ability to determine the extent of an intrusion. Malware or other threats will likely attempt to move laterally within the infrastructure. Without a forensic tool, it would be nearly impossible to determine what happened after the initial infection or whether attackers succeeded in compromising and exfiltrating sensitive data.
With the right tools, an on-site or managed security team can see the initial attack vector and follow the chain of events across the rest of the infrastructure. This is extremely useful, as it is one of the best ways to uncover advanced threat actors or weaknesses that would otherwise remain hidden.
Mean time to detect (MTTD) and mean time to recover (MTTR) are two key performance metrics, especially when organizations need to determine the loss or potential damage of an attack. Both EDR and MDR help shorten these times and limit the financial impact of an attack.
Dwell time, the time attackers spend inside the infrastructure before they are detected, is another important measure. Once a business is breached, threat actors typically spend a lot of time moving laterally before they act on their objectives. An MDR solution in particular can be very useful in detecting such activity, especially when used in conjunction with endpoint protection.
In the end, human-led risk analysis, threat detection, and broader security resilience practices are typically packaged together in MDR offerings that organizations can use to secure their endpoints and the rest of their infrastructure.
The real question is not MDR vs. EDR. Companies should simply ask which of the two, or perhaps both, is right for them. Their value is undeniable in a fully digital world, and both should be present in a company's vocabulary and in its security strategy.
A breach, a DDoS attack, a successful phishing campaign, or simple negligence on the part of employees are no longer a question of "if". They are certainties waiting to happen, and EDR and MDR are weapons in an impending battle, whether companies like it or not.