Modern enterprise cybersecurity requires ongoing behavioral analysis. It is critical to know whether users, devices, software or services are acting unusually or suspiciously.
Endpoint detection and response (EDR) and extended detection and response (XDR) technologies play key roles in enterprise behavioral analysis.
But when it comes to EDR vs. XDR, is one a better fit for certain organizations than others? Or should both be used? Learn about their capabilities to decide.
Behavioral analytics collection with EDR and XDR
Behavioral threat analytics, also known as user and entity behavior analytics (UEBA), relies on gathering relevant information and sifting through it for known bad or anomalous behaviors. Known bad behaviors are tasks an enterprise identified an entity should not be doing, such as an office PC attempting to port scan a server in the data center, or a brokerage trader's PC trying to operate a Discord community server.
Anomalous behaviors are actions not categorically forbidden by policy but are unusual and worth further investigation -- such an action might turn out to be a security breach. Examples include an administrative assistant downloading hundreds of gigabytes of contact information from the CRM, or a user account logging in from Vladivostok instead of Pittsburgh.
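An added example, not from the article, showing how the two categories above turn into detection logic: a policy rule for the known-bad case (an office workstation probing many ports on a data-center host) and baseline comparisons for the anomalous ones (a login from a new city, a download far above the user's earlier sizes). The event records, field names and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, one per endpoint observation, in the shape an EDR
# agent or log pipeline might emit them (not real data).
EVENTS = [
    {"user": "alice", "host": "ws-101", "kind": "login", "city": "Pittsburgh"},
    {"user": "alice", "host": "ws-101", "kind": "login", "city": "Pittsburgh"},
    {"user": "alice", "host": "ws-101", "kind": "login", "city": "Vladivostok"},
    {"user": "bob", "host": "ws-102", "kind": "download", "bytes": 2_000_000},
    {"user": "bob", "host": "ws-102", "kind": "download", "bytes": 300_000_000_000},
    *[{"user": "carol", "host": "ws-103", "kind": "connect", "dst": "db-01", "port": p}
      for p in range(1, 40)],
]

# Known bad (policy): a workstation touching this many distinct ports on one
# data-center host is treated as a port scan, regardless of baseline.
SCAN_PORT_THRESHOLD = 20
# Anomalous (baseline): a download this many times larger than the user's
# previous largest download is flagged for review, not blocked outright.
DOWNLOAD_SPIKE_FACTOR = 100


def analyze(events):
    """Return a list of (category, user, detail) findings."""
    findings = []
    ports = defaultdict(set)       # (host, dst) -> distinct destination ports
    cities = defaultdict(list)     # user -> login cities seen so far
    downloads = defaultdict(list)  # user -> download sizes seen so far
    for e in events:
        if e["kind"] == "connect":
            ports[(e["host"], e["dst"])].add(e["port"])
        elif e["kind"] == "login":
            seen = cities[e["user"]]
            if seen and e["city"] not in seen:  # new location vs. history
                findings.append(("anomalous", e["user"],
                                 f"login from {e['city']}, usually {seen[0]}"))
            seen.append(e["city"])
        elif e["kind"] == "download":
            prior = downloads[e["user"]]
            if prior and e["bytes"] > DOWNLOAD_SPIKE_FACTOR * max(prior):
                findings.append(("anomalous", e["user"],
                                 f"download of {e['bytes']} bytes far above baseline"))
            prior.append(e["bytes"])
    for (host, dst), p in ports.items():
        if len(p) >= SCAN_PORT_THRESHOLD:
            user = next(e["user"] for e in events if e["host"] == host)
            findings.append(("known_bad", user, f"{host} probed {len(p)} ports on {dst}"))
    return findings
```

The split matters for response: a known-bad hit can justify an automated action such as isolating the host, while an anomalous hit is a queue item for an analyst.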
How EDR handles threat analytics
EDR tools turn endpoints into pieces of a threat analytics architecture and use them to gather data about the health of the endpoint and what it is doing. An EDR tool might record what user is logged into the machine, what programs are running on it at any given moment and what those programs are doing across the network or on specific services.
IT teams can deliver EDR via a standalone client, or EDR functionality can be integrated with standard endpoint protection tools that do antimalware, firewalling, intrusion prevention, etc. Being integrated with or using the same tools as the endpoint protection (EPP) system amps up the response part of EDR. It expands the options available to the system to act in response to threats when detected. Responses could range from enhanced logging to removing a user or shutting down a device.
Nemertes' Secure Cloud Access and Policy Enforcement 2021-22 research study found organizations that are more successful in cybersecurity are more likely to be using a combined EPP-EDR agent.
How XDR handles threat analytics
XDR systems perform the actual behavioral threat analysis. They apply methods ranging from simple pattern matching to machine learning and natural language analysis to spot threats and risks. XDR systems work on data streams from server platforms, applications, cloud services and physical or virtual network devices.
With the addition of EDR, XDR platforms also pull data from endpoints. XDR is basically a rebrand of UEBA. The "extended" part can be interpreted as extending the analysis to more streams of data, especially from EDR systems, but does not indicate a change in fundamental function or purpose.
EDR, XDR or both? And what about MDR?
Simply put, EDR without XDR is useful and XDR without EDR is useful. But in an ideal deployment, EDR feeds into and is directed by an XDR system.
Cybersecurity teams are -- and long have been -- running chronically understaffed and overworked. Risks are proliferating and the potential business impact of a serious breach continues to increase. The expansion of standard security operations to include EDR and XDR will inevitably spark another round of "DIY or buy" in cybersecurity leadership.
That's where managed detection and response (MDR) services come in. MDR can be an extension of an existing SOC outsourcing contract or undertaken as a more focused offering bought in addition to or instead of a SOC service. In general, smaller organizations don't have the resources to properly staff and fund a SOC and would be well advised to fold MDR into any SOC outsourcing deal they explore. Large organizations can likely manage threat detection and response in-house if they already run their own SOC.
Organizations outsourcing a SOC may decide to insource this kind of threat response because events surfaced via EDR and XDR are likely to be either about an insider threat or a breach that has already taken root somewhere inside the organization. In either of these situations, the SOC service may have a limited scope of response available.
Organizations pursuing EDR should look for products that:
- incorporate EPP functions or tightly integrate with an EPP client;
- integrate out of the box with their SIEM or XDR systems;
- provide agents for all relevant OSes;
- provide identical function across all platforms and devices, including desktop, laptop and mobile; and
- deliver a broad set of potential response options.
Organizations seeking XDR should, among other things, look at:
- breadth of data sources understood and out-of-the-box integration;
- range of response options;
- availability of a rich library of templates or runbooks for responses; and
- meaningful incorporation of AI techniques into the analytics.
Research from Nemertes has shown organizations that are more successful in cybersecurity are also more likely to integrate EDR with secure access service edge, cloud access security broker (CASB) and secure web gateway as a service (SWGaaS) deployments, and XDR with their software-defined perimeter, CASB and SWGaaS services.