Managed detection and response is an increasingly popular offering from software and services vendors alike. The growth in popularity, however, has been followed by an expansion of offerings. Along with MDR, there's now MEDR, MNDR and MXDR, just to name a few additional MDR services.
Let's take a look at the differences between these managed options and explore which company profiles are more suited to adopting one MDR security service over another.
Defining managed detection and response
At the highest level, MDR is an umbrella term for the whole managed detection and response space: a provider monitors the customer's security telemetry, investigates what it finds and responds on the customer's behalf. It has gained traction with organizations that want or need to outsource portions of their cybersecurity programs. While MDR offerings can include software automation, most are a hybrid of human expertise and technology.
At minimum, MDR services generally offer the following benefits:
- Threat hunting (detection). Security experts proactively look for threats before they trigger an alert or cause damage. Unlike incident responders, who validate alerts raised by a security operations center or SIEM and investigate their root cause, threat hunters start from a hypothesis about attacker behavior and look for signs of compromise or attack that have not yet produced an alert in the SOC.
- Threat intelligence. Information about threats is collected, analyzed and disseminated to help teams identify and respond to attacks before damage occurs, or to help recover as quickly as possible.
- Automated and manual response. Once a threat has been detected, action must be taken to neutralize it. Like the MDR service itself, the response may be based on human intervention or automation. In general, well-defined containment tasks, such as quarantining a known-malicious file or isolating a host from the network, are handled automatically, while more complex tasks -- for example, forensic assessment of a compromised endpoint -- require human intervention.
What are MEDR, MNDR and MXDR?
With a high-level understanding of what MDR is, here are three of the most common associated acronyms:
- Managed endpoint detection and response (MEDR). The focus for this service is specifically on endpoints. Vendors that have endpoint protection agents will often augment their offering by providing managed detection and response specifically for their software.
- Managed network detection and response (MNDR). Not everything happens on an endpoint, and not every device can run an agent. MNDR focuses on network traffic and infrastructure rather than endpoint telemetry, including servers, email, routers and firewalls. Offerings include on-premises, hybrid or all-cloud MNDR.
- Managed extended detection and response (MXDR). Want detection and response for both endpoints and networks? Or to extend coverage to IoT devices or operational technology networks? That's where MXDR comes in. Threats can be correlated across endpoints and the infrastructure, and services often include direct support for in-house SOC activity.
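To make the earlier description of MDR's core activities (threat hunting, threat-intelligence enrichment and tiered automated versus manual response) and the MXDR point about correlating endpoint and network telemetry concrete, here is an added example. It is not code from the article or from any vendor; the endpoint events, DNS and flow records, indicator list, hostnames and thresholds are all constructed for illustration.

```python
"""Toy MXDR-style hunt: correlate endpoint process telemetry with network
telemetry, enrich with threat intel, and tier the response.
Added example; all events, hosts, indicators and thresholds are constructed."""
from datetime import datetime, timedelta

# Constructed EDR-style process events. No alert has fired on any of them;
# the hunt looks for a pattern the SOC has not yet been told about.
ENDPOINT_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "ws-017", "parent": "outlook.exe",
     "image": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA..."},
    {"ts": "2024-05-01T09:00:09", "host": "ws-017", "parent": "powershell.exe",
     "image": "rundll32.exe", "cmdline": "rundll32 C:\\Users\\Public\\up.dll,Run"},
    {"ts": "2024-05-01T09:15:00", "host": "ws-042", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell Get-Date"},
    {"ts": "2024-05-01T10:02:00", "host": "srv-db1", "parent": "services.exe",
     "image": "sqlservr.exe", "cmdline": "sqlservr.exe -sINSTANCE"},
]

# Constructed NDR-style DNS and flow records from the same estate.
NETWORK_EVENTS = [
    {"ts": "2024-05-01T09:00:07", "host": "ws-017", "kind": "dns",
     "value": "update-cdn.example-bad.test"},
    {"ts": "2024-05-01T09:00:12", "host": "ws-017", "kind": "flow",
     "value": "198.51.100.23:443", "bytes_out": 4_200_000},
    {"ts": "2024-05-01T09:15:02", "host": "ws-042", "kind": "dns",
     "value": "time.windows.com"},
]

# Constructed threat-intel indicators (domain and IP lists).
THREAT_INTEL = {"domains": {"update-cdn.example-bad.test"},
                "ips": {"198.51.100.23"}}

OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
EGRESS_THRESHOLD = 1_000_000   # bytes; assumed threshold for this example
WINDOW = timedelta(minutes=2)  # assumed correlation window after a lead


def hunt_endpoint(events):
    """Hunt hypothesis: a mail/Office client spawned encoded PowerShell.
    Returns matching events as leads; nothing here depends on an alert."""
    return [e for e in events
            if e["parent"].lower() in OFFICE_PARENTS
            and e["image"].lower() == "powershell.exe"
            and "-enc" in e["cmdline"].lower()]


def correlate(lead, net_events, intel):
    """Cross-source correlation: network events on the lead's host inside
    WINDOW after the lead, enriched with intel matches and egress volume."""
    t0 = datetime.fromisoformat(lead["ts"])
    hits = []
    for n in net_events:
        if n["host"] != lead["host"]:
            continue
        dt = datetime.fromisoformat(n["ts"]) - t0
        if not (timedelta(0) <= dt <= WINDOW):
            continue
        reasons = []
        if n["kind"] == "dns" and n["value"] in intel["domains"]:
            reasons.append("dns_matches_intel")
        if n["kind"] == "flow":
            ip = n["value"].rsplit(":", 1)[0]
            if ip in intel["ips"]:
                reasons.append("ip_matches_intel")
            if n.get("bytes_out", 0) >= EGRESS_THRESHOLD:
                reasons.append("large_egress")
        if reasons:
            hits.append({"event": n, "reasons": reasons})
    return hits


def plan_response(lead, hits):
    """Tier the response: containment safe to automate vs. analyst work.
    Intel-confirmed contact is auto-contained; forensics always goes to a human."""
    reasons = {r for h in hits for r in h["reasons"]}
    automated, manual = [], []
    if reasons & {"dns_matches_intel", "ip_matches_intel"}:
        automated.append(("isolate_host", lead["host"]))
        automated.append(("quarantine_process_tree", lead["host"], lead["image"]))
    if "large_egress" in reasons:
        manual.append(("assess_data_exfil", lead["host"]))
    manual.append(("forensic_triage", lead["host"]))
    return {"host": lead["host"], "automated": automated, "manual": manual}


def run_hunt(endpoint_events=ENDPOINT_EVENTS, net_events=NETWORK_EVENTS,
             intel=THREAT_INTEL):
    """Full pipeline: hunt -> correlate -> tiered response plan per lead."""
    return [plan_response(lead, correlate(lead, net_events, intel))
            for lead in hunt_endpoint(endpoint_events)]


if __name__ == "__main__":
    for plan in run_hunt():
        print(plan)
```

Run as-is and the benign hosts (ws-042, srv-db1) produce nothing, while ws-017 yields a lead from the endpoint hunt alone; only the network correlation step turns that lead into intel-confirmed command-and-control contact with bulk egress, which is what justifies automated isolation while the forensic work stays with an analyst. A pure MEDR service would see the first half of this picture and a pure MNDR service the second; the correlation across both is the MXDR selling point the text describes.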
Which MDR service fits your company?
There's rarely a one-size-fits-all solution in security. But there are a few questions to ask when deciding which service is best for your current organization and needs, including the following:
- Are your endpoints covered? Remote work and zero-trust architecture highlight how critical endpoints are to an organization's overall security posture. If you don't have a strong endpoint protection program in place, MEDR is a wise place to start.
- How's your SOC? If you have a SOC up and running but don't have time to track all the alerts it generates, augmentation with any of MEDR, MNDR or MXDR could help. One of the benefits of using MDR for SOC augmentation is extending and enhancing your existing team. These services are especially valuable if the team is underwater triaging alerts and has no time left for active threat hunting.
- Are you understaffed? If your company is unable to support full-time security staff, MXDR may be the best fit. In this case, an MXDR team acts in partnership with your in-house or outsourced operations team to continuously hunt for threats, monitor for attacks and respond as necessary.