MSS, EDR, MDR: What’s the Difference and Which Do You Need?

As cybersecurity threats grow more sophisticated, a combination of MSS, EDR and MDR can help organizations bring intelligence to their security posture

The cybersecurity threat landscape is constantly evolving, with threats becoming more sophisticated and persistent. With digital transformation occurring across industries and internet-connected devices of every variety pouring into enterprises, the attack surface keeps growing, with more endpoints than ever to protect. Most IT and security teams are struggling to keep up, especially when faced with a global shortage of skilled security staff.

A number of organizations have turned to managed security services (MSS), which provide security management, monitoring and maintenance. But while an MSS can help organizations monitor for, triage and respond to alerts, the approach has a limit: an MSS is predominantly focused on known threats, because its alerts come from signatures and rules written for attacks that have already been seen. The most dangerous threats are the ones no one has seen before. An MSS is a reactive service, based on what is already known and on what its tooling surfaces in an organization's environment.

How is it possible to defend against the unknown? By first baselining what normal looks like for environments and users (which processes spawn which, which accounts log on to which hosts, what a workstation talks to) and then proactively looking for deviations from that baseline that may signal malicious activity. This is where the strength of endpoint detection and response (EDR) technologies lies, and many enterprises and government agencies have begun to adopt them. EDR merges real-time behavioral analytics with current threat intelligence to pinpoint novel malware strains and adversaries who have already gained a foothold and are lying low until they are ready to act.
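The baseline-then-anomaly idea above is easy to state and worth seeing concretely. The following is an added example, not code from the article or from any EDR product: it learns a per-host baseline of parent-to-child process lineage and of which users normally appear on which hosts from a window of constructed telemetry, then flags new events that fall outside that baseline. The pipe-delimited record format, the field names and the `min_hosts` rarity threshold are assumptions made for the example.

```python
"""Baseline-then-anomaly detection over endpoint process telemetry.

Added example, not code from the original article or any EDR vendor. The
telemetry below is constructed for illustration; the 'ts|host|user|parent|image'
record layout and the thresholds are assumptions, not a real product's format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]  # (parent image name, child image name)


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    user: str
    parent: str
    image: str


def parse_events(lines: List[str]) -> List[ProcessEvent]:
    """Parse 'ts|host|user|parent|image' lines (assumed layout); skip blanks and '#' comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, user, parent, image = line.split("|")
        # Normalize case so 'POWERSHELL.EXE' and 'powershell.exe' are the same key.
        events.append(ProcessEvent(ts, host.lower(), user.lower(), parent.lower(), image.lower()))
    return events


class LineageBaseline:
    """Learns which parent->child pairs and which users are normal on each host."""

    def __init__(self, min_hosts: int = 2):
        self.min_hosts = min_hosts                                   # below this many hosts a pair is 'rare'
        self.host_pairs: Dict[str, Set[Pair]] = defaultdict(set)     # host -> pairs seen there
        self.pair_hosts: Dict[Pair, Set[str]] = defaultdict(set)     # pair -> hosts it was seen on
        self.user_hosts: Dict[str, Set[str]] = defaultdict(set)      # user -> hosts they appeared on

    def learn(self, events: List[ProcessEvent]) -> None:
        for ev in events:
            pair = (ev.parent, ev.image)
            self.host_pairs[ev.host].add(pair)
            self.pair_hosts[pair].add(ev.host)
            self.user_hosts[ev.user].add(ev.host)

    def score(self, ev: ProcessEvent) -> List[str]:
        """Return the reasons an event deviates from the baseline (empty list = normal)."""
        reasons: List[str] = []
        pair = (ev.parent, ev.image)
        if pair not in self.host_pairs.get(ev.host, set()):
            reasons.append("new-lineage-on-host")
            seen_on = len(self.pair_hosts.get(pair, set()))
            if seen_on == 0:
                reasons.append("never-seen-fleet-wide")
            elif seen_on < self.min_hosts:
                reasons.append(f"rare-fleet-wide:{seen_on}-host")
        if ev.host not in self.user_hosts.get(ev.user, set()):
            reasons.append("user-new-to-host")
        return reasons


def detect(baseline_lines: List[str], new_lines: List[str], min_hosts: int = 2):
    """Learn from the baseline window, then return (event, reasons) for every flagged new event."""
    baseline = LineageBaseline(min_hosts)
    baseline.learn(parse_events(baseline_lines))
    return [(ev, r) for ev in parse_events(new_lines) if (r := baseline.score(ev))]


# Constructed baseline window: three workstations, one interactive user each.
BASELINE_TELEMETRY = """
2024-05-01T08:00:00|ws01|SYSTEM|services.exe|svchost.exe
2024-05-01T08:01:00|ws01|alice|explorer.exe|outlook.exe
2024-05-01T08:02:00|ws01|alice|explorer.exe|chrome.exe
2024-05-01T08:10:00|ws01|alice|outlook.exe|winword.exe
2024-05-01T08:00:00|ws02|SYSTEM|services.exe|svchost.exe
2024-05-01T08:01:00|ws02|bob|explorer.exe|outlook.exe
2024-05-01T08:02:00|ws02|bob|explorer.exe|chrome.exe
2024-05-01T08:03:00|ws02|bob|explorer.exe|teams.exe
2024-05-01T08:00:00|ws03|SYSTEM|services.exe|svchost.exe
2024-05-01T08:01:00|ws03|carol|explorer.exe|outlook.exe
2024-05-01T08:02:00|ws03|carol|explorer.exe|chrome.exe
2024-05-01T08:10:00|ws03|carol|outlook.exe|winword.exe
""".splitlines()

# Constructed new events: two normal, one macro-style spawn, one rare pair, one user hopping hosts.
NEW_TELEMETRY = """
2024-05-15T09:00:00|ws01|alice|outlook.exe|winword.exe
2024-05-15T09:00:05|ws01|alice|winword.exe|powershell.exe
2024-05-15T09:01:00|ws01|alice|explorer.exe|teams.exe
2024-05-15T09:05:00|ws02|alice|explorer.exe|chrome.exe
2024-05-15T09:06:00|ws03|carol|explorer.exe|chrome.exe
""".splitlines()

if __name__ == "__main__":
    for ev, reasons in detect(BASELINE_TELEMETRY, NEW_TELEMETRY):
        print(f"{ev.ts} {ev.host} {ev.user}: {ev.parent} -> {ev.image}  [{', '.join(reasons)}]")
```

Three of the five new events are flagged: `winword.exe` spawning `powershell.exe` is new on the host and unseen anywhere in the fleet (the classic macro-to-shell pattern), `explorer.exe` launching `teams.exe` is new on ws01 but was seen on one other host, so it is reported as rare rather than unknown, and alice appearing on ws02 is a user-to-host deviation even though the process lineage itself is normal there. None of these is a signature; each is a deviation from what the environment itself established as normal, which is the distinction the paragraph draws between an MSS working from known threats and EDR working from a baseline.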

Too often, however, organizations purchase sophisticated EDR solutions but fail to use them to their full capabilities. They treat EDR like any other technology in their ecosystem and bolt it into their existing infrastructure, using only a fraction of what it can do. It is like buying a Ferrari for the daily commute and never finding out what the car can really do.

Managed detection and response (MDR) is the next logical step. MDR combines people, processes and technology to deliver proactive threat hunting and remediation by a team of skilled cybersecurity professionals. Through the right combination of technology and managed services, MDR enables organizations to identify patterns, behaviors and threats in their environment that were previously unknown. With MDR, organizations can use their EDR solutions to their fullest potential: not simply monitoring for threats but proactively discovering and eradicating them, then investigating how they got in so the same door stays closed.

For example, without MDR, an organization's security team might identify an email that infected a user's computer with malware. Their anti-virus solution cleans up the endpoint, they believe the incident is resolved and they move on. But with MDR, the team can go further, performing forensics, reverse-engineering the malware and investigating the incident in depth. The team might uncover that this was no opportunistic spam campaign but a highly targeted attack, using malware crafted specifically to breach this organization and to evade the anti-virus version it runs. With MDR, the organization can go the last mile: killing the threat and cleaning the machine from kernel-level persistence all the way up through the operating system and file system.

For decades, the cybersecurity industry has focused predominantly on the network. We have only dabbled at protecting the endpoint and the applications. Until recently the industry had not produced anything that was truly next-generation security for the endpoint. But MDR provides the real-time threat detection and response capabilities that organizations have needed for a long time. In the past, conducting thorough incident response and a full forensic investigation on a compromised endpoint was laborious and slow, requiring security consultants and their equipment to be sent to each affected location. Much of the work could not be done remotely. With MDR, forensic investigation and analysis of the endpoint can be performed from anywhere there is an internet connection.

In the face of today's persistent threats, monitoring and reactive response are no longer enough for most enterprises. EDR and other threat detection and response technologies have the potential to be the cybersecurity "holy grail" the industry has long waited for, but only for those who can effectively wield them. That means placing them in the hands of the truly capable.

Chris Schueler

Chris Schueler, as Chief Executive Officer, drives the overall vision and strategy for Simeio. He is a proven leader with extensive experience in go-to-market, operations and product development in the managed security services space. He joined Simeio from Trustwave, where he led all aspects of its security services and go-to-market. Under his leadership and strategy, he created a significant growth engine in revenue and profit, ultimately moving Trustwave's services into global leadership positions in all markets and analyst communities. Prior to that, Chris spent 11 years with IBM building, growing and expanding its cloud and security managed services businesses, achieving significant growth in revenue, margin and NPS in both large public and small emerging environments. Chris is a veteran of the US Army and spent 12 years in Information Operations Commands. Chris received a Bachelor's degree in OMIS from Northern Illinois University and his Master of Business Administration degree from Auburn University. He is a husband and father to three daughters, a health and fitness enthusiast, and an outdoorsman.