EDR and XDR: What Do They Do?
Dwell time is the length of time an attacker is able to roam your network before being detected. The full window of exposure also includes the time it takes to contain and remediate, so it is commonly framed as mean time to detect (MTTD) plus mean time to respond (MTTR). According to FireEye's 2020 M-Trends report, the global median dwell time was 56 days. In other words, a typical intrusion ran for nearly two months before anyone noticed and cut it off.
EDR and XDR are tools that try to shorten dwell time by detecting and responding to threats faster. EDR focuses on detection and response at the endpoint; XDR extends that to other critical parts of the environment, such as the firewall and cloud applications. In this blog we'll look at what EDR and XDR actually do, and how MDR uses these technologies to deliver a service.
What is EDR?
To understand XDR and MDR, we first need to understand what EDR is and the problem it is trying to solve. EDR stands for "Endpoint Detection and Response." It is an endpoint agent whose job is not just to prevent a breach but to detect and contain what happens after malware has already executed: in other words, to catch the malware the AV engine missed, and to give the analyst the tools to contain or remediate it once it is found.
Endpoint protection can be broken down into two stages: pre-infection (pre-execution) and post-infection (post-execution). Pre-infection is where traditional antivirus lives. It uses signatures, heuristics and machine-learning classifiers to stop known malware from ever executing on the machine. Useful as that is, anyone who works in security knows it is not sufficient on its own.
By some estimates even the best antivirus engines block only around 50-60% of the real-world threats seen on a daily basis. The rest is the job of the post-infection stage, which is all about detecting and responding to threats that have already executed on the machine.
For example, a traditional antivirus looks for signatures of known malware, and a signature can be defeated by modifying the file just enough (repacking, re-obfuscating, appending a few bytes) that its hash or byte pattern no longer matches. The behaviour of the malware, however, stays essentially the same no matter how many times the sample is repacked. This is where the detect part of post-infection comes in: watching what an unknown file does once it executes.
If that behaviour is highly suspicious or known bad, we want to defuse or contain it as quickly as possible. This is how EDR attacks ransomware, by stopping an unknown process that has started encrypting files on disk. Then comes the respond stage, where playbooks can automatically quarantine users, isolate devices, or roll back changes to a previously known-good state.
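The contrast between the two stages, as an added example that is not part of the original post and not any vendor's product code: a hash denylist stands in for the pre-execution signature check and is defeated by a one-byte change to the sample, while a post-execution rule that watches what a process does (many distinct files rewritten with near-random content and renamed to a new extension inside a short window) still catches it and hands a verdict to a response playbook. The telemetry, thresholds, hash denylist and playbook step names are all constructed for this example.

```python
"""Signature vs behaviour: catching a repacked file-encrypting process (added example)."""
import hashlib
import math
from collections import Counter, defaultdict

# Pre-execution check: a hypothetical denylist holding the hash of one known sample.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"EVIL-LOCKER build 1").hexdigest()}


def signature_verdict(sample: bytes) -> bool:
    """True only if the sample's hash is already on the denylist."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for encrypted or compressed output, 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1] if "." in path else ""


def score_processes(events, window_s=10.0, min_files=20, min_entropy=7.0):
    """events: dicts with ts, pid, op ('write' or 'rename'), path, and data/new_path.
    A pid is 'ransomware-like' if, within any window_s seconds, it writes >= min_files
    distinct files whose content looks random AND renames files to a new extension."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    verdicts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        verdicts[pid] = "benign"
        for i, start in enumerate(evs):          # slide the window over this pid's events
            hi_writes, renames = set(), 0
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window_s:
                    break
                if e["op"] == "write" and shannon_entropy(e["data"]) >= min_entropy:
                    hi_writes.add(e["path"])
                elif e["op"] == "rename" and _ext(e["path"]) != _ext(e["new_path"]):
                    renames += 1
            if len(hi_writes) >= min_files and renames >= min_files // 2:
                verdicts[pid] = "ransomware-like"
                break
    return verdicts


def response_actions(host: str, pid: int, verdict: str):
    """Playbook steps an EDR would push for a confirmed verdict (illustrative names)."""
    if verdict != "ransomware-like":
        return []
    return [f"kill pid {pid} on {host}",
            f"isolate {host} from the network",
            f"roll back {host} to the last known-good snapshot"]


# Constructed telemetry: pid 4242 encrypts 30 documents in six seconds; pid 1001 is a
# word processor autosaving one text file at the same rate.
HIGH_ENTROPY = bytes(range(256)) * 4          # every byte value equally likely -> 8.0 bits
PLAIN_TEXT = b"Quarterly report: revenue grew modestly; see appendix for detail. " * 20


def build_sample_events():
    evs = []
    for i in range(30):
        t = 100.0 + i * 0.2
        evs.append({"ts": t, "pid": 4242, "op": "write",
                    "path": f"/home/u/doc{i}.docx", "data": HIGH_ENTROPY})
        evs.append({"ts": t + 0.05, "pid": 4242, "op": "rename",
                    "path": f"/home/u/doc{i}.docx", "new_path": f"/home/u/doc{i}.docx.locked"})
        evs.append({"ts": t, "pid": 1001, "op": "write",
                    "path": "/home/u/report.txt", "data": PLAIN_TEXT})
    return evs


if __name__ == "__main__":
    print("signature hit on original:", signature_verdict(b"EVIL-LOCKER build 1"))
    print("signature hit after one appended byte:", signature_verdict(b"EVIL-LOCKER build 1\x00"))
    for pid, verdict in score_processes(build_sample_events()).items():
        print(pid, verdict, response_actions("ws-17", pid, verdict))
```

The thresholds matter: a backup agent or a compression tool also writes many high-entropy files, which is why real products combine several signals (rename to an unknown extension, deletion of shadow copies, canary files) and why the playbook isolates the host rather than just killing the process.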
A key component of EDR is the ability to use recorded forensic data for threat hunting. That can be as simple as searching every EDR client for a specific process, running a YARA rule across the fleet, or combing through the "recorded events" on a single endpoint. The detail varies by vendor, but most EDR tools start recording forensic data once a file passes the pre-execution phase: metadata such as process creations, parent/child relationships, files and registry keys touched, and network connections. That recorded history is fundamentally how many EDR vendors were able to help scope the SolarWinds compromise: by looking for the metadata common to the infected endpoints.
The ultimate goal of the post-infection phase is to minimise the time between when an incident occurred and when it was contained and remediated: the mean time to detect plus the mean time to respond, both of which EDR tooling addresses directly. FireEye's 2020 M-Trends report put the global median dwell time at 56 days, down 28% from the 78 days in the previous year's report, an improvement attributed in part to wider adoption of detection tooling such as EDR.
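The hunting workflow described above (search the fleet for a process, then look for metadata common to the known-infected endpoints), as an added example that is not part of the original post and not any EDR vendor's query language. The recorded events, host names and placeholder hashes are constructed for this example; the technique is least-frequency stacking: take the hashes present on every confirmed-infected host, drop whatever is fleet baseline, rank the rest by rarity, then sweep the fleet for the survivors.

```python
"""Fleet-wide hunt over recorded EDR telemetry (added example)."""
import re
from collections import Counter

# Constructed recorded events: per host, the (hash, image, parent) triples the agent
# logged at process creation. "h-..." values are shortened placeholders, not real hashes.
FLEET = {
    "ws-01": [("h-svchost", "svchost.exe", "services.exe"), ("h-chrome", "chrome.exe", "explorer.exe"),
              ("h-upd", "updater.exe", "explorer.exe")],
    "ws-02": [("h-svchost", "svchost.exe", "services.exe"), ("h-word", "winword.exe", "explorer.exe"),
              ("h-upd", "updater.exe", "winword.exe")],
    "ws-03": [("h-svchost", "svchost.exe", "services.exe"), ("h-chrome", "chrome.exe", "explorer.exe")],
    "ws-04": [("h-svchost", "svchost.exe", "services.exe"), ("h-chrome", "chrome.exe", "explorer.exe"),
              ("h-word", "winword.exe", "explorer.exe")],
    "ws-05": [("h-svchost", "svchost.exe", "services.exe"), ("h-word", "winword.exe", "explorer.exe"),
              ("h-upd", "updater.exe", "winword.exe")],
    "ws-06": [("h-svchost", "svchost.exe", "services.exe"), ("h-chrome", "chrome.exe", "explorer.exe")],
    "ws-07": [("h-svchost", "svchost.exe", "services.exe"), ("h-chrome", "chrome.exe", "explorer.exe"),
              ("h-upd", "updater.exe", "explorer.exe")],
    "ws-08": [("h-svchost", "svchost.exe", "services.exe"), ("h-word", "winword.exe", "explorer.exe")],
}
KNOWN_INFECTED = {"ws-01", "ws-02", "ws-05"}   # confirmed by the incident so far


def search_process(fleet, image_pattern):
    """The simplest hunt: which hosts have ever run a process matching this pattern?"""
    rx = re.compile(image_pattern, re.IGNORECASE)
    return sorted(h for h, evs in fleet.items() if any(rx.search(img) for _, img, _ in evs))


def hash_prevalence(fleet):
    """How many hosts have ever run each hash."""
    c = Counter()
    for evs in fleet.values():
        for sha in {sha for sha, _, _ in evs}:
            c[sha] += 1
    return c


def rank_candidates(fleet, seeds, baseline_fraction=0.5):
    """Hashes present on *every* known-infected host, minus anything so widespread that it
    is fleet baseline (svchost on every box), ranked rarest first."""
    if not seeds:
        return []
    common = None
    for h in seeds:
        hashes = {sha for sha, _, _ in fleet[h]}
        common = hashes if common is None else common & hashes
    prev = hash_prevalence(fleet)
    cutoff = baseline_fraction * len(fleet)
    return sorted(((sha, prev[sha]) for sha in common if prev[sha] <= cutoff), key=lambda t: t[1])


def sweep(fleet, sha):
    """Every host that has run the candidate, including ones not yet known to be infected."""
    return sorted(h for h, evs in fleet.items() if any(s == sha for s, _, _ in evs))


def parent_stack(fleet, sha):
    """Parent-process distribution for the candidate. An Office app spawning an
    'updater' is exactly the kind of shared metadata that confirms a hunt."""
    return Counter(parent for evs in fleet.values() for s, _, parent in evs if s == sha)


if __name__ == "__main__":
    for sha, n in rank_candidates(FLEET, KNOWN_INFECTED):
        print(sha, "on", n, "hosts; parents:", dict(parent_stack(FLEET, sha)))
        print("  sweep ->", sweep(FLEET, sha))
```

On this constructed fleet the hunt surfaces one candidate and the sweep finds a fourth host (ws-07) that the incident had not yet identified, which is the whole point of searching recorded telemetry rather than waiting for another alert.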
Endpoints are a critical part of the attack surface, but they are only a small part of the bigger picture that makes up our network. Modern networks include IoT devices, cloud applications, network devices, email servers and many other areas that must be considered. That brings us to XDR, or Extended Detection and Response.
What is XDR?
Gartner defines XDR as "a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components." Put another way, XDR ingests data from multiple security products and correlates telemetry that would otherwise be very hard to connect by hand. Because it is integrated with those products, XDR can also respond to threats, either automatically or on an analyst's instruction.
At a high level, XDR has three components: integration, analysis and response. Integration is the critical piece: how deeply the XDR platform can ingest from, and act on, the different products in your environment. That means not only collecting telemetry such as syslog or SNMP, but also having the API integration to push a response back when an incident is detected.
With telemetry flowing in from all the relevant sources, XDR normalises the different vendors' data into a common schema and correlates across it. This is the analysis (or detection) phase, usually powered by rule-based correlation plus some form of machine learning or statistical analytics that look for outliers in the breadcrumbs of data. This is the value of XDR: correlating events across products in near real time, something a team of SOC engineers could not do by hand, and surfacing patterns of behaviour that would otherwise go undetected.
When the analysis engine concludes that an investigation represents a real security risk, the response phase can remediate automatically by pushing actions back to the relevant security products according to the playbook you have configured: adding a blocked IP to the firewall, quarantining a switch port, or blocking a sender domain on the mail gateway, for example.
Ultimately, XDR is a system that takes in telemetry from across the network, makes a decision based on its correlation rules and models, and pushes a response to the relevant device to mitigate the risk.
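The three XDR stages described above (integrate, analyse, respond), as an added example that is not part of the original post and not any XDR vendor's code. It normalises a constructed firewall syslog line, an EDR alert in JSON and a mail-gateway CSV record into one schema, correlates them on host and time so that three individually unremarkable events become one high-severity incident, and emits the playbook actions to push back to each product. The line formats, asset inventory, field names and action verbs are all invented for this example.

```python
"""XDR-style normalisation, correlation and automated response (added example)."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed telemetry from three products. The line formats, field names and the
# asset inventory are invented for this example, not any vendor's real schema.
FIREWALL_SYSLOG = [
    "2024-03-03T10:14:58Z fw01 action=allow src=10.0.5.23 dst=203.0.113.7 dport=443 proto=tcp",
    "2024-03-03T10:15:01Z fw01 action=allow src=10.0.5.40 dst=198.51.100.9 dport=443 proto=tcp",
]
EDR_ALERTS = [
    json.dumps({"time": "2024-03-03T10:14:55Z", "host": "ws-17", "ip": "10.0.5.23",
                "severity": "medium", "process": "invoice.exe",
                "detection": "office-app-spawned-executable"}),
]
MAIL_GATEWAY_CSV = [
    "2024-03-03T10:12:40Z,alice@corp.example,billing@evil.example,invoice.exe,delivered",
]
ASSET_INVENTORY = {"10.0.5.23": "ws-17", "10.0.5.40": "ws-22"}   # hypothetical CMDB lookup

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(fw_lines, edr_lines, mail_lines):
    """Integration step: map every product's format into one schema
    {ts, source, host, indicators, ...} so later stages need not know the vendor."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m:
            continue                                   # unparseable line: skip, do not crash
        events.append({"ts": _ts(m["ts"]), "source": "firewall",
                       "host": ASSET_INVENTORY.get(m["src"], m["src"]),
                       "action": m["action"], "indicators": {"dst_ip": m["dst"]}})
    for line in edr_lines:
        a = json.loads(line)
        events.append({"ts": _ts(a["time"]), "source": "edr", "host": a["host"],
                       "severity": a["severity"], "indicators": {"process": a["process"]}})
    for line in mail_lines:
        ts, rcpt, sender, attachment, status = line.split(",")
        if status != "delivered":
            continue                                   # a blocked mail cannot have executed
        events.append({"ts": _ts(ts), "source": "mail", "host": None,
                       "indicators": {"attachment": attachment, "sender": sender, "recipient": rcpt}})
    return events


def correlate(events, window=timedelta(minutes=5)):
    """Analysis step: an EDR alert on a host, an outbound allow from that same host shortly
    after, and an earlier mail delivery of an attachment named like the alerted process
    are stitched into one incident. Each signal alone is medium or low; together, high."""
    zero = timedelta(0)
    incidents = []
    for alert in (e for e in events if e["source"] == "edr"):
        host, proc = alert["host"], alert["indicators"]["process"]
        fw = [e for e in events if e["source"] == "firewall" and e["host"] == host
              and e["action"] == "allow" and zero <= e["ts"] - alert["ts"] <= window]
        mail = [e for e in events if e["source"] == "mail"
                and e["indicators"]["attachment"] == proc and zero <= alert["ts"] - e["ts"] <= window]
        if fw and mail:
            incidents.append({"host": host, "process": proc, "severity": "high",
                              "c2_candidates": sorted({e["indicators"]["dst_ip"] for e in fw}),
                              "recipients": sorted({e["indicators"]["recipient"] for e in mail}),
                              "sender": mail[0]["indicators"]["sender"]})
    return incidents


def playbook(incident):
    """Response step: (product, verb, target) actions pushed back to each integrated
    product. The verb names are illustrative, not a real API."""
    actions = [("edr", "isolate_host", incident["host"])]
    actions += [("firewall", "block_ip", ip) for ip in incident["c2_candidates"]]
    actions += [("mail", "purge_message", r) for r in incident["recipients"]]
    actions.append(("mail", "block_sender", incident["sender"]))
    return actions


if __name__ == "__main__":
    for inc in correlate(normalize(FIREWALL_SYSLOG, EDR_ALERTS, MAIL_GATEWAY_CSV)):
        print(inc)
        for step in playbook(inc):
            print("  ->", step)
```

Note that the second firewall line (a different host talking to a different destination) is left alone: correlation is what keeps the automated response from blocking every outbound HTTPS connection seen in the same minute as an EDR alert.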
What is MDR?
While EDR and XDR are technologies that detect and respond to threats on your network, MDR is a service delivered by a third party. Gartner defines MDR (Managed Detection and Response) as "24/7 threat monitoring, detection, and lightweight response services to customers leveraging a combination of technologies".
A report released by Forrester in Q4 2020 goes a step beyond Gartner's definition and lists the key components of an MDR service:
- Security analytics
- Proactive threat hunting
- Automated incident response using a SOAR platform, or manual response following pre-defined playbooks.
The same report goes on to say that:
“The quality of MDR services depends on its ability to incorporate extended detection and response (XDR) visibility from not just EDR software but also network analysis and visibility (NAV) tools, network traffic analysis (NTA), and analysis of security log data.”
Because the MDR market is still being defined, providers vary greatly in what they offer. Forrester segments providers by the level of capability they deliver; the tiers break down roughly as follows:
- The first tier is what I would call "base level" services: the Gartner definition of basic MDR, namely proactive hunting, investigation and response.
- The next tier is a managed EDR service, where the MDR provider manages the EDR agent itself and delivers the base-level services on top of it.
- The advanced tier adds Incident Response as a Service, which offers traditional "boots on the ground" personnel to assist with incidents.
The common theme across all three topics in this blog is detecting and responding to threats faster. EDR is usually the starting point on the journey to lower dwell time, because endpoints are generally the biggest risk in the attack surface. Well-coordinated attacks, however, usually involve much more than the endpoints, and that is why XDR is the next evolution. EDR and XDR are not mutually exclusive but complementary: both give insight into what is happening on your network that would be difficult or impossible to gather manually. The reality is that many organisations do not have the staff or expertise to run EDR or XDR themselves, and for them more and more MSPs are offering MDR as the next level of managed service.