Buzzwords and acronyms abound in the MSP industry, an unfortunate byproduct of marketing years in the making. Cybersecurity is a hot watercooler topic at any business. Well, now probably more likely a virtual happy hour than a watercooler, but nevertheless cybersecurity remains top-of-mind.
To sleep at night, MSPs feel they must enhance or expand their security offerings beyond the standard layers, like; firewalls, firewall filtering, active directory protocols, DNS Filtering and antivirus/malware detection. One of the ways many MSPs feel they can satiate their cybersecurity concerns involves buzzword-y new acronyms floating around involving “EDR” or endpoint detection and response. But what is EDR really and what can it do for MSPs and their clients?
But first, besides EDR, there’s also ADR, MDR, xDR and the industry can surely expect newer blank-DR acronyms coming in the next few years. What are all these acronyms and how do they help MSP protect their clients? Here are a few definitions:
EDR (Endpoint Detection and Response) – Technically, every security agent sitting on an endpoint is an EDR solution. The information the agents feed back to administrators determines what action to take and when. ADR (Automatic Detection and Response) – Newer technology allows the agent to automatically make a decision without human intervention. Ideally, ADR automatically remediates a situation and reports to the administrators on action taken. xDR – This newer acronym refers to agents across a network communicating to make a remediation decision or report decision across multiple endpoints. MDR (Managed Detection and Response) – A best-of-breed solution using EDR, ADR and possibly xDR tools in various combinations, MDR allows a human team to make decisions and respond to situations. While more complex and administrative heavy, MDR closes the gap that arises when suspicious applications are being monitored and observed, but not reacted to by an ADR or xDR solution. Human-driven MDR ferrets out the suspicious and reacts. Here are five things MSPs should consider when evaluating EDR solutions:
1. All security tools with an endpoint agent are basically EDR.
Their job is to detect malicious code, applications, scripts or other malicious files and make a status determination on the fly. Most security agents use various methods like physically scanning file hashes, scanning file content, watching behaviors, looking at scripts, detecting known attack surfaces and other techniques to try to ascertain if a newly encountered file is good or bad.
How the security agent reports its activity depends on the EDR tool. So, while many security tools claim they offer an “EDR” solution, the key is to determine the level of threat, suspicions and action taken in reporting or alerting that adds value for MSPs.
2. The “R,” or response, is key to a successful EDR solution.
While many security tools report and alert, the level of response is the most important aspect of any security practice. If the security agent provides minimal information for decision making, it’s of limited use to the technical personnel responsible for intervening.
On the other hand, technicians can take advantage of security tools with consoles that display alerts, reports and visibility into whether an agent responded, how and the agent’s current status. Too often tools don’t provide necessary insight for reviewing or comparing threat data or approaches – like the MITRE attack framework or other sitesContinue reading