What is the difference between endpoint detection and response (EDR), extended detection and response (XDR), and managed XDR (MXDR)? And which approach makes the most sense for your organization?
Sorting through these cybersecurity acronyms can offer insights and ideas about the strategy that would most rapidly and easily increase an organization’s security posture.
Years ago, traditional cybersecurity focused on protecting everything within the business enterprise and its perimeter. This task was fairly achievable when workplace computers were confined to a physical office space and data centers remained on-premises. Corporate firewalls afforded significant protection. However, mobile and cloud computing changed the way businesses operate, and this dealt a fatal blow to perimeter-based security.
In the 2000s and 2010s, many of the applications that organizations relied on migrated to the cloud. This took them off-site and beyond the control of local IT teams. Data related to these applications was often stored in the cloud as well, further diminishing the effectiveness of the now antiquated firewall. Workplace technology also evolved, becoming a mix of bring-your-own-device (BYOD) technology and business workstations. The old security model was the recreation of a medieval castle, defensively positioned against intruders, but that model failed when the workplace became an open marketplace bustling with countless devices, networks, and users – all with direct connections to the outside world.
Allowing professionals to work on multiple devices, from nearly any location, can do wonders for productivity. However, for traditional cybersecurity, it was a nightmare. Once organizational resources and devices moved beyond the firewall, perimeter-based defense was over. Cybersecurity vendors saw the writing on the wall and shifted focus from firewalls to endpoint security. Endpoint detection and response (EDR), which sought to protect organizations at the device level, took center stage.
EDR involved more than simply adding extra layers of security to each device. Internal EDR security operations are centralized in a platform that manages and monitors each endpoint. Professional security analysts within the organization operate the platform, requiring ‘round-the-clock protection by specialists working 24x7x365. And as it turns out, these specialists spend far too much time sorting through massive numbers of low-priority alerts. This option is also expensive and difficult to staff. There are far more companies in need of cybersecurity analysts than there are candidates to fill the positions. In fact, the cybersecurity industry has been facing a massive skills shortage for the past five years.
Another challenge facing EDR has been the massive proliferation of unmanaged devices now accessing workplace resources. Monitoring every business-owned PC, laptop, tablet, and smartphone is a monumental challenge—one for which traditional “castle defense” cybersecurity systems are not well suited. And now, employees’ personal technology, traversing unknown networks, is also allowed access to the enterprise. This makes the task of maintaining security even more difficult. The growth of dual-use devices paired with the cybersecurity skills shortage has made implementing effective EDR too difficult for many organizations.
A significant number of IT and security teams turn to security incident and event management (SIEM) solutions to support broad threat detection; however, they often discover significant challenges. These include problems with data-ingestion threat detection and response. And the challenges can be amplified because of limited visibility, limited threat correlation across multiple vectors, or both.
Cybersecurity is constantly shifting, as threat actors probe for new, less protected vectors to perpetrate their malicious deeds. Once the limitations of EDR became apparent, many security vendors began the migration from EDR to XDR, to build a more cohesive and holistic response platform by aggregating and analyzing threat telemetry across a spectrum of solutions. In other words, they sought to organize and contextualize incoming threat information, rather than having dozens of solutions bombarding security operations center (SOC) analysts with separate, disconnected alerts.
And while this is a natural extension of EDR, the XDR approach still requires an internal team of dedicated IT or cybersecurity professionals to be successful. And the approach also adds to tool sprawl, at a time when many CISOs are trying to simplify their security stacks.
Today, organizations are managing an average of 76 security tools, which can be overwhelming to the IT staff tasked with operating them. All of these things set the stage for the next evolution of cybersecurity: managed XDR.
Managed XDR extends SIEM capabilities and offers organizations the full protection of an XDR platform with the human expertise and the processes required to identify and contain attacks. And managed XDR provides this without the prolonged job searches and expensive cybersecurity salaries required to run an in-house XDR-enabled security operation. With managed XDR, organizations receive 24x7x365 access to external cybersecurity threat experts who monitor the enterprise, correlate telemetry across devices, and provide actionable intelligence to rapidly prevent threats. This approach also minimizes alert fatigue for internal staff. Managed XDR offers the benefits of a high-end security solution, and a round-the-clock team, at a price that small and mid-size businesses can afford.
Adding AI for Advanced Protection
The most advanced MXDR platforms bring more than human expertise to your organization. They also harness the power of Artificial Intelligence (AI). While securing endpoints through a centralized platform offers incredible security benefits, there are still gaps with this approach. For example, what about endpoints that stop communicating with the platform? Some devices may “drop off” of an XDR platform due to misconfigurations, update errors, or connectivity issues. It is important that every device remains protected, even when its connectivity to the XDR platform is compromised.
Artificial intelligence (AI) offers an elegant solution to this problem. Advanced AI can recognize malicious files and indicators of compromise (IoCs) through extensive training on expansive data sets. The BlackBerry® seventh-generation Cylance® AI has trained upon billions of file features, allowing it to identify threats with a 99% success rate. By deploying AI-driven security agents directly on the endpoint, devices remain protected from malware and other threats regardless of connectivity. This approach offers organizations an extra layer of continuous security that is not available on many “cloud-only” XDR platforms.
Another significant benefit of using AI-powered endpoint protection is its ability to stop future threats. Since Cylance AI is trained to recognize malicious indicators common to malware, it can also detect and prevent zero-day threats with extremely high efficacy. New malware is being created at a breakneck pace, but the ways it operates largely remain the same from one generation to the next, despite even the most sophisticated efforts to hide and obfuscate those operations. AI is phenomenal at seeing patterns of code, behavior, exploitation, and other features that malware of today and tomorrow will likely use. In testing, unmodified Cylance AI agents over two years old were able to reliably detect and prevent modern threats – an ability BlackBerry calls predictive advantage.
Managed XDR and predictive AI give organizations the human and holistic security needed in their environments from the endpoint to the network.
To learn more about the evolution of managed XDR and the current state of cybersecurity, read the BlackBerry® 2022 Threat Report.