Selecting a security platform that provides the right level of protection based on your customers’ needs and your IT team’s skillset is vital. A determined attacker can find a way in, whether it’s via stolen or brute-forced credentials, exploiting unpatched vulnerabilities, or leveraging another vector. This is where threat detection and response solutions and practices come in.
Ideally, MSPs should complement their cybersecurity best practices and preventative controls with monitoring tools for their clients’ networks, endpoints, cloud infrastructure, and email. These detection and response tools should identify with high confidence when something doesn’t look right. They free overburdened IT analysts, who would otherwise be swamped investigating false positives, to spend their time on more valuable work. By streamlining the detection and response processes, MSPs can help customers become more resilient against the evolving cyber threat landscape.
Which detection and response offerings are suitable for your MSP business?
Keeping up with the latest security terms and acronyms can be nearly as challenging as defending against cyberattacks. Regardless, most MSPs are familiar with EDR (endpoint detection and response), MDR (managed detection and response), and XDR (extended detection and response). But which is most suitable for your organization? Let’s examine each one.
EDR is the baseline monitoring and threat detection tool for endpoints, that is, any servers or client devices (e.g., desktops, laptops, tablets, smartphones) that connect to a computer network. EDR relies on software agents installed on these endpoints to capture telemetry and send it to a centralized repository for analysis. Depending on the solution, many EDR agents perform real-time analysis to identify risks. Some of the key components of an EDR solution include:
- Endpoint monitoring—It collects and aggregates data about the protected system, analyzes it to detect potential threats, and sends alerts to security teams.
- Active protection—When an EDR tool detects a threat, many automatically respond by interrupting the attack, isolating it, and containing the malware.
- Artificial intelligence—AI enables EDR solutions to analyze large data sets and discover patterns and trends indicating a potential intrusion or other anomalies.
- Log monitoring—Some EDR solutions analyze the raw log files, such as Windows event logs, and make critical findings available to security teams that would otherwise go unnoticed by other EDR solutions.
- Digital forensics—Before an organization can respond to an attack, it needs to know the cause and scope of the problem. Some EDR solutions allow security analysts to investigate and provide audit information.
MDR is a managed security service handled by a third party. Gartner defines MDR as a 24/7 threat monitoring, detection, and lightweight response service delivered to customers using a combination of technologies.
Depending on the security provider, multiple disparate technologies offer visibility, detection, and response capabilities. For example, some of the technologies behind an MDR service include:
- Security information and event management (SIEM)—A real-time solution that analyzes the data generated by applications and network hardware.
- Network traffic analysis (NTA)—A method of monitoring network activity to identify anomalies, including malicious activity or policy violations.
- Endpoint protection platform (EPP)—EPP solutions are typically cloud-managed solutions deployed on endpoint devices that utilize cloud data to assist in advanced monitoring and remote remediation.
MDR vendors provide a turnkey service by leveraging a curated stack of security technologies, melded together from many disparate vendors and deployed uniformly across their customer portfolio. Their SOC then largely takes the security reins from the MSP and performs most response efforts on its behalf. It’s frequently an all-or-nothing service: either you’re invested in all of the MDR vendor’s services or none of them. Although the provider and MSP nominally share the reins, responsibility is largely shifted to the MDR provider, who co-owns the client relationship with the MSP.
Extended detection and response is a platform that, like MDR, is a turnkey offering. XDR natively offers SIEM, EPP, and NTA functionality, providing protection for all IT assets from a single vendor. Unlike most MDR services, XDR also offers security orchestration, automation, and response (SOAR) functionality and integrates more extensively with commonly used security tools, resulting in a cohesive security operations platform. By integrating with multiple products, security professionals can respond to threats efficiently without unnecessary context switching. XDR ingests telemetry from various security products to correlate events that would otherwise be difficult to recognize manually, and it provides a centralized view of the organization’s security posture. Internal SOC analysts and MSSPs can leverage XDR for unified prevention, detection, and response.
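The cross-product correlation described above is the core of what an XDR platform does: an email-gateway event, an endpoint process event, and a network connection are each a weak signal alone, but observed in sequence for the same user within a short window they describe a single intrusion. The following is an added example (not Barracuda’s code or any vendor’s XDR logic) that joins three constructed telemetry feeds on the affected user and raises one alert only when the full chain is seen. The feed names, event fields, and the `HOST_OWNER` mapping are assumptions made for the illustration.

```python
"""Cross-source event correlation in the style an XDR platform performs.

Added example, not any vendor's code. The three telemetry feeds (email gateway,
endpoint agent, network sensor) and the event field names are assumptions
chosen for illustration; every sample event below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry. Each record carries a 'source' so the correlator knows
# which product produced it; the schema is assumed, not any vendor's.
EVENTS = [
    {"source": "email", "ts": "2024-05-01T09:00:00", "user": "jdoe",
     "host": None, "type": "attachment_delivered", "detail": "invoice.docm"},
    {"source": "endpoint", "ts": "2024-05-01T09:03:10", "user": "jdoe",
     "host": "WS-0142", "type": "process_start",
     "detail": "WINWORD.EXE -> powershell.exe -enc ..."},
    {"source": "network", "ts": "2024-05-01T09:04:30", "user": None,
     "host": "WS-0142", "type": "outbound_connection",
     "detail": "203.0.113.7:443 (first seen)"},
    # Benign noise: a scheduled script on another host and an unrelated mail.
    {"source": "endpoint", "ts": "2024-05-01T09:10:00", "user": "admin",
     "host": "SRV-01", "type": "process_start",
     "detail": "cmd.exe -> powershell.exe backup.ps1"},
    {"source": "email", "ts": "2024-05-01T11:00:00", "user": "asmith",
     "host": None, "type": "attachment_delivered", "detail": "agenda.pdf"},
]

# Which user is logged into which host. A real platform derives this from
# endpoint or identity telemetry; it is an assumed static mapping here.
HOST_OWNER = {"WS-0142": "jdoe", "SRV-01": "admin"}

# Ordered chain of low-severity signals that together indicate a
# phishing -> macro -> beacon sequence: (source, event type) per step.
CHAIN = [("email", "attachment_delivered"),
         ("endpoint", "process_start"),
         ("network", "outbound_connection")]
WINDOW = timedelta(minutes=15)


def _parse(ts):
    return datetime.fromisoformat(ts)


def _entity(evt):
    """Resolve every event to the user it concerns so the sources can be joined."""
    if evt["user"]:
        return evt["user"]
    return HOST_OWNER.get(evt["host"])


def correlate(events, chain=CHAIN, window=WINDOW):
    """Return one alert per user whose events match `chain` in order within `window`.

    Each event from a different product is a weak signal on its own; an alert is
    raised only when the whole chain is observed for the same user.
    """
    by_user = defaultdict(list)
    for evt in sorted(events, key=lambda e: _parse(e["ts"])):
        user = _entity(evt)
        if user:
            by_user[user].append(evt)

    alerts = []
    for user, evts in by_user.items():
        step, matched = 0, []
        for evt in evts:
            if (evt["source"], evt["type"]) != chain[step]:
                continue
            if matched and _parse(evt["ts"]) - _parse(matched[0]["ts"]) > window:
                # Chain start is too old: restart, keeping this event only if it
                # is itself a valid first step.
                step, matched = 0, []
                if (evt["source"], evt["type"]) != chain[0]:
                    continue
            matched.append(evt)
            step += 1
            if step == len(chain):
                alerts.append({
                    "user": user,
                    "host": next(e["host"] for e in matched if e["host"]),
                    "sources": [e["source"] for e in matched],
                    "span_seconds": int((_parse(matched[-1]["ts"])
                                         - _parse(matched[0]["ts"])).total_seconds()),
                })
                step, matched = 0, []
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run stand-alone, the script reports a single alert for `jdoe` on `WS-0142` spanning 270 seconds across the email, endpoint, and network feeds, while the backup script on `SRV-01` and the unrelated PDF produce nothing. The point of joining on the user rather than on the raw host or mailbox is that each product reports a different identifier; an EDR agent alone never sees the email, and a mail gateway alone never sees the child process.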
XDR platforms often provide features such as:
- Consolidated threat monitoring—By streamlining security data ingestion, analysis, and workflows across an organization’s entire security stack, XDR enhances visibility around hidden and advanced threats and unifies the response.
- Centralized user interface—XDR integrates security solutions and business applications into a single platform to streamline and reduce management requirements.
- Automated response—Like EDR and MDR, XDR can investigate, isolate, and remediate specific attacks on covered systems.
- AI and machine learning enhancements—Like EDR and MDR, XDR tools typically include AI and machine learning to detect anomalies and initiate specific incident responses.
- Reporting—With the centralized view, XDR can often provide more compelling and holistic reports, giving its customers better situational awareness.
- A la carte packaging—XDR is often packaged to cover specific attack surfaces, allowing MSPs greater choice in what is monitored and to what degree.
XDR customers can choose the path of completely handing over their security reins to an XDR provider or utilize XDR to enable their internal teams and provide defense-in-depth.
Some XDR vendors, like Barracuda, include SOCaaS (sometimes referred to as Managed XDR) to augment the MSP’s internal response team. This makes it an ideal solution for MSPs that lack the specialized skills needed for incident response, need 24x7x365 coverage, want help eliminating false positives, or prefer continued ownership of the customer relationship. Leveraging XDR with SOCaaS, MSPs can continue to fully own the customer relationship and be their clients’ cybersecurity hero.
All three solutions, EDR, MDR, and XDR, have various similarities. Each option includes threat detection and response functions. They also provide some form of automated response based on data input and threat intelligence. Yet, there are critical differences between them. For example, EDR is explicitly designed to protect endpoints. For effective cybersecurity, it must be combined with additional tools that protect other parts of each customer’s network; therefore, EDR is not enough for most MSPs. While MDR offers more complete coverage than EDR alone, the all-or-nothing packaging can make the service prohibitively expensive or misaligned with the level of service the MSP wants to offer. Forfeiting response capabilities or co-owning the client relationship with the MDR provider can be risky for some MSPs. For MSPs who want complete coverage similar to MDR but with greater integrations, continued ownership of the customer relationship, and a centralized view, XDR is a better fit.