The Limitations of Managed Endpoint Detection and Response (EDR)

A Brief History of Endpoint Detection and Response (EDR): Fulfilling a Need

Emerging in the early 2010s, endpoint detection and response (EDR) represented an answer to new and emerging threats that evaded endpoint protection platforms (EPP) and legacy anti-virus solutions. Increasing use of fileless and unknown attacks shifted focus from prevention of the expected to detection and response of the unexpected. Recognizing a new market need, native endpoint vendors expanded their portfolios with new tools, later coined “EDR." These managed EDR services provided always-on recording of activity with integrated threat hunting and isolation capabilities.

As organizations adopted EDR, inherent problems became apparent. Given the complexity and vast amounts of data captured by EDR solutions, security teams were quickly overwhelmed with management and efficient use of the tools and capabilities. This resulted in the emergence of managed service offerings to alleviate resource limitations and operational inefficiencies. As of 2018, 30 percent of organizations have adopted EDR technologies with 65 percent reporting outsourcing or planning to outsource managed EDR services. This market is forecasted to grow at 22.9 percent year-over-year, constituting over $3.4B in security spend.

From Endpoint Detection and Response (EDR) to Managed Detection and Response (MDR)

Much like the evolution of EDR, the emergence of MDR represented an answer to new and emerging threats that evaded not only existing technologies but also to resource and expertise limitations. Used by organizations as early as 2011, MDR became an official industry term in Gartner’s Guide to Managed Detection and Response in 2016. Recognizing that prevention will fail, MDR sought to strategically use technology in combination with powerful analytic capabilities and integrated threat hunting to minimize threat actor dwell time.nolo

Unfortunately, given the infancy of the category, criteria for what constitutes an MDR provider was and continues to remain vague. As a result, solutions that have a similar goal in minimizing threat actor dwell time (EDR) attached themselves to the MDR category. This has resulted in widespread confusion and the risk of choosing a vendor that does not provide comprehensive coverage of a customer’s on-premises and cloud networks. In the most recent Guide to Managed Detection and Response, Gartner has specifically called out endpoint detection and response (EDR) vendors that represent themselves as MDR vendors with the following insight and caution:

“Managed EDR is often associated with MDR when it’s just one style, a style that may have limited visibility of threats in a customer’s environment depending on the assets and environments that need to be monitored. While there are some dedicated managed EDR providers, the MDR market is dominated by EDR vendors offering services to software buyers.”

Endpoint Detection and Response (EDR) Limitations within Managed Detection and Response (MDR)

While the importance and value of EDR cannot be disputed, it is one component of a holistic managed detection and response (MDR) solution. In the most recent Ponemon State of Endpoint Security Risk study, organizations on average reported 34 percent of all endpoints connected to the network were not secured. Given the complexity and cost of endpoint protection, this statistic is understandable. The average organization spends $124 per endpoint on security spread across an average of seven endpoint security agents. Often a trade-off between budget and resource limitations and the number of endpoints that should be protected result in gaps that leave networks susceptible to attack.

EDR alone provides a very narrow view of the network. For threat hunting, the broader the set of data (including endpoint, as well as cloud, network data, log, vulnerability, etc.) the greater the information available to correlate and arrive at conclusive decisions that enable rapid response. This is akin to a crime scene where surveillance camera footage, eyewitnesses, DNA, etc. all represent different breadth and depth of evidential data. The greater the data to correlate the evidence, the quicker law enforcement is able to determine the perpetrator and arrest or detain before another crime is committed.

Looking at a defense-in-depth model, information gathered at each layer represents an opportunity to detect a threat actor and enforcement point to initiate response before successive layers and data are compromised. In the case of endpoint detection and response (EDR), it may highlight a breach, but visibility is myopic to that endpoint. If the source is external, EDR is limited as the data is blind to network data.

Ultimately, visibility into multiple layers that can link between different stages of the attack is necessary. Looking at the cyber kill chain, EDR has substantial strengths in detection across exploitation, installation and internal reconnaissance stages. However, EDR remains blind to other stages of the attack. The visualization below represents the primary components (including EDR) and their subsequent strengths and weaknesses in a holistic MDR solution.

As the cyber kill chain shows, endpoint detection and response (EDR) tools are a powerful component of a holistic MDR solution, however limited in singularity. As managed EDR services and vendors continue to portray themselves as MDR vendors, organizations are encouraged to consider risk contextual to their threat landscape and network presence. Understanding the differences between MDR vs EDR will help organizations determine what they need.

To help organizations make informed decisions, the chart below represents criteria that all MDR providers can be objectively plotted against as well as a capability comparison outlining eSentire MDR versus managed EDR services.

To learn more about EDR and the other types of MDR, read the Definitive Guide to MDR eBook.