Cyber Horizons

XDR: Going further with MDR

Published on 27 May 2022

As powerful and popular as it is, Endpoint Detection and Response (EDR) has its limits, even if you entrust its management to a specialist. As the name suggests, the EDR focuses on endpoints and detects abnormal behavior as it takes place, so we can’t talk about global protection.
This does not include the corrupted file stored on shared storage services such as Google Drive or Microsoft SharePoint, nor the attack to take control of the Active Directory. It is still impossible for the EDR to block a network stream to protect itself from malware, so what can be done to prevent such scenarios?

XDR for extended network protection

Extended Detection and Response or XDR is a SaaS tool for detecting and responding to cyber incidents that extends the scope of the EDR to include the network, directories , cloud tools, firewalls, services protected by a CSPM, etc.
It natively integrates various security features into a coherent operational system that unifies the components (Gartner) and adapts to the challenges arising from risk mapping.

Its correlated actions are therefore the promise of seeing everything, doing everything, everywhere.
XDR is more effective in identifying threats, especially complex ones from multiple vectors, because it has various detection capabilities (signature antivirus, next-gen unsigned antivirus, anti-exploit, anti-ransomware, fileless prevention, global vision, etc.).

It also increases the speed of reaction by making it possible to isolate the threat more quickly (isolation of workstation, user, removal of access rights on user files, interruption of flows, etc.). By extending the scope of the EDR, XDR gives a global vision and secures more upstream and downstream terminals. At the level of firewalls, it can, for example, detect and block flows from servers known to be malicious. By acting at the NGAV level, it also makes it possible to block malware present on the IS before the attack is triggered. Finally, XDR detects and mitigates threats earlier in the cycle (kill chain) by integrating email or DNS monitoring tools.

The MDR for a Service-Oriented Approach to XDR

Because it addresses a wider scope, an XDR project involves asking even more questions than when deploying an BDU. It is indeed necessary to question the best way to cover the entire fleet, to manage the remediation or to ask how far to automate. Like managed EDR, which allows you to take advantage of the full power of EDR, Managed Detection and Response (MDR) makes it possible to exploit the full potential of XDR. Beyond the tool, the MDR service must have clearly defined capabilities to meet the current challenges of operational security. This translates into an industrialized approach to the service mode that includes a dashboard, analytics, an SLA (Service Level Agreement) and a co-pilot who acts as the CISO’s cyber defense advisor. Most MDR services offer features that can detect, investigate, and respond to threats. For this, the teams involved in service management must be qualified for monitoring, detection and threat hunting, threat intelligence and incident response.
Thanks to MDR services, you benefit from the expertise of professionals, an organization and a technology that, combined, improve the security of your infrastructures.

What approach for an efficient “XDR-as-a-Service”?

Like EDR, XDR must therefore be integrated into a global service to deploy its full power. Because of its coverage and its extensive capacity for action, it implies an even stronger need for support, hence the relevance of the MDR.
However, even among MDR enthusiasts, we can distinguish two very different approaches: the first, described as “technological”, consists in the company choosing a tool and then delegating its management while the second, service-oriented, favors the choice of a trusted partner.

“Whether you choose one or the other of the approaches, which is the sensitivity of each CISO, the real challenge is to rely on a partner who will be able to make the most of the tools and bring real expertise.”

Benjamin Leroux
Benjamin Leroux • Marketing and Innovation, Advens

The promise of functional coverage of the XDR partly explains the current craze for this type of tool. However, they remain very young, so it will be interesting to follow their evolution and adoption, especially compared to the fleet of SIEM solutions already in place. Indeed, we must guard against a technology approach to security that too often boils down to the stacking of tools. One of the ways to really increase detection and response capabilities is therefore to opt for managed solutions: management by a specialist guarantees both the proper integration of the service and above all an efficient operation of your XDR, which has become MDR.