This has been driven by the fact that traditional antivirus struggles to cope with the increasing sophistication of modern malware, and is certainly unfit to handle new types of cyber threats.
Today, for many organizations, EDR is increasingly being seen as a critical line of defense in a company’s security posture, and in some areas even mandatory. This is due to a few key factors in the marketplace, including:
1. Compliance adherence and regulatory requirements
MSPs and their customers are facing an increasingly tight regulatory landscape, and many of those regulations require (either directly or by implication) the use of EDR. Although GDPR doesn’t go as far as to mandate the use of EDR, the visibility it provides is crucial to ensuring the protection of PII and to putting systems and procedures in place that minimize the risk of a breach.
Equally, the recent NIS2 Directive doesn’t mandate it. However, with its amended incident reporting requirements—including initial notification within 24 hours of becoming aware of certain incidents or cyber threats—companies that don’t deploy EDR will struggle to get visibility of active threats in their environments. On top of this, companies without EDR may find that collecting the details needed to report an incident properly is more complex and delays the process, putting them at risk of failing to comply with the directive’s requirements. In the US, however, CISA’s Executive Order on Improving the Nation’s Cybersecurity does stipulate a mandatory requirement for EDR solutions to be implemented.
2. Cyber Insurance
Cyber insurance is a growing focus of attention for businesses, and for MSPs this extends to helping their customers not only manage the application process, but also to rolling out the systems and infrastructure to ensure they can comply with any specific insurance requirements. Increasingly, insurers are looking for EDR deployment as it offers them a guarantee around risk reduction control for the insured business.
3. Supply chain security requirements
Over the past few years, we’ve seen a growing number of supply chain attacks, so this is yet another key area of focus for businesses. If your organization supplies services to another organization, or uses the services of other businesses, then to continue to operate securely you need full visibility over your infrastructure and the ability to spot and mitigate issues quickly. This helps ensure they don’t propagate across other companies’ networks and products. Traditional AV won’t give you this, so EDR is one of the natural core requirements in a good defense-in-depth strategy.
It’s more than just check-boxing
When it comes to thinking about the role and importance of EDR, I like to use the analogy of a castle: although it has high walls, it has loads of entry points, including those coming from within (insider threats). Yet it would be unusable, from a functional point of view, to have a castle with no doors, windows, or bridges, where no one would be allowed to enter or leave. Unfortunately, for many organizations this is what happens if they don’t get the balance right between security, functionality, and business requirements.
Of course, it is also not possible to have every window, door, and person within the boundaries of a castle monitored by a soldier 24/7/365. And the same is true for businesses. This is why the security industry, collectively, has evolved from the notion of assume breach and detect all attacks (when it’s not possible to prevent them), to being able to predict attacks as they are in process or where and when they might occur. This means working towards mitigation, or attack surface reduction, and ultimately being able to resist attacks and effectively and efficiently recover from them (the principle of Cyber Resilience).
This is essentially what EDR is about.
However, monitoring and predicting threats 24/7/365 is a complex process, and one that can be hugely costly to build an infrastructure to support—not just in terms of technology but also in terms of hiring the security analysts required to run it.
This is where Managed Detection and Response (MDR) can really support businesses.
How does MDR take security to the next level?
There are two simple scenarios where MDR really helps organizations take their security to the next level.
1. Providing a fully fledged Security Operations Center (SOC) on tap
The reality is that the vast majority of organizations won’t have the resources (financial and human) to fully staff a mature SOC that is able to maintain and operate their full security stack (including EDR) 24/7/365.
Thanks to the cloud and economies of scale, MDR, like many other “managed” services, allows MSPs to outsource their security operations to a third-party security specialist. This way, MDR becomes a highly cost-effective service that can be crucial for organizations looking to secure their businesses and be compliant with whatever their business requires.
2. Scaling your team’s ability
Even if an organization has a fully staffed and mature SOC, its focus will ultimately be narrower, as there will always be a need to align, on a daily basis, with the business’s needs (new or existing ones).
By using an MDR service those teams can “scale” further, without putting pressure on budget, training, retention, etc. This allows them to focus on what matters most for them, whether that’s business process improvements, infrastructure improvements, maintenance processes efficiency, or playbooks.
A good example here is how the MDR provider can focus on triage and initial investigation, before handing over a curated set of recommendations to the customer.
How does MDR help tackle emerging threats?
Overall MDR provides benefits that even smaller SOCs would struggle to achieve, including:
- Proactive threat hunting with data at scale, that results in actionable insights
- Broader threat knowledge thanks to a bird’s-eye view across hundreds or thousands of different organizations, industries, and geographies
- Access to economies of scale, allowing them to employ higher-skilled analysts and bleeding-edge security tools, thus helping to keep pace with continually evolving adversarial tactics and techniques