Need some assistance in writing a piece. Which is better EDR or MDR?
Looking for a clear cut comparison between three but google inundates me with unhelpful marketing nonsense.
Also what’s a practical reason a business would switch from one *DR to another *DR?
Hello community!
Lately, I've noticed a lot of discussions and cases on Reddit and elsewhere about bypassing EDR and Antivirus solutions. There are reports of servers being encrypted despite the presence of XDR/MDR functions from manufacturers, etc. This raises several questions for me, especially about moving all security stacks to Microsoft 365, particularly for clients with a Business Premium subscription. I'm having trouble forming a clear opinion on this.
On one hand, it seems like putting all your eggs in one basket, right? On the other hand, solutions combining AV+EDR with a service like BlackPoint seem more robust to me. Or maybe it would be wiser to have one provider for AV, another for EDR, and yet another for MDR? I also have questions about integrating an MDR solution within the same solution as AV and EDR.
I'm not sure if there's already a thread on this topic; if there is, I'd appreciate the link! What do you think?
Thanks for your insights!
We've seen quite a lot of posts lately on 'which AV should I get' or 'Huntress vs S1 vs X', so I thought as an update to my post here, I'd put together a bit more information as people seem to need something like this.
Let's start here: AV and EDR are not the same. Huntress is technically neither with their base product, their "Process Insights" product is an EDR, though. All these are the same class of thing (Endpoint Protection), but they all have very different design, and there's a fourth item - MDR/MTR. We'll go through these together.
Antivirus (say, Webroot, Norton, Intercept X, AVG, Microsoft Defender Antivirus, etc) is a no fly list. Effectively, imagine a piece of software has 'done something bad', so we don't let it run anymore. This is a list we call 'virus definitions'. For the most part, if you're on that list, you're bad, and if you're not, you're ok (from the perspective of the AV). The biggest problem with this is that something has to have been seen before, and also be classified as a direct threat, say like a virus deleting files, or a worm editing the registry.
To combat this, AV vendors came up with heuristics. These are 'indicators of badness' so to speak. Effectively, we do our best to try and analyze what something is doing and if it looks like other things we know of on our list, we block it. It's an improvement, but it's not perfect, and it's not complete enough.
Notably: Encryption is a completely normal computer activity. So is data transfer. Ransomware and data exfiltration look like both of these, and AV is effectively worthless against them. To make things worse, these are the most common software based threats nowadays, and over 75% of them (according to Sophos and Blackpoint) are only seen once.
To be blunt: AV has zero use nowadays against modern attacks and threats. It went away when Bitcoin helped monetize attackers and resource them. The threat actor industry went from cute spirals on your monitor and hacktivism to a real, $1.5 trillion business with real threats and real attackers. If you're using Webroot and you keep getting ransomware, that's why.
Enter NGAV.
Next Generation Antivirus is supposed to be the 'prevention' portion of EDR. It's heuristical analysis, AI, and machine learning. It doesn't do the detection of EDR, but it should be relatively effective against malware, fileless attacks, ransomware, and some data exfiltration (though some of those 'live off the land' attacks where nothing is downloaded, and say, PowerShell is used to send data out, would benefit quite a bit from EDR). Here are writeups by Crowdstrike and Sentinel One on the topic. Though this isn't a recommendation thread, NGAV is very commonly paired with EDR, or is a literal component of it. It would be difficult to run NGAV alone, and you'd miss the benefits of EDR's monitoring.
Thank you @0Weird0 for the information on that section, his comments (correcting mine) are below in the thread, with sources.
Enter EDR.
EDR is an AI/behavioral analysis engine, for the most part. Rather than identifying 'this file is bad', it actively analyzes processes on a system and uses those metrics against its own baseline learning and cloud intelligence to determine the intent of running items to determine if they should be allowed. EDR is incredibly effective. It basically solved the ransomware problem overnight, so long as it's in use and properly configured.
Notable EDRs in no order of recommendation: Sentinel One, Sophos EDR, Crowdstrike, Carbon Black, Process Insights, Microsoft Defender for Endpoint (please note Microsoft's extremely awful naming convention: Microsoft Defender Antivirus is the AV that comes with Windows. Microsoft Defender for Endpoint is the EDR that requires a 365 subscription).
EDR is designed to protect against ransomware, and in doing so, it was easily modified to protect against other things, like data theft, credential hijacking, malicious javascript, etc. It's fabulous at detecting things it's not seen before, which are most, if not all, modern attacks, as they're customized for their victims. It also generates a lot of data.
Enter MDR/MTR
These products are EDR with a security team monitoring them (a SOC). Most organizations don't have threat hunters, process analysts, threat experts, or remediation specialists designed to protect and monitor the absolute mountain of data that EDR provides, so manufacturers and third parties have set up teams to do just that. There are several levels of what a 'SOC' is. Huntress' is on the lower end - they'll send you an email with instructions (or a button) if something goes wrong, and isolate a machine from a network to stop a spread. Sophos, for example, is a much more involved (and thus expensive) SOC, where they'll fully remediate systems, dig into where threats came from, analyze the network, and actively call you and work tickets if need be. There are also third parties like Blackpoint that are vendor agnostic, ingesting large amounts of data from multiple sources and putting human eyes on it.
There are other SOCs too, and various other levels of involvement; this is not intended to be a recommendation, but a short list: Arctic Wolf, Microsoft Threat Experts, Sentinel One's Vigilance, Blackpoint, and Crowdstrike/Carbon Black also have their own SOCs.
Humans are very important here - from either an MSP or a single organizational standpoint, all the data in the world does nothing if you don't react. Sure, we may have stopped the ransomware with the EDR, but how did the attacker get in? What else did they do? If you're an MSP and you don't staff for this, that's normal, but if you don't know, you're doing your clients a disservice. If you're a standalone enterprise, it's your job on the line if attackers repeatedly penetrate a system. Modern threats require modern solutions.
So what's Huntress do?
Huntress looks for remnants with their core product. Footholds and 'persistence' they call it, that allow attackers back in, even if you've cleaned the initial threat. They're looking for the 'pivot and escalate' portion of an attack. They do now also have an EDR in Process Insights, and it remains to be seen how impactful that is. They're trying to compete with the popular Sentinel One/Huntress combo today.
Important edit: Andrew from Huntress has corrected me. Huntress includes Process Insights, their EDR, in all offerings now. They should be included in the EDR section, as well as the above note about persistence. Also as a note - Huntress has a stellar reputation around here. This is still not a recommendation of anything, but they don't deserve misinformation in a root post. Thanks Andrew.
So what's XDR?
Think EDR, but with getting information from other sources. It's having the telemetry from things like switches, firewalls, SIEM, Microsoft Graph, etc as well as endpoint telemetry. It's still a bit of a marketing term, since what's included with XDR is still variable from manufacturer to manufacturer, and though it absolutely is a security uplift, determining how much more secure the network is with XDR vs EDR is not standardized yet.
Hopefully this helps someone. This information is written 2/7/2023 (edited thus far on 2/8/2023 from updates in these threads) for anyone finding this on Google - security changes rapidly and it may not be accurate in the future. Also please note - no recommendations here, no "who's better" type stuff, just a primer on endpoint protection and SOCs, hopefully.
Discuss! Below should be great discussion, eventually, on things I've missed or differing opinions. That's why Reddit is awesome.
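The post above contrasts the AV "no-fly list" with EDR's behavioral analysis. The following is an added example, not code from the post or from any vendor named in it, that runs both approaches over a small, constructed stream of file events: a hash lookup against a made-up definitions list, and a toy behavioral rule that flags a process rewriting many files with high-entropy data and changing their extensions inside a short window. Every hash, process name, file path and threshold here is constructed for the demo. It also carries the caveat the post hints at: a backup tool writing compressed archives produces high-entropy data too, so entropy alone is not a signal, which is why the rule also requires extension changes on the same files.

```python
"""Added example: signature lookup versus behavioral detection on constructed telemetry."""
import hashlib
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed "virus definitions": SHA-256 of two made-up payloads (not real indicators).
KNOWN_BAD = {
    hashlib.sha256(b"constructed-known-worm").hexdigest(),
    hashlib.sha256(b"constructed-known-trojan").hexdigest(),
}


@dataclass
class FileEvent:
    pid: int
    image: str          # executable name of the acting process
    image_hash: str     # hash of that executable on disk
    path: str           # file touched
    new_path: str       # path after a rename, or "" if no rename
    content: bytes      # bytes written, or b"" if none
    t: float            # seconds since boot


def signature_verdict(image_hash: str) -> str:
    """Classic AV: on the list => block, otherwise allow. Nothing else is inspected."""
    return "block" if image_hash in KNOWN_BAD else "allow"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for random/encrypted/compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def behavioral_verdict(events, window=5.0, min_files=4, min_entropy=7.0):
    """Toy EDR rule: within `window` seconds, one process both overwrites at least
    `min_files` distinct files with high-entropy data AND renames those same files
    to a different extension. Returns {pid: "block" | "allow"}."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    verdicts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.t)
        flagged = False
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e.t - start.t <= window]
            rewritten = {e.path for e in win
                         if e.content and shannon_entropy(e.content) >= min_entropy}
            renamed = {e.path for e in win
                       if e.new_path and e.new_path.rsplit(".", 1)[-1] != e.path.rsplit(".", 1)[-1]}
            if len(rewritten & renamed) >= min_files:
                flagged = True
                break
        verdicts[pid] = "block" if flagged else "allow"
    return verdicts


def build_sample_events():
    """Constructed telemetry: a never-seen-before encryptor (pid 4242) and a benign
    backup tool (pid 1337) that writes high-entropy archives but renames nothing."""
    rng = random.Random(7)  # deterministic stand-in for encrypted/compressed output
    noise = lambda: bytes(rng.getrandbits(8) for _ in range(4096))
    evs = []
    novel_hash = hashlib.sha256(b"constructed-novel-ransomware").hexdigest()  # not in KNOWN_BAD
    for i in range(6):
        doc = f"C:/Users/alice/Documents/report{i}.docx"
        evs.append(FileEvent(4242, "updater.exe", novel_hash, doc, "", noise(), 10.0 + i * 0.3))
        evs.append(FileEvent(4242, "updater.exe", novel_hash, doc, doc + ".locked", b"", 10.1 + i * 0.3))
    backup_hash = hashlib.sha256(b"constructed-backup-tool").hexdigest()
    for i in range(6):
        evs.append(FileEvent(1337, "backup.exe", backup_hash,
                             f"D:/backup/archive{i}.zip", "", noise(), 20.0 + i * 0.2))
    return evs


def run_demo():
    """Both verdicts side by side, keyed by pid."""
    evs = build_sample_events()
    sig = {e.pid: signature_verdict(e.image_hash) for e in evs}
    return {"signature": sig, "behavioral": behavioral_verdict(evs)}


if __name__ == "__main__":
    for engine, verdicts in run_demo().items():
        print(engine, verdicts)
```

Running it shows the signature engine allowing both processes (the encryptor's hash has never been seen) while the behavioral rule blocks pid 4242 and leaves the backup job alone. Real EDR products use far richer telemetry and models than this one rule, but the shape of the argument is the same: the decision is about what a process does, not what its file hashes to.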
Hi, we are currently looking to replace our XDR solution on some endpoints by MDR/EDR. Could someone explain the differences specifically for N-ABLE? I am trying to understand it but some explanations are really vague and say "it depends on your provider". Has anyone experience on this? And has the time to explain it a bit? Thank you
Hey everyone, just trying to work out how to configure the next iteration/upper tier of my stack, thought I’d tap r/MSP.
Right now, we’re running Huntress on our Windows endpoints, but we’re looking at a client that might need a year’s worth of logs to meet compliance requirements. Naturally, I started considering a SIEM. I’ve already enrolled in Blumira’s NFR and am running it in the lab. Looks like a solid product. Then I wondered if Huntress was not the right tool, but more something like Blackpoint’s MDR would be a better fit. That said, it doesn’t seem like Blackpoint does AV, so I would either need to switch the AV on my endpoints, or run Blackpoint and Huntress in tandem.
I also understand that Huntress has an MDR for MS365. I haven’t tried it, but how does it compare to Blackpoint? Or does it compare?
This is what I’m wondering, are all of these solutions a little redundant? I’d like to find the right balance between log retention, labor reducing AV/EDR/MDR, cost efficiency and this new potential client.
Any insight would be appreciated.
Curious how folks are really using MDR providers day-to-day.
Do you trust them to handle detection/response in cloud and SaaS apps (like Okta, M365, AWS, etc), or is it mostly just endpoint/network stuff? Why or why not?
Can they actually respond to incidents on your behalf, or do they just escalate to your internal IR team?
How deep do they go on investigations? Can they reach out to employees directly (e.g., Slack messages to verify behavior) or are they limited to log review?
And how do you evaluate whether your MDR is doing a good job? What are the red/yellow/green flags?
Like the question states, does the EDR brand matter if you have an MDR in place? This is assuming the EDR and MDR are reputable, highly regarded.
We are currently evaluating MDR vendors and many of them support several EDR platforms.
We have the Microsoft E5 and have access to MDE; because of that we are entertaining changing from our current EDR. Our current EDR has no issues, but we are looking at it from a cost savings standpoint. From articles we have read, MDE and our incumbent are scored relatively the same on several websites and reviews, some even had MDE slightly higher.
Even the MDR companies we are interviewing score them the same and have pros/cons to both. To the point, it feels like we are splitting hairs to determine which way we are going, with the cost savings as the biggest reason for the move. On the other side, the biggest hold up is that we have some team members that don't want to go all in on the MS Security bandwagon, we already do Defender for Office.
This discussion spawned a separate discussion that I'd like to get input on. If you have a reputable EDR and back that up with a solid MDR, does the EDR even matter? MDR groups are building out their own detections to enhance what your EDR is already doing, at least that's the value add there in my opinion.
Good afternoon. I am evaluating my options in regards to managed EDR for my clients.
I currently use SentinelOne but the experience has been less than stellar. I am unsure if that is due to the intermediary vendor's involvement or not. But feedback on cases is ignored, and questions remain unanswered more often than not.
I have received many recommendations for Huntress, but there is a glaring hole of coverage over any of my Linux endpoints. I do not see how this is not simply an exclusionary feature when it comes to consideration. Thoughts on this point are especially appreciated.
What products have you all used for Managed EDR? For the most part my endpoints are Windows and Linux, maybe a spattering of macs.
edit: I was really hoping for more direct feedback on the lack of linux options in huntress as well as the wonderful recommendations and feedback people are leaving. Is there a reasonable way/reason to fill that gap with another vendor? Or is it as I stated and just a security hole that unfortunately excludes them? etc.
Thank you!
We are in the process of demoing and looking for a new EDR vendor. Due to some specific guidelines, we are no longer qualifying for Huntress's MSP program. We have been happy with the platform otherwise.
We are looking at the following currently and I wanted to get some community feedback on experiences good, bad, or otherwise. In no particular order:
- Blackpoint Cyber - liked the demo and the product. Pricing is good. Heard some good things about their platform and product. Looking to do a trial and see what we think.
- Todyl - Like the platform and options they offer. Pricing is a bit more since the SIEM is required for the O365 components. Sales guys seemed a bit like used car salesmen desperate for a sale. Main turnoff for me but demo looked solid and the options they offer are good once bundled together. Like the flexibility in licensing.
- Field Effect - Doing a demo next week. Newer but heard some positive things.
- Red Canary - We have MDfB through BP licensing. Looking to discuss the managed component and see how they stack up.
How do everyone's experiences stack up?
Dear all,
we are a company with around 480 people, 150 Servers, 350 Clients but no IT Security Team. We are currently using Sophos Intercept X but are not really happy with it. The Dashboard is not very user friendly, the Threat Report is very hard to read and we don't get a lot of information about the threat, a lot of false positives and in general I think that Sophos is not a high tier security software.
I got the project to look for an alternative that will replace Sophos. We want EDR, MDR and maybe an XDR solution. First we thought about a SIEM but I think we need a SOC Analyst or something else who is reading SIEM logs all day long to understand what is going on in our environment. I read that some XDR solutions, like the one from Cybereason, are a newer and better SIEM. What is your opinion on that? What can we connect with modern XDR solutions? Is it possible to connect switches and Firewalls (Sophos XG btw) to it? We definitely want to have our Azure and M365 connected.
What are some tools to check out? We had already a demo from Cybereason which was ok but I definitely want to have a demo from Crowdstrike and SentinelOne. Are there other good solutions in the market? And does it even make sense to go for one tool? For me it makes sense to have everything combined.
Thanks for your input.
The place I work at currently uses ESET Protect as the endpoint protection platform and before renewing our licenses we are deciding if we need to switch from ESET into something like SentinelOne or Defender 365. We’re in the process of ramping up the organisation’s security as well starting next year and that is one of the reasons why we’re considering this switch as well.
Our ecosystem consists mostly of Windows PCs and servers, very few Linux servers, and also some Android devices, we got Office 365, and also got some infrastructure in Azure cloud as well. The top two contenders for me right now are Defender 365 (because of the footprint MS has on us and also because the whole ecosystem will integrate well), and SentinelOne. Crowdstrike (even though I like the product) didn’t make it because our higher-ups are still uneasy with their outage incident.
How are your experiences with these two products? Would love to hear about out-of-box protections, fine-tunings and integrations, support, and administration.
And also regarding ESET, they’ve served us well over the years. I think the company is looking for something ‘modern’ but I did my research and it seems like all these products do the exact same thing.
We are looking to upgrade. I would like to hear of people's experiences with various EDR/MDR/XDR products, both good and bad.
What are some common things you look for when choosing an EDR/MDR/XDR solution? Based on these websites they're all the greatest thing ever.... Not sure how to decide...
Thanks!
Who is doing what and what has been your experience? Also, what solution are you using?
Sentinelone here and it has been fine. We are not doing much on the client side anymore so we haven't run into performance issues that others may have reported.
We use Carbon Black for EDR. A year or two ago, if you purchased computers from Dell, you could include the cost of Carbon Black in the computer price. A lot easier to tell the board a computer is $20 more than make a big purchase for an EDR.
What do MSPs do to stay competitive in the MDR landscape?
I'm struggling with finding "no vendor influenced" information regarding the differences between EDR, NDR & XDR. I would appreciate if any of you can point me to the right source or even share with me your point of view from the operational perspective.
Why do we deploy both of them if XDR is more powerful?! Isn't it better and simpler to deploy only XDR?