As the threat landscape grows in frequency and complexity, this article will help you learn about the technologies you should consider adding to your tech stack to protect clients against attacks and advanced threats, and to understand whether these solutions could fit your existing portfolio.

Hacking attempts are involved in more than 60% of successful breaches, according to Verizon's 2022 Data Breach Investigations Report. Your clients might already be at risk, since such attack techniques can bypass traditional antivirus and anti-malware technologies, which detect only known threats and known malicious behavior patterns. MSPs and the businesses they protect need advanced security solutions and services like EDR, SOAR, XDR and MDR to address the risks and complexity of modern attacks.

The risk to an organization is significant: the average cost of a data breach is expected to reach $5 million in 2023, according to the Acronis Cyberthreats report for the second half of 2022. Note that the risk is borne not only by the businesses themselves but, depending on local legislation, by MSPs as well, who may have legal obligations to protect client data and may be liable in case of a breach or, even if not, may suffer reputational damage.

EDR is becoming a mature, mainstream technology and is no longer limited to organizations with highly mature security programs. Such technologies, and the services built on them, are becoming accessible to a broader set of service providers and smaller organizations thanks to innovations like guided incident analysis and response.
This guest blog is courtesy of Acronis. Regularly contributed guest blogs are part of ChannelE2E's sponsorship program.
Why do MSPs and their clients need advanced security solutions and services?
The growing sophistication of the threat landscape during the early 2010s led to a string of advanced security technologies capable of detecting and remediating more complex threats, attacks and hacking techniques.

In general, more advanced security and endpoint protection solutions with detection and response capabilities enable you to:

- Proactively stop threats — Known threats and malicious behavior patterns can be automatically detected and blocked with essential technologies like signature- and behavior-based detection. It's worth mentioning that, besides advanced security solutions, these technologies are also found in traditional anti-malware products, also known as next-generation antivirus (NGAV).
- Detect security incidents and in-progress attacks — Monitoring the IT environment and correlating events that, taken individually, look benign and show no known malicious behavior, but that together indicate an attack, such as a zero-day exploit. Such incidents bypass NGAV defenses and can only be detected by advanced solutions that correlate activity across events and over time.
- Analyze the security incidents — These technologies give IT teams visibility into how an attack happened, what its impact was and how it is progressing, so they know how to respond.
- Remediate and respond to attacks — You can also use these technologies to contain the threat on the affected assets, preventing lateral movement and remediating the impact of the attack, thereby minimizing its cost.
- Report on security incidents — Demonstrate your value to clients and fulfill regulatory requirements to report breaches of sensitive data within a strict time frame (e.g., 72 hours from becoming aware of a personal data breach under GDPR), meeting these requirements with speed and confidence.
NDR, EDR, XDR, SOAR, MDR: How they emerged and their differences
This string of advanced security technologies with detection and response capabilities, which started in the early 2010s, later led to each of them being established as a market category by analyst firms such as Gartner and Forrester and by enterprise cybersecurity market leaders like Palo Alto Networks. Here, we look at the most common ones and their differences.

Network detection and response (NDR)
Network detection and response (NDR) technology emerged in the early 2010s to combat unknown threats and attacks that did not use known patterns and were thus capable of bypassing NGAV technologies. NDR sensors sit at network chokepoints, typically where the internal corporate network meets the public internet, and receive a copy of the traffic (for example from a SPAN port or a network TAP). They continuously monitor traffic flows and packets and apply behavioral analysis to detect malicious activity at the network level, such as command-and-control beaconing or unusual lateral connections.

NDR can be delivered as a hardware appliance or as software for the network sensors, along with either an on-premises management console or a software-as-a-service (SaaS) back end. The architectural complexity of NDR can introduce provisioning challenges for MSPs.

Endpoint detection and response (EDR)
Endpoint detection and response (EDR) is an active endpoint security solution capable of identifying in-progress attacks, compromises or breaches, and then remediating them.

Around 2013, the momentum of "zero trust" increased awareness of advanced persistent threats (APTs) and lateral movement, moving the security perimeter closer to the endpoint, with continuous monitoring of the cyberattack chain. The idea was to reduce the impact of attacks and stop them in their tracks.

At the time, existing security information and event management (SIEM) solutions were perceived as passively monitoring the environment without providing active remediation capabilities, while NDR solutions sat closer to the network edge and far from the endpoint.

The highly intensive manual management, with little security improvement, prompted a market evolution towards EDR (e.g., Gartner later merged its endpoint protection platform (EPP) and EDR categories into one). The term "endpoint threat detection and response" was first coined in 2013 by Anton Chuvakin of Gartner for "tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts / endpoints."

The primary EDR capabilities:

- Detect attacks and security incidents on endpoints
- Enable investigation of the security incident
- Contain the incident, isolate the affected endpoint and remediate it
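As an added example (not Acronis or ChannelE2E code, and not any product's detection logic), the following Python script shows in working form what the "detect security incidents" bullet above and the three EDR capabilities just listed describe: it reads a few constructed endpoint telemetry events that are each unremarkable on their own, joins them into a single incident that records the process chain an analyst needs for the investigation step, and returns the containment actions an agent would be asked to perform. The event schema, the rule name, the time window and the action names are assumptions made for the illustration.

```python
import json
from collections import defaultdict

# Constructed telemetry (not real logs): three events on host WS-042 that are
# each unremarkable on their own, plus an ordinary PowerShell run on WS-017
# that must not be flagged.
TELEMETRY = "\n".join([
    json.dumps({"host": "WS-042", "ts": 100, "type": "process", "pid": 4100, "ppid": 1200,
                "image": "winword.exe", "cmdline": "winword.exe invoice.docm"}),
    json.dumps({"host": "WS-042", "ts": 103, "type": "process", "pid": 4188, "ppid": 4100,
                "image": "powershell.exe",
                "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}),
    json.dumps({"host": "WS-042", "ts": 105, "type": "network", "pid": 4188,
                "dst": "203.0.113.7", "dport": 443}),
    json.dumps({"host": "WS-017", "ts": 110, "type": "process", "pid": 900, "ppid": 880,
                "image": "powershell.exe", "cmdline": "powershell.exe Get-Service"}),
])

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAGS = {"-enc", "-encodedcommand", "-ec"}
WINDOW_SECONDS = 60   # assumed: all three stages must occur within this window


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts ordered by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Join individually benign events into incidents.

    Rule (assumed name "office_spawns_encoded_script_with_c2"): an Office
    application spawns a script host started with an encoded command, and that
    script host then opens an outbound connection, all within WINDOW_SECONDS.
    Process events are indexed per host so a network event can be walked back
    through its parent chain.
    """
    procs = defaultdict(dict)   # host -> pid -> process event
    incidents = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            procs[host][ev["pid"]] = ev
            continue
        if ev["type"] != "network":
            continue
        child = procs[host].get(ev["pid"])
        if child is None or child["image"].lower() not in SCRIPT_HOSTS:
            continue
        parent = procs[host].get(child["ppid"])
        if parent is None or parent["image"].lower() not in OFFICE_APPS:
            continue
        encoded = any(tok.lower() in ENCODED_FLAGS for tok in child["cmdline"].split())
        if not encoded or ev["ts"] - parent["ts"] > WINDOW_SECONDS:
            continue
        incidents.append({
            "host": host,
            "rule": "office_spawns_encoded_script_with_c2",
            # The chain is what an analyst needs for the investigation step.
            "chain": [parent["image"], child["image"], f'{ev["dst"]}:{ev["dport"]}'],
            "pids": [parent["pid"], child["pid"]],
        })
    return incidents


def containment_plan(incident):
    """Response step: the actions an EDR agent would be instructed to take,
    returned as data so a human or a SOAR playbook decides whether to execute
    them. Children are killed before parents; the host is isolated last."""
    actions = [("kill_process", incident["host"], pid) for pid in reversed(incident["pids"])]
    actions.append(("isolate_host", incident["host"], None))
    return actions


if __name__ == "__main__":
    for inc in correlate(parse_events(TELEMETRY)):
        print(json.dumps(inc))
        for action in containment_plan(inc):
            print("  ->", action)
```

Run stand-alone, the script reports one incident on WS-042 and nothing for WS-017, because the WS-017 PowerShell run has no Office parent and no encoded command. A real agent keys processes on a unique process GUID rather than a PID, since PIDs are reused, and would emit one incident per connection from the script host; both are left out here to keep the correlation logic visible.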