EDR, XDR, NDR, SOAR, MDR: What are the Differences and Why Should you Care?

An abstract design of a terminal display, warning about a cyber attack. Multiple rows of hexadecimal code are interrupted by red glowing warnings and single character exclamation marks. The image can represent a variety of threats in the digital world: data theft, data leak, security breach, intrusion, anti-virus failure, etc…

As the threat landscape is growing in frequency and complexity, this article will help you learn more about the various technologies you need to consider adding in your tech stack to protect clients against attacks and advanced threats, and to understand whether these solutions could be a fit for your existing portfolio.

Hacking attempts are involved in more than 60% of successful breaches, according to Verizon’s 2022 Data Breach Investigation Report. Your clients might already be at risk as such attack techniques can easily penetrate traditional antivirus and anti-malware technologies capable of detecting known threats and known malicious behavior patterns. MSPs and businesses they protect require advanced security solutions and services like EDR, SOAR, XDR and MDR to adequately address the risks and complexity of modern attacks.

The risk for an organization is significant, as the average cost of a data breach is expected to reach $5 million in 2023, according to the Acronis Cyberthreats in the second half of 2022 report. That said, it’s worth noting that the risks are faced by both businesses, and, depending on local legislation, MSPs themselves, who may have legal obligations to protect client data and may be liable in case of breaches or, even if not, might suffer reputation impact.

Why do MSPs and their clients need advanced security solutions and services?

The sophistication of the threat landscape during the early 2010s led to a string of developments and advanced security technologies capable of detecting and remediating more complex threats, attacks and hacking techniques.

In general, more advanced security and endpoint protection solutions, with detection and response capabilities, enable you to:

  1. Proactively stop threats — Known threats and malicious behavior patterns can be automatically detected and blocked with essential technologies like signature- and behavior-based detections. It’s worth mentioning that except in advanced security solutions these technologies are also available in traditional anti-malware solutions, or also known as next-generation antivirus or NGAV.
  2. Detect security incidents and in-progress attacks — Monitoring the IT environment and correlating events that might otherwise look benign and not displaying known malicious behavior; but when put together, could indicate a malicious attack like zero-day exploits. Such security incidents can bypass NGAV defenses and can only be detected by advanced solutions.
  3. Analyze the security incidents — Such advanced security technologies enable IT teams with visibility into how an attack happened, what was the impact, and how it’s progressing, in order to know how to respond.
  4. Remediate and respond to attacks — You can also leverage these technologies to contain the threat at the affected assets, preventing lateral movement and remediating the impact of the attack, thereby minimizing its cost.
  5. Report on security incidents — Demonstrate your value to clients and fulfill regulatory requirements to report sensitive data breaches within a strict time frame (e.g., 72 hours for GDPR), guaranteeing these requirements are met with speed and confidence.

NDR, EDR, XDR, SOAR, MDR: How they emerged and their differences

This string of advanced security technologies with detection and response capabilities that started in the early 2010s later led to each of them being established as market categories by analyst firms such as Gartner and Forrester and enterprise cybersecurity market leaders like Palo Alto Networks. Here, we’re going to look at the most common ones and their differences.

Network detection and response (NDR)

Network detection and response (NDR) technology emerged in the early 2010s to combat the unknown threats and attacks that were not using known patterns and thus were capable of bypassing NGAV technologies. NDR solutions sit between the internal corporate network and the public network. They continuously monitor network traffic flow and packets and use behavioral analysis methods to detect malicious attempts on a network level.

NDR can be delivered both in the form of hardware appliance and software for the network sensors along with an on-premises management console or software-as-a-service (SaaS). The architectural complexity of NDR might introduce provisioning challenges for MSPs.

Endpoint detection and response (EDR)

Endpoint detection and response (EDR) is an active, endpoint security solution capable of both identifying in-progress attacks, compromises or breaches — and then remediating them.

Around 2013, the momentum of “zero trust” increased awareness of advanced persistent threats (APTs) and lateral movement, moving the security perimeter closer to the endpoint with continuous monitoring of the cyberattack chain. The idea was to reduce the impact of attacks and stop them in their tracks.

At the time, existing security information and event management (SIEM) solutions were perceived as passively monitoring the environment without providing active remediation capabilities. At the same time, NDR solutions were sitting closer to the edge and far from the endpoint.

The highly-intensive manual management, with little security improvement, prompted a market evolution towards EDR (e.g., Gartner converged their endpoint protection platforms (EPP) and EDR categories into one). The term "endpoint threat detection and response" was first coined in 2013 by Anton Chuvakin of Gartner for "tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts / endpoints."

The primary EDR capabilities:

  • Detect attacks and security incidents on endpoints
  • Enable investigation of the security incident
  • Contain the incident and the endpoint and remediate it

EDR is becoming a mature and mainstream technology and is no longer limited to organizations with highly mature security programs. Such technologies and services based on them are becoming accessible to a broader set of service providers and downmarket organizations due to technological innovations like guided incident analysis and response.

Security orchestration, automation, and response (SOAR)

With the initial introduction of EDR, while even large organizations struggled with adoption due to resource intensity, security orchestration, automation, and response (SOAR) emerged. Gartner first coined the term "SOAR" in 2015 and defined such platforms as combining the capabilities of security incident response, security orchestration and automation, and threat intelligence platforms in one offering. SOAR platforms collect data about security incidents and enable automatic response with little to no human involvement.

The goal of using a SOAR is to collect data from multiple sources in a centralized place and streamline response capabilities through automation.

Unfortunately, the cost and complexity of SOAR technologies make them more well positioned for service providers with high level of in-house security expertise, and businesses in industries with high-security and compliance requirements and the IT budget for a SOAR-based service.

Extended detection and response (XDR)

Coined by Nir Zuk, Palo Alto Networks CTO, in 2018, extended detection and response (XDR) solutions automatically monitor and correlate events across multiple layers (e.g., email, endpoints, cloud workloads, identity, network). The emergence of XDR was due to the need for telemetry and incident management beyond the endpoint. XDR differs from EDR primary because of the extended scope of assets that XDR solutions protect.

Even though XDR allows greater visibility and broader response capabilities, it has introduced more adoption and noise challenges — especially in MSPs and downmarket, that rarely have the resources, time, or budget to implement. Unfortunately, XDR still remains more suitable for MSSPs and SPs with high security specialization and high in-house security expertise — even though technology innovations and consolidation trends drive broader accessibility.

Managed detection and response (MDR)

Managed detection and response (MDR) basically refers to a service provided on top of a detection and response solution (EDR/XDR/NDR/SOAR) managed for the customer by a third party. MDR services emerged initially with only the vendors who had the resources and unique knowledge to operate their solutions at scale.

These days, more and more service providers are entering the market with their own MDR services, and some even benefit from vendor MDRs to streamline their own practice and processes. Unfortunately, vendor MDR services offered directly to businesses also create channel conflict with service providers — as vendors fight with them for their client base.

Why is now a good time to consider launching your own MDR?

As the complexity of the tech stack has risen along with the complexity of the threat landscape and technological introductions, there has emerged an identified market need to reduce resource intensity and complexity to operationalize and manage security technologies, services and sprawl.

Advanced security solutions’ complexity, time to value, resource requirements and costs, and their having been brought down by tech innovations such as guided or automated analysis and response, along with market-wide consolidation trends, have moved market-leading vendors to consolidate single-vendor plays to respond to market demands and provide more holistic protection (e.g., spanning from detecting and remediating the threats to actually ensuring business continuity, data protection and recovery).

There has never been a better time to consider launching a high-margin MDR service for protecting clients — as they are now also accessible for businesses of any size.

This guest blog is courtesy of Acronis. Read more Acronis guest blogs here. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program.