Skip to main content

Is MDR vs. EDR the right question?

(Image credit: Shutterstock / binarydesign)

The comparison might seem legitimate, especially if people think about these products like they belong on a value ladder, but that’s hardly the case. If anything, both serve a very specific purpose and cybersecurity companies design such solutions to fit the shape and needs of the company. Managed detection and response (MDR) vs. endpoint detection and response (EDR) is not the right question. Instead, companies should better ask which is the right one for the organization.

One of the common mistakes many companies make, especially when they are just starting their journey, is to either look for the most complex security tool available on the market or for an all-in-one solution. Both of these initiatives are wrong. The selection of a security solution has to conform to the company’s profile, which usually means that a custom approach is always recommended. 

The fact that many small and medium businesses believe that cybersecurity ends with the installation of a simple endpoint security solution compounds the problem. Cybersecurity is usually a complex, multi-pronged approach, even for small companies. It depends very much on the risk profile of the company and their online exposure.

About the author

Liviu Arsene is Global Cybersecurity Researcher at Bitdefender

EDR is a tool complementary to cybersecurity

Endpoint detection and response sounds like a solution designed to detect and intercept threats, but it’s more like a detective that solves crimes by looking at clues. Following the same analogy, you can look at endpoint protection software as a police officer patrolling for signs of random acts of crime, but it’s when both work together that organized crime is stopped.. 

A company that doesn’t have EDR available for their security team will never know how an attack happened, where it started, how it spreads, and, more importantly, what was the reach of the threat inside the company. When a company deploys EDR in its infrastructure, all of these details are available for later inspection of an incident, even if the attackers were successful. The value of this tool can’t be dismissed, as it can help the organization understand what tactics and techniques it’s vulnerable to, and then take the appropriate steps to plug those blindspots.

MDR fills a wide gap in the market

When a company crosses a certain threshold, the number of events and other security issues becomes too large for internal teams to deal with. The choice is to continue with existing teams, which can cause employee burnout, or they can choose to build a security operation center (SOC). Unfortunately, the latter is usually expensive and only suits large companies with enough resources. 

MDR is the right solution for companies that want to offload some or all of their security needs to a dedicated team. Organizations can leverage the skills and knowhow of these seasoned security experts and can even plan response actions for predetermined attack scenarios. The most significant difference to an EDR solution is that security experts are continually monitoring events, allowing for faster interventions and more aggressive threat hunting.

EDR and MDR benefits that are not immediately obvious

A major benefit for using either EDR or MDR is the capacity to determine the extent of an intrusion. Malware or other threats will likely try to spread laterally inside the infrastructure. Without a forensic tool, it would be almost impossible to determine what happened after the infection or whether attackers managed to compromise and exfiltrate sensitive data.

With the right instruments, a security team, on-premise or managed, can see everything from the initial attack vector, , and follow the events in other directions inside the infrastructure. It’s extremely useful because it’s an excellent way to find advanced threat actors or other vulnerabilities that would otherwise remain hidden.

Mean Time To Detect (MTTD) and Mean Time To Restore (MTTR) are two metrics with a lot of power, especially when companies have to determine the losses or potential damages of an attack. Both EDR and MDR are instrumental in reducing these times and limiting the financial impact of an attack.

Also, dwell time is all about the amount of time hackers spend inside the infrastructure. When a company is breached, threat actors will usually spend a lot of time moving laterally before taking any action. An MDR solution, especially, can be very useful in detecting such events, mainly if used in conjunction with endpoint protection. 

Finally, human risk analytics, threat hunting and general security resilience tactics are usually a package deal with MDR solutions, allowing companies to secure endpoints and the entire infrastructure. 

The real question is not MDR vs. EDR. Companies should only ask which of the two – or maybe both? - is the right one for them. Their capabilities are undeniable in a fully digital world and should be present in both a company’s vocabulary as well as in their security strategy.

A breach, a DDoS attack, a successful phishing campaign or just employee negligence are no longer a matter of “if”. They are a certainty waiting to happen, and EDR and MDR are weapons in a fight that’s coming, whether companies want to or not.