MDR vs XDR: It Still Comes Down to Detection and Response
MDR or XDR: we keep rebranding defense, but it all still comes down to detection and response, says Erin Sweeney of ReliaQuest. In this podcast, she discusses the latest evolution, including open XDR, and how enterprises are deploying it to proactively manage risk and advise the business.
In this video interview with Information Security Media Group, Sweeney discusses:
- The challenges that prompt the constant rebranding of managed detection and response.
- What approach enterprises need to deliver a comprehensive picture of their security program.
- How ReliaQuest is helping customers tackle upcoming challenges by unifying detection and response across their existing technology investments.
There are almost countless combinations of technologies and services in the cybersecurity marketplace. Deciphering the kinds of detection and response products, the technology they use, and their compatibility can be tricky. In this article we’ll lay out the definitions, uses, and benefits of managed detection and response and extended detection and response.
What is MDR?
A co-management approach to security services
MDR stands for managed detection and response and refers to a security service that replaces or supplements your internal security operations team. It involves a co-managed approach where the service provider (using its own security technology) works in partnership with a customer to monitor for and detect threats, provide alerts with greater context than you’d see from a traditional MSSP solution, and, going a step further, help respond to threats. The extent of response varies between providers and levels of incident response, but it almost always stops short of digital forensics.
What is XDR?
An evolution of Endpoint Detection and Response technology
XDR stands for extended detection and response, which refers to a cybersecurity tool, platform or operating system that can communicate with all of the security tools, networks, endpoints, and technologies used across an organization’s entire security operation. It can also involve the managed service aspect of MDR, where a provider’s security operations team or SOC handles threat monitoring, alert triage and response on your behalf. XDR’s response capabilities should include security automation, with tasks carried out by deploying content from playbooks. All of the above are true of ReliaQuest’s GreyMatter Open XDR security operations platform.
XDR vs Open XDR
Open XDR should mean unification, not adding to the vendor sprawl
Do we really need to add something else to the technology sprawl? Doesn’t that just mean more alert fatigue for my team? Most XDR solutions can talk to many different tools and bring in their data; however, the application is usually built to work solely around one platform or a set list of tools. It can only speak to the vendor’s own products. It’s not “open”, or able to work with any vendor, in other words vendor agnostic. Could it pull in data from Splunk, QRadar or LogRhythm?
GreyMatter uses a universal translator, making it an Open XDR platform. It doesn’t have to discriminate between the tools you use: Open XDR works with any tech or tool you have. Sound “too good to be true”? It’s possible. The purpose is visibility into your security ecosystem through one tool that gathers all communication within your network and that also lets you execute actions. No switching, and no more inconsistencies, limits or barriers to tools working with each other.
How ReliaQuest’s managed solution makes security possible
Extended detection and response powered by the SOC
With a true Open XDR you have a platform that speaks to all your tools while normalizing all data collected. You’re ready to take action. Do you know how to? Do you have the time or the team? Which alerts are even worth going after? You need lots of expertise and help.
On top of GreyMatter’s abilities, the force of your security team is multiplied by all the engineering efforts that go on behind it: a partnership with our SOC to manage your security operations. Detection engineers write content for the SOC that gets deployed into GreyMatter. Skilled SOC analysts deploy that content, making sure it works within your environment. Hunts and breach and attack simulations are run by the threat hunting team. You have access to a platform that is constantly updated with improvements by architects who make sure it operates efficiently. Want to see how automation, orchestration, and attack simulation are being done? You can view the content and context of all investigations across your environment, much more so than in a traditional MSSP or MDR model.
It’s a true partnership that you don’t see from a typical service provider: you have full access, giving transparency into execution as well as visibility into your entire ecosystem, because the Open XDR architecture can communicate and correlate with any tool.
Most firms will sell a response service as “incident response”, but it isn’t the true definition. The ReliaQuest SOC investigates activity, conducts alert triage for false positives, deploys content from playbooks created from experience with hundreds of security environments, and helps you get started on an action plan to remediate.
Security automation capabilities in GreyMatter’s Open XDR architecture
Because it plugs into all your different tools, a true Open XDR solution can start to plug into automations as well. XDR incorporates SOAR concepts, network visibility concepts, and pulls in data from all these locations into a single pane of glass to correlate events across tools that you otherwise wouldn’t have.
It gives you the ability to automate actions, as you would with a SOAR. When you’re an individual security team and you don’t have MDR or an XDR, but you do have a SIEM, SOAR and EDR, you also have tons of data that isn’t presented in the same way. Open XDR receives logs from both SIEM and EDR together into the same presentation, where you can correlate events. You could ship your EDR logs to your SIEM, but if you’re working with Splunk this will blow out your license and you start spending millions of dollars. GreyMatter can collect all of it and show it within one pane of glass. It then integrates back into your SOAR, or directly into your Active Directory, to start automations that take action against malicious behavior.
Example: banning a hash
Malware has started spreading within your environment. It all shares the same hash, and we can prove it through an investigation. We ban the hash and conduct your entire investigation and remediation effort within GreyMatter. You open up Automate, enter the hash, and GreyMatter calls out to the EDR to update every endpoint to block the hash.
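The workflow above (normalize events from differently shaped tools, correlate on a file hash across hosts, then push a block action to the EDR) as an added toy illustration; this is not GreyMatter's code, and the SIEM line format, EDR JSON schema, two-host threshold and block-action payload are all constructed assumptions:

```python
"""Toy Open XDR-style playbook: normalize, correlate by hash, build block actions."""
import json
from collections import defaultdict

# Constructed sample: SIEM-style key=value lines (hypothetical format).
SIEM_LINES = [
    "2024-01-01T10:00:01Z host=ws-01 event=process_start sha256=AAA111 path=C:\\tmp\\a.exe",
    "2024-01-01T10:00:05Z host=ws-02 event=process_start sha256=AAA111 path=C:\\tmp\\b.exe",
    "2024-01-01T10:00:09Z host=ws-03 event=process_start sha256=BBB222 path=C:\\tmp\\c.exe",
]
# Constructed sample: EDR-style JSON records (hypothetical schema).
EDR_RECORDS = [
    '{"ts":"2024-01-01T10:00:07Z","device":"ws-04","action":"exec","hash":"AAA111"}',
    '{"ts":"2024-01-01T10:00:11Z","device":"ws-01","action":"exec","hash":"CCC333"}',
]

def normalize_siem(line):
    """Map one SIEM line onto the common event shape used for correlation."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    return {"ts": parts[0], "host": fields["host"], "hash": fields["sha256"], "source": "siem"}

def normalize_edr(record):
    """Map one EDR JSON record onto the same common event shape."""
    r = json.loads(record)
    return {"ts": r["ts"], "host": r["device"], "hash": r["hash"], "source": "edr"}

def correlate(events):
    """Group normalized events by hash; returns {hash: sorted list of distinct hosts}."""
    by_hash = defaultdict(set)
    for e in events:
        by_hash[e["hash"]].add(e["host"])
    return {h: sorted(hosts) for h, hosts in by_hash.items()}

def ban_candidates(by_hash, min_hosts=2):
    """A hash seen on min_hosts or more distinct hosts is spreading: candidate for the ban-hash playbook."""
    return [h for h, hosts in by_hash.items() if len(hosts) >= min_hosts]

def build_block_actions(hashes):
    """Payloads that would be sent to the EDR (assumed shape; nothing is sent here)."""
    return [{"action": "block_hash", "sha256": h, "scope": "all_endpoints"} for h in hashes]

def run_playbook():
    """End-to-end: SIEM + EDR events -> correlation -> block actions for spreading hashes."""
    events = [normalize_siem(l) for l in SIEM_LINES] + [normalize_edr(r) for r in EDR_RECORDS]
    return build_block_actions(ban_candidates(correlate(events)))

if __name__ == "__main__":
    print(json.dumps(run_playbook(), indent=2))
```

Only AAA111 is seen on several hosts across both sources, so it is the single hash that reaches the block step; BBB222 and CCC333 each appear on one host and are left for analyst triage.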
ReliaQuest’s GreyMatter – An Open XDR, SaaS Approach to Security
ReliaQuest offers the innovation, speed, and ease of SaaS. GreyMatter is a true Open XDR security operations platform that provides security at the level it should be to address today’s cybersecurity challenges of vendor sprawl and the skills gap. It unifies your entire existing security stack, getting the most out of your current investments and, because of its vendor agnostic integration, giving you the capability to grow in whichever direction you need to go in the future.
Sweeney leads product marketing for ReliaQuest after an 11-year tenure at Splunk, where she held a variety of roles across solution, industry, field, and customer success. While there, her efforts helped drive the growth of the company from a start-up with $8 million in annual revenue to a $2 billion publicly traded cybersecurity industry leader. Prior to Splunk, Sweeney held marketing roles at Vocus (now Cision) and EFI.