Endpoint Protection: EDR And MDR For Small Businesses

In this article, we’re going to cover two important cybersecurity offerings: Endpoint Detection and Response (EDR) And Managed Detection and Response (MDR). Let’s start by looking at them at a very high level:

  • Endpoint Detection and Response (EDR) is software that identifies and responds to threats on endpoints. It goes far beyond what antivirus (AV) can detect and therefore provides much more robust security. However, it is also difficult to manage without a dedicated cybersecurity team that is able to analyze its results and take defensive action as needed.
  • Managed Detection and Response (MDR) combines a managed service offering with EDR software. MDR attempts to address the gap left by EDR – the team required to manage its configuration, investigate alerts, and triage incidents whenever they occur. However, the actual management and response provided is highly dependent on the vendor, as we’ll cover below.

With this brief introduction, let’s take a deeper look at EDR and MDR to learn how they work and why they are so important to small business cybersecurity.

What’s an endpoint?

In order to understand what EDR is, let’s first take a look at what an endpoint is. Endpoints are devices connected to a network, such as desktops, laptops, servers, and mobile devices. They are often distinguished from networking devices like firewalls, switches, and routers – however, confusingly, these devices can also be considered endpoints depending on the situation.

In any case, when we talk about endpoints, in the context of a small business, we are typically talking about workstations like desktops and laptops, along with servers and mobile devices. For some small businesses, endpoints also include virtual machines (VMs), cloud applications, and web applications.

What is EDR and How Does It work?

EDR aims to provide comprehensive security on endpoints by continuously monitoring, detecting, analyzing, and responding to suspicious activities.

It works by collecting and evaluating data from an endpoint to determine if there is a chance that any activity is due to malicious activity.

First, EDR gathers and analyzes a large amount of data from the endpoint, including details about running processes, services, and applications, network connections and traffic, file modifications, registry changes, and user activities. It pays particular attention to remote activity, as most attacks are remote in nature. It looks at what is happening with the operating system, including the way that applications work with the operating system.

In essence, EDR tries to track everything of significance that happens on the computer. By gathering and analyzing a comprehensive set of endpoint activities, EDR can identify patterns and anomalies that can indicate an attack.

Response capabilities are another important aspect of EDR. After detecting a potential threat, EDR takes action automatically to mitigate the risk. These actions might include isolating the affected endpoint from the network, terminating malicious processes, and blocking suspicious network connections. By automating these responses, EDR minimizes the time between detection and containment, reducing the potential damage caused by the threat.

However, it needs to be understood that unlike the alerts generated by antivirus (AV), it often isn’t clear whether or not an alert is a ‘true positive’ or ‘false positive’. A ‘true positive’ is an alert due to malicious activity, while a ‘false positive’ is an alert due to normal activity. The reason is simple – an AV analyzes a file or software to determine if it’s malicious. If it is malicious, then the AV can take action by deleting or quarantining the file. But when EDR sees something that might be malicious, it’s unclear what needs to be done. Depending on how it is configured, it might take immediate action – for example, blocking an IP address that seems to be doing something shady. But much of the time, EDR is configured to generate alerts rather than taking a lot of action, because many of the things that EDR alerts on are just standard activities – and it’s impractical to cripple an organization’s productivity by blocking all kinds of activities from occurring.

We’ll cover this in more detail in the section below on the limitations of EDR.

EDR versus AV

Unlike traditional antivirus (AV) software, EDR isn’t limited to scanning for malicious files on the hard disk. Instead, EDR goes much further, enabling it to have dramatically higher rates of detection (of malicious activities).

We’ve seen that a big part of EDR is that it tracks the activities of every service, process, and application running on the endpoint. It looks at what’s happening in memory (not just on disk) – as well as network traffic and attempts to analyze everything happening at the lowest level of the operating system.

In terms of analysis, EDR uses a combination of rules, threat intelligence and machine learning to generate alerts on potentially suspicious activities including things that are very hard to detect normally. Let’s look at a common example, that of an attacker built-in functionality to perform a ‘living off the land’ (LOTL) attack. In this type of attack, a hacker uses applications that are built in to the operating system.

For example, on Windows computers they can use many tools that will fly under the radar – check out this screenshot LOLBAS project to get an idea of what’s possible. On the left, we can see common Windows executable files that are often installed by default. These aren’t malicious applications; they are necessary for the normal operation of Windows. But they can also be abused in order to attack a Windows computer.

LOLBAS - A website used for offensive security. The binaries and scripts listed on this site can be used to defeat many types of defenses, but EDR is generally effective.

A typical computer running on a small business or home network – without the protection of EDR – will not only be defenseless against these types of attacks – the entire attack will most likely be completely undetected.

This is where EDR comes into play. By monitoring the system closely, the use of any of these applications will automatically be analyzed and flagged, generating an alert. This approach makes it significantly more capable at detection than AV.

There are many other examples that we can look at, but the theme is the same. We aren’t trying to bash antivirus. Antivirus is very good at what it does, and EDR doesn’t take its place. It supplements it. But antivirus is only capable of detecting one specific thing, which is unstealthy malware.

Another important factor is that because EDR uses continuous monitoring of the operating system, it can detect and respond to a wide variety of malicious actions in real time. Compare this with traditional AV, which will only detect known malware – which may or may not be placed on the disk at any point throughout the attack. Skilled attackers are very aware of the limitations of AV and routinely evade it.

The main point is that while AV can be evaded by attackers using a wide variety of techniques, EDR makes things much more difficult for them. To evade EDR, attackers need to be very stealthy, highly motivated, and extremely skilled.

When combined with other defenses that we’ve covered like adopting strong security-based behaviors and configurations and segmenting using a firewall, small businesses can improve their security posture and make themselves virtually unhackable, even to attackers with world-class skillsets.

The Challenges of EDR

We’ve seen that EDR is a critical tool that detects malicious activity very well.

However, there are limitations and challenges to EDR that need to be understood.

First, EDR needs to be carefully configured and actively managed. The threat landscape is constantly changing, and EDR needs to be carefully tweaked for each individual organization. Configuring and managing EDR isn’t a trivial thing; it should only be undertaken by skilled cybersecurity experts to ensure that it’s being done correctly.

Second, there is a balance between any automatic response taken by EDR and an organization’s productivity. On any given computer in normal use, many things occur all the time that may or may not be malicious from the perspective of EDR. If the EDR is configured to take dramatic action – for example, banning IP addresses, deleting users, or terminating processes – the organization would quickly be crippled. As a result, it’s much more practical to use EDR to generate alerts which then need to be triaged by an actual human being.

Third, true positive alerts need to be triaged by a skilled cybersecurity practitioner. There isn’t much point in getting the alert if you don’t have the cyber trade-craft knowledge to respond appropriately.

Large organizations know this and staff a Security Operations Center, or SOC (pronounced ‘sock’). A SOC is staffed 24/7 by skilled defensive cybersecurity operators, and part of the SOC’s responsibility includes the immediate triage of alerts generated by EDR.

Unfortunately, this approach isn’t generally feasible for small businesses. Most organizations have limited financial resources and typically lack the cybersecurity knowledge to correctly configure and utilize EDR.

This is where MDR comes into play.

What is MDR?

MDR stands for ‘Managed Detection and Response’, and it combines EDR with a management service, typically supported by a Security Operations Center (SOC).

MDR picks up where EDR stops, providing configuration and management behind the scenes as well as some form of response on behalf of the customer. For example, with MDR when an alert is generated, the service provider will perform an initial triage of the alert and try to determine whether it needs to be further escalated and examined.

MDR Doesn’t Always Mean Fully Managed

In theory, MDR sounds great; if the MDR will take care of managing the EDR and the alerts that it generates, then the problem is solved and the customer can rest easy at night, knowing that they are getting true enterprise-grade endpoint protection.

In reality, the actual response taken depends highly on the vendor.

Some will perform a full investigation and immediate response, including actions needed to actually address the threat properly.

But most MDR services provide a limited response and still expect the company to provide some level of support and response themselves. They may serve as the first ‘layer’ of response, but typically expect the end user/company to take further action, immediately.

This means that the primary contact can expect to receive phone calls in the middle of the night or whenever an alert requiring response occurs. Part of their contract with the MDR provider is that they will be available and have the resources and skills required to take any action recommended by the MDR provider. Some MDR providers are happier to ‘walk the customer’ through the necessary response, than others.

Some MDR providers view an inability or delayed response by the customer as a potential breach of contract.

At Guardian Angel IT, we try to address this by providing ‘fully managed’ MDR. This means that – except in rare cases – we will fully triage any alerts on behalf of the customer.

However, we don’t want our own customers to get the wrong idea. Behind the scenes, we work with the very best MDR provider that we have personally validated. When an issue occurs that requires immediate triage, we get the call in the middle of the night, not the business owner.

Choosing an EDR/MDR Product For Your Small Business

We highly recommend that small businesses should install EDR or MDR on every endpoint, including mobile devices and tablets that connect to the company network.

When it comes to small businesses, we believe that endpoint protection is an underused technology. There are reasons for this, but they are beyond the scope of this article.

Confusingly, sometimes businesses are marketed an XDR (extended detection and response) or other solutions billed as having ‘endpoint protection’. Different product bundles can be marketed similarly and claim to be ‘better than EDR’ but upon investigation, don’t include a dedicated EDR agent on every endpoint. Customers are commonly taken advantage of because they lack the technical understanding to discern the difference between product offerings.

When choosing an EDR/MDR product, we recommend that customers do their research and be ready to use a different vendor if they aren’t satisfied. You should also carefully read the terms of service and discuss them with the vendor. Most reputable vendors will supply a document that includes exactly what they are responsible for, and what the customer is responsible for.

We hope that this article has been educational and that you now understand the difference between antivirus (AV), endpoint detection and response (EDR), and managed detection and response (MDR).

Hopefully you’re considering using endpoint protection in your own organization. If you are, check out our Security Essentials service bundle. It combines ‘fully managed MDR’ along with a bunch of other awesome security features like patch & update management and over 10 DNS-based security tools to provide comprehensive protection for your organization’s computers.