EDR vs XDR vs MDR vs MXDR: The Differences Explained

We simplify these four common cyber security acronyms to show you what the key differences are between EDR, XDR, MDR and MXDR.

The cyber security market is filled with terms and acronyms, many of which fall in and out of use rapidly as the market changes and technologies advance at pace.

To add to the confusion, vendors and providers can sometimes use these terms interchangeably, apply different meanings or add marketing terms, making it even harder to understand the terminology and exactly what it refers to.

With cyber security a top priority, organisations have to regularly evaluate their security technologies and stay ahead of emerging threats. Traditional security approaches have become outdated and are no longer fit for purpose; instead, organisations are embracing a Zero Trust approach to protect themselves in a modern working world of cloud services, remote working and a growing number of devices.

As part of a more modern approach to cyber security, organisations are having to review new technologies. Alongside this, many need to plug the growing cyber skills gap and may also be looking at managed security services. Four terms are currently widely used in the market, and you have likely seen them: EDR, XDR, MDR and MXDR. We want to break down what each one means and how they differ.

EDR – Endpoint Detection & Response

EDR is an advanced, proactive security technology that monitors endpoints (e.g. servers and devices) for threats. Through cyber threat intelligence (CTI), machine learning and automation, EDR technologies can detect advanced threats that would evade traditional antivirus (AV) and endpoint protection. As Microsoft partners, we recommend Microsoft Defender for Endpoint, Microsoft’s EDR platform.

XDR - Extended Detection & Response

XDR takes EDR a step further. Rather than just focusing on endpoints, XDR gives a more holistic security view – extending threat detection from just endpoints to additional sources, such as:

  • Identities
  • Devices
  • Email
  • Cloud apps
  • Infrastructure
  • Data
  • Network

XDR technology also provides more capabilities to security analysts than they had with older solutions. For example: continuous threat hunting, threat intelligence, vulnerability management, prioritisation, and guided response.

Microsoft’s XDR platforms include Microsoft 365 Defender (endpoints, identity, cloud services, apps, data) and Microsoft Defender for Cloud (servers, on-premises/hybrid/cloud, networks).

MDR – Managed Detection & Response

MDR is very different to EDR and XDR. Rather than being a technology, it’s a service.

Normally this would be provided by a Managed Security Service Provider (MSSP) and fits under the broader term ‘Managed Security’.

Traditional MDR services use EDR technologies alongside SIEM/SOAR platforms to remotely monitor, detect, and respond to threats on endpoints like servers and devices.

However, an MDR service using EDR technology is limited in the coverage it can provide, i.e. servers and endpoints. This can leave other areas of the IT estate vulnerable, requiring additional security products or services to cover those other aspects, e.g. networking.

As discussed above, this is why XDR technologies were developed, which leads us onto MXDR.

MXDR – Managed Extended Detection & Response

MXDR is the next evolution of an MDR service. MXDR is also a ‘Managed Security’ service like MDR. The main difference is that the security provider uses XDR technologies to extend the coverage of the service across various IT environments that simply couldn’t be covered by a traditional MDR service using EDR technology.

Because of the enhanced capabilities of XDR technology and the much wider range of response actions it enables security analysts to take, MXDR services are significantly faster and more effective at providing threat protection and post-breach response than traditional MDR services.

You can read our ‘What is MXDR’ article for a more detailed explanation of what MXDR is, and you can read more about the benefits of MXDR here.

The list of cyber acronyms goes on…

These acronyms are extremely popular at the moment, but there are many more in common use across the cyber security landscape. Here are some of the other common ones you will likely see:

  • CSOC/SOC – Cyber Security Operations Centre / Security Operations Centre – A centralised function that combines people, processes, and technology to provide security services
  • SIEM – Security Information & Event Management – Software platform that centralises aggregated security data from across various resources to provide real-time event analysis
  • SOAR – Security Orchestration, Automation & Response – Security software to co-ordinate, automate and execute security tasks for quick response
  • IAM – Identity & Access Management – Policies and technologies to support strong identity security and appropriate access controls
  • MTTA – Mean Time to Acknowledge – The average time it takes for a security analyst to begin working on a triggered incident
  • MTTC – Mean Time to Close – The average time between an incident being created and closed
  • MTTD – Mean Time to Detect – The average length of time it takes to detect a threat
  • MTTR – Mean Time to Respond – The average length of time it takes to respond to a threat
  • CVSS – Common Vulnerability Scoring System – A standardised scoring system for rating the severity of a vulnerability (0-10)
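As an added illustration (not from the original article) of how the four time-based metrics in this list relate to one another, the Python below computes MTTD, MTTA, MTTR and MTTC from a handful of constructed incident records; the lifecycle stage names, the choice of incident creation as the start point for MTTA/MTTR/MTTC, and the timestamps are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    """One SOC incident; None means that lifecycle stage has not happened yet."""
    id: str
    occurred: Optional[datetime]   # when the malicious activity started (from forensics; may be unknown)
    detected: datetime             # when the alert fired and the incident was created
    acked: Optional[datetime]      # when an analyst began working on it
    responded: Optional[datetime]  # when the first containment/response action was taken
    closed: Optional[datetime]     # when the incident was resolved


def _mins(start: Optional[datetime], end: Optional[datetime]) -> Optional[float]:
    """Elapsed minutes between two stages, or None if either has not happened."""
    if start is None or end is None:
        return None
    return (end - start).total_seconds() / 60


def soc_metrics(incidents: list[Incident]) -> dict[str, Optional[float]]:
    """Return MTTD, MTTA, MTTR and MTTC in minutes, following the article's definitions.

    Each mean is taken only over incidents that have reached the relevant stage, so
    still-open incidents (or ones with an unknown start time) are excluded rather than
    silently counted as zero. A metric with no eligible incidents is reported as None.
    """
    intervals = {
        "MTTD": [_mins(i.occurred, i.detected) for i in incidents],   # activity start -> detection
        "MTTA": [_mins(i.detected, i.acked) for i in incidents],      # detection -> analyst starts work
        "MTTR": [_mins(i.detected, i.responded) for i in incidents],  # detection -> first response action
        "MTTC": [_mins(i.detected, i.closed) for i in incidents],     # incident created -> closed
    }
    result: dict[str, Optional[float]] = {}
    for name, values in intervals.items():
        known = [v for v in values if v is not None]
        result[name] = mean(known) if known else None
    return result


# Constructed sample data (assumed, not taken from any real SOC).
_T0 = datetime(2024, 1, 1, 0, 0)
def _at(minutes: int) -> datetime:
    return _T0 + timedelta(minutes=minutes)

SAMPLE_INCIDENTS = [
    Incident("INC-1", _at(0), _at(30), _at(40), _at(60), _at(120)),
    Incident("INC-2", _at(0), _at(90), _at(100), _at(150), _at(330)),
    Incident("INC-3", _at(0), _at(15), _at(35), None, None),      # still open: no MTTR/MTTC yet
    Incident("INC-4", None, _at(0), _at(10), _at(20), _at(60)),   # start unknown: no MTTD
]
```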

What’s the future for EDR, MDR, XDR and MXDR?

Recent advancements in cyber security have forced both attackers and defenders to innovate and increase their levels of sophistication as they attempt to outpace each other.

Inevitably, the time has come when traditional EDR technology, and the MDR services using it, can no longer offer many organisations sufficient protection from cyber threats.

If an organisation is serious about dramatically reducing their cyber risk, XDR technology is going to play a big part in achieving this. XDR provides a unified security solution, reduces complexity, consolidates security technologies, and significantly increases threat detection and response capabilities.

For most organisations, maintaining an in-house 24 x 7 x 365 Security Operations Centre (SOC) isn’t feasible, which is why managed security services such as MXDR have become so popular, and will continue to be so for the foreseeable future.

SIEM & XDR combined

Even greater capabilities come from combining SIEM and XDR, and this is a major focus for Microsoft, which you can read more about here.

Because of Microsoft’s security vision, technical maturity and integrated remediation capabilities (and because most organisations already use Microsoft for end-user productivity), we have built our Managed Security Services on Microsoft 365 Defender and Microsoft Sentinel.

You can read more on the reasons for this and the benefits in our Q&A with our CTO, Mark Taylor.

Contact us for Managed Security Services

If you’re considering MDR or MXDR services, or would like to find out more about using Microsoft’s XDR solutions, please get in touch with our team today.