Vendor-agnostic, services-driven MDR needed to cut noise, improve security posture

Andre den Hond, Senior Systems Engineer, Arctic Wolf South Africa.

---

Efforts to combat growing cyber security risk have increased complexity and alert fatigue for many organisations, which is now driving moves from EDR to XDR to MDR. However, unless the MDR is vendor-agnostic and services-driven, it may still not have the desired effectiveness.

This is according to Andre den Hond, Senior Systems Engineer at Arctic Wolf South Africa, who says vendors in the market are moving to offer XDR and MDR in line with changing market needs. However, unless they use vendor- and product-agnostic XDR and MDR, the new solutions may not perform optimally, and previous cyber security investments may be wasted.

Den Hond explains that there are significant differences between EDR, XDR and MDR.

“Endpoint detection and response (EDR) is very much a product centric approach, focused on the endpoint itself,” he says. “EDR solutions could be likened to next-generation anti-virus tools. They protect and monitor endpoints such as desktops, laptops and servers, record activity and forward the information to a centralised server or cloud resource, where the data is analysed. Once the EDR tool has detected a security incident, it carries out some form of remediation. The challenge with depending on EDR alone is that you aren’t covering the entire attack surface.”

He notes that the initial indicator of attack comes from endpoints only around 15% of the time.

“This is driving consolidation across vendors and tools to enable customers to look across the entire environment. Extended detection and response (XDR) is a product or tool that allows the vendor to ingest data from multiple sources, such as the network and firewall, not just the endpoint. XDR gives broader visibility, but it is also a tool-centric play,” he says.

“Human expertise is crucial for improving the security posture, which is leading to broader adoption of managed detection and response (MDR),” Den Hond says. “MDR uses EDR and XDR to aggregate logs across the entire attack surface, perform continuous monitoring and threat hunting across all sources, and trigger incident response in the event that malicious activity is confirmed.”

Gartner expects that by 2025, 50% of organisations will be using MDR services for threat monitoring, detection and response functions that offer threat containment and mitigation capabilities.”

MDR addresses key challenges cyber security teams face today, including complexity and alert fatigue, den Hond says.

“Every time a new threat emerges, organisations rush out and buy the next, greatest security tool. The problem with this is that you end up with security tool sprawl and too much complexity in the environment. All these tools need to be managed and supported, with constant analysis of alerts. Most organisations don’t have resources and expertise to constantly work on tools and investigate these alerts,” he says.

Outlining the sheer volume of alerts, den Hond says around 41% of customers experience over 10,000 alerts a day. “Most of these are just noise, and because organisations don’t have sufficient expertise in house to investigate them, most of the time the alerts get ignored,” he says. “They have all these brilliant tools, but cyber breaches still happen because there are too many tools, too many alerts and not enough resources to analyse and investigate alerts.”

The Arctic Wolf security operations XDR platform in AWS supports around 4000 customers, and ingests close to three trillion events a week. “Of these three trillion events, we ticket on average between one or two tickets per day per customer,” den Hond says.

“Services centric MDR carries out correlation and investigation to ensure an alert is a true positive, then engages with the customer to perform containment of the malicious activity, support remediation, and then improve security posture in the area of vulnerability,” he explains.

Den Hond notes that EDR and XDR vendors are responding to market needs by moving into the MDR space. However, the service element is typically very focused on the vendor’s product set and may even aim to drive further sales for the vendor. MDR should be vendor agnostic to support all vendor solutions optimally, and give the organisation flexibility and choice in the tools they use,” he says. “Effective MDR should be service driven, and focus on improving the customers’ security posture using and enhancing their existing security stack.”