The Differences Between MDR, MSSPs, and Managed EDR
The information security world uses a lot of acronyms. Even if you know what each one stands for, you still need to understand the differences between them. In this article, we explain the difference between MDR (managed detection and response), an MSSP (managed security services provider), and Managed EDR (managed endpoint detection and response).
As the world's leading technology research company, Gartner coins many of these terms. While vendors may understand their own space better than research analysts do, Gartner’s definitions provide a foundational understanding. Gartner defines MDRs as providers of services for organizations that want to improve their threat detection, incident response, and monitoring capabilities.
Their definition of an MSSP is much more robust. Gartner defines MSSPs as providers of the remote monitoring of IT infrastructure, security events, or the management of IT security technology. Those familiar with these subjects may notice that there is a lot of overlap between the two. At first glance, they may seem very similar, but there are important differences.
Once we understand the differences between MSSPs and MDR providers, then we can go on to tackle the difference both have from Managed EDR service providers.
Cynics may say that an MDR is just an MSSP that knows how to properly detect and respond to threats. They may also assert that over the next few years, MDR will simply become another MSSP service specifically focusing on advanced threat detection and remote incident response.
Managed Security Services Provider
MSSPs tend to act like regular MSPs (managed service providers) with a security focus, and they typically manage an organization’s basic security functions. An MSSP monitors for known threats 24x7x365 and handles security management, basic monitoring, and security infrastructure such as firewalls and web gateways. They typically provide support to their customers via email and live chat. MSSPs are a good choice for organizations that want to outsource their security functions but are not facing an extremely challenging threat landscape, such as nation-state actors with advanced hacking capabilities. If you choose a more advanced MSSP like Digital Hands, most MDR and EDR capabilities will already be integrated into the service offering.
Managed Detection and Response (MDR)
You can think of MDR service providers as threat detection and response specialists. They are usually better at threat detection and response than an MSSP, providing more advanced threat detection on endpoints as well as cloud infrastructure, server infrastructure, and firewall traffic. MDR service providers like to use artificial intelligence and machine learning to provide a much deeper level of security analysis than an MSSP would.
MDR teams typically consist of highly skilled cybersecurity professionals who leverage advanced technologies and a wide range of tools to provide in-depth threat monitoring, threat analysis, and incident response capabilities. They are a good choice for organizations with lots of IP and data assets to protect and are usually leveraged as a force-multiplier for their own in-house cybersecurity teams.
They also offer a much more personal level of support, over the phone or in person. MDRs do not specialize in attaining regulatory compliance but will provide compliance reporting if asked.
Now that we have a decent handle on the key differences between MSSP and MDR, let’s look at EDR. At this point, it's well worth seeing what Gartner has to say on the subject because Gartner coined the term.
Endpoint Detection and Response (EDR)
Gartner used to define EDR as Endpoint Threat Detection & Response (ETDR) but then shortened it to EDR (endpoint detection and response). This is likely because "threat" is so obvious that it’s not worth stating.
EDR almost explains exactly what it does in its own name, but it’s important to properly understand it. Cynics would tell you that managed EDR is very similar to MDR, with the difference being that EDR providers ignore threat detection on anything that isn’t an endpoint. This is not far from the truth.
EDR specifically focuses on advanced threat detection and incident response on the endpoint. EDR tools typically work by installing an agent on the endpoint, which monitors and records endpoint and network events and sends that data back to a central repository. That repository is where all threat detection, investigation, analysis, and reporting happens. EDR tools detect and respond to both external attacks and internal threats. However, not all EDR tools work the same way.
What EDR tools have in common is that they continuously monitor endpoints, detect advanced threats, and support further analysis of those threats. Because most breaches begin on an endpoint, and attackers use breached endpoints as a beachhead for lateral movement, EDR is an important capability.
An important aspect of EDR is the "response" part of the acronym. If you can respond to an endpoint infiltration in a timely fashion, you can probably stop that infiltration from becoming a full-blown data breach.
The endpoint agents mentioned earlier are good at recording endpoint events, behaviors, queries, and logs. These records are invaluable for security teams that want to detect and investigate potentially malicious activity. They allow teams to go beyond mere indicators of compromise and get granular visibility into what is happening across the endpoint estate.
Once an infiltration is detected, it is important to know how it started and how it spread. EDR tools are very good at helping teams establish this and respond to threats much faster than they ordinarily would.
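To make the pipeline described above concrete, here is an added toy model of it in Python. It is illustration written for this article, not Digital Hands code and not any vendor's EDR. The "agent" records are process-creation and network events, the "central repository" is an in-memory index keyed by host and process id, detection runs one behavioural rule over the process tree, and investigation walks the lineage up to answer "how did it start?" and down to answer "how did it spread?". All events, host names, process ids and addresses are constructed sample data (the destination IP is from a documentation-only range), and the rule names and thresholds are this example's own assumptions.

```python
"""Toy EDR pipeline: agent events -> central index -> detection -> investigation.

Added example for illustration only; not any vendor's product code.
All telemetry below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # what an endpoint agent records on process creation
    ts: int
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:           # what an endpoint agent records on an outbound connection
    ts: int
    host: str
    pid: int
    dest: str
    port: int


# Rule vocabulary (assumed for this example): document editors that should not
# normally launch script hosts, and the script hosts we watch for.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed telemetry from one workstation ("ws-17"): a normal browser session
# and a document that spawns a script host which then talks to the network.
PROC_EVENTS = [
    ProcEvent(100, "ws-17", 400, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(105, "ws-17", 450, 400, "chrome.exe",     "chrome.exe"),
    ProcEvent(110, "ws-17", 520, 400, "winword.exe",    "winword.exe invoice.docm"),
    ProcEvent(120, "ws-17", 610, 520, "powershell.exe", "powershell.exe -w hidden"),
    ProcEvent(130, "ws-17", 700, 610, "cmd.exe",        "cmd.exe /c whoami"),
]
NET_EVENTS = [
    NetEvent(106, "ws-17", 450, "203.0.113.5", 443),   # browser traffic, benign
    NetEvent(125, "ws-17", 610, "198.51.100.7", 443),  # script host calling out
]


def build_process_tree(events):
    """Index agent records the way a central repository would: by (host, pid),
    plus a parent -> children map so investigations can walk both directions."""
    procs = {(e.host, e.pid): e for e in events}
    children = defaultdict(list)
    for e in events:
        children[(e.host, e.ppid)].append((e.host, e.pid))
    return procs, children


def lineage(procs, host, pid):
    """Walk from a process up to its root ancestor ('how did this start?')."""
    chain, key = [], (host, pid)
    while key in procs:
        e = procs[key]
        chain.append(e)
        key = (host, e.ppid)
    return list(reversed(chain))


def descendants(children, host, pid):
    """Every process spawned below a given one ('how did it spread?')."""
    out, stack = [], list(children.get((host, pid), []))
    while stack:
        key = stack.pop()
        out.append(key[1])
        stack.extend(children.get(key, []))
    return sorted(out)


def detect(proc_events, net_events):
    """Rule: a script host descended from an Office application that also opened
    an outbound connection. Returns one alert per offending process, with the
    investigation context (origin process and everything it spread to) attached."""
    procs, children = build_process_tree(proc_events)
    net_by_proc = defaultdict(list)
    for n in net_events:
        net_by_proc[(n.host, n.pid)].append(n)

    alerts = []
    for key, e in procs.items():
        if e.image not in SCRIPT_HOSTS or key not in net_by_proc:
            continue
        chain = lineage(procs, e.host, e.pid)
        origin = next((a for a in chain[:-1] if a.image in OFFICE_APPS), None)
        if origin is None:
            continue
        alerts.append({
            "rule": "office_spawned_script_host_with_network",
            "host": e.host,
            "pid": e.pid,
            "lineage": [a.image for a in chain],
            "destinations": [(n.dest, n.port) for n in net_by_proc[key]],
            "origin_pid": origin.pid,
            "origin_cmdline": origin.cmdline,
            "spread": descendants(children, origin.host, origin.pid),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(PROC_EVENTS, NET_EVENTS):
        print(alert)
```

The browser process also makes an outbound connection but is never flagged, because the rule keys on process ancestry rather than on network activity alone; that is the difference between an endpoint-behaviour detection and a plain indicator match. A real EDR indexes millions of such records per day and ships many rules, but the shape of the work is the same: record, centralise, detect, then walk the tree in both directions.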
In summary, use an MSSP team to manage your basic security functions, help you keep up with security compliance regulations, and manage your security infrastructure.
Use an EDR team to properly figure out what is happening on your endpoints, proactively hunt for threats on your endpoints, and gather indicators of compromise from across your endpoint estate.
An MDR team can provide a more holistic approach than EDR teams alone can offer and extend your threat detection, visibility, and incident response capabilities out from your endpoints to the rest of your infrastructure, like your servers, cloud, mobile devices, and your IoT network of devices.
It is common in large enterprises to see MSSP, EDR, and MDR teams working together towards the common goal of keeping the bad guys out, knowing when they get in, and responding to incidents when they occur. Here at Digital Hands, we tie all of these services into one coordinated solution offered as a service to our customers, so that you don’t have to hire separate teams specializing in MDR and EDR. We have a lot of experience in threat detection and response, and our threat team can deliver the same quality of service that any MDR or EDR provider can.
Contact Digital Hands
Digital Hands employs a deeply experienced team of cybersecurity professionals who can answer questions about the differences between MDR, EDR, and MSSPs. Our experienced information security professionals are always happy to explain the complexity of cybersecurity in an easy-to-understand way. If you or your partners need a competent security services provider to ensure that you are making the right moves with cybersecurity, call Digital Hands at (855) 511-5114 today.