I Need an MDR Service. What Should I Know?

Not all EDRs (endpoint detection and response tools) are created equal, and the same goes for the managed services that third parties build on top of them (the MDRs)!

This article is a short summary of things to look for when choosing an MDR vendor.

It focuses on Microsoft Defender for Endpoint, but most of the suggestions carry over to any EDR.

Most vendors present an MDR service that focuses on the EDR alone, but it may also involve XDR (extended detection and response) signals such as email, CASB (cloud access security broker), NIDS (network intrusion detection), firewall, TI (threat intelligence), EASM (external attack surface management), VA (vulnerability assessment) and CSPM (cloud security posture management). Those are out of scope for this article.

EDR Licenses

Expect to need the Defender for Endpoint Plan 2 license, or a Microsoft 365 E5 / E5 Security license that includes it. Most third-party MDR vendors will insist on it, because Plan 1 covers next-generation antivirus and attack surface reduction only; the EDR capability itself, advanced hunting, automated investigation and response, and the alert, incident and device data that an MDR pulls through the API (and the response actions it pushes back through it, such as isolating a device) all come with Plan 2.

Distinct Characteristics of the EDR

Each EDR vendor will have one or more features that they say make their EDR better. For example, Microsoft Defender for Endpoint has AIR (automated investigation and response): many alerts are investigated automatically and closed without an analyst touching them if Defender has already blocked or remediated the activity. The automation level (no automated response, require approval, or full remediation) is set per device group, so ask the MDR vendor which level they expect and who approves pending actions.

Microsoft has also announced Security Copilot, which adds GPT-4-based assistance for incident response and hunting. A good MDR service should be able to advise you on how to build effective queries and prompts to take advantage of that feature as it becomes available.

Distinctions between MDRs

Like the EDR software itself, MDR vendors differ in what they offer to support your security needs.

Some things to look for:

  • Ask whether the vendor will work with you to tune your EDR configuration, based on both their best practices and your specific needs (for example, managing only a subset of your sensors).
  • Which of your EDR's capabilities will the vendor actually use? For example, the Defender advanced features let you share EDR data with Defender for Cloud Apps (formerly MCAS), the Microsoft Purview compliance portal, Intune and Defender for Office 365.
  • Make sure key features are enabled: EDR in block mode (which matters most where Defender runs in passive mode behind a third-party antivirus), attack surface reduction (ASR) rules, tamper protection, the Office 365 threat intelligence connection, and device discovery.
  • Perform a quarterly review of all of your features in security.microsoft.com to ensure you are getting the most from your EDR/XDR. A good MDR vendor will do this with you for a nominal fee.
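As an added example (not from the article, and not a vendor's tooling), the following PowerShell script records the local Defender posture that the checklist above asks about and stages two ASR rules in audit mode before they are switched to block. It runs elevated on an onboarded Windows device and uses the Defender module that ships with Windows. The two rule GUIDs are Microsoft's published ASR rule IDs; the function names, the choice of rules and the registry check are this example's own.

```powershell
# Added example, not from the article. Run as administrator on an onboarded Windows device.
# Uses the built-in Defender module (Get-MpComputerStatus, Get-MpPreference, Add-MpPreference).

# Two of Microsoft's published ASR rule GUIDs; picking these two is this example's own choice.
$AsrRules = @{
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}
# ASR action codes as returned by Get-MpPreference.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-MdePosture {
    # Summarise the settings an MDR vendor will ask about before onboarding you.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $onboarding = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                                   -Name OnboardingState -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OnboardedToMde     = ($onboarding.OnboardingState -eq 1)
        TamperProtected    = $status.IsTamperProtected
        RunningMode        = $status.AMRunningMode        # 'Normal', 'Passive' or 'EDR Block Mode'
        RealTimeProtection = $status.RealTimeProtectionEnabled
        CloudBlockLevel    = $pref.CloudBlockLevel
        ConfiguredAsrRules = @($pref.AttackSurfaceReductionRules_Ids).Count
    }
}

function Get-AsrRuleState {
    # Get-MpPreference returns two parallel arrays: rule IDs and their action codes, matched by index.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $AsrRules.Keys) {
        $i    = [array]::IndexOf($ids, $guid)
        $mode = if ($i -ge 0) { $AsrActionNames[[int]$acts[$i]] } else { 'NotConfigured' }
        [pscustomobject]@{ Rule = $AsrRules[$guid]; Guid = $guid; Mode = $mode }
    }
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string]$Guid,
        [ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Mode = 'AuditMode'
    )
    # Add-MpPreference updates one rule without replacing the whole list, which
    # Set-MpPreference -AttackSurfaceReductionRules_Ids would do.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Guid -AttackSurfaceReductionRules_Actions $Mode
}

# Usage: record the posture, stage the rules in audit mode, review the audit telemetry, then block.
Get-MdePosture    | Format-List
Get-AsrRuleState  | Format-Table -AutoSize
foreach ($guid in $AsrRules.Keys) { Set-AsrRuleMode -Guid $guid -Mode AuditMode }
# Once the audit events look clean (advanced hunting: DeviceEvents | where ActionType startswith "Asr"):
# foreach ($guid in $AsrRules.Keys) { Set-AsrRuleMode -Guid $guid -Mode Enabled }
```

Two caveats: on devices managed by Intune or Group Policy, the policy wins and local Add-MpPreference changes are reverted at the next sync, so run the same audit-then-block sequence through the management channel instead; and EDR in block mode and tamper protection are tenant-level switches in the portal, so the script can only report their state, not change it.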

More suggestions

  • Create attack simulations to test your EDR under conditions relevant to your environment and industry, map them to MITRE ATT&CK techniques, and confirm each one produces the alert you expect. Microsoft publishes a simple detection test for onboarded devices, and open-source suites such as Atomic Red Team cover individual techniques.
  • Use deception techniques to supercharge your EDR: create fake user accounts that nothing legitimate ever uses and ‘desktop litter’ files (for example, a fake password list) that act like landmines. Any logon attempt or file access is a high-fidelity signal of unauthorized activity.
  • (Microsoft Defender only) Consider purchasing the Microsoft Defender Vulnerability Management add-on (under Vulnerability management in the portal). It adds features such as blocking vulnerable applications, security baseline assessment and browser extension assessment.
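The deception idea above, together with the API access that the license section says an MDR relies on, as an added example (not from the article, and not a vendor's product): plant a honey account and a litter file with an audit SACL on one host, then run an advanced hunting query through the Microsoft Graph security API to see who has touched them. The account name, file path and file contents are this example's own choices; the hunting call assumes Defender for Endpoint Plan 2 and the Microsoft.Graph.Authentication module with the ThreatHunting.Read.All permission granted.

```powershell
# Added example, not from the article. Run as administrator on the host you want to seed.
# Assumes Defender for Endpoint Plan 2 and 'Install-Module Microsoft.Graph.Authentication'.

$HoneyAccount = 'svc_backup_admin'                          # assumed name: looks valuable, never used legitimately
$LitterFile   = 'C:\Users\Public\Documents\passwords.xlsx'  # assumed path: the "desktop litter" an intruder will open

function New-HoneyAccount {
    param([string]$Name = $HoneyAccount)
    # Strong random password that nobody keeps: the account exists only to be attacked.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $secret -Description 'Backup service account' `
                      -PasswordNeverExpires -AccountNeverExpires | Out-Null
    }
    # Use New-ADUser instead to plant a domain honey account that AD enumeration will surface.
}

function New-LitterFile {
    param([string]$Path = $LitterFile)
    # Plausible but worthless content (constructed for this example).
    Set-Content -Path $Path -Value "system,admin,Summer2019!`nvpn,jsmith,Welcome1" -Encoding ASCII
    # Audit successful reads by anyone so that event 4663 is logged on access. Requires
    # object-access auditing: auditpol /set /subcategory:"File System" /success:enable
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
                'Everyone', 'ReadData, ReadAttributes', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-HoneyQuery {
    # KQL for advanced hunting. DeviceFileEvents does not record plain reads, so the SACL above is
    # what catches a read (via the Security log); file changes and honey-account logons surface here.
    param([string]$Account = $HoneyAccount, [string]$FileName = (Split-Path $LitterFile -Leaf))
@"
union
  (DeviceLogonEvents
   | where AccountName =~ "$Account"
   | project Timestamp, DeviceName, Trap = "HoneyAccount",
             Detail = strcat(ActionType, " logon type ", LogonType, " from ", RemoteIP)),
  (DeviceFileEvents
   | where FileName =~ "$FileName"
   | project Timestamp, DeviceName, Trap = "LitterFile",
             Detail = strcat(ActionType, " by ", InitiatingProcessAccountName, " via ", InitiatingProcessFileName))
| order by Timestamp desc
"@
}

function Invoke-HoneyHunt {
    # Run the query through the Graph security API, the same interface an MDR vendor automates against.
    Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome
    $body = @{ Query = (Get-HoneyQuery) } | ConvertTo-Json
    $resp = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' -Body $body `
                -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery'
    $resp.results
}

# Usage:
New-HoneyAccount
New-LitterFile
Invoke-HoneyHunt | Format-Table -AutoSize
```

Hand the query (or a custom detection rule built from it) to the MDR so the trap fires in their queue, not just yours, and make sure the 4663 read events reach a SIEM such as Sentinel, because Defender for Endpoint alone will not see a read of the litter file.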

Final Words

Don’t put too much weight on which EDR tops the evaluation scores (MITRE Engenuity ATT&CK Evaluations, AV comparison tests and the like). Spend some time really understanding the EDR’s features and the effort needed to deploy and manage your EDR/MDR.