A common question submitted by blog readers is summed up by this recent request:
“I’m seeing all kinds of information on endpoint protection; with EDR, XDR, MDR, Anti-Virus, Anti-Malware, and a ton of other terms getting thrown around. What are these things, and aren’t they all the same?”
Well, they’re not all the same, but they are all about endpoint defenses, so let’s dive in!
Endpoint defense is the practice of securing any device that sits at the endpoint (hence the name) of a data flow. For most users, the endpoint is a desktop, laptop, tablet, or mobile device. For system administrators and platform managers, the endpoint might also be a server, smart device, or other compute platform. While this definition is a bit fuzzy, some things are definitely not endpoints, such as networking systems and hardware, so it often helps to define an endpoint by ruling out what it isn’t.
Defending endpoints can be a complex task, which is why many different solutions to the problem have been created and have evolved over the years. This, of course, can lead to many different products appearing to do the same thing when, in fact, they work quite differently from one another or even combine methods into a new form of protection.
Anti-Virus (AV) and Anti-Malware (AM)
The most common endpoint defenses are Anti-Virus (AV) and Anti-Malware (AM) solution sets. From Windows Defender – which comes out-of-the-box on every new Windows desktop, laptop, or server – to a wide range of third-party products, these tools are designed to recognize malware and prevent it from successfully running on your endpoint.
Anti-Virus is the term for the older generation of endpoint defense software solutions. These tools primarily stop malware by recognizing malware files when they are written to disk and then blocking the ability of those files to be executed. Vendors use many different techniques to accomplish this, from identifying known malware files to identifying specific code elements that may indicate that a new file is a variant of a known malware sample. The overall operation of these tools involves scanning any new files that are placed onto the endpoint, either immediately when they are downloaded/copied, before they can be run, or both. Because of this, these solutions are typically referred to by the terms “On-Access” or “On-Write” scanning.
Anti-Malware can also include this on-write/on-access AV-type scanning but is generally used to denote an endpoint defense tool that examines the behavior of a running application to determine whether it is attempting to do anything malicious. Terms such as “Machine Learning/AI-enhanced execution examination” and “Behavior-based malware detection” are common and indicate that the verdict is based not only on the file itself but also on the actions that file takes if and when it attempts to run.
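To make the AV/AM distinction concrete, here is an added illustration (not code from the original post or from any vendor product): a toy on-write scanner that matches a file hash and a byte-pattern signature before execution, beside a toy behavior monitor that watches what a running process does. All samples, hashes, signature names, event records and thresholds are constructed for the demo; nothing here is a real indicator or a real detection rule.

```python
"""Toy on-write (AV-style) scanner beside a toy behavior (AM-style) monitor.

Everything below is constructed for illustration: the "malware" bytes are
harmless strings, the signature names are made up, and the thresholds are
assumed tuning values.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# --- Constructed file samples (illustrative bytes, not real malware) ---
KNOWN_SAMPLE = b"MZ\x90\x00DEMO_MARKER_A: drop and encrypt documents"
VARIANT_SAMPLE = b"MZ\x90\x00DEMO_MARKER_A: drop and encrypt docs (v2)"  # shares code with KNOWN_SAMPLE
NOVEL_SAMPLE = b"MZ\x90\x00rewritten loader sharing no code with the above"
BENIGN_SAMPLE = b"MZ\x90\x00hello world text editor"

# Hash "definitions" recognize only exact, previously seen files.
KNOWN_HASHES: Dict[str, str] = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Ransom.A",
}
# Byte-pattern signatures recognize a code fragment shared by a family's variants.
SIGNATURES: Dict[re.Pattern, str] = {
    re.compile(rb"DEMO_MARKER_A"): "Demo.Ransom.A.gen",
}


def scan_on_write(data: bytes) -> Optional[str]:
    """AV step: return a detection name if the file should be blocked before it runs.

    Exact-hash matching fires only on a known file; the pattern catches a
    variant that still carries the shared fragment; a fully rewritten sample
    passes both checks, which is the gap the behavior monitor is meant to cover.
    """
    name = KNOWN_HASHES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, sig_name in SIGNATURES.items():
        if pattern.search(data):
            return sig_name
    return None


# --- Behavior monitor: judges a process by its actions, not its bytes ---
# Event record: (timestamp_seconds, pid, action, target_path)
Event = Tuple[float, int, str, str]
RENAME_THRESHOLD = 5   # assumed tuning value: renames per window that look like mass encryption
WINDOW_SECONDS = 10    # assumed tuning value


def detect_behavior(events: List[Event]) -> Dict[int, str]:
    """AM step: flag any pid that renames many files to a new extension within a short window."""
    renames: Dict[int, List[float]] = defaultdict(list)
    for ts, pid, action, target in events:
        if action == "rename" and target.endswith(".locked"):
            renames[pid].append(ts)

    flagged: Dict[int, str] = {}
    for pid, stamps in renames.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            # count renames in the sliding window that opens at this event
            in_window = sum(1 for t in stamps[i:] if t - start <= WINDOW_SECONDS)
            if in_window >= RENAME_THRESHOLD:
                flagged[pid] = "Behavior: mass file rename to .locked (ransomware-like)"
                break
    return flagged


# Constructed process trace: pid 4242 is the novel sample renaming user files;
# pid 1000 is a user renaming a single file, which must not be flagged.
SAMPLE_EVENTS: List[Event] = [
    (0.0, 4242, "open", "/home/u/docs/a.docx"),
    (0.5, 4242, "rename", "/home/u/docs/a.docx.locked"),
    (1.0, 4242, "rename", "/home/u/docs/b.xlsx.locked"),
    (1.5, 4242, "rename", "/home/u/docs/c.pdf.locked"),
    (2.0, 4242, "rename", "/home/u/docs/d.pptx.locked"),
    (2.5, 4242, "rename", "/home/u/docs/e.txt.locked"),
    (3.0, 4242, "rename", "/home/u/docs/f.jpg.locked"),
    (4.0, 1000, "rename", "/home/u/docs/notes.locked"),
]

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("novel", NOVEL_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(f"on-write scan of {label:7s}: {scan_on_write(sample)}")
    print("behavior monitor flagged:", detect_behavior(SAMPLE_EVENTS))
```

The novel sample is the interesting case: it passes the on-write scan untouched (no hash, no shared fragment), and only the behavior rule catches it once it starts renaming files. The flip side is also visible in the code: the behavior threshold is a guess, and a legitimate backup or archiving tool that renames many files quickly would trip it, which is the false-positive trade-off the post mentions for AM-style tools.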
So, what about the acronyms? EDR, XDR, MDR?
Endpoint Detection and Response (EDR) is typically an AM solution that will not only identify known malware but also attempt to stop running code that tries to take actions with malicious impact. Sometimes used interchangeably with AM, an EDR solution will usually also have ways to further defend the systems in an environment, such as the ability to isolate an endpoint from the network if certain malicious behaviors are detected. This extension in functionality evolves Anti-Malware into a new form of protection, leading to the more descriptive name of EDR.
eXtended Detection and Response (XDR) takes things a step further and correlates information from multiple endpoints, networking devices, and other data points to attempt to detect spreading infections, threat actors attempting to take over additional devices, and other actions which can indicate the presence of a threat even when no malware files or processes have been detected on any single endpoint. Because this involves monitoring multiple devices and network-level activity, XDR is generally found in corporate environments where control over the end-user devices and other networked systems can be maintained.
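The cross-device correlation that separates XDR from per-endpoint EDR is easier to see with data in front of you. The following is an added example, not part of the original post and not any vendor's logic: a constructed telemetry batch from several workstations and one network sensor, a per-host view showing that each endpoint alone sees only a routine logon plus a new scheduled task, and a correlation rule that notices the same account pivoting from one source host onto several targets in a short window. Host names, account names, event types, the 300-second window and the three-target threshold are all assumptions for the demo.

```python
"""Toy XDR correlation: signals that look routine on any single host become an
alert when joined across hosts and a network sensor.

All telemetry below is constructed for illustration; the window and the
minimum target count are assumed tuning values, not recommendations.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed telemetry. Each endpoint agent reports its own events; the
# "NET-SENSOR" records come from a network device rather than an endpoint.
EVENTS: List[Dict] = [
    {"ts": 0,   "host": "WS-01", "type": "logon",    "from": "WS-07", "user": "svc_backup"},
    {"ts": 20,  "host": "WS-01", "type": "new_task", "user": "svc_backup"},
    {"ts": 60,  "host": "WS-02", "type": "logon",    "from": "WS-07", "user": "svc_backup"},
    {"ts": 75,  "host": "WS-02", "type": "new_task", "user": "svc_backup"},
    {"ts": 130, "host": "WS-03", "type": "logon",    "from": "WS-07", "user": "svc_backup"},
    {"ts": 140, "host": "WS-03", "type": "new_task", "user": "svc_backup"},
    {"ts": 145, "host": "NET-SENSOR", "type": "smb_session", "src": "WS-07", "dst": "WS-04"},
    # An ordinary admin doing one remote job; must not produce an alert.
    {"ts": 300, "host": "WS-05", "type": "logon",    "from": "WS-09", "user": "jdoe"},
    {"ts": 310, "host": "WS-05", "type": "new_task", "user": "jdoe"},
]

WINDOW = 300          # assumed: seconds over which pivots from one source are grouped
FOLLOW_UP = 60        # assumed: seconds after a logon in which a new task counts as "followed by persistence"
MIN_TARGETS = 3       # assumed: distinct target hosts needed before correlation alerts


def per_host_view(events: List[Dict]) -> Dict[str, List[str]]:
    """What each endpoint agent sees in isolation: just its own event types."""
    by_host: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["type"])
    return dict(by_host)


def correlate_lateral_movement(events: List[Dict]) -> List[Dict]:
    """Alert when one (source host, account) logs on to MIN_TARGETS distinct hosts
    within WINDOW and each logon is followed by a new scheduled task on that host.
    Network-sensor sessions from the same source in the window are attached as
    extra context, since XDR also ingests non-endpoint data.
    """
    tasks: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        if e["type"] == "new_task":
            tasks[e["host"]].append(e["ts"])

    # (source host, account) -> [(logon ts, target host)] for logons followed by a task
    pivots: Dict[tuple, List[tuple]] = defaultdict(list)
    for e in events:
        if e["type"] == "logon":
            followed = any(0 <= t - e["ts"] <= FOLLOW_UP for t in tasks[e["host"]])
            if followed:
                pivots[(e["from"], e["user"])].append((e["ts"], e["host"]))

    alerts: List[Dict] = []
    for (src, user), hits in pivots.items():
        hits.sort()
        for start_ts, _ in hits:
            targets = sorted({h for t, h in hits if 0 <= t - start_ts <= WINDOW})
            if len(targets) >= MIN_TARGETS:
                contacted = sorted({
                    e["dst"] for e in events
                    if e["type"] == "smb_session" and e.get("src") == src
                    and 0 <= e["ts"] - start_ts <= WINDOW
                })
                alerts.append({"source": src, "user": user,
                               "targets": targets, "also_contacted": contacted})
                break   # one alert per pivoting (source, account) pair
    return alerts


if __name__ == "__main__":
    for host, seen in per_host_view(EVENTS).items():
        print(f"{host:11s} sees {seen}")
    for a in correlate_lateral_movement(EVENTS):
        print("correlated alert:", a)
```

Per host, WS-01, WS-02 and WS-03 each see one remote logon and one new task, which is what routine administration looks like, so a purely endpoint-local rule has little to act on. Joined across hosts, the same account from WS-07 touching three machines in two minutes and leaving a task behind on each is the "spreading" pattern the post describes, and the sensor's SMB session to WS-04 tells the responder which host to check next. The jdoe activity stays below the threshold and produces nothing.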
Managed Detection and Response (MDR) is another evolutionary step along the path to endpoint security. MDR is a service (as opposed to a product you can download and install) that combines EDR or XDR solution sets with services personnel who can deploy these tools, configure them effectively, and evaluate what is going on – either to take action or to advise those who will be taking action. MDR may be based on a commercially available EDR/XDR solution or may be proprietary to the MDR company providing the services.
In the end, all these tools have one goal – to identify and stop malware from running on endpoints and within networks under the control of the organization or user. Individually, they have strengths and weaknesses – for example, AV solutions can easily miss newer malware while AM solutions can have high rates of false positives. Combining tools into solution sets like MDR (for hosted services) or XDR (in organizations that already have cybersecurity teams) can allow an organization to overcome the limitations of any one form of endpoint defense and strengthen cybersecurity within that org dramatically.
Of course, no matter what endpoints you are defending, or which solutions you use to defend them, you should be testing the effectiveness of all these tools and solutions regularly. Changes to the threat landscape and the environments in which your users work happen all the time, and even the best-of-breed endpoint protection platforms must be “tuned” to properly grow along with these factors. Knowing where your endpoint defenses are strong and where they have gaps will allow your team to continue tuning over time, allowing for better user experience and protection alike.
Cymulate is happy to help with your testing protocols for any endpoint defenses you have – or are considering bringing on board.