In today’s digital economy, data is the lifeblood of any business. It’s not just customer data that needs to be protected. Being locked out of systems, unable to access information, can bring a company to its knees. And this is exactly what cybercriminals are taking advantage of.
In recent years the number of ransomware attacks has increased. So have the sums of money being demanded for companies to get their data back. Attacks are continually evolving and becoming bolder. Armed only with technologies such as anti-virus, it’s challenging to keep ahead of these threats. An anti-virus solution can scan for known threats and then attempt to clear them from the system. But attacks are often multi-layered, and acting only after a system breach is often not enough. The damage will already have been done, and the cost to restore data and systems becomes very high.
This is why a more advanced and proactive approach to data and system protection is becoming increasingly important. EDR, MDR and XDR can help reduce risks in cybersecurity by taking a multi-layered approach. In fact, when companies are looking to take out cyber insurance, just in case they’re subject to a cyberattack, having EDR or MDR is usually a requirement.
Cyber insurance is very high risk, and anything that works to reduce that risk is attractive to insurers. Historically, attackers could stay in a company’s system for an average of 290 days. But with EDR and MDR, this is reduced to an average of 45 days. This vastly reduces the risk and is a major reason why cybersecurity insurers insist that EDR or MDR be in place before they’re willing to extend insurance cover.
What are EDR and MDR?
EDR is the acronym for Endpoint Detection and Response. It tracks system activities, logs any unusual patterns or activities and responds to them. MDR is Managed Detection and Response, meaning it’s a combination of automation and human monitoring and response.
For example: cybercriminals will often attempt to access a system through an administrator or a high-level user. They’ll gain access and could stay in a system for several months, navigating and finding out what data exists that could be leveraged for monetary gain, before launching an attack.
Ordinarily it may be considered normal activity when an admin adds a new user, such as a new employee, or changes user permissions. However, when this happens on a Sunday at 2AM, it’s not normal activity and would be flagged. EDR would then monitor and log activities to understand the potential for a threat and the best way to respond to it.
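The off-hours rule described above, written out as a small detection over constructed Windows Security log events (an added example, not code from the article or from any EDR product; the business-hours window, the event list and the account names are assumptions):

```python
from datetime import datetime, timezone

# Constructed sample events (not from the article). Event IDs follow the
# Windows Security log: 4720 = user account created, 4728 = member added to a
# security-enabled global group, 4624 = successful logon (not account management).
SAMPLE_EVENTS = [
    {"time": "2023-03-14T10:15:00Z", "event_id": 4720, "actor": "jsmith_admin", "target": "new.hire"},
    {"time": "2023-03-19T02:03:00Z", "event_id": 4728, "actor": "jsmith_admin", "target": "Domain Admins"},
    {"time": "2023-03-15T14:30:00Z", "event_id": 4624, "actor": "jsmith_admin", "target": "workstation-07"},
]

# Account-management events that are routine during the working day but
# worth flagging at 2AM on a Sunday, as the article describes.
ACCOUNT_MGMT_EVENTS = {
    4720: "user account created",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4738: "user account changed",
}

# Assumed business window: Monday to Friday, 08:00 to 18:00 (timestamps are UTC here).
BUSINESS_HOURS = (8, 18)
BUSINESS_DAYS = range(0, 5)  # Monday = 0 ... Friday = 4


def parse_time(stamp):
    """Parse the ISO-8601 'Z' timestamps used in the sample events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_off_hours(ts):
    """True on weekends or outside the assumed business window."""
    weekend = ts.weekday() not in BUSINESS_DAYS
    outside_window = not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
    return weekend or outside_window


def flag_off_hours_account_changes(events):
    """Return one alert per account-management event that happened off-hours."""
    alerts = []
    for ev in events:
        if ev["event_id"] not in ACCOUNT_MGMT_EVENTS:
            continue  # logons and other noise are not account changes
        ts = parse_time(ev["time"])
        if is_off_hours(ts):
            alerts.append({
                "event_id": ev["event_id"],
                "description": ACCOUNT_MGMT_EVENTS[ev["event_id"]],
                "actor": ev["actor"],
                "target": ev["target"],
                "when": ts.strftime("%A %H:%M UTC"),
            })
    return alerts
```

Only the Sunday 02:03 group-membership change is flagged; the weekday user creation and the logon pass through, which is the "normal during the day, suspicious at night" distinction an EDR rule encodes before a human analyst looks at it.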
EDR is typically set up for companies as a managed solution. It is feature rich and requires that the company has the internal skill sets to manage settings, review activities, and analyze and interpret system activities. For companies that don’t have these resources, MDR may be a better fit.
MDR advances protection in that humans are continually reviewing the logs, checking for anomalies and responding to perceived threats. Because the way attackers operate is constantly evolving, it’s important to have that human factor as part of the analysis. Humans can think beyond historical data and consider whether something is a potential threat and whether it needs to be escalated.
XDR is a third related term that was coined by Gartner. XDR is defined as Extended Detection and Response. This encompasses both EDR and MDR, depending on the solution that companies choose to deploy.
What is involved with securing a system following a cyberattack?
Most companies don’t fully understand the impact of a cyberattack until it actually happens to them. There is awareness in the financial and health sectors, where personally identifiable information (PII) is stored, that there’s a legal obligation to keep that information safe. Failing to do so would be viewed as non-compliance, which could have legal implications.
An equally important implication is the downtime that could result from an attack. Being locked out of your system or having data held for ransom is costly enough. But restoring systems doesn’t take place overnight. It’s not enough to know where the attack occurred; defenders need to discover how the attacker gained access and when it occurred. This is to ensure that the threat is properly contained, that all access points have been shut down and that the attacker isn’t still lurking somewhere in the system, waiting for another opportunity to exploit a vulnerability they’ve found.
While defenders are working at this, the company will likely file an insurance claim. They’ll be assigned a breach coach to help them navigate the complex legal and compliance obligations following a systems breach. A forensics team will work with the company to understand how the attack occurred, analyzing logs to pinpoint timelines and access points. This information will form part of the report provided to the insurance company for the claim. Resolving a ransomware attack takes on average 21 days, during which the company will have limited access to their systems. This can have a high impact on the company’s ability to conduct business.
Cyber threat takeaway:
Realistically, every company is at risk, no matter how big or small or what security systems are in place. The primary reason is that criminals are constantly changing their tactics. As soon as one vulnerability is shut down, they’ll look for others.
It may never be possible to totally eliminate risk, but it can certainly be reduced. The best approach is to be proactive, have multi-layered defenses in place, and leverage the expertise of people who deal with threats on a daily basis. They’re the ones monitoring systems, seeing how tactics are changing, mapping activities and patterns that indicate potential threats and identifying malicious activities.
To learn more about EDR, MDR and XDR, listen to the Ask Me Anything (AMA) webinar with two leading cybersecurity experts sharing their knowledge on the current state of cyber threats and best practices to counter them.