This week cybercriminals attacked the city of Dallas with ransomware, demanding a one-million-dollar payout while crippling emergency services such as 911 first responders. The question is, could this have been avoided with proper cybersecurity, and if so, where should you begin? In this comprehensive guide, we’ll explore the important differences between Antivirus, Endpoint Detection & Response (EDR), and Managed Detection and Response (MDR) solutions.
Antivirus vs EDR vs MDR
Let’s imagine we’re playing a game. You’re the teacher and are preparing your students to become cybersecurity experts. You have them study all year and now you are giving them a final test.
Antivirus is designed to detect and remove malicious software from your computer. To better understand how it does this, think of antivirus as a yes or no question on a test. The only way your student could answer correctly is if you taught them the answer. But what if they have never seen the question before?
EDR is a more advanced cybersecurity solution that focuses on monitoring and analyzing the computer to detect and respond to potential threats. Think of this as a multiple-choice question on a test. Your student might not know the answer at first, but based on the behavior of the potential threat, they can make a decision even though they have never seen this before.
MDR is the ultimate service that combines the capabilities of EDR with the expertise of a dedicated security team. Think of this like a multiple-choice question on a test, but with the ability to “phone a friend” to ask for advice. MDR includes 24×7 monitoring by trained cyber-threat hunters and, through XDR (Extended Detection & Response), analyzes email, firewall, and network logs in addition to the computer logs to identify threats.
The False Sense of Security: Why You Should Avoid Antivirus
Antivirus is the most basic and widely used cybersecurity tool in existence, and the issue with antivirus lies within how it detects threats. Because it does not analyze behavior, it must be told what is bad. Here are four reasons why you should not use antivirus:
- You’re late to the party: 560,000 new viruses are created daily, and with each new virus, your antivirus needs to receive an update to detect those threats. This may take hours, or sometimes days, leaving your systems vulnerable.
- You can’t prove anything: Your boss asks if a recent zero-day attack could have been used to gain access to your system. Because you use antivirus, you do not have the tools or ability to answer that question and would have no idea if your systems were compromised.
- There is no guarantee: Great security solutions offer a breach protection guarantee, sometimes upwards of 1 million dollars. This is something not offered by Antivirus.
- Lacks ransomware protection: Your security provider should have specific technology designed to detect, stop, and restore files encrypted by ransomware. These types of technologies do not exist with antivirus.
Goodbye Antivirus: Why EDR Is the New Minimally Accepted Standard
EDR offers a more proactive approach to cybersecurity by monitoring the behavior of your computers. It can detect suspicious activity that could signal an attack and respond to it accordingly. EDR often leverages AI to improve detection accuracy and provide real-time visibility into the health of all endpoints. Here are my thoughts on EDR:
- EDR vs antivirus: EDR is more effective at detecting never-before-seen threats than traditional antivirus. At a minimum you need EDR.
- You still need monitoring: Although more capable, you are responsible for the alerts that EDR generates. This means when potential threats are found, you receive the alerts and have to investigate.
- After-hours support: If your EDR detects a threat at 1:00 am, can you receive the alert and execute next steps in that moment?
- Threat hunting: You receive an alert that computers are communicating with an overseas website with a high threat level. In this scenario your team must have the expertise to properly investigate this alert and determine whether it is malicious.
- EDR is only part of the solution: While EDR is a good step in the right direction, EDR only protects the device itself and does not understand any threats happening in your email, network, and 3rd party applications.
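The yes/no versus behaviour distinction drawn above, as an added illustration that is not from the original post: a hash lookup (antivirus style) misses a sample changed by a single byte, while simple rules over endpoint telemetry (EDR style) flag the same activity by what it does, including the mass-rename pattern that ransomware produces. The sample bytes, hash list, process names and telemetry lines are all constructed for this example.

```python
import hashlib
from collections import defaultdict

# Signature-based check: a constructed "known bad" hash list, as antivirus uses.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed-malware-sample-v1"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}

def signature_match(sample: bytes) -> bool:
    """Antivirus-style check: flag only if this exact hash was taught to us."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES

# Behaviour-based check over constructed endpoint telemetry, one event per
# line formatted "seconds,process,action,path" (a simplified EDR event stream).
TELEMETRY = """\
0,WINWORD.EXE,open,C:\\Users\\jo\\Documents\\invoice.docx
1,WINWORD.EXE,spawn,C:\\Windows\\System32\\cmd.exe
2,cmd.exe,spawn,C:\\Users\\jo\\AppData\\Local\\Temp\\upd.exe
3,upd.exe,rename,C:\\Users\\jo\\Documents\\q1.xlsx.locked
3,upd.exe,rename,C:\\Users\\jo\\Documents\\q2.xlsx.locked
4,upd.exe,rename,C:\\Users\\jo\\Documents\\plan.docx.locked
4,upd.exe,rename,C:\\Users\\jo\\Pictures\\team.jpg.locked
9,explorer.exe,open,C:\\Users\\jo\\Documents\\notes.txt
"""

def parse_events(text: str):
    events = []
    for line in text.splitlines():
        ts, proc, action, path = line.split(",", 3)
        events.append({"ts": int(ts), "proc": proc, "action": action, "path": path})
    return events

def behavioral_alerts(events, window=5, rename_threshold=3):
    """EDR-style rules: judge what a process does, not what its bytes hash to."""
    alerts = []
    office = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
    renames = defaultdict(list)  # process -> timestamps of suspicious renames
    for e in events:
        # Rule 1: a document viewer should never launch a command shell.
        if e["action"] == "spawn" and e["proc"] in office and e["path"].lower().endswith("cmd.exe"):
            alerts.append(f"office-spawns-shell:{e['proc']}")
        # Rule 2: many files renamed to a new extension within a short window
        # looks like encryption in progress (the ransomware pattern from the text).
        if e["action"] == "rename" and e["path"].endswith(".locked"):
            stamps = renames[e["proc"]]
            stamps.append(e["ts"])
            recent = [t for t in stamps if e["ts"] - t <= window]
            if len(recent) == rename_threshold:  # fire once, when the threshold is crossed
                alerts.append(f"mass-rename:{e['proc']}")
    return alerts
```

Neither rule needs a prior copy of `upd.exe`, which is the whole point: the signature check fails on the first unseen byte, the behaviour check fires on the second rename burst regardless of the binary.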
MDR: The Gold Standard for Endpoint Protection
MDR includes everything EDR does while adding enhancements to how it is managed. These enhancements include a 24×7 human-led threat hunting team, full-scale incident response, and full remediation until all threats are resolved.
- 24×7 threat hunting: All alerts are sent directly to your MDR team for further investigation. If a threat is detected, you can have a pre-approved process where they execute the task to resolve the incident immediately. This is extremely powerful, knowing that alerts are the responsibility of your MDR provider.
- Incident response: When a threat is found, your MDR team hunts down all threats across your fleet until removed. A full report of what happened, how it happened, and if there was a data breach is provided alongside proof the vulnerability has been rectified.
- Breach protection guarantee: MDR will have industry leading breach protection guarantees, offering financial compensation in the event of a costly breach.
- Insurance benefits: Insurance providers now ask whether you have an MDR solution, and you would be able to answer yes.
- Extended Detection & Response (XDR): XDR is the process of your MDR team reviewing logs from all systems. This could be your network security appliance, email system, and network logs. Most MDR providers will ingest these logs and use them as an additional resource when protecting your network.
Comparing EDR, MDR, and Antivirus
When comparing EDR, MDR, and Antivirus, it’s crucial to understand their respective strengths and weaknesses:
- Antivirus is no longer acceptable and at a minimum should be replaced with EDR.
- EDR builds on the capabilities of antivirus by offering more advanced threat detection and response features. The downside is you must manage it yourself, which introduces hidden costs to this solution.
- MDR combines the benefits of both EDR and antivirus by providing a managed service that includes continuous monitoring, advanced analytics, and expert guidance.
Choosing the Right Solution for Your Organization
When evaluating MDR solutions we recommend reducing the total number of vendors required to deliver your cybersecurity solution. With that said, the more your cybersecurity vendor can take off your plate the better, so look for these features upfront:
- Device encryption: Can your provider encrypt computers to protect from data loss and meet compliance requirements?
- Block storage devices: Can your provider prevent and monitor USB and external storage devices?
- Network detection & response (NDR): Can they detect malicious traffic from devices that do not have the MDR software installed?
- Web filtering: Can they protect from malicious downloads and filter websites while both inside and outside the office?
- HTTPS decryption: Since 80% of web traffic is now encrypted, can they scan encrypted (HTTPS) traffic and look for malware?
- Data loss prevention (DLP): Can they automatically identify whether staff are sending or receiving sensitive information that should not be shared, or that at a minimum should be encrypted to meet compliance requirements?
- Zero-trust identity access: Can you deny access to all company data and resources unless the MDR security software is installed on your computers? If not, how do you know whether a computer is missing your security software, or worse, appears to have it installed while it is not functioning properly?
In the ongoing battle against cyber threats, organizations must adopt a multi-layered approach to cybersecurity. Understanding the differences between antivirus, EDR, and MDR is essential for implementing an effective security strategy. Avoid antivirus, at a minimum use EDR, and for the best cybersecurity strategy, find yourself an MDR provider so you can strengthen your cybersecurity posture in today’s digital age.
Remember that no single solution can provide complete protection against all threats, and it’s crucial to invest in additional security measures such as firewalls, user authentication protocols, and compliance initiatives.
To learn how to protect your organization, please contact us on our website.