What is MXDR, and do you need it?
Managed extended detection and response (MXDR) is an outsourced service that collects and analyzes threat data from across an organization's IT environment.
An MXDR service blends two forms of threat detection and response (TDR):
- Managed detection and response (MDR), which is a way to describe a range of outsourced TDR and cybersecurity services.
- Extended detection and response (XDR), which is a specialized TDR approach that pulls together data from far-reaching sources in an IT environment, including networks, endpoints and cloud resources.
Customers turn to MXDR services to better guard against threats that can strike almost anywhere along a broad attack surface. The tools and expertise available from outsourced providers supplement what an organization is able to assemble on its own.
MXDR is particularly well suited for cyber-physical environments. In such hybrid environments, internet of things (IoT) devices will lack the logging capabilities of traditional hosts, and network-monitoring devices might not pick up indicators of compromise. In addition, a customer gains access to an MXDR provider's seasoned professionals, which spares the organization the expense and effort required to hire and train personnel.
Threat detection and response activities can focus on specific elements of an environment. Endpoint detection and response (EDR) offers in-depth observations on changes to an endpoint's file system. Network detection and response (NDR), meanwhile, provides views of the network. NDR, however, lacks the context found in EDR data. With data detection and response (DDR), a business can learn about data changes; DDR is useful in data loss prevention efforts.
These and other threat detection technologies provide vast quantities of information. Even with the Mitre ATT&CK framework to help organize the data, it is still up to people to decide how to respond to actionable intelligence. This is why businesses turn to providers to manage aspects of their threat detection work.
Why is MXDR important, and who needs it?
MXDR services can be especially helpful with cloud applications, where endpoints of one environment interact with endpoints in other environments. MXDR pulls together security data, making it possible to connect events that could otherwise appear disparate. These capabilities examine various sessions and IP addresses in ways that might show that an anomaly or potential security event is, in fact, a serious intrusion campaign.
Organizations that use MXDR will benefit from the provider's prior experience with cyberattacks. Campaigns typically consist of signature tactics, techniques and procedures (TTPs) performed in sequence. While signatures are reactive, they are a tremendous aid to detection and response. A service provider's experts will have seen these signs before, which should result in a swift MXDR response when an organization comes under attack.
Detecting cyberthreats is a complicated task. What's frustrating is that attacks can occur without the target even knowing, resulting in attackers living on the network well after the initial intrusion. To counter this, a business will want to make use of a variety of technologies.
More tools provide greater visibility, but that also means more data. The result can be information overload. This unintended consequence requires security teams to decipher all that data and confront false negatives and false positives in an effort to identify actual threats.
MXDR services might be able to boost accuracy through a combination of artificial intelligence (AI), machine learning (ML) and human decision-making at critical moments in ways that an organization acting alone might not be able to achieve.
Effective threat detection requires a level of technical experience that is in demand and not easily found. TDR analysts must be familiar with the IT stack as well as various operating systems. Even when an organization has the right personnel to engage in TDR, the expense is significant. A managed service can augment or fully perform these duties.
Another value is the chance for an organization to boost its employees' skills. A company that fills positions in its security operations center with junior analysts could find working with an MXDR provider to be a valuable learning opportunity for staff.
MXDR vs. MDR
The base technologies in MDR spot anomalies to a file system or OS. MDRs rely on host-based intrusion detection technology coupled with antimalware tools, resulting in a service that collects anomalies and filters the signatures. This enables faster identification of potential attacks. It also decreases breakout time, which is the window between a bad actor's initial intrusion and the beginning of exploitation. A managed service still uses a human-in-the-loop approach; the only difference is the amount of space being managed.
MXDR, meanwhile, relies on a combination of host-based and network-based technologies to provide a holistic view of a company's entire environment. MXDR is better suited than MDR to investigate a wider environment, including cloud resources, IoT systems, IT infrastructure and so on, where both network and host data are fused.
Here are a few key points to remember:
- MDR is host-based and better suited for a contained endpoint environment.
- MXDR is both host-based and network-based, requiring additional analysis to provide a holistic picture.
- Both technologies rely on humans staying in the loop.
- Both make use of AI/ML, so it's important to understand the training data.
- Since both MXDR and MDR are service offerings, service-level agreements are important. This is particularly relevant since many providers are first or early witnesses of new cybercampaigns.
