What is EDR, XDR & MDR in cyber security?

In this guest article, transformative IT & cyber security platform Chorus explains what EDR, XDR and MDR are.

The cyber security market is filled with terms and acronyms which often fall in and out of use rapidly as the market changes and technologies advance. To add to the confusion, vendors and providers sometimes use these terms interchangeably, apply different meanings or add their own marketing terms, making it even harder to understand the terminology and exactly what it refers to.

With cyber security a top priority, organisations have to regularly evaluate their security technologies and stay ahead of emerging threats. Traditional security approaches have become outdated and are no longer fit for purpose; instead, organisations are embracing the Zero Trust approach to protect themselves in a world of modern work, with cloud services, remote working and more devices.

As part of a modern approach to cyber security, organisations have to review new technologies. Alongside this, many need to plug the growing cyber skills gap and may also be considering managed security services. You have likely seen three terms which are widely used in the market currently – EDR, XDR and MDR. We want to break down what each one means and how they differ.

EDR – Endpoint Detection & Response

EDR is an advanced and proactive security technology that monitors endpoints for threats and vulnerabilities. Through cyber threat intelligence (CTI), machine learning and automation, EDR technologies can detect and remediate many advanced threats that would evade traditional endpoint protection. As Microsoft partners, we recommend Microsoft Defender for Endpoint – Microsoft’s EDR platform.

XDR – Extended Detection & Response

Extended detection takes EDR a step further. Rather than just focusing on endpoints, XDR gives a more holistic security view – extending threat detection and response from just endpoints to additional sources, such as networks, cloud services, servers and more.

Within the Microsoft ecosystem, this is provided by Microsoft 365 Defender (endpoints, identity, cloud services, apps, data) and Microsoft Defender for Cloud (servers, on-premises/hybrid/cloud, networks).

MDR – Managed Detection & Response

MDR is separate from EDR and XDR. Rather than being a technology, it’s a service. Normally it is provided by a Managed Security Service Provider (MSSP) and falls under the broader term ‘Managed Security’.

MDR services use a variety of security tools, such as SIEM (Security Information & Event Management) and SOAR (Security Orchestration, Automation & Response) platforms, alongside EDR/XDR and more. These underlying technologies are then combined with mature processes and the expertise needed to rapidly detect and respond to threats.

Gartner estimates that 50% of organisations will be using MDR services in 2025. There are a few reasons for this predicted growth:

Cyber security skills shortage – There is a growing skills gap, meaning that recruiting and retaining highly skilled cyber security expertise is becoming increasingly difficult for organisations.

24×7 protection – Cyber security requires 24×7 monitoring, detection and response; however, many organisations don’t have this capability and don’t want to pay to build it internally. Partnering with an MDR provider gives 24×7 protection – whether fully outsourced or using a hybrid model to complement your internal security team with out-of-hours support.

Internal capacity – Internal IT teams are already under great strain, and adding the high-pressure job of cyber security threat detection and management will stretch staff workloads further.

Cost – Building an internal cyber security operations centre is an expensive investment when you consider the technical implementation, process development and recruitment. Partnering with an MSSP for MDR services provides cost-effective access to advanced security.

The list of cyber acronyms goes on…

These three acronyms are extremely popular at the moment, but there are many more common acronyms in the cyber security landscape. Here are some of the other common ones you will likely see:

CSOC/SOC – Cyber Security Operations Centre / Security Operations Centre – A centralised function that combines people, processes, and technology to provide security services

SIEM – Security Information & Event Management – Software platform that centralises aggregated security data from across various resources to provide real-time event analysis

SOAR – Security Orchestration, Automation & Response – Security software to co-ordinate, automate and execute security tasks for quick response

IAM – Identity & Access Management – Policies and technologies to support strong identity security and appropriate access controls

MTTD – Mean Time to Detect – The average length of time it takes to detect a threat

MTTR – Mean Time to Respond – The average length of time it takes to respond to a threat

CVSS – Common Vulnerability Scoring System – A standardised scoring system for rating the severity of a vulnerability (0-10)

What’s the future for EDR?

EDR provided a more modern approach to endpoint protection; however, with the rapid pace of innovation in cyber security, XDR is going to be the next ‘big thing’. One of the biggest difficulties organisations face today within security is the growing number of security tools – as more disjointed tools are integrated and their data ingested, complexity increases, which in turn lengthens the time it takes organisations to detect and respond to threats. XDR provides a unified security solution, reducing complexity and consolidating security technologies.

SIEM & XDR combined

Even greater capabilities come from combining SIEM and XDR, and this is a major focus for Microsoft, which you can read more about here. Because of Microsoft’s security vision, technical maturity and integrated remediation capabilities (and because most organisations already use Microsoft for end-user productivity), we have built our MDR services on Microsoft 365 Defender and Microsoft Sentinel. You can read more on the reasons for this and the benefits in our Q&A with our CTO, Mark Taylor, here.