The ABCs of TLAs: MDR, EDR and XDR

One of the most memorable exchanges (and there are many) from the classic mockumentary, This Is Spinal Tap, features documentary director Marty (Rob Reiner) asking rocker Nigel (Christopher Guest) about the customized number dials on his amps.

Nigel: The numbers all go to eleven. Look, right across the board, eleven, eleven, eleven and …

Marty: Oh, I see. And most amps go up to ten?

Nigel: Exactly.

Marty: Does that mean it’s louder? Is it any louder?

Nigel: Well, it’s one louder, isn’t it? It’s not ten.

The scene came back to me after a recent client exchange, when the matter of detection and response solutions arose. And the client, understandably, was confused.

“But MDR isn’t XDR, is it?” the client asked. “It’s missing the X. And what about EDR? Does X have the E? If not, does M?”

And therein began yet another discussion about cybersecurity that veered off into an explanation about TLAs—three letter acronyms.

Industry, We Have a Problem

There was a time—oh, three or four years ago—when product names revealed innovative value propositions. Endpoint detection and response (EDR), for instance, was a far different cybersecurity approach from traditional signature-based antivirus: instead of matching known-bad files, it recorded process, file, registry and network activity on the host, applied behavioral analytics (often marketed as artificial intelligence) to flag suspicious chains of activity, and gave responders the ability to isolate a machine or kill a process remotely. Many providers also sold 24x7 managed coverage of that endpoint protection.

But that was then. EDR was followed by managed detection and response (MDR). MDR still protected endpoints but added log monitoring from sources beyond the endpoint (firewalls, identity providers, cloud services) and delivered around-the-clock monitoring, triage and mitigation from a third-party team of responders. The distinction was never clean: MDR is a service rather than a product, and EDR vendors often offered similar management capabilities, if only as an add-on.

And now there is XDR, or eXtended Detection and Response. The industry has defined XDR as MDR but with extended visibility into network, system, identity and cloud log files, activities or metadata, correlated in one place. Sound familiar? That’s because this was the original positioning for MDR. Providers rebranding their “EDR” into an MDR service significantly diluted the true definition of MDR and led to industry and customer confusion.

Now, when IT and security professionals begin researching options for protecting their systems, they encounter an alphabet soup of self-promotional jargon. They know there must be differences between EDR, MDR, XDR, etc., but they don’t know what those differences are or what to look for. So, they abandon the search altogether or postpone it until they have more time.

This, of course, leaves the organization under-protected—or even unprotected, depending on the situation—and the decision maker frustrated. They want to do the right thing and protect their business, customers, employees, and the data and finances behind those assets. But there is just too much confusion.

A Better Way

Ideally, the industry should coordinate standards—or at least guidelines—that promote consistent nomenclature. When a prospective customer asks whether we offer XDR, MDR or EDR, it bypasses the more important discussion of need, something that requires a completely different set of questions:

  • How many employees do they have?
  • What type of business are they operating?
  • Do they have firewalls?
  • Do they have endpoint protection?
  • What cloud services do they use?
  • What compliance requirements are they subject to?

To truly serve the customer, we must understand what they have, what they think they have, and the environment they’re in before delivering a meaningful proposal for efficient and effective protection. And that’s irrespective of TLAs.

Many smaller organizations believe that the protection built into a baseline Windows OS will be sufficient, which tells you the task at hand. But the more nuanced discussions are no less important. For instance, if their EDR solution includes help desk support, who is actually reviewing the alerts, within what time frame, and with what authority to isolate a host? And how is that process currently going? Managed detection and response is not a one-size-fits-all or “set-it-and-forget-it” proposition.

There are a dozen (or more) MDR vendors whose offerings overlap in roughly 60% of their capabilities, with the remaining 40% proprietary or unique to each offering. For instance, one MDR product may offer detection and response only for specific telemetry sources (say, endpoints and a single firewall vendor) but not across the entire enterprise, while another offers complete coverage of endpoints, network, identity and cloud. Yet both are labeled MDR, and that isn’t right.

For the sake of our clients and to ensure the trust and reliability of our industry, let’s eliminate a marketing landscape where providers can co-opt a name while customizing its definition. It’s leading to a vicious spiral where everyone is frustrated and confused.

Without a commitment to consistency, we can look forward to yet another TLA. YDR anyone? Or should we just skip ahead two years and make it MYXDR?
