Pratum Blog

EDR MDR XDR

If you’re still trying to make sense of XDR, MDR and EDR, you’re not alone. The market doesn't have universal definitions of these terms, and overlap among the solutions makes it easy to drown in the alphabet soup. This blog summarizes the key differences in each solution so you can ensure that you’re using the right tools to secure your environment.

What the “DR” Part Means

The obvious common element in each solution is the DR, which stands for “detection and response.” That means these tools go beyond simply recording an event or blocking software by looking for known malicious signatures. Managed XDR and other DR tools actively assess patterns of malicious activity and shut down suspicious programs, quarantine devices, etc.

DR solutions have proven so effective at reducing attacks that most cyber insurance carriers now require them for anyone seeking to buy or renew a cyber policy. These tools have become a cybersecurity must-have because they address these growing threats:

  • Expanded attack surfaces/dispersed workforces – Organizations can no longer lock down all their data on company-owned devices inside the company building. Now you must secure your data in a world where employees are using mobile devices, home networks, etc.
  • Hackers lingering in systems – In a typical breach, hackers get into the environment months before administrators realize it. DR detects suspicious activity far sooner.
  • Growth in fileless malware – This malware type (also known as non-binary malware) can slip past most antivirus software, which looks for known file signatures. By some estimates, even the best antivirus solutions block only 50-60% of the threats.

EDR – Endpoint Detection and Response

Endpoint Detection and Response Flow Chart

EDR protects your environment’s biggest vulnerability: endpoints. In the Wild West of remote workforces, employees are using networks you don’t control; sharing devices with family members; installing whatever software they want; etc. In most environments, about 70% of all attacks start with an endpoint.

EDR provides visibility into the endpoints. It constantly logs and monitors activity in order to identify potentially malicious activity on endpoints and take action to stop or mitigate the attack. Rather than looking for file signatures as antivirus solutions do, EDR looks at the behavior of files. With this capability, EDR regularly spots zero-day threats and other attacks that security pros haven’t seen before. In addition to the protection, it looks to provide context around how the attack started and what it attempted to do.

EDR’s powerful response capabilities come from playbooks that guide the solution’s actions after spotting malicious activity. These playbooks determine when to block a file, quarantine a device, etc. Clearly, proper playbook tuning plays an enormous role in not only stopping malicious activity but in preventing a stream of false positives from overly sensitive triggers.

XDR – Extended Detection and Response

Extended Detection and Response Flow Chart

Even if you have EDR covering your endpoints, attacks will still arrive through your firewall, cloud workflows, email system, IoT devices, servers and more. XDR provides a holistic view of your extended technology ecosystem, encompassing endpoints as well as every other part, regardless of the vendor that created each component.

XDR’s critical advantage is correlation of events. XDR solutions monitor telemetry data such as Syslogs from across your environment to create a unified response. By leveraging artificial intelligence and machine learning, XDR identifies suspicious patterns amid the millions of system events that occur each day. In simple terms, XDR is designed to notice two seemingly unconnected activities in distant corners of your environment, recognize the pattern of a larger attack and take appropriate action. Without XDR, the left hand may never talk to the right hand, letting attackers lurk in your system far longer before they’re detected.

MDR – Managed Detection and Response

Managed Detection and Response Flow Chart

With MDR and Managed XDR, a third party (known as an MSSP or Managed Security Services Provider) manages the tools described above. Management goes far beyond simply responding to alerts. Top MSSPs constantly tune complex XDR solutions in response to emerging threats and your unique environment. Partnering with an MSSP relieves your organization from staffing up to run your own in-house SOC or asking an already-overtaxed IT team to take it on.

A good Managed XDR service has a team of SOC analysts constantly monitoring your environment and tuning the tool for optimal performance. The analysts review alerts and notify you when you should take action. They regularly revise proprietary playbooks and rules in response to an ever-changing landscape. (When the Log4j vulnerability emerged in December 2021, for example, Pratum’s SOC wrote new rules for our Managed XDR clients within 12 hours.) In short, a Managed XDR service gives you access to cutting-edge security tools and a team of pros who know how to get the most from the tools.

A Managed XDR service also gives you a big advantage if you face a breach and need support with incident response/digital forensics. Experienced SOC analysts can quickly leverage XDR to develop an attack story that goes far beyond merely stopping the breach. Managed XDR lets you identify all the places the attacker went and what they compromised, ensuring that you can fully stop the breach and recover data more quickly.

To learn more about how Managed XDR service can secure your environment without additional staffing, contact us today.

Information Security Policies, Procedures, and Standards

Information security policies, standards and procedures typically fall to the bottom of many companies’ to-do lists. Nobody gets excited about the tedious process of creating these kinds of documents. But it's worth making the effort to create and maintain these key documents. Investing some time now will make your organization far more secure and efficient in the months and years ahead.

What They Are

First, let’s break down what goes into each of these governance documents.

Information Policies – The “What”

Policies are the high-level statements that communicate your objectives. Think about the information security policies as the vision statement that clearly states your values in this area and what you intend to put into action. Your organizational culture will drive how you set policies, as they reflect how you view risk, what role you expect end users to play in security and more.

Information Standards – The “How Often/Much”

Standards go more in-depth and elaborate on the policies. Standards will specify details such as:

  • Who will implement the standards
  • Specific responsibilities of the associated departments
  • Groups affected by the standard
  • Who owns the individual standard

Standards lay out specifics of how each control area fits into the overall information security program. For example, if a control framework you’re following requires specific steps around firewall settings or encryption measures, your standards will explain what you’re doing about those things. When you're trying to satisfy most compliance requirements and frameworks, you’ll hear a lot about your “policies.” But standards are typically what they're looking for.

Information Procedures – The “How”

Procedures are the step-by-step instructions for fulfilling the policies and standards. For every control area your policy covers, you should have corresponding procedures explaining how the organization will carry out that policy. Procedures turn policies and standards into tangible action steps. In procedures, the business should call out specific employees and technologies that carry out each procedure.

5 Situations Where Your Work on Policies/Standards/Procedures Pays Off

1. You experience a breach – Your Incident Response plan and Business Continuity/Disaster Recovery plans will help limit the damage and restore your operations as quickly as possible.

2. You have to discipline/dismiss an employee for inappropriate use of technology – Your Acceptable Use Policy, which you had each employee sign on their first day, lets you enforce the rules.

3. Vendors demand evidence of your security program – You can share a wide variety of documents to show that you take security seriously at all levels of the organization.

4. A user accidentally gives their credentials to a hacker – A solid Access Authorization/Identity Access Management policy limits each user’s data access, limiting how much a hacker can pivot within the system.

5. An entry-level employee makes a bad choice on a firewall setting – Your Change Management policy builds in reviews to catch unintended consequences in time.

Why You Need Them

Now let’s explore why these three types of documents are important for your business.

Meet Compliance Requirements

It’s just good business to have solid policies/standards/procedures. But it usually takes outside pressure to make most organizations get serious about their policies and standards. In today’s tougher cyber insurance marketplace, for example, you may not even be able to renew a policy without having basic policies/standards in place. At minimum, creating these documents helps you get much better rates on insurance. Many large companies are also taking a harder look at the cybersecurity practices of all their vendors. So your company’s contracts may soon rely on you creating the policies/standards/procedures that prove you have a mature security posture.

Establish Continuity

It's crucial that you show your employees exactly what is expected of them. A murky vision inevitably raises questions. Creating a universal guide for everyone will unify and direct the team in times of crisis or confusion.

Allow Enforcement

A written governance program gives leaders a way to enforce the practices they want employees to follow. If these expectations are laid out clearly in easy-to-find policies, standards and procedures, you can hold everyone accountable for abiding by them. Your employee onboarding process should build cybersecurity awareness into every employee’s first day on the job. One of their first tasks should be reading applicable policies and signing a statement that they have read the documents and agree to comply with them.

Create a Security Culture

Executives should be involved in creating the policies, standards and procedures and should play a role in socializing them throughout the organization. If an executive is involved in the creation of these documents, they’re more likely to understand what’s happening when problems arise. That makes it easier for IT professionals, and other employees, to communicate and understand what is important to the executives.

How to Get Started

1. Identify Your Needs

Your organizational size and industry niche will mandate some of the governance documents you need. A large business with numerous employees typically requires a more detailed plan than a small organization.

2. Build an Action Plan

You need to address how to get the governance program in place. Talk with your IT operations team to make sure they’re ready to follow the program you are trying to build. If not, find out what resources and tools they need to achieve the organization’s security goals. Open communication is key.

3. Maintain and Update

Understand that once you have your policies, standards and procedures in place, you still have work to do. Maintaining and updating your documents is just as important as the initial creation process. Times change, and so should your security governance. Be sure to review all these important documents annually to proactively evaluate the security controls related to the confidentiality, integrity and availability of your business’ sensitive information.

4. Test

Several policies and procedures require regular testing to confirm that everyone understands them, that they’re still current and that somebody actually knows how to do each step in the procedures. Incident response plans, in particular, require regular testing via tabletop exercises and other evaluations. During testing, many organizations realize that “restore data from backup,” for example, isn’t quite as straightforward as it sounds. That prompts them to update the plan to cover every detail in a way that makes them truly ready for quick deployment.

If you need help creating and maintaining policies, standards, and procedures, Pratum can help. Contact us today.

Silhouette of Russia

Russia’s attack on Ukraine clearly isn’t limited to tanks, planes and missiles. Russia has already and will continue to deploy cybersecurity attacks as part of a strategy to destabilize or outright shut down its opponents. Most of us don’t play a role in battling nation-state cyber warfare. But this blog covers what organizations of all sizes should know about the potential impact of these global events and how you can take common-sense steps to protect your operations and data.

New Threats From a Familiar Source

Russian hacking isn’t a new threat, so you’ve probably been battling it for years without realizing it. President Biden addressed Russia’s harboring of hackers at a meeting with Vladimir Putin in June 2021, and government and private security professionals have been fighting Russian interference for at least a decade. In January 2022, CISA issued an alert focused specifically on understanding and mitigating Russian state-sponsored threats to U.S. infrastructure.

But Russia’s attack on Ukraine brings new urgency, as Russia has already sought to bring down Ukraine’s government and critical infrastructure, mainly via denial of service attacks and malware deployments. Thus far, the U.S. Cybersecurity and Infrastructure Agency (CISA) has said in a statement that there are no specific or credible threats to the U.S. homeland at this point. But as sanctions begin to take effect, attacks may ramp up.

Few organizations face a real possibility of direct attack by nation states. But impacts could still be widespread if threat actors manage to compromise supply chains or critical infrastructure. Recent breaches involving Kaseya and Log4j have shown how quickly attacks can cascade throughout a software ecosystem. Russia’s attack on Ukraine may be your wakeup call, but regardless of the current headlines, you should incorporate the following best practices to protect your environment.

Establish Basic Protections

  • Enforce the use of strong passwords throughout your organization.
  • If you’re not using multifactor authentication (MFA), deploy it as quickly as possible. This single tool can stop nearly any attack that depends on compromised user credentials.
  • Update all your software to close known vulnerabilities.
  • Deploy a monitoring tool such as Managed Extended Detection and Response (XDR) that can identify threatening activity and help you investigate it.

Review Your Incident Response Plan

If you do suffer a breach, a calm, organized, well-planned response can greatly limit the damage and speed up your recovery time. Now is the time to pull out your incident response plan and make sure that it accurately reflects who is on your team, the tools you have in place, etc. The same goes for your business continuity/disaster recovery (BC/DR) plan, which describes how you’ll keep operations going if a crisis occurs.

Set up a tabletop exercise to walk through a simulated breach and identify any missing or unclear steps in your plan. Many organizations have only vague notes, for example, about how they would restore data from backups. Take time now to investigate how your backups work and the exact steps and timeframe it would take to restore your critical data.

Cloud-based services could be high-value targets for foreign attackers. So your IR plan should address how you’ll maintain operations if you lose access for a time to your customer relationship management (CRM) platform, document exchange service, Microsoft Office 365, etc.

Vet Your Software Supply Chain

Again, this is something that should be part of your normal practice, especially after the Log4j breach showed how rapidly compromised source code can wreak widespread damage. Many software developers have relied heavily on outsourcing work to programmers in Russia and eastern Europe in recent years. It will be a massive task to comb through all of your code for elements with Russian origins. But this process may become necessary to ensure that no allies-turned-adversaries left a pathway into your system for Russia to potentially exploit.

Report What You’re Seeing

U.S. authorities count on reports from private organizations to help them maintain an accurate picture of current threats. If you experienced an incident or spot anomalous activity, report it to:

CISA – This email address is being protected from spambots. You need JavaScript enabled to view it., 888-282-0870
FBI – Your local FBI field office or This email address is being protected from spambots. You need JavaScript enabled to view it., 855-292-3937.

If you experience a breach and need immediate assistance with assessing the situation and getting back online, call Pratum’s Breach Line 24x7 at 515-212-6634.

If you need advice on getting your policies and plans in place, contact us today.

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.