Back in 2013, a game-changing technology called EDR burst onto the scene, revolutionizing our approach to safeguarding our digital domains. This “new” tech sought to supercharge digital forensics on endpoint systems, eliminating the need for physical access to host drives. Previously, investigations meant gaining physical access, cloning drives, conducting exhaustive forensic analyses, and piecing together the attack timeline. This process set investigators days or even weeks behind their attackers.
At that time, Anton Chuvakin, a Gartner analyst, coined a term that would give birth to an entirely new category of security tools for endpoints: Endpoint Threat Detection and Response (ETDR). According to Anton, “This name reflects the endpoint (as opposed to the network), threats (as opposed to just malware and officially declared incidents), and tools’ primary usage for both detection and incident response.” For visual learners, here’s a breakdown of the name:
| Endpoint | Threat* | Detection and Response |
| --- | --- | --- |
*Note: The term “threat” was later dropped as EDR solutions evolved to provide more than just threat detection.
Little did Anton know that this simple naming convention would explode over the next decade. With the surge in popularity of detection and response solutions, it took on a life of its own. These solutions centered around extracting data from various sources, centralizing it, analyzing it, and issuing alerts based on patterns within the data. In many ways, the term eXtended Detection and Response (XDR) attempted to encompass all mediums, implying that the same data collection, centralization, and analysis would occur across multiple channels, rendering individual categorization unnecessary.
| Medium | Suffix | Acronym |
| --- | --- | --- |
| Network | Detection and Response | NDR |
| Cloud | Detection and Response | CDR |
| Identity | Detection and Response | IDR |
| Threat | Detection and Response | ETDR |
| eXtended | Detection and Response | XDR |
As the security solutions market evolved rapidly, traditional anti-malware companies realized the importance of staying relevant by incorporating new functionalities. Traditional anti-malware once relied on knowledge about a specific malware or virus to build detection profiles. However, the new era of detection and response introduced the concept of pattern recognition for identifying malicious behavior. Vendors began defining what constituted “normal” or “good” behavior as a baseline and considered anything deviating from that as suspicious or potentially malicious. This gave rise to Next Generation Anti-Virus (NG AV).
But what about Endpoint Protection Platforms (EPP)? Is it the next-next-next-generation security solution? The truth is that EPP predates both EDR and NG AV solutions. EPP is a suite of tools designed to work together to protect an endpoint, encompassing functions like host intrusion prevention (HIPS), firewall, application control, web filtering, and more. EDR applications eventually found their place within these Endpoint Protection Platforms.
The downside of EDR solutions is sorting through all that data. Most teams need dedicated staff to make use of EDR technology, and managed providers recognized they could quickly expand their platforms to include comprehensive endpoint monitoring. Unfortunately, this resulted in new jargon as providers sought to describe this unique service and differentiate themselves from other providers’ solution sets.
Managed Service Providers (MSPs) emerged in the 1990s, offering outsourced IT services to smaller businesses aiming to scale their IT capabilities. Over time, these providers adapted to emerging technologies, extending their services to various domains. Here are some common terms related to MSPs:
| Prefix | Domain | Suffix | Acronym |
| --- | --- | --- | --- |
| Managed | IT (often dropped) | Service Provider | MSP |
| Managed | Cloud | Service Provider | CMSP or MCSP |
| Managed | Detection and Response | | MDR |
| Managed (implied) | Cybersecurity | Service Provider | CSSP |
The naming conventions in this space can indeed be confusing. There are no set rules dictating what a service provider should call itself. Many providers aimed to distinguish themselves from standard IT outsourcing services and adopted the name Managed Security Service Provider to emphasize their focus on security. On the other hand, those MSPs already offering security services chose to retain their MSP brand and title. Similarly, new providers focused on threat detection and developed robust cloud-based solutions, leading to the label Managed Detection and Response as a way of differentiating themselves from security outsourcing solutions.
Unfortunately, these naming irregularities have often rendered the names less meaningful. Don’t believe it? Try comparing five XDR providers or five managed provider websites; you’ll find variations that can leave you scratching your head.
Here’s the bottom line: Refrain from getting bogged down in acronyms or buzzwords. When choosing a security solution or service provider, remember you’re not buying an abbreviation. While words matter, in this case, the name doesn’t always reveal the capabilities. Instead, engage with each vendor or provider to understand what they offer, how they deliver it, and whether it aligns with your needs. Your focus should always be on the substance, not the label.