What lies behind the acronyms

Stu Sjouwerman is the founder and CEO of KnowBe4 Inc.security awareness training and a phishing simulation platform.

The increase in volume and sophistication of cyberattacks is driving rapid evolution in the security industry. Under the “detection and response” umbrella, five emerging technologies aim to provide greater visibility, enhanced threat detection, and improved threat response across a wide range of attack surfaces. They look very similar and can be confusing even to experts and certainly to cybersecurity buyers. Let’s look behind the acronyms and dive into each of these technologies individually to better understand their capabilities.

Endpoint Detection and Response (EDR)

With trends such as “bring your own device” (BYOD), working from home, and IoT gaining popularity, organizations are finding it increasingly difficult to maintain visibility into all device activity. Traditional antivirus software fails to detect modern threats as modern malware becomes more sophisticated and evasive.

EDR technology is the latest evolution in endpoint security, identifying advanced threats and malware using artificial intelligence (AI), machine learning (ML) and advanced file analytics . EDR agents are deployed to endpoints and record what is happening on the system. It then analyzes endpoint behavior to detect potential threats. While traditional endpoint security is reactive and focused on malware detection using known malware signatures, EDR is predictive and detects advanced threats before they arise. EDR also offers a range of response mechanisms, which may include actions such as security alerts, isolating the machine from the network, reverting to a previous state, removing or stopping potential threats, and generating of evidence files for forensic investigations.

Managed Detection and Response (MDR)

MDR is not a form of technology, but a type of security service that organizations can leverage from a third-party expert. MDR services were created because even though advanced cybersecurity tools exist, most organizations lack the resources, time, talent, and willpower to create an in-house Security Operations Center (SOC).

MDR vendors typically offer 24/7 threat monitoring, response, and containment services using a host of cybersecurity tools such as EDR, NDR, and HDR, as well as other security services such as vulnerability management, security awareness training, penetration testing, and a virtual security director. (vCISO). Organizations can choose the level of engagement or support they want from the MDR provider, such as fully outsourced security services, co-managed incident response, or just advice, threat intelligence, and notifications of security.

Network Detection and Response (NDR)

With networks extending to the cloud, network traffic increases in both size and complexity. This created the perfect environment for threat actors to exploit. While EDR focuses on endpoint protection, NDR focuses on network traffic, device, and behavior analysis.

Using behavioral analysis, ML, and network device telemetry, NDR monitors and analyzes raw network traffic to establish a baseline of normal network behavior. When a deviation from this baseline is detected, NDR automatically triggers security alerts, drops traffic, contains devices, and generates forensic evidence. NDR will generally restrict malicious behavior to specific IP addresses, which can help security teams determine if threats have moved laterally and infected other devices. This enables faster incident response, better threat hunting, and rapid threat containment, leading to a more resilient organization.

Human Detection and Response (HDR)

The newest technology is HDR. 95% of all cybersecurity incidents can be attributed to human causes, and it’s easy to see why. In a world where systems are becoming increasingly difficult to compromise using technology-based attacks, humans have become the primary attack vector. Cybercriminals frequently target users, taking advantage of phishing attacks, compromised passwords, and other social engineering techniques.

HDR is a new and emerging category of cybersecurity tools focused on the human layer of cybersecurity strategy. Instead of viewing users as liability, HDR recognizes that users can become one of the strongest defenses to help detect, block, and report threats before they become major incidents.

HDR correlates, identifies, responds to, and logs user-related security events from network, endpoint, identity, web security, and other technologies within your security stack and provides on-the-fly coaching to users in response to their risky behavior (via email or a collaboration tool like MS Teams or Slack, for example). This allows security teams to coach users as soon as risky behavior occurs, providing immediate feedback and reinforcing security training. HDR can detect and respond to tens of thousands of risk events in real time, saving time for overworked security teams and helping to strengthen the organization’s overall security culture.

Extended Detection and Response (XDR)

EDR focuses on the endpoint, NDR focuses on the network, and HDR focuses on the user. It would make sense for another platform to provide visibility and control over networks, devices, clouds, and users. XDR is a unified, cross-platform approach where organizations ingest data from diverse environments, monitor all activity in one place, and correlate data from various telemetry sources. This can result in faster incident response, faster detections, and better forensics.

Most XDR platforms offer out-of-the-box integrations with security tools and platforms and have built-in AI and ML algorithms that help correlate user behavior and events from multiple data sources. This provides an overview of the entire threat environment and greatly increases the productivity of threat hunters and security analysts.

Security is never unique. First determine your security priorities, then proceed to select the tools and services that best meet those requirements.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs, and technology executives. Am I eligible?


Leave a Reply

Your email address will not be published. Required fields are marked *