MDR: top level security at your fingertips

For a correct interpretation of the concept, let us rewind to the evolution of cybersecurity. “In the early days, the computer or laptop was seen as an endpoint; the last step in the line of defense. The security sector focused on improving the firewalls that protected the perimeter. However, this resulted in cybercriminals shifting their attention to the workplace, which was still protected by outdated technology," says Bastiaan Germs, cybersecurity expert at Proximus NXT.

The principle was very straightforward:⁠ security companies compiled a list of all known viruses. The antivirus software then checked whether any of those viruses were hidden in a file or e-mail message. “The problem was that this approach was not tenable in the long term. There were too many new viruses and variants popping up too fast. For example, the so-called zero-day attacks, which strike faster than you can update your antivirus software."

Behavioral analysis

The security sector therefore adapted its approach and began improving workplace security. This involves not only looking for risks you are aware of but also those you are not aware of. Behavioral analysis plays an important role here. “And this is done by continuously monitoring the device,” explains Bastiaan. “When a newly downloaded file suddenly starts encrypting your computer, something is wrong.” The most important thing is that the approach does not just stop at pinpointing that something is wrong but that the security solution links a concrete action to that event.

Broader perspective

And so the sector evolved from a traditional endpoint protection to endpoint protection and response (EDR). This approach is a reaction to the realization that there is no such thing as 100% protection. Whenever there is an incident, you had better pick it up as quickly as possible and respond appropriately. “From there grew the concept of XDR or extended detection and response,” says Bastiaan Germs. “It ensures a broader perspective. XDR collects data not only at endpoints but also on the network. Analysis and correlation of all that data allows for faster and better tracking of deviant situations.”

XDR ⁠delivers the risk analysis, MDR ⁠ensures the correct human interpretation.

Bastiaan Germs, cybersecurity expert at Proximus NXT.

So, is XDR not the same as a SIEM (Security Information & Event Management)? “I don't think so,” says Bastiaan. “A SIEM is a very powerful and flexible tool, but it’s also typically an empty box which you yourself have to program with all the rules. You also have to prescribe all the correlation use cases. XDR allows you to get going much faster.

The supplier collates everything for you, sets up the AI and enables a far-reaching automated response.” This means, for example, that an endpoint can be isolated much more effectively and automatically, preventing an infection from spreading. “That would have to be done manually in a SIEM. In the event of an incident, you have to set up the response yourself, against the clock.”

Best of suite approach

XDR mainly works with solutions from the same supplier. A combination of various tools – best of breed – is not possible. “But in the event of an incident, you usually want the fastest possible response. And that’s where best of suite – everything from one supplier – is better, because the data exchange between the tools usually runs more smoothly.”

That said, the market is looking for a more open approach to XDR. “We are taking the first steps in that direction, towards a future in which you can, for instance, combine Cisco tools with Microsoft or Palo Alto,” says Bastiaan. “But for the moment, that’s all still largely theoretical."

Bastiaan Germs, cybersecurity expert at Proximus NXT

Human interpretation with MDR

This ultimately brings us to the field of MDR or managed detection and response. “XDR provides a risk analysis,” Bastiaan explains. “The vast majority of the detected risks are followed by an automated action. But there are also risk percentages that require human interpretation. A specialist has to look at those alerts and decide what the next step is.”

Large companies have their own team for this. But security specialists are very difficult to find on the labor market. And they are completely out of reach of small and medium-sized enterprises, even though they increasingly have to deal with the same threats as large organizations.

It is in that context that a company like Proximus NXT can act as an MDR partner. XDR technology takes care of the technical part, the Proximus NXT specialists provide the human touch. “Initially, we get the alerts,” says Bastiaan. “We do the analysis and estimate the risk.” This is followed by the correct action either by Proximus or the company itself, depending on the agreements made. “MDR enables the organization to implement the desired security policy, without the need to invest in its own specialists.”