What about the "big R", Remediation?
There's a pretty big difference
We wanted to expand a little more on a previous article about EDR, XDR, and MDR. As many of you already know, the “r” is for response: Endpoint Detection and Response. Extended Detection and Response. Managed Detection and Response. But, for some reason there seems to be little confusion on what response actually means and what it does.
As with many things these days there are plenty of opinions. And like other things along that train of thought, they all stink. Except this one, of course!
There is an important and distinct difference between response and remediation:
Response is “a reaction to something”. Response in cybersecurity is focused on containing and mitigating the immediate threat. While we’re thumbing through the dictionary, mitigation is “the action of reducing the severity, seriousness, or painfulness of something”
Remediation, or to remedy on the other hand is, simply put, “to set right”. So to remediate a security incident is to fix it.
Pretty big difference.
Response and remediation are both important parts of any cybersecurity strategy and incident response (IR) plan. However, as shown, there is a key difference between the two. It is important to be able to quickly detect and then respond to an incident. But we would like to highlught that not all _DRs are created equal, and you should never assume that the solution or service you have in place automatically includes remediation. Having a plan in place for remediating security incidents quickly and effectively is also critical and in most cases, not necessarily included.
In the context of EDR, XDR, and MDR, both response and remediation are important capabilities. EDR, XDR, and MDR solutions can all help organizations to respond to security incidents quickly and effectively. However, remediation is typically more of a manual process that involves fixing the underlying vulnerability and other problems that caused the incident in the first place.
Some EDR, XDR, and MDR solutions may provide automated remediation capabilities for certain types of threats. For example, an EDR solution might be able to automatically remove malware from an infected endpoint. However, for more complex vulnerabilities, remediation may need to be performed manually.
Remediation can be performed by either the organization itself or by the security solution provider. It often depends not only on the solution/software, but also on the service selected and service provider you get it from.
EDR solutions typically provide tools to help organizations remediate threats on their own. Most out-of-the-box solutions won’t remedy a security threat.
XDR solutions can automate some remediation tasks, such as quarantining infected endpoints or blocking malicious traffic.
MDR providers typically provide full remediation services, including removing malware, patching vulnerabilities, and restoring data from backups.
It is important to note that the specific capabilities of EDR, XDR, and MDR solutions vary widely. When choosing a solution, it is important to consider the specific needs of your organization and to ensure that the solution you choose provides the necessary response and/or remediation capabilities.
Which organization is responsible for remediation (either you or the service provider( will depend on the specific solution, or rather service, in place. For example, some EDR solutions provide the option to have the security solution provider perform remediation on behalf of the organization.
Here are some examples of how remediation might be used in each of the three solutions:
EDR: An EDR solution might be used to remediate a malware infection by removing the malware from the infected endpoint.
XDR: An XDR solution might be used to remediate a ransomware attack by automating the process of restoring data from backups and isolating the infected endpoints from the network.
MDR: An MDR provider might be used to remediate a data breach by investigating the incident, identifying the affected systems, and taking steps to prevent the breach from happening again.
Overall, remediation is an important part of any cybersecurity strategy, and it is important to have a plan in place for remediating security incidents quickly and effectively. EDR, XDR, and MDR can all help organizations to detect and respond and get organizations on the right path to remediate threats and incidents effectively. But understand that most solutions are not a complete remediation plan or strategy.
Again, response is to react, mitigate is to reduce, remediate is to fix.
You've done a great job so far, put all the right pieces in place, and now you need to be able to prove it. Or, you think your nicely buttoned up, but wouldn't mind a second pair of eyes.
Our comprehensive, customized Cybersecurity Readiness Report will give you 50 to 150 pages of dos, don'ts, best practices, and the latest strategies and innovations on your security preparedness. You'll get confirmation on some things, plenty of food for thought, and maybe even uncover some gaps you weren't aware of.
Cloud 9 Advisers
As a leading technology advisory firm with a security-first focus, Cloud 9 stands ready to help you unravel the complex web of noise and "FUD" you'll hear out in the cybersecurity marketplace. Cybersecurity should never be only about the latest products and solutions or the fear uncertainty, and doubt (FUB) often found in the marketplace. Cybersecurity isn't an IT problem, it is a business problem