ATVM & Infra Training Content Day - 5
ATVM & Infra Training

Day 5
LTI 25-09-2023
Fundamentals of Network Security & Understanding the Network Security Components Including Determining

Introduction to Network Security

Network security is a critical aspect of modern information technology that focuses on protecting an organization's data,
systems, and communication channels from unauthorized access, breaches, and cyber threats. As businesses and individuals
increasingly rely on interconnected networks for communication, data storage, and access to services, the importance of
network security has grown exponentially.

Importance:

Network security is of paramount importance for several key reasons:


• Protection of Confidential Data: In today's digital age, organizations store vast amounts of sensitive data, including customer
information, financial records, and intellectual property. Network security ensures that this data remains confidential and is
not exposed to unauthorized parties.
• Prevention of Unauthorized Access: Network security measures prevent unauthorized individuals or entities from gaining
access to sensitive systems and data. Unauthorized access can lead to data breaches, financial losses, and reputation
damage.


• Mitigation of Cyber Threats: The cybersecurity landscape is continually evolving, with new threats emerging regularly.
Network security mechanisms are essential for detecting, preventing, and mitigating these threats, ranging from malware
and ransomware to phishing attacks.

• Business Continuity: Network security measures contribute to the continuity of business operations. By protecting critical
systems and resources, organizations can avoid downtime and maintain productivity even in the face of cyberattacks.

• Compliance and Legal Requirements: Many industries and jurisdictions have specific regulations and compliance standards
related to data protection and privacy. Network security helps organizations meet these requirements and avoid legal
consequences.

Objectives of Network Security

The primary objectives of network security are to ensure the confidentiality, integrity, and availability (often referred to as
the CIA triad) of data and network resources. These objectives can be further defined as follows:

• Confidentiality:
Protection of Data: Network security measures aim to prevent unauthorized access to sensitive data. Confidentiality ensures
that only authorized users can view and access data, protecting it from eavesdropping or theft.

• Integrity:
Data Integrity: Network security ensures that data remains intact and unaltered during transmission or storage. Unauthorized
modifications, tampering, or corruption of data are prevented or detected.

• Availability:
Continuous Access: Network security measures strive to ensure that network resources and services are available when
needed. This includes protection against denial-of-service (DoS) attacks and system failures.


• Authentication:
User Verification: Network security mechanisms verify the identity of users and devices accessing the network.
Authentication prevents unauthorized users from gaining access.

• Authorization:
Access Control: Authorization defines what actions or resources authenticated users are allowed to access. It enforces
access controls and permissions.

• Accountability:
Audit Trails: Network security measures establish accountability by creating audit trails and logs of user activities. This
assists in tracking and investigating security incidents.

Network Security Components

Firewall
• Definition: A firewall is a network security device or software that monitors and controls incoming and outgoing network
traffic based on predefined security rules.

• Function: It acts as a barrier between trusted internal networks and untrusted external networks, like the internet, and
filters traffic to prevent unauthorized access and cyber threats.

Proxy Server
• Definition: A proxy server is an intermediary server that acts as a gateway between client devices and external servers or
resources.

• Function: It can enhance security by inspecting and filtering traffic, optimize performance through caching, and provide
anonymity by masking users' IP addresses.


Network Segmentation
• Definition: Network segmentation involves dividing a larger network into smaller, isolated segments or subnetworks, often
for security and performance reasons.

• Function: It enhances security by limiting the lateral movement of attackers, isolating critical resources, and ensuring
compliance with regulatory requirements.

Remote Access VPN


• Definition: A Remote Access Virtual Private Network (VPN) allows remote users to securely connect to an organization's
internal network over the internet.

• Function: It provides secure and encrypted connectivity for remote employees, ensuring data confidentiality and
authentication.


Email Security
• Definition: Email security measures protect email communication from threats such as phishing, malware, and spam.

• Function: It filters out malicious emails, scans attachments and links for malware, and may include encryption to safeguard
email content.

Data Loss Prevention (DLP)


• Definition: DLP is a set of tools and policies designed to prevent sensitive data from being accessed, shared, or leaked
improperly.

• Function: It inspects data to identify sensitive information, enforces policies to prevent unauthorized data transfers, and
facilitates incident response in case of policy violations.

Types of Firewalls

• Packet Filtering Firewalls: These filter network packets based on predefined rules, such as source and destination IP
addresses, ports, and protocols. They work at the network layer (Layer 3) and are efficient but lack advanced features.

• Stateful Inspection Firewalls: These track the state of active connections and make decisions based on the context of traffic.
They operate at both the network and transport layers (Layers 3 and 4) and offer improved security compared to packet
filtering firewalls.

• Proxy Firewalls: Also known as application layer firewalls, these operate at the application layer (Layer 7). They provide
deep packet inspection, content filtering, and application-level control. Proxy servers act as intermediaries between clients
and servers, enhancing security and control.

Firewall Placement and Configuration

• Firewall Placement: Firewalls can be placed at various points within a network, including the perimeter (between internal
and external networks), internally to segment network zones, and on individual devices as host-based firewalls.

• Configuration: Firewall configuration involves defining rules and policies. Access control lists (ACLs) specify which traffic is
allowed or denied based on criteria like source and destination addresses, ports, and protocols. Stateful inspection and
logging are common configuration features.

Firewall Rules and Policies

• Default Deny vs. Default Allow: Firewalls typically follow a "default deny" approach, blocking all traffic unless explicitly
allowed, or a "default allow" approach, allowing all traffic unless explicitly denied.

• Access Control Lists (ACLs): ACLs are sets of rules that control the flow of network traffic. They specify which traffic is
allowed or denied based on criteria like source and destination IP addresses, ports, and protocols.

• Stateful Inspection: Modern firewalls use stateful inspection to track the state of active connections, allowing related traffic
to pass while blocking unrelated or suspicious traffic.

• Logging and Alerts: Firewalls can be configured to log firewall activity and generate alerts for suspicious or critical events,
aiding in monitoring and incident response.
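As an added illustration of these rules (not code from the training deck), the following Python models a first-match ACL with a configurable default policy and a stateful connection table that admits replies to connections the ACL already allowed; the addresses, rules and packets are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ACL entry. Rules are evaluated top-down and the first match wins."""
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # source network (default: any)
    dst: str = "0.0.0.0/0"      # destination network (default: any)
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


Flow = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class StatefulFirewall:
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default                 # "deny" (recommended) or "allow"
        self.connections: Set[Flow] = set()    # flows the ACL admitted, initiator direction
        self.log: List[str] = []               # one line per decision, for monitoring

    def _acl(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default                    # nothing matched: apply the default policy

    def filter(self, pkt: Packet) -> str:
        fwd: Flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.connections:
            verdict = "allow (established reply)"   # return traffic of a known connection
        elif fwd in self.connections:
            verdict = "allow (established)"
        else:
            verdict = self._acl(pkt)               # new flow: consult the ACL
            if verdict == "allow":
                self.connections.add(fwd)
        self.log.append(f"{verdict}: {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return verdict


# Constructed perimeter ACL: drop a blocked range first, then permit only HTTPS to one web server.
PERIMETER_RULES = [
    Rule("deny", src="198.51.100.0/24"),
    Rule("allow", dst="10.0.1.10/32", proto="tcp", dport=443),
]

if __name__ == "__main__":
    fw = StatefulFirewall(PERIMETER_RULES, default="deny")
    fw.filter(Packet("203.0.113.5", "10.0.1.10", "tcp", 51000, 443))   # new HTTPS session: allow
    fw.filter(Packet("10.0.1.10", "203.0.113.5", "tcp", 443, 51000))   # reply: allowed by state
    fw.filter(Packet("203.0.113.5", "10.0.1.10", "tcp", 51001, 22))    # SSH: no rule, default deny
    fw.filter(Packet("198.51.100.7", "10.0.1.10", "tcp", 40000, 443))  # explicit deny matched first
    print("\n".join(fw.log))
```

Running the same SSH packet through a firewall built with default="allow" admits it, which is why the deck recommends the default-deny posture.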

Application Layer Firewalls

• Application Layer Firewalls: These operate at the application layer (Layer 7) and provide deep packet inspection, content
filtering, and granular control over applications. They can block or allow specific services or features within applications and
often require user authentication for access control.

Proxy Server Functionality

Proxy servers play a pivotal role in enhancing both security and performance within a network. Their functionality includes:

• Intermediary Role: Proxy servers act as intermediaries between client devices and external servers or resources. They
receive requests from clients and forward them to the target server, serving as a middleman in the communication.

• Request Filtering: Proxy servers can filter and inspect incoming requests from clients. They evaluate the requests based on
predefined rules and criteria, such as URL filtering, access policies, and content inspection.

• Caching: Many proxy servers employ caching mechanisms to store frequently requested content locally. Caching improves
response times by serving cached content to clients, reducing the need to fetch data from the origin server.

• Anonymity: Some proxy servers offer anonymity by masking the IP addresses of client devices. This enhances privacy and
security by hiding the client's identity from external servers.

Use Cases for Proxy Servers

Proxy servers find applications in various scenarios:

• Content Filtering: They are used to filter web content, blocking access to specific websites, categories, or types of content.
This is commonly employed in organizations to enforce acceptable use policies.

• Access Control: Proxy servers enable access control by defining rules that specify which users or groups can access
specific resources. This is crucial for securing sensitive data.

• Performance Optimization: Caching proxies improve network performance by reducing bandwidth usage and enhancing
response times. This is especially valuable for frequently accessed content.

• Security: Proxy servers can inspect and filter incoming and outgoing traffic for malware, phishing attempts, and other
security threats. They add an additional layer of protection to the network.

Reverse Proxy Servers

Reverse proxy servers are a specialized type of proxy server designed to enhance security, load balancing, and performance
for incoming traffic:

• Load Balancing: Reverse proxies distribute incoming requests across multiple backend servers, ensuring efficient resource
utilization and preventing overloads.

• Security: They provide an additional security layer by hiding the internal network structure and protecting backend servers
from direct exposure to the internet.

• SSL Termination: Reverse proxies can terminate SSL/TLS encryption, offloading the decryption process from backend
servers and enhancing performance.

• Caching: Similar to regular proxies, reverse proxies can cache content, improving response times for clients.

SSL Inspection with Proxy Servers

SSL (Secure Sockets Layer) inspection, also known as TLS (Transport Layer Security) inspection, is a crucial function of some
proxy servers:

• Purpose: SSL inspection involves decrypting and inspecting SSL/TLS-encrypted traffic passing through the proxy. This
allows the proxy to examine the content within encrypted connections, enhancing security.

• Security Analysis: SSL inspection is essential for detecting and blocking malicious content, malware, or other security
threats that might be hidden within encrypted traffic.

• Challenges: Implementing SSL inspection requires careful management of certificates and private keys to maintain trust
and security while decrypting and re-encrypting traffic.

Network Segmentation

Network segmentation is a strategy that involves dividing a larger network into smaller, isolated segments or subnetworks. This
approach offers several key benefits:

• Enhanced Security: Network segmentation limits the ability of unauthorized users or malicious software to move laterally within
the network. Even if one segment is compromised, it does not necessarily grant access to other segments, protecting critical assets.

• Access Control: Segmentation allows organizations to implement strict access controls and permissions for different network
segments. This ensures that only authorized users can access specific resources.

• Reduced Attack Surface: By isolating critical assets, network segmentation reduces the overall attack surface. Attackers have
fewer entry points and targets to exploit.

• Compliance: Many regulatory frameworks and industry standards require organizations to isolate sensitive data or systems.
Network segmentation helps organizations meet compliance requirements.

• Resource Optimization: Segmentation allows for resource optimization and performance improvements. Bandwidth and resources
can be allocated more efficiently to meet the specific needs of each segment.

Implementing Network Segmentation

The implementation of network segmentation involves several key steps:

• Inventory and Asset Identification: Identify and categorize all network assets, including servers, devices, and data
repositories. Determine which assets are critical and require isolation.
• Segment Definition: Define the segments or subnetworks based on the organization's needs and security requirements.
Consider factors like data sensitivity, user roles, and operational requirements.
• Access Controls: Implement access controls, such as firewalls, routers, and switches, to restrict communication between
segments. Configure rules and policies that define what traffic is allowed or denied.
• Monitoring and Logging: Implement monitoring and logging solutions to track network traffic and detect unusual or
unauthorized activity. Continuous monitoring is essential for identifying potential security incidents.
• Testing and Validation: Conduct thorough testing and validation of the segmentation implementation to ensure that it meets
security and operational goals. This includes testing access controls and verifying that critical assets are isolated.
• Documentation: Maintain comprehensive documentation of the segmentation design, including network diagrams, access
control policies, and procedures for managing and updating segments.
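An added example (not from the training material) of steps 1, 3 and 5 in Python: a constructed segment inventory and inter-segment policy, a check that maps concrete IPs to segments and applies the policy, and a validation pass that finds forbidden direct flows and the lateral-movement paths that remain; all segment names, address ranges and services are assumed values.

```python
import ipaddress
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Step 1, inventory (constructed): each segment's range and whether it holds critical assets.
SEGMENTS: Dict[str, Tuple[str, bool]] = {
    "users":      ("10.10.0.0/16", False),
    "web":        ("10.20.0.0/24", False),
    "db":         ("10.30.0.0/24", True),
    "management": ("10.99.0.0/24", True),
}

# Step 3, inter-segment policy (constructed): any cross-segment flow not listed is denied.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("users", "web"):        {"tcp/443"},
    ("web", "db"):           {"tcp/5432"},
    ("management", "users"): {"tcp/22"},
    ("management", "web"):   {"tcp/22"},
    ("management", "db"):    {"tcp/22", "tcp/5432"},
}

# Step 5, isolation requirements (constructed): pairs that must never have a direct rule.
FORBIDDEN_DIRECT = {("users", "db"), ("users", "management"), ("web", "management")}


def segment_of(ip: str) -> Optional[str]:
    """Map an address to the segment whose range contains it."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, _critical) in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def flow_allowed(src_ip: str, dst_ip: str, service: str) -> bool:
    """Apply the policy to a concrete flow: same-segment traffic passes, cross-segment
    traffic needs an explicit entry, unknown addresses are denied."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return service in POLICY.get((src, dst), set())


def direct_violations(policy: Dict[Tuple[str, str], Set[str]] = POLICY) -> List[Tuple[str, str]]:
    """Validation: forbidden pairs that the policy nevertheless permits directly."""
    return sorted(pair for pair in FORBIDDEN_DIRECT if policy.get(pair))


def lateral_paths(start: str, policy=POLICY) -> Dict[str, List[str]]:
    """Breadth-first search over allowed flows: every segment reachable, directly or via
    intermediate hops, from a foothold in `start`, with the path taken."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for (src, dst), services in policy.items():
            if src == cur and services and dst not in paths:
                paths[dst] = paths[cur] + [dst]
                queue.append(dst)
    del paths[start]
    return paths


def exposed_critical(start: str = "users", policy=POLICY) -> Dict[str, List[str]]:
    """Critical segments that a compromise of `start` could eventually reach."""
    return {seg: path for seg, path in lateral_paths(start, policy).items() if SEGMENTS[seg][1]}


if __name__ == "__main__":
    print("direct violations:", direct_violations())
    print("reachable from users:", lateral_paths("users"))
    print("critical exposure from users:", exposed_critical("users"))
```

The remaining users -> web -> db path is the one a segmentation review has to judge explicitly: it is the intended application path, but it is also the route an attacker on the web tier would take.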

Micro-Segmentation

Micro-segmentation is an advanced form of network segmentation that takes segmentation to a granular level:

• Granular Controls: In micro-segmentation, each individual device or workload can be isolated into its own segment. This
level of granularity allows for highly specific access controls and policies.

• Dynamic Policies: Micro-segmentation often employs dynamic policies that adapt to changing conditions, user behavior, or
threat intelligence. Policies can be based on factors like user identity, device type, or application.

• Zero Trust Security Model: Micro-segmentation aligns with the zero trust security model, where trust is never assumed, and
verification is required for all network communication.

• Cloud and Virtualization: Micro-segmentation is particularly relevant in cloud environments and virtualized data centers,
where workloads are dynamic and require fine-grained security controls.

VPN Types (SSL vs. IPsec)

Virtual Private Networks (VPNs) provide secure connectivity over untrusted networks like the internet. There are two primary
types of Remote Access VPNs:

SSL VPN (Secure Sockets Layer VPN): SSL VPNs operate at the application layer and allow remote users to securely access
specific web applications or services. They are user-friendly and often used for remote access to web-based resources,
providing secure connectivity via a web browser.

IPsec VPN (Internet Protocol Security VPN): IPsec VPNs operate at the network layer and create a secure tunnel between a
remote user's device and a corporate network. They are commonly used for remote access by establishing a secure tunnel
from a client device to the corporate network, ensuring secure communication.

VPN Placement and Setup

Setting up a Remote Access VPN involves determining its placement and configuration:

Placement: Remote Access VPNs are typically placed at the network perimeter or within the corporate network. They provide
secure access to resources for remote users, whether they are connecting from outside the organization or within a remote
office.

Configuration: VPN configuration includes defining parameters like IP addresses, authentication methods (such as
username/password or digital certificates), encryption algorithms, and access policies. Both VPN clients and servers must be
configured to establish secure connections.

VPN Authentication and Encryption

Authentication and encryption are fundamental to the security of Remote Access VPNs:

Authentication: Remote Access VPNs use various authentication methods to verify the identity of remote users or devices.
Common methods include username/password, digital certificates, and multi-factor authentication (MFA).

Encryption: VPNs employ encryption to ensure the confidentiality of data transmitted over the internet. Encryption protocols
like SSL/TLS for SSL VPNs and IPsec for IPsec VPNs establish secure communication channels that protect data from
eavesdropping.

VPN Security Best Practices

To maintain the security of Remote Access VPNs, organizations should follow best practices:

Regular Updates: Keep VPN software and firmware up to date to patch vulnerabilities and maintain security.

Strong Authentication: Use strong authentication methods, such as digital certificates and MFA, to prevent unauthorized
access.

Secure Key Management: Protect encryption keys used in VPNs to prevent unauthorized decryption of data.

Logging and Monitoring: Implement robust logging and monitoring to detect and respond to suspicious activity on VPN
connections.


Access Control: Enforce strict access control policies to limit VPN access to authorized users and resources.

Security Policies: Define and enforce security policies that dictate acceptable VPN usage, data protection, and compliance
with regulations.

Regular Auditing: Conduct regular security audits and assessments of VPN configurations to identify and remediate
vulnerabilities.

User Education: Educate users about VPN security best practices and the importance of safeguarding credentials and data.


Email Threat Landscape

The email threat landscape encompasses various risks and challenges related to email communication:

Phishing: Phishing attacks involve fraudulent emails that appear legitimate, tricking recipients into revealing sensitive information
or clicking on malicious links.

Malware Distribution: Cybercriminals use email as a vector for distributing malware, such as viruses, ransomware, and trojans,
often through malicious attachments or links.

Spam: Spam emails flood inboxes with unsolicited and often irrelevant messages, consuming network resources and potentially
delivering malicious content.

Spoofing and Identity Theft: Attackers can spoof email addresses to impersonate trusted entities, leading to identity theft or
impersonation.

Data Leakage: Inadvertent or intentional data leakage can occur when sensitive information is sent via email without proper security
measures.

Email Security Components

Email security relies on various components and measures:


Authentication: Email authentication mechanisms, like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified
Mail), help verify the authenticity of email senders.

Anti-Malware Scanning: Email gateways and filters scan incoming messages for malware and malicious attachments to
prevent their delivery.

Anti-Spam Filters: Anti-spam filters use heuristics, machine learning, and blacklists to identify and block spam emails.

Content Filtering: Content filtering examines email content for sensitive information or keywords, ensuring compliance with
security policies.

Email Encryption: Email encryption secures email content to prevent unauthorized access, often using protocols like S/MIME
and PGP.
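An added example, not part of the training content, that evaluates a sender domain's SPF record the way a receiving gateway would: it looks up the published record, walks its mechanisms in order and returns the result the matching qualifier dictates. It uses constructed TXT records in place of live DNS and supports only the ip4, ip6, include and all mechanisms; the gateway action mapping is an assumed policy, not any product's behaviour.

```python
import ipaddress
from typing import Dict

# Constructed TXT records standing in for live DNS lookups (documentation domains only).
DNS_TXT: Dict[str, str] = {
    "example.com":           "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example":      "v=spf1 ip4:192.0.2.10 ~all",
    "loop.example":          "v=spf1 include:loop.example -all",   # misconfigured: includes itself
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP.
    Mechanisms that need live DNS (a, mx, ptr, exists) are reported as permerror here."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                          # no policy published: nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                        # mechanisms default to "+" (pass on match)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]  # catch-all: usually "-all" or "~all"
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            sub = check_spf(arg, sender_ip, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"             # a broken include invalidates the record
            matched = sub == "pass"            # only a "pass" inside the include matches
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                           # no "all" term: record expresses no opinion


def gateway_action(domain: str, sender_ip: str) -> str:
    """Assumed gateway policy layered on the SPF result: reject hard failures, quarantine
    soft failures, and accept everything else for further filtering."""
    result = check_spf(domain, sender_ip)
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.55"), ("example.com", "203.0.113.9"),
                    ("softfail.example", "203.0.113.9"), ("loop.example", "203.0.113.9")]:
        print(f"{dom:22} from {ip:14} -> {check_spf(dom, ip):9} ({gateway_action(dom, ip)})")
```

A spoofed message claiming example.com but arriving from 203.0.113.9 therefore evaluates to "fail", which is the signal the slide's authentication component gives the gateway to act on.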

Email Filtering and Anti-phishing Techniques

Email filtering and anti-phishing techniques aim to identify and block malicious emails:

URL Filtering: Email security solutions check links within emails against databases of known malicious URLs, blocking access
to harmful websites.

Attachment Analysis: Attachments are analyzed for malware, suspicious macros, and other threats. Sandboxing may be used
to isolate and test suspicious attachments.

Heuristic Analysis: Heuristic analysis examines email content for suspicious patterns, behavior, or characteristics commonly
associated with phishing or malware.

Machine Learning: Machine learning algorithms can identify phishing attempts and malware patterns by analyzing large
datasets and learning from historical email threats.

Email Encryption

Email encryption protects email content from eavesdropping by unauthorized parties:

Transport Layer Encryption (TLS): TLS encrypts email traffic in transit, securing communication between email servers.

End-to-End Encryption: End-to-end encryption ensures that only the intended recipient can decrypt and read the email.
Solutions like S/MIME and PGP provide this level of security.

Secure Email Gateways: Secure email gateways often include encryption features to protect sensitive email content.

Understanding Data Loss Risks

Data loss risks are prevalent in today's digital landscape, and organizations must protect sensitive information from various
threats:

Accidental Data Leakage: Employees may inadvertently expose sensitive data through email, file sharing, or other
communication channels.

Malicious Insider Threats: Disgruntled employees or insiders with malicious intent may intentionally leak sensitive
information.

Cyberattacks: External threats, such as hackers and cybercriminals, may breach network defenses and steal sensitive data.

Compliance Violations: Failure to protect sensitive data can result in non-compliance with industry regulations and data
protection laws, leading to legal and financial consequences.

DLP Components and Strategies

Data Loss Prevention (DLP) encompasses various components and strategies to prevent data loss:

Content Discovery: DLP solutions scan and discover sensitive data within the organization, such as financial records,
personal information, or intellectual property.

Policy Creation: Organizations define data protection policies that specify how sensitive data should be handled, shared, and
protected.

Monitoring and Enforcement: DLP solutions monitor data usage and enforce policies by blocking or alerting on unauthorized
or risky actions.

User Education: Employee training and awareness programs educate users about data protection best practices and the
importance of safeguarding sensitive information.

Data Classification and Policy Enforcement

Data classification and policy enforcement are central to effective DLP:

Data Classification: Organizations classify data based on its sensitivity, assigning labels or tags to indicate its confidentiality
level. Common classifications include public, internal use only, and highly confidential.

Policy Enforcement: DLP policies define actions to be taken based on data classification and context. For example, policies
may block the transfer of highly confidential data outside the corporate network but allow internal sharing.

Encryption: DLP solutions often include encryption capabilities to protect data both at rest and in transit. This ensures that
even if data is inadvertently leaked, it remains protected.
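As an added example (not from the deck), the following Python classifies message content by explicit labels and by discovered payment card numbers validated with the Luhn checksum, then applies the kind of policy the slide describes: block confidential data leaving the corporate domain, alert on internal data leaving it, allow the rest. The corp.example domain, the label format and the sample messages are constructed.

```python
import re
from enum import Enum
from typing import Tuple


class Level(Enum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


# An explicit classification label attached by a user or tagging tool, e.g. "[INTERNAL]".
LABEL_RE = re.compile(r"\[(PUBLIC|INTERNAL|CONFIDENTIAL)\]")
# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; discards order numbers and other long digit runs that merely look
    like card numbers, which keeps false positives (and user frustration) down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Level:
    """Content discovery: the highest level implied by a label or by discovered data wins."""
    level = Level.PUBLIC
    m = LABEL_RE.search(text)
    if m:
        level = Level[m.group(1)]
    for cand in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", cand.group())):
            level = Level.CONFIDENTIAL      # a real card number outranks any label
            break
    return level


def enforce(text: str, recipient_domain: str,
            internal_domain: str = "corp.example") -> Tuple[str, str]:
    """Policy enforcement keyed on classification and destination context."""
    level = classify(text)
    rd = recipient_domain.lower()
    internal = rd == internal_domain or rd.endswith("." + internal_domain)
    if level is Level.CONFIDENTIAL:
        action = "allow" if internal else "block"
    elif level is Level.INTERNAL:
        action = "allow" if internal else "alert"
    else:
        action = "allow"
    return level.name, action


if __name__ == "__main__":
    samples = [
        ("Invoice total 42.00 attached", "partner.example"),
        ("Card on file: 4111 1111 1111 1111", "partner.example"),
        ("Card on file: 4111 1111 1111 1111", "mail.corp.example"),
        ("Order ref 4111 1111 1111 1112 shipped", "partner.example"),
        ("[INTERNAL] Q3 roadmap draft", "partner.example"),
    ]
    for text, dest in samples:
        print(f"{dest:18} {enforce(text, dest)}  <- {text}")
```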

DLP Integration with Other Security Tools

DLP solutions can be integrated with other security tools to enhance data protection:

SIEM (Security Information and Event Management): Integration with SIEM systems allows for centralized monitoring and
correlation of DLP events with other security data, enhancing threat detection and incident response.

Endpoint Security: DLP can be integrated with endpoint security solutions to monitor and control data transfers on individual
devices.

Email Security: Integration with email security gateways enables the detection and prevention of sensitive data leakage
through email communications.

Cloud Security: As organizations increasingly adopt cloud services, DLP solutions can be integrated with cloud security
platforms to extend data protection to cloud environments.

Network Security in the Perimeter

Network security at the perimeter is essential for protecting an organization's internal network from external threats. Here's
why placement and integration of security measures are crucial in this context:

Firewalls: Firewalls are typically deployed at the network perimeter to filter incoming and outgoing traffic. They act as a
barrier, allowing or blocking traffic based on predefined rules, thus preventing unauthorized access.

Intrusion Detection and Prevention Systems (IDPS): IDPS solutions are placed at the perimeter to monitor network traffic for
suspicious behavior or known attack patterns. Integration with firewalls can help block malicious traffic.

Proxy Servers: Proxy servers can enhance security by intercepting and inspecting web traffic. They are often positioned at
the perimeter to filter out malicious content and provide anonymity for internal users.

Security Information and Event Management (SIEM): SIEM solutions aggregate and analyze security data from various
sources, including perimeter devices. Integration with firewalls and IDPS allows for centralized monitoring and rapid threat
detection.

Network Security in the Data Center

Data centers house critical organizational data and applications, making security essential. Integration and placement
considerations include:

Micro-Segmentation: Within the data center, micro-segmentation is used to isolate workloads and applications, preventing
lateral movement in case of a breach.

Virtual Firewalls: Virtualized data centers often deploy virtual firewalls to protect workloads. These firewalls are integrated
with virtualization platforms for seamless security management.

Intrusion Detection and Prevention: IDPS solutions are placed within the data center to monitor traffic between virtualized
workloads and detect anomalous behavior.

Data Loss Prevention (DLP): DLP solutions can be integrated to protect sensitive data within the data center, ensuring that it
is not leaked or mishandled.

Remote Workforce and Network Security

With the rise of remote work, securing remote connections is crucial:

Virtual Private Networks (VPNs): VPNs provide secure remote access to the corporate network. They are integrated with user
authentication and encryption mechanisms to ensure secure connections.

Endpoint Security: Security measures are extended to remote devices through endpoint security solutions. Integration with
VPNs and centralized management ensures remote device security.

Cloud-based Security: Cloud security solutions may be integrated to protect remote workers accessing cloud resources. This
ensures consistent security policies and controls.

Cloud Security Considerations

Cloud security requires a different approach due to the distributed nature of cloud environments:

Cloud Access Security Brokers (CASB): CASB solutions are integrated with cloud services to provide visibility and control
over data and applications in the cloud.

Identity and Access Management (IAM): IAM solutions are integrated with cloud platforms to manage user access and
permissions across cloud resources.

Security Groups and Policies: Cloud providers offer security groups and policies that are integrated with workloads and
resources to control network traffic and access within the cloud environment.

Encryption and Key Management: Data encryption and key management solutions are integrated to ensure data privacy and
security in the cloud.

Understanding Endpoint Security and EDR

Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to
client devices. The connection of laptops, tablets, mobile phones, and other wireless devices to corporate networks creates
attack paths for security threats.


There are a number of different measures that organizations can take to improve their endpoint security. These include:

Antivirus software: Antivirus software is designed to detect and remove malware from a device. It is important to regularly
update antivirus software to ensure that it is able to detect and protect against the latest threats.

Firewalls: A firewall is a system that controls incoming and outgoing network traffic based on predetermined security rules.
It can help prevent unauthorized access to a device and block malicious traffic.

Encryption: Encrypting data on a device can help protect it from being accessed by unauthorized parties in the event that the
device is lost or stolen.

Access controls: Access controls determine who is allowed to access a device and what resources they are allowed to
access. This can include measures such as user authentication and permissions.


Device management: Device management involves tracking and managing the devices that are connected to an
organization’s network. This can include enforcing policies such as password complexity and device inventory tracking.

To effectively secure endpoint devices, organizations should adopt a multi-layered approach that combines multiple security
measures. It is also important to regularly update and patch systems and software, as well as train employees on good
cybersecurity practices.

In summary, endpoint security is essential for protecting an organization’s systems and data from cyber threats. By
implementing a combination of security measures and regularly updating and maintaining those measures, organizations can
significantly reduce their risk of a successful cyber attack.


What are important endpoint solution metrics?


Here’s an amazing statistic from a Carbon Black study:

“… An average computer was a target of attacks less than one time a month in early 2017. By the end of 2017, that number of
attacks rose by 328% to three attacks per month…. Consequently, an organization with 10,000 endpoints could see
approximately 1,000 attacks a day… In 2018, it’s expected that endpoints attacks will increase even more, as the number of
attacks on the protected endpoints of Carbon Black’s customers’ is growing at a rate of 13% each month.”

What are leading endpoint solutions ranked by price?


The most common endpoint solutions that we implement for clients are Check Point and Nuspire. The best way to determine
which endpoint solution is best for your company’s needs is to schedule a free endpoint security consultation with an
experienced security consultant.


Check Point SandBlast Agent


“Check Point endpoint security includes data security, network security, advanced threat prevention, forensics, endpoint
detection and response (EDR), and remote access VPN solutions… Check Point’s entire endpoint security suite can be
managed centrally using a single management console.”

Nuspire
Nuspire NuSecure will “continuously manage your business’ endpoints 24×7 with endpoint detection and response (EDR),
Nuspire’s SIEM technology and always-on managed detection and response (MDR).”

FireEye
FireEye protects your organization’s desktops, laptops, and servers from security breaches with intelligence led protection,
detection and response.

Fortinet FortiClient
FortiClient strengthens endpoint security through integrated visibility, control, and proactive defense. With the ability to
discover, monitor, and assess endpoint risks, you can ensure endpoint compliance, mitigate risks, and reduce exposure.
FortiClient proactively defends against advanced attacks.

What’s the best anti-virus endpoint protection?


If we had to pick our favorite, we’d recommend Check Point SandBlast Agent for two reasons: 1) Check Point integrates easily
with on-premises data centers and modern cloud data centers, and 2) Check Point easily integrates with Active Directory.

Do I need an endpoint security consultant near me?


Maybe. The most important factor is experience and an effective workflow, whether in-person, on-site, virtual, or off-site. That
said, we think working with an endpoint security consultant near you is an advantage. This will allow your endpoint security
consultant to better communicate with existing IT teams, and better understand your current information architecture. A
non-local endpoint security consultant becomes a good option if they follow security best practices and have an established
virtual workflow. Why? Location is less significant when virtual workforce tools are effectively adopted by consultant and
client, whether a small business or global enterprise. Plus, on-site specialists can become costly. Bottom line: look for an
endpoint security consultant who offers an excellent communication process, a clear workflow, and a custom security solution
for your business.
Difference between EDR, XDR and MDR
The cybersecurity industry should come with a glossary to cover all the acronyms it uses. We’ve talked about some of the
more common terms in the past, but today we’re taking a closer look at three big detection and response technologies:
• MDR, which stands for managed detection and response.
• XDR, which stands for extended detection and response.
• EDR, which stands for endpoint detection and response.
These three approaches to detection and response technologies are hot topics in the security sector and dominate a lot of
conversation.
While closely related, there are several major differences—not to mention subtler nuances—that differentiate these
approaches to security from one another. Without a clearer understanding of the actual outcomes each one provides,
businesses may struggle to make an informed decision about the solution(s) they need to defend their operations and data.
MDR, XDR, and EDR share a lot of DNA, but the way they approach security can vary wildly. Let’s take a closer look at these
three solutions to better understand their capabilities and potential benefits.
In this blog, you’ll learn:
• What MDR, XDR, and EDR are designed to protect
• The benefits of each detection and response solution
• Which approach is best for your business

MDR, XDR, and EDR at a glance

MDR
• Capabilities: detection and response as a managed service. May include additional services and features.
• Coverage: varies by vendor. May be endpoint only, holistic, or anything in between.
• Benefits: APT and malware protection. Frees up time. Scalable. Access to expertise.
• Limitations: not all MDR solutions are created equal. Evaluating coverage/functionality is key.

XDR
• Capabilities: detection and response across the threat surface. Layers multiple tools to provide functionality.
• Coverage: endpoints, networks, and cloud services.
• Benefits: APT and malware protection. A lower total cost of ownership (compared to layering point solutions). Effective at identifying unknown threats. Centralized threat data.
• Limitations: can be very noisy. Requires extensive time and skill to manage.

EDR
• Capabilities: detection and response for endpoint threats. Integrates with other solutions.
• Coverage: limited to endpoints.
• Benefits: APT and malware protection. Good visibility of endpoints.
• Limitations: no visibility of network and cloud-based threats.

What is endpoint detection and response (EDR)?

Endpoint detection and response (EDR) focuses on securing endpoint devices—any device with connections to and from a
network. Endpoints typically include laptop and desktop computers, smartphones, tablets, Internet-of-Things (IoT) devices,
servers, and more.
EDR can be seen as an evolution of traditional endpoint protection (EPP), a classification-based form of threat detection.
Classification-based detection is limited in what it can accomplish: endpoint solutions that rely on classification can only
identify known threats by querying an existing database. This lets such solutions compare detected activity to a list of known
threats and take automated action when they find a match.
Where modern EDR truly sets itself apart is with a greater focus on active monitoring and the ability to identify abnormal or
suspicious activity—which may go beyond known threats—and react appropriately. For example, actions taken could include
an active block, isolating a host, or escalating findings for further investigation. This is a stark contrast to
classification-based detection because it adds a layer of intelligence to the system; classification-based detection requires
previous experience or understanding of threats.
This makes EDR better suited to detecting and identifying unknown threats, such as advanced persistent threats (APTs). APTs
are, as the name suggests, more sophisticated cyber threats that can go undetected for long periods of time.
EDR is all about endpoint visibility, giving teams more insight into what’s happening on an endpoint so they can quickly
resolve threats as they arise.
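The contrast between classification-based (EPP-style) and behaviour-based (EDR-style) detection described above, as an added example that is not part of the original deck or of any vendor's product. The telemetry schema, the hash denylist, the two behavioural rules, the file-write threshold, and the sample events are all constructed for illustration: a known-hash match is blocked outright, while unknown binaries are judged by what they do, with the response actions (block, isolate, escalate) the text lists.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed denylist of known-bad binaries (hash -> family). The hash is a
# placeholder, not a real indicator of compromise.
KNOWN_BAD_HASHES = {
    "deadbeef" * 8: "Trojan.Example",
}

# Constructed behavioural rule inputs: document applications that normally have
# no reason to launch a command interpreter, and a per-process file-write count
# above which activity is treated as abnormal.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}
MASS_WRITE_THRESHOLD = 500


@dataclass
class ProcessEvent:
    """One process-start record as an EDR agent might report it (constructed schema)."""
    host: str
    parent: str             # image name of the parent process
    image: str              # image name of the new process
    sha256: str             # hash of the executable on disk
    files_written: int = 0  # files the process has written so far


# A verdict is (action, reason); action is one of "block", "isolate", "escalate".
Verdict = Tuple[str, str]


def classification_detect(ev: ProcessEvent) -> Optional[Verdict]:
    """Classification-based (EPP-style) detection: match the binary's hash
    against a database of known threats. Anything not in the database passes."""
    family = KNOWN_BAD_HASHES.get(ev.sha256.lower())
    if family is None:
        return None
    return ("block", f"known malware {family}")


def behavioural_detect(ev: ProcessEvent) -> Optional[Verdict]:
    """EDR-style detection: judge what the process is doing, not what it is.
    Fires on activity that is abnormal for the endpoint regardless of the hash."""
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SHELLS:
        # A document application launching a shell is rarely legitimate; contain the host.
        return ("isolate", f"{ev.parent} spawned {ev.image}")
    if ev.files_written >= MASS_WRITE_THRESHOLD:
        # Mass file writes from an unknown binary deserve an analyst's look.
        return ("escalate", f"{ev.image} wrote {ev.files_written} files")
    return None


def triage(events: List[ProcessEvent]) -> List[Tuple[str, str, str, str]]:
    """Run classification first (cheap and precise), then behavioural rules.
    Returns one (host, detector, action, reason) tuple per detection."""
    hits = []
    for ev in events:
        verdict = classification_detect(ev)
        detector = "classification"
        if verdict is None:
            verdict = behavioural_detect(ev)
            detector = "behavioural"
        if verdict is not None:
            hits.append((ev.host, detector, verdict[0], verdict[1]))
    return hits


# Constructed sample telemetry: one known binary, two unknown binaries that
# behave abnormally, and one benign process.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", "explorer.exe", "setup.exe", "deadbeef" * 8),
    ProcessEvent("ws-02", "winword.exe", "powershell.exe", "00" * 32),
    ProcessEvent("ws-03", "explorer.exe", "update.exe", "11" * 32, files_written=1200),
    ProcessEvent("ws-04", "explorer.exe", "chrome.exe", "22" * 32, files_written=12),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The second and third sample events pass the hash lookup untouched, which is exactly the gap the text describes: a classification-only tool has no opinion on a binary it has never seen, whereas the behavioural rules act on the activity itself.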

What are the benefits of EDR?

EDR has a number of benefits that make it an appealing security tool. It offers visibility into activity on your endpoints, and
since 70% of all breaches start with endpoints, this approach is highly valuable for security professionals.
EDR is focused on reviewing a broad set of information. As such, threats that would have evaded legacy EPP platforms are
able to be detected, such as fileless malware attacks. And like other tools, EDR can integrate with a larger solution like a
security information and event management (SIEM) platform.
Yet the narrow focus on endpoint telemetry alone limits the amount of data available for analysis. Seen in isolation, abnormal
endpoint activity paints an incomplete picture. Without context from what’s happening on the network or in the cloud, for
example, it’s harder to determine what’s a genuine threat and what’s simply a false positive.
What’s more, when used as part of a SIEM, EDR solutions can also contribute to significant alert volume. Activity on endpoints
would generate one set of notifications, while activity in the cloud (potentially from the same threat) creates another. The
challenge of correlation means that dealing with the alerts can leave teams exhausted, exacerbating alert fatigue and
potentially increasing employee turnover.

What is extended detection and response (XDR)?

XDR’s origins come from the fact that looking through a single lens at an organization’s infrastructure simply doesn’t provide
the coverage and visibility required to minimize the threat surface. Compromises can happen at the endpoint, network, and
cloud, and through employees themselves.
EDR and some traditional MDR offerings are frequently seen as limited point solutions, addressing a single aspect within a
network. XDR is a direct response to those limitations, pulling together detection and response capabilities for endpoints,
networks, and cloud services in a single platform. XDR is often offered as software-as-a-service (SaaS), making it easier for
businesses to access this technology.
In light of hybrid work environments, complex IT infrastructure, and increasingly sophisticated threats, XDR solutions
promise to deliver relevant information and threat data so organizations can better protect their data and operations.

What are the benefits of XDR?

XDR solutions acknowledge that endpoint detection alone is not enough to protect modern IT infrastructure. Indicators of
compromise don’t exhibit solely at the endpoints; abnormal traffic and traffic patterns through the network, and anomalous
cloud activity can equally indicate trouble.

Beyond this, XDR provides a range of benefits for organizations:


• Improved detection and response—as we’ve discussed, because of its focus on the entire threat surface, XDR can help
businesses identify and address threats targeting any aspect of their IT infrastructure.

• Centralized user interface—one of the major selling points of XDR solutions is the fact that they centralize all threat data in
a single dashboard, making it easier for teams to prioritize their response.

• Lower total cost of ownership—XDR solutions can simplify security toolsets, often helping organizations find efficiencies and
maximize their resources.

• Automated analytics—having a solution that will identify, triage, and prioritize threats on your behalf while simultaneously
analyzing reams of data is a huge benefit for security teams everywhere.

What are the limitations of XDR?

XDR takes its broad approach to cyber threat monitoring by pulling together multiple pieces of technology to deliver greater
insight into an IT environment—but even this approach has its drawbacks.

XDR solutions often are built in a disparate fashion—that is, each component hasn’t been cohesively developed from the
ground up to ensure seamless interoperability. As a result, each piece of the platform may only be providing a snapshot of
the bigger picture. Additionally, the footprint and CPU usage due to the different pieces of technology can be significant.

This leads to considerable noise, too. Each tool in an XDR solution may be providing multiple alerts for the same issue. As
mentioned above, suspicious activity in a cloud service and suspicious activity on an endpoint may be linked, but XDR
solutions don’t always provide that context—which could mean the difference between preventing an attack or falling victim
to one.
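The correlation problem raised in the EDR benefits section (endpoint and cloud alerts from one threat arriving as separate notifications) and again here (XDR components each alerting on the same issue without shared context) is the same problem. The following is an added example, not code from the original deck or from any product: it joins alerts from different sources on the user identity they share and on time proximity, so one activity chain becomes one incident, and it ranks incidents with independent evidence from more than one source above single-source ones. The alert schema, the 30-minute window, and the sample alerts are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set


@dataclass
class Alert:
    """One alert as a SIEM would receive it from a detection source (constructed schema)."""
    source: str      # "endpoint" or "cloud"
    ts: datetime
    user: str        # identity the activity ran under; the join key across sources
    summary: str


@dataclass
class Incident:
    """A group of alerts believed to describe one activity chain."""
    user: str
    first: datetime
    last: datetime
    alerts: List[Alert] = field(default_factory=list)
    sources: Set[str] = field(default_factory=set)

    @property
    def priority(self) -> str:
        # Independent evidence from more than one source is stronger than
        # repeated evidence from a single source.
        return "high" if len(self.sources) > 1 else "low"


# Constructed correlation window: alerts for the same user this close together
# are assumed to belong to the same activity chain.
WINDOW = timedelta(minutes=30)


def correlate(alerts: List[Alert]) -> List[Incident]:
    """Collapse alerts into incidents keyed on user identity and time proximity.
    Returns incidents with multi-source evidence first, then by start time."""
    incidents: List[Incident] = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        for inc in incidents:
            if inc.user == alert.user and alert.ts - inc.last <= WINDOW:
                inc.alerts.append(alert)
                inc.sources.add(alert.source)
                inc.last = alert.ts
                break
        else:
            # No open incident for this user within the window: start a new one.
            incidents.append(Incident(alert.user, alert.ts, alert.ts, [alert], {alert.source}))
    return sorted(incidents, key=lambda i: (-len(i.sources), i.first))


# Constructed sample alerts: three for one user from two sources within twenty
# minutes, plus two unrelated single alerts.
T = datetime(2023, 9, 25, 10, 0)
SAMPLE_ALERTS = [
    Alert("endpoint", T, "alice", "unsigned binary executed from temp directory"),
    Alert("cloud", T + timedelta(minutes=12), "alice", "sign-in from a new country"),
    Alert("cloud", T + timedelta(minutes=20), "alice", "bulk download from file share"),
    Alert("endpoint", T + timedelta(hours=1), "bob", "unsigned binary executed from temp directory"),
    Alert("cloud", T - timedelta(hours=1), "carol", "sign-in from a new country"),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc.priority, inc.user, len(inc.alerts), sorted(inc.sources))
```

Five alerts become three incidents, and the one that actually spans endpoint and cloud telemetry rises to the top with its context attached. Without this join, the analyst sees three separate notifications for alice and has to reconstruct the link by hand, which is the alert-fatigue scenario the text describes.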

What is managed detection and response (MDR)?

As helpful as EDR and XDR can be for an organization, they’re not without challenges. Tools that simply compile activity data,
whether from endpoints alone or other areas of your IT infrastructure, generate a wealth of data that requires further
analysis. In turn, this increases workloads and requires an in-depth understanding of cybersecurity telemetry and processes.
This is the challenge that managed detection and response seeks to address.
MDR is not a specific technology, but a managed service that packages the benefits of EDR and/or XDR into a convenient
offering, helping offload some of the challenges of hiring cybersecurity professionals who have the experience needed to
build an in-house security program.
As we’ve touched on, EDR and XDR generate significant amounts of information, requiring teams to parse greater volumes of
alert data and determine what is a false positive and what is an actual threat. MDR takes this off a client’s plate, putting
detection and response responsibilities in the hands of an experienced third-party security provider.
In many cases, MDR simply offers a services approach to traditional detection and response activities. Sometimes it’s
packaged alongside a range of other security tools, such as a DNS firewall, network sensors, or cloud monitoring to better
protect modern IT infrastructure.

What are the benefits of MDR?

The biggest benefit of MDR is the peace of mind it offers businesses. As a managed service, MDR frees up time for IT and
security teams to focus on strategic initiatives that support business goals.
What’s more, a managed service may be more cost-effective and more accessible than building an in-house security team.
By taking EDR capabilities and delivering them as a managed service, MDR providers can offer added benefits to their clients:
• Event analysis—handling the hard work of analyzing potentially billions of security events, helping weed out false positives
from genuine threats, often by augmenting machine learning with human analysis and support.
• Alert triage—triaging alerts which allows businesses to better prioritize their cybersecurity activities and focus on the most
critical issues first.
• Vulnerability management—proactively addressing vulnerabilities to minimize an organization’s threat surface.
• Remediation—offered as an additional service or included in the service agreement, MDR providers can help repair, restore,
and remediate after a cybersecurity incident, minimizing damage and recovery time.
• Threat hunting—MDR providers can monitor an organization’s network and look for active incidents, helping businesses
detect threats early and minimize potential damage.
As useful as MDR products and services can be, not every provider offers the end-to-end defence a modern business
requires. Some MDR solutions fail to account for network- or cloud-based threats, only offering visibility into a single set of
data.

Different approaches to managed detection and response

As explained above, MDR isn’t a single technology or tool, but a managed service approach to cybersecurity. With this in
mind, buying an MDR solution from a managed service provider (MSP) means navigating its own set of terminology. There are
three distinct classes of MDR to be aware of:

• MEDR: Managed endpoint detection and response delivers endpoint detection and response capabilities as a managed
service.

• MNDR: Managed network detection and response focuses on network-based attacks on network infrastructure, servers, and
email.

• MXDR: Managed extended detection and response seeks to take the broader approach of XDR solutions—covering an
enterprise network—and deliver it as a managed service. Just like standard XDR, the exact definition of what is covered may
vary from vendor to vendor.

Thank You
