EDR XDR and MDR overview – Bitdefender TechZone

Abstract

Enhance your cybersecurity defense with EDR, XDR, and MDR technologies. Gain comprehensive visibility into attacks, respond effectively, and reduce damage.

The rise of Ransomware-as-a-Service (RaaS) has fundamentally changed the landscape of cyberattacks. Hackers have shifted their focus from infecting individual devices to compromising entire organizations. Previously, an attack on a single endpoint might have represented the complete attack. Within the RaaS ecosystem, however, a compromised endpoint is just the initial step in a more elaborate operation that culminates in data encryption, data exfiltration, or both.

Traditional security solutions, such as antivirus products that focus solely on individual endpoints, are no longer sufficient to counter these modern threats. While robust endpoint protection platforms remain crucial for safeguarding individual devices, additional security controls are necessary to prevent attackers from leveraging a single compromised machine to orchestrate a widespread organizational breach.

In this article, we explore threat mitigation approaches, leveraging the capabilities of Endpoint Protection Platforms (EPP), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) technologies. Additionally, the Managed Detection and Response (MDR) service offers a proactive defense strategy, ensuring security both during and outside regular hours.

GravityZone platform

Endpoint Protection Platform (EPP)

EPPs represent the evolution of antivirus technology, moving beyond reliance on static signatures and incorporating multiple layers of security and advanced features such as Advanced Machine Learning technologies for dynamic threat detection. GravityZone EPP can evaluate the reputation of remote sites with Network Attack Defense (NAD) technology or perform an encryption rollback with Ransomware Mitigation.

This evolution includes the addition of proactive prevention technologies such as Patch Management and Risk Management, which address vulnerabilities by patching software or systems, identify and remedy security misconfigurations, and pinpoint users with risky behavior. By consolidating all these advanced technologies, EPP establishes overlapping defenses, reducing the likelihood of successful attacks and limiting the scope of an attack if one occurs.

A detailed description of the technologies included in EPP functionality can be found in the Prevention and Detection layers in the Multi-layered Security article here.

Endpoint Detection and Response (EDR)

EDR utilizes EPP functionality and expands visibility for security analysts by gathering data from all endpoints. The correlation mechanism automatically identifies incidents that manage to bypass prevention and protection technologies, often originating from unmanaged devices.

Lateral movement on the network is detected either directly by observing common techniques (e.g., using WMI/PsExec) or indirectly by correlating different events. For instance, if user credentials are dumped on a machine and later used to log in to another machine where malicious behavior is observed, the central correlation engine connects the dots, presenting a graphical representation of the attack.

This central correlation engine is coupled with other technologies such as Anomaly Detection, which generates profiles of typical behavior for individual machines. Together they can uncover threat actors already present on the network who maintain a low profile and employ techniques like living off the land (LOL), where legitimate admin tools such as PowerShell are used, leaving no malware trace for traditional endpoint security tools to detect. EDR uses probabilistic models, constantly monitoring and analyzing the situation to uncover elusive attacks.
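The two paragraphs above describe what the correlation engine and the per-machine anomaly profiles do without showing the mechanics. The following is an added illustration, not GravityZone code: a toy correlation engine that links a credential-access event on one host with a later network logon of the dumped account on a second host, and then with a process on that second host whose parent/child pair is absent from the host's learned baseline. The event schema, field names, baseline and sample events are all constructed for the example.

```python
"""Added example (not Bitdefender/GravityZone code): a minimal central
correlation engine for lateral movement. It chains
  credential access on host A  ->  network logon from A to B by the dumped
  account  ->  anomalous process on B run by that account
within a time window. Schema, field names and sample data are constructed."""
from datetime import datetime, timedelta

# Constructed endpoint telemetry from two hosts (assumed field names).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "type": "process",
     "user": "alice", "parent": "explorer.exe", "image": "outlook.exe"},
    {"ts": "2024-05-01T09:05:00", "host": "WS01", "type": "credential_access",
     "user": "alice", "target_user": "svc_backup"},
    {"ts": "2024-05-01T09:07:00", "host": "FS01", "type": "logon",
     "user": "svc_backup", "logon_type": "network", "source_host": "WS01"},
    {"ts": "2024-05-01T09:08:00", "host": "FS01", "type": "process",
     "user": "svc_backup", "parent": "wmiprvse.exe", "image": "powershell.exe"},
    {"ts": "2024-05-01T09:30:00", "host": "FS01", "type": "logon",
     "user": "bob", "logon_type": "network", "source_host": "WS02"},
]

# Constructed per-host baseline of (parent, child) process pairs observed during
# a learning period; the anomaly-detection component would build this in practice.
BASELINE = {
    "WS01": {("explorer.exe", "outlook.exe"), ("explorer.exe", "chrome.exe")},
    "FS01": {("services.exe", "svchost.exe"), ("svchost.exe", "backup.exe")},
}

WINDOW = timedelta(minutes=30)


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def is_anomalous_process(ev, baseline):
    """A process event is anomalous when its (parent, image) pair has never been
    seen on that host during the baseline period."""
    if ev["type"] != "process":
        return False
    seen = baseline.get(ev["host"], set())
    return (ev["parent"], ev["image"]) not in seen


def correlate(events, baseline, window=WINDOW):
    """Return fully linked incidents: credential access, the matching remote
    logon, and an anomalous process by the same account on the target host."""
    dumps = []       # credential_access events awaiting a matching logon
    incidents = []   # partial chains, completed when an anomalous process fits
    for ev in sorted(events, key=_t):
        if ev["type"] == "credential_access":
            dumps.append(ev)
        elif ev["type"] == "logon" and ev.get("logon_type") == "network":
            for d in dumps:
                if (d["target_user"] == ev["user"]
                        and d["host"] == ev["source_host"]
                        and timedelta(0) <= _t(ev) - _t(d) <= window):
                    incidents.append({"dump": d, "logon": ev, "process": None})
        elif is_anomalous_process(ev, baseline):
            for inc in incidents:
                lg = inc["logon"]
                if (inc["process"] is None and lg["host"] == ev["host"]
                        and lg["user"] == ev["user"]
                        and timedelta(0) <= _t(ev) - _t(lg) <= window):
                    inc["process"] = ev
    # Only complete chains are reported; a dump or a logon alone is not an incident.
    return [i for i in incidents if i["process"] is not None]


def attack_graph(incidents):
    """Edges (source_host, target_host, account) for a graphical attack view."""
    return [(i["dump"]["host"], i["logon"]["host"], i["logon"]["user"])
            for i in incidents]


if __name__ == "__main__":
    for src, dst, acct in attack_graph(correlate(EVENTS, BASELINE)):
        print(f"lateral movement: {src} -> {dst} via {acct}")
```

The design point is that none of the three events is alarming on its own (service-account logons and PowerShell under WMI both occur legitimately); the incident exists only because the engine ties them together by account, source host and time, which is exactly what makes a single-endpoint tool blind to it.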

BEST Agent with EDR schema

Incident Advisor simplifies incident investigation by presenting all the crucial information you need on a single page. It answers key questions like what happened, why this incident occurred, how it is impacting the organization, and what actions can be taken to minimize the business impact.

For a more in-depth investigation, you can switch to Extended Root Cause Analysis. This view provides an organization overview and a graph of the attack progression, helping you understand the attacker's strategy, including the Tactics, Techniques, and Procedures (TTPs) used.

Finally, for a deep dive into individual endpoints, you can use Root Cause Analysis. This allows you to see the detailed execution flow and relationships between processes and file system operations.

Incident Advisor actions

Throughout the investigation process, GravityZone suggests preventive and corrective actions, such as isolating endpoints or deploying missing patches.

Extended Detection and Response (XDR)

XDR technology goes beyond EDR, extending detection and response capabilities by collecting data from a wider range of sensors.

Bitdefender GravityZone XDR Sensors technology diagram

Sensors enhance your visibility across the entire attack lifecycle, starting from the initial point of compromise and extending to all impacted resources. For example, consider a scenario where a phishing email containing a suspicious file arrives in a user's inbox within Office 365. The Productivity Applications Sensor can detect the malicious attachment within the email, preventing the user from downloading it and potentially compromising the system. If the user executes the file, the Network Sensor, monitoring your network traffic, can detect the establishment of a reverse shell connection from the compromised station to the attacker's Command and Control (C2) server. Additionally, the Network Sensor can identify any lateral movement attempts within the network. Finally, when the attacker attempts to escalate privileges using a brute-force attack on Kerberos, the Identity Sensor, which integrates with Active Directory, can detect the suspicious login attempts and report unauthorized access.
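The last step of the scenario above, an Identity Sensor flagging a Kerberos brute force from Active Directory data, is the kind of detection that lives entirely in domain-controller audit logs rather than on the endpoint. As an added example (not Bitdefender code) the block below runs a sliding-window rule over constructed audit lines: repeated Kerberos pre-authentication failures for one account from one client raise a brute-force alert, and a successful ticket request immediately after the burst escalates it, since the guessing probably succeeded. The line format, thresholds and sample data are assumptions made for the example.

```python
"""Added example (not Bitdefender/GravityZone code): sliding-window detection of
a Kerberos password brute force from domain-controller audit lines.
Log line format, threshold and sample data are constructed for this example.
Event 4771 is the Windows 'Kerberos pre-authentication failed' audit event and
status 0x18 is KDC_ERR_PREAUTH_FAILED (wrong password); 4768 with status 0x0 is
a successful TGT request."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines: "<timestamp> <event> account=<acct> client=<ip> status=<code>"
SAMPLE_LOG = """\
2024-05-01T09:10:01 4771 account=svc_backup client=10.0.0.21 status=0x18
2024-05-01T09:10:02 4771 account=svc_backup client=10.0.0.21 status=0x18
2024-05-01T09:10:02 4771 account=svc_backup client=10.0.0.21 status=0x18
2024-05-01T09:10:03 4771 account=svc_backup client=10.0.0.21 status=0x18
2024-05-01T09:10:04 4771 account=svc_backup client=10.0.0.21 status=0x18
2024-05-01T09:10:05 4768 account=svc_backup client=10.0.0.21 status=0x0
2024-05-01T09:15:00 4771 account=alice client=10.0.0.31 status=0x18
2024-05-01T09:40:00 4771 account=alice client=10.0.0.31 status=0x18
"""


def parse(line):
    """Parse one constructed audit line into a dict."""
    ts, event, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for item in kv:
        key, value = item.split("=", 1)
        rec[key] = value
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {(account, client): verdict}. A pair gets 'bruteforce' once it
    accumulates `threshold` pre-auth failures inside `window`, and is escalated
    to 'probable_compromise' if a successful TGT request follows the burst."""
    failures = defaultdict(deque)  # (account, client) -> recent failure timestamps
    alerts = {}
    for rec in map(parse, lines):
        key = (rec["account"], rec["client"])
        if rec["event"] == "4771" and rec["status"] == "0x18":
            recent = failures[key]
            recent.append(rec["ts"])
            # Drop failures that fell out of the sliding window.
            while recent and rec["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.setdefault(key, "bruteforce")
        elif rec["event"] == "4768" and rec["status"] == "0x0" and key in alerts:
            alerts[key] = "probable_compromise"
    return alerts


if __name__ == "__main__":
    for (account, client), verdict in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{verdict}: account={account} from {client}")
```

Two isolated failures by alice 25 minutes apart never reach the threshold, so a mistyped password does not page anyone; the same rule keyed on the client address alone would also catch password spraying across many accounts, which is the usual second variant an identity sensor watches for.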

The central correlation engine brings together detections from all sensors into a unified Incident Advisor view. Each sensor also provides additional incident response actions that can be taken to disrupt the attack chain during the investigation. For example, you can delete malicious emails using the Productivity Applications Sensor or suspend a compromised user account using the Identity Sensor. GravityZone suggests these actions to streamline the response.

Sensors diagram

XDR extends EDR features like Extended Root Cause Analysis and Incident Advisor by incorporating data and actions from additional sensors. For example, if an attack originated from a misconfigured public cloud instance, Incident Advisor and Extended Root Cause Analysis would include that instance in an organization-wide overview, along with the additional actions enabled by this integration. The overview goes beyond endpoint data, potentially revealing attacker entry points, lateral movement attempts, or privilege escalation efforts. This gives your security teams an understanding of complex attacks, leading to faster and more effective incident response. The intuitive interface allows you to seamlessly navigate from this high-level overview to the details of individual events. See it in action in our demo video here.

Our native XDR approach streamlines XDR implementation. It simplifies setup, reduces management overhead, and minimizes false alarms. This is achieved through pre-integration: everything you need is built in, eliminating complex tuning and ongoing maintenance. Actions triggered by these integrations, like disabling a compromised cloud account, are also available out of the box. This translates to faster deployment, quicker time to value from XDR, less noise, and a more intuitive user experience for your security team.

Managed Detection and Response (MDR)

If you are running a business but lack a dedicated security team, a Managed Detection and Response (MDR) service can be a game-changer. MDR acts like an outsourced security department, continuously monitoring your systems for threats 24/7. With expert analysts on the line, MDR can identify and respond to suspicious activity much faster than you could on your own. This not only minimizes damage from cyberattacks but frees you up to focus on running your business with peace of mind.

Even for established SOC teams, MDR services can offer a significant boost. Our MDR goes beyond basic monitoring by incorporating a dedicated cyber threat intelligence team. These specialists continuously research and analyze the latest threats, allowing us to tailor our risk-based threat hunting specifically to your industry and vulnerabilities. This frees up your SOC analysts from constantly chasing shadows and lets them focus on higher-level tasks and incident response. With MDR as your partner, your existing SOC team becomes even more efficient and effective. You can find detailed information about MDR services here.

More Resources

Bitdefender Endpoint Detection and Response official website: Endpoint Detection and Response

Bitdefender EDR datasheet: GravityZone Security EDR Datasheet

Bitdefender XDR official website: GravityZone XDR

Bitdefender XDR datasheet: Bitdefender GravityZone XDR Datasheet

Bitdefender MDR official website: Managed Detection and Response (MDR)

Bitdefender MDR datasheet: Bitdefender GravityZone MDR Datasheet

Bitdefender Technical Spotlight Video: GravityZone XDR