Because I have related projects in progress, and colleagues from different departments often ask about or discuss these terms: EPP vs. EDR? EDR/MDR/XDR are all "DR"?! They look alike and are easy to mix up. And what is SIEM?
Peggy spent a little time putting this together as a reference for anyone who needs it. After this summarizing, some parts lean toward being easy to understand and picture rather than being fully precise; feedback is welcome.
EPP: Endpoint Protection
- Traditional endpoint protection. Traditional AV is also included.
- Main function: identify and block known threats
EDR: Endpoint Detection and Response (created by Gartner)
- Security solutions that sniff out suspicious activity on endpoints. Primarily focused on detecting and investigating suspicious activities (and traces of such) and other problems on hosts/endpoints
- Market share: Gartner now predicts that the global EDR space will grow at a compound annual rate of 45.3 percent through 2020 ($1.5 billion)
EPP vs EDR vs XDR
- A simple way to tell them apart:
- EPP: identify and block known threats. Emphasis on prevention.
- EDR: endpoint-based; collects more information to uncover potential unknown threats so that the relevant staff can respond. Emphasis on detection and response.
- XDR: Cross Detection and Response. Where EDR focuses on the endpoint, XDR is the next generation, spanning network, endpoint, server, messaging, 3rd-party logs and other sources.
- Gartner prediction: in 2019 EPP and EDR will be integrated together
MDR: Managed Detection and Response
- Proposed by Gartner in 2016
- The emergence of specialized managed detection and response
- outsourced Threat Detection and Response Expertise
- In simple terms: a very large enterprise usually has its own team dedicated to monitoring the company's internal and external traffic, system status, anomalous behaviour, endpoint detection alerts, EPP/EDR detections, advanced attacks and so on. But many medium or large companies don't necessarily have the capability/skill set/resources to do all this, and that is where an MDR service meets their needs
- MDR's Pros: https://arcticwolf.com/why-choose-mdr-over-mssp-or-siem_brief/
SIEM: Security Information and Event Management
- A software solution that collects log records of every endpoint and network activity, correlates these logs to identify indicators of compromise, and alerts security analysts when attacks are detected. It helps you manage your overall IT security from a single tool
- Top 10 SIEM products, e.g. HPE ArcSight, Splunk Enterprise Security (ES), IBM QRadar, etc.
- Pros and cons: https://arcticwolf.com/why-choose-mdr-over-mssp-or-siem_brief/
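Added example (my own, not from any SIEM product): a toy version of the collect / correlate / alert loop described above. It parses constructed sshd-style log lines, applies one correlation rule (several failed logins from one source IP within a short window, followed by a successful login from the same IP) and returns the alerts an analyst would see. The log lines, hosts, IPs, threshold and window are all my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (not from any real system), in a syslog-like
# format that a SIEM would collect from its endpoints and servers.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:03 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:05 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:06 host1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:09 host1 sshd: Accepted password for admin from 203.0.113.5
2024-03-01T10:05:00 host2 sshd: Failed password for bob from 198.51.100.7
2024-03-01T10:07:00 host2 sshd: Accepted password for bob from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(lines):
    """Normalize raw log lines into event dicts; a SIEM does this on ingest."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def correlate(events, threshold=3, window=timedelta(minutes=2)):
    """Rule: >= threshold failures from one IP inside `window`, then a success."""
    failures = defaultdict(list)  # src IP -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        src = e["src"]
        # Drop failures that have aged out of the sliding window.
        failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            failures[src].append(e["ts"])
        elif len(failures[src]) >= threshold:
            alerts.append({"src": src, "user": e["user"], "host": e["host"],
                           "failed": len(failures[src]), "at": e["ts"]})
            failures[src].clear()  # one alert per brute-force episode
    return alerts

def run_siem(raw=SAMPLE_LOGS):
    return correlate(parse(raw))
```

With the sample data, only 203.0.113.5 trips the rule (four failures then an accepted login for admin on host1); 198.51.100.7 has a single failure and stays below the threshold.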