As a Business Owner Business Solutions, Sascha Levölger has been responsible for expanding cyber defense solutions for business customers and developing new offerings to market maturity since 2020. He is familiar with current IT security trends and uses them to derive needs-based offerings for his target group, with the aim of strengthening G DATA’s economic growth. Sascha Levölger has been working at G DATA since 2006, initially as a software developer and later as a team leader with responsibility for the development of product setups and license servers. We talked to him about EDR and XDR.
Sascha Levölger, Business Owner Business Solutions at G DATA CyberDefense
There are a number of explanations for EDR, XDR, MDR – how would you briefly describe and delineate them?
Endpoint Detection and Response (EDR) refers to software that helps organizations detect cyber threats that have overcome preventive defenses (Detect – the “D” in EDR) and respond to them with countermeasures (Respond – the “R” in EDR). XDR stands for “extended detection and response.” Products called XDR cannot be defined uniformly. Depending on the provider, different functions are hidden behind it. These are often in the network area. This means that not only endpoints are monitored, as is the case with EDR, but also servers, for example. MDR or MEDR (Managed Endpoint Detection and Response) means that the analysis of threats and the response to them are not carried out by employees of the own company, but by an external IT security provider.
What would be important criteria for you when selecting an EDR?
Since data protection plays an important role in EDR, you should take a closer look at where the company is located and where the data is stored. You also need good service and support. Personal contacts are essential in the case of managed security. It should be clear in advance which areas in one’s own company are to be protected, where critical data and where risks lie.
Microsoft is also increasingly dominating this market, as the licensing packages mean that medium-sized companies often opt for the Microsoft Defender family. How do you see the EDR/XDR market? Is it already consolidating, or is there enough room for 20 or more solutions
Microsoft itself does not currently offer a managed solution. You can get an EDR service based on Windows Defender from third parties, but you should take a close look at how much experience the service provider brings to the table beforehand. Especially since he is serving a platform that he did not develop himself. There is definitely room for 20 or more solutions, and that is desirable. The more different solutions there are, the harder it is for attackers to find ways past them. If the market were to focus on individual solutions, then attackers would automatically have an easier time.
Do you have any guidelines for when a managed service is worthwhile for medium-sized companies?
You must ask yourself how important the data you have stored in the system is to you. If you want to prevent data from leaking out or being encrypted, then you need expertise these days. Therefore, you must answer quite openly for yourself whether you can muster the necessary know-how to detect attacks unerringly.
Can you describe how onboarding to a managed service basically works and what tasks the customer must do himself in the end?
Onboarding is divided into two phases: First, the coordination between the customer and the service provider, and then the rollout phase. In the coordination phase, it’s a matter of explaining the risks and determining which areas the service provider is allowed to look at and, if necessary, isolate. The rollout phase is followed by installation and configuration.
From your point of view, where are the crucial differences between a SIEM solution and an XDR approach today? And how long will these products continue to exist in parallel?
As a rule, the information that is collected is different. In principle, it is first better to evaluate as much data as possible. The more different solutions you use together, the sooner attacks can be detected. This approach will remain relevant in the future. But the important question is who can make sense of all the information in day-to-day business.
If you could send a message to all CIOs and CISOs, what would it be?
It is always best to handle the issue of IT security internally. On the one hand, with a view to data protection, but also because you know your own systems best. The only thing is that this is almost impossible to do today. Hiring external experts who have a lot of experience and know-how is therefore absolutely obvious.
Thanks to Sascha Levölger for his time!