XDR vs EDR with Michael Gray


XDR vs EDR: What Every IT Director Needs to Know

If you’re responsible for protecting your organization’s data and infrastructure, the debate around XDR vs EDR is one you can’t afford to ignore. With cyber threats evolving faster than ever, relying on legacy antivirus software is no longer enough, but knowing which next-generation solution is right for your environment can feel overwhelming. In this episode of the IT Directors Podcast, Jay Bradford and Michael Thomas sit down with Clear Winds VP of Engineering Michael Gray to break down the real differences between antivirus, EDR (Endpoint Detection and Response), and XDR (Extended Detection and Response) — and more importantly, help you figure out which one your organization actually needs.

XDR vs EDR Transcript

Jay Bradford: What is going on? It’s Jay and Michael here on the IT Directors podcast with our VP of Engineering today, Michael Gray. Michael, how’s it going?

Michael Gray: Hey, so glad to be with you guys. It’s going great.

Jay Bradford: Man, look, this is going to be a great episode. You know, we’ve touched on cybersecurity in the past, Michael, we’ve touched on just high level, kind of a lot of topics in cybersecurity, but today we’re gonna focus on antivirus versus EDR. XDR versus EDR. So, you know, that’s a pretty focal point. That’s a very focused area in cybersecurity — XDR versus EDR. So we’re gonna open up, just tell us a little bit about kind of your role at Clear Winds, Michael, and kind of what you do, and then we’ll get into the topic today.

Michael Gray: Excellent. Excellent. Thank you. Yeah. So I’m head over the engineering team and our Security Operations Center, which is directly related to what we’re talking about today. Got a great group of guys that help us accomplish our goals. So, excited to talk about it. Antivirus, XDR, EDR is a very confusing topic in the industry as people are trying to learn to adopt and grow into the more modern, new age technology out there. So, great timing, great topic.

Jay Bradford: Yeah. I mean, so Michael, we hear these terms all the time, right? And especially in the engineering world when we’re meeting with customers, and when Michael and his sales team are talking, we hear these terms with antivirus and XDR, EDR, and I think it’s really confusing to the average person.

Michael Thomas: Oh yeah, it definitely is, because there’s a baseline of acceptance for antivirus software. So when we’re out talking to people and meeting with different organizations, different groups, people accept antivirus. Anything else, it’s like, what is it? What’s all this alphabet soup you’re throwing out there? What do these letters even mean? You’re just making stuff up.

Jay Bradford: Yeah.

Michael Thomas: Making stuff up. So what — I’d say if you can give us like, hey, a broad understanding of antivirus, that’s what’s accepted. But at least if you could give us your definition of that, so now when we start looking at the other stuff — so broad definition, what is antivirus software?

Michael Gray: Yeah, so antivirus software is, of course, the legacy, the traditional technology that is derived and based upon file level, signature level identification, meaning the threat was in the wild, signatures were created to defend against it, and deployed to the desktop for that. So pretty good.

Michael Gray: Pretty good. But technology has evolved. The speed is more needed today than the time it would take for a traditional, signature-based solution.

Michael Thomas: So the speed has evolved. What does that mean?

Michael Gray: Yeah, so everything is quicker today. The device that we had just three years ago — if you buy one today, it’s going to run faster. Well, as the machines run faster, the bad guys’ availability and capabilities to infect begets faster.

Michael Thomas: Mm-hmm.

Michael Gray: So the delays and the lags of developing the technology to help combat those — it’s just not good enough in today’s environment.

Michael Thomas: Okay. And so that antivirus — I think that’s why it’s been the standard for a while, but the speed — that’s no longer enough. Is that a fair statement? So then EDR — what’s the difference between antivirus and EDR?

Michael Gray: Yeah, excellent. So AV — antivirus has an acronym too.

Michael Thomas: It’s got some letters as well.

Michael Gray: So you know, don’t wanna leave it out. So the — it’s

Jay Bradford: Kind of like the flu shot — AV’s kind of like the old flu shot syndrome, right, Michael?

Michael Gray: Yeah, yeah, yeah, it is. You have those signatures. There are mutations from the major variants. But migrating from AV antivirus to EDR is like flipping the light switch on or off. So it’s a huge shift in the way those attacks are dealt with. Number one, you go from file signature-based defenses to heuristic — meaning it’s more behavioral, more real time. So you’re able to adapt. The technology is thinking and looking at what you’re doing, being able to identify stuff that’s not normal and make that identification, number one. So its ability to respond is faster. The thing about EDR that sets it apart from the traditional AV is not only can it identify threats quicker, but it also has a feature called response.

Michael Thomas: Mm-hmm.

Michael Gray: Which is the R in EDR — endpoint detection and response. So it can now not only detect what’s going on, but instead of sending you a report that says, “Hey, you’re getting eaten” or “you’re getting taken to the cleaners,” it takes action. So it will automatically, if you’ve configured it as such, isolate the device if it can’t clean it.

Michael Thomas: Mm-hmm.

Michael Gray: So a huge shift in the way that works. So, you know, it’s good that they’re able to detect and let you know that there’s an attack happening, but let’s say you’re in bed at 2:00 AM.

Michael Thomas: Mm-hmm.

Michael Gray: This attack happens — which is when they generally occur — and you get an email that tells you, “Hey, you know, you’re getting attacked. You need to pay attention to this.” Well, that would be great if you were sitting there in front of your computer, but when you’re asleep, that doesn’t do much good. And then by the time you get in to work the next morning at 7, 8, 9, whatever, you find out you’re underwater. Everything has been contaminated. So the response is crucial in being able to defend oneself in today’s landscape.

Jay Bradford: Mike, now that we’ve talked about AV and EDR and what they do and kind of the differences, what are some of the tools that our IT directors that are listening and watching the show could use in the EDR world? What are some of the major tools or software platforms?

Michael Gray: Yeah, well, there are three that have been tried and tested and proven very valuable. Sentinel One is probably at the top of that list. Then you have CrowdStrike, and then Carbon Black — the three that are very reputable. Like I said, they’ve been proven. So as long as someone’s running one of those three — there are several out there, but those are the three that would be at the top of the list.

Jay Bradford: Yeah, oh absolutely. And I mean, those are in the Magic Quadrant and those are the three big players, Michael Thomas. And most of our people listening or watching, if they’re going into EDR heavy, they probably have one of those three, you know?

Michael Thomas: They should.

Jay Bradford: They should. Yeah. So now that we’ve kind of laid the foundation — and especially for our viewers, because I think it’s so great that we’re going over antivirus and EDR — now we’re gonna talk about XDR. So what is the difference between XDR and EDR?

Michael Gray: So EDR is for the traditional workspace.

Jay Bradford: Mm-hmm.

Michael Gray: So that’s PCs, servers that are in the office. Of course we say traditional — that traditional seems to be evolving. So, you know, I guess you could still call that the traditional workspace. Well, we’ve moved to the modern, which now includes devices and equipment that are also in the cloud. So XDR encompasses both on-premise and cloud — the cloud infrastructure. So SharePoint, OneDrive, your emails that are in the cloud, whether Gmail or 365. Let’s say you have Intune-registered devices or cloud-registered devices — the XDR helps protect against attacks in that arena.

Jay Bradford: Yeah. So it kind of goes a whole extra step, right? Versus EDR — it’s extended. Basically, right? So it gives you more visibility and a broader scope of devices, just like Michael talked about: stuff in the cloud, stuff that’s not on-prem, emails. So, now we’ve kind of narrowed all that down. So who needs what and why? That’s a big question. A lot of companies — do I need XDR, Michael? Do I need EDR, or do I need just AV? Like, what in your opinion, with your wealth of knowledge — who needs what? What’s the scenario where someone doesn’t need XDR and can just utilize EDR?

Michael Gray: Well, it would be based upon those two scenarios that I just presented. So if one doesn’t have a huge cloud presence, then EDR is the ticket. Meaning they don’t have their systems in the cloud — they’re just on-prem. If the only thing that’s in the cloud is email, then I would still say that XDR would not be needed for that. But it would typically only be needed if you start moving from the office to the cloud for your day-to-day activities — your file shares, your websites that are maybe cloud-developed, devices that are cloud-only, cloud-registered and managed and controlled. That would be the way that I believe everybody would be wise to sort of help use as a differentiator.

Michael Thomas: I think that’s key — trying to understand like, hey, who’s a good candidate for what? I think from a sales standpoint, what we encounter is, since people typically accept antivirus, it’s viewed as, “Well, you’re just trying to upsell me and sell me something else.” Well, hey, no, we’re not. We’ve seen real-life scenarios where this actually kept people from getting compromised or kept them from falling prey to a bigger attack that could have crippled an organization. So yes, there’s some buy-in there, but hearing like, okay, yeah, there are certain cases where each one applies — and I feel like that’s key, because it’s an industry where there’s the unknown. You could be suspicious: do I actually need this or not?

Michael Thomas: So I appreciate the context.

Jay Bradford: Well, and then also, Michael, there’s us at Clear Winds, right? We’re an organization that services our customers. We propose these solutions, whether it be XDR, EDR — we do a lot of that. But for your government, your K-12, your municipalities, even some of our healthcare clients — XDR can be pretty costly. It does have a higher cost than EDR. So give us an example, Michael, where you’ve seen a customer that maybe didn’t go the XDR route and it hurt them. Or they weren’t sure whether they needed XDR or EDR and how that impacted day-to-day operations — because a lot of people have stuff in the cloud and they don’t even really realize it. A lot of customers and organizations run more in the cloud than we actually know.

Michael Gray: Yeah, no, that’s good. And to your point, Michael, there is some skepticism in the marketplace. And that falls on us as messengers to improve our messaging too, to help lay out the differences and help explain them. And at the end of the day, they have those choices, but to be able to articulate it in a manner that’s easy to understand.

Michael Gray: One thing before we jump into XDR that we haven’t mentioned yet — three letters — is MDR. Which is Managed Detection and Response. So one could have — and I think this would probably carry a little more weight than the XDR discussion, really — here’s the ability for a client to have the EDR on their device, which is exceptional. But what do you do with it?

Jay Bradford: Mm-hmm. Yeah, that’s a great question.

Michael Gray: Who’s gonna answer that call at 2:00 AM? On the EDR — we just said the difference between AV and EDR is the response mechanism.

Michael Gray: Well, so let’s say that something does come across at 2:00 AM, and I can give a specific example of this — where your legacy antivirus solution sent an email stating they were noticing something unusual and that someone needed to check it. And of course, it came in the wee hours of the morning. The client, when they got to the office, had found that all of their systems had been encrypted — in other words, useless and taken offline. So they ended up purchasing an EDR solution, and we helped them manage that. They had a similar attempt, and because they had not only the EDR but it being managed by someone who’s looking at it 24/7, we were able to not only detect the event and isolate the device, but prevent the scenario from spreading through their system. So it turned into an annoyance for one or two people as opposed to the whole organization walking in the next day.

Michael Gray: So the managed piece — with any tool, I could go to the tool shop and buy Makita, I can buy a set of the most expensive tools that are made, put them in a toolbox, go sit them right there in my carport. And if I don’t use them, if I’m not managing them, if I’m not looking at them, what good have they done me? I can say, “Oh yeah, I’ve got the best tools out there.” “What do you do with them?” “I don’t know — they just sit there.”

Michael Thomas: But they look good over there.

Michael Gray: Yeah. So it’s not just the acquisition of tools. And that’s where managed services — that’s where your partners come into play and help not only advise you on what the best tool is for the job, but also help you deploy it, manage it, and enable it to do what you bought it for: protect you, safeguard you. And that’s key. That’s very key. So that’s an aspect of these tools that I wanted to make sure we brought out, because that is crucial.

Jay Bradford: No, look — that is fantastic. What Michael talked about, because we can sell solutions, we can provide solutions to customers or organizations, but without someone managing those solutions, they’re really still just a solution sitting there. Yeah. And they do have the response. They do have some intelligence around how they do things, but without someone managing that, they’re still not as good as they could be. That’s a great point that Michael brought up. And hey, you know, for our listeners and viewers — that’s why Michael’s the VP of Engineering. He thinks about those things, because you can’t just give someone a tool and then not manage it or not show them how to utilize it.

Michael Thomas: Well, and another thing you bring up as well is that education aspect.

Jay Bradford: Correct.

Michael Thomas: Even part of our organization — something our CEO preaches — is, “Hey, we wanna be a trusted advisor.” So our goal here is not just to make a sale and try to make some money off of it. No. Hey, we wanna actually help people. We wanna be in that position where we can be a trusted advisor and provide a solution that’s actually gonna benefit them, and then educate them on why.

Jay Bradford: Well, you know, if you walked around the airport about a year and a half ago and saw all the blue screens on all the monitors in there — that was someone not managing one of the EDR tools. I mean, they had a major catastrophe, right? It kind of stopped everything in the world for like a day and a half. So, if you have people managing these solutions — and I think that’s so important, and I’m so glad you brought that up — because I know me, as an IT director before in my old role, I would buy a solution or tool thinking, “This is great.” But if I wouldn’t watch it or have someone managing it, it really didn’t serve the purpose it was designed to. So I think having training and people tied to those tools — and that’s where partnerships with Clear Winds and what we can bring to the table come in. Having that managed piece that Michael mentioned is huge. That’s really big. I think — what are some things you’ve seen, Mike, with XDR? How do you feel it differentiates itself in real-world practicality for our IT directors? What have you seen in a real-world example?

Michael Gray: Well, again, it is the shift of where day-to-day business operates. So if a business has shifted their infrastructure to more of a cloud-driven environment, that’s where XDR comes into play. So, you know, it has the capabilities of doing just what EDR does, except in the cloud space. So, you know, it can detect — I’ve got a SharePoint file that I uploaded, and I wasn’t careful and I’ve got it publicly exposed. It can be accessed from anywhere. And let’s say it’s a confidential document. Well, uh oh. So those tools can help identify that type of behavior — like, “Hey, it looks like you’ve got a document that’s being accessed from Beijing. You may wanna look at that.”

Jay Bradford: Yeah.

Michael Gray: So it provides that component that — again, if one has shifted and that’s their major platform for doing business — and we see a lot of customers and a lot of people in the industry heading that way. But that’s some of the bigger components: it provides the notification. Now, depending on which cloud platform one leverages, that notification capability is there. The problem is trying to find it and get it configured, whereas these tools do that for you.

Jay Bradford: What is an XDR tool? We talked about some EDR tools — what are one or two XDR tools that you’ve worked with or that we’ve seen have success?

Michael Gray: Yeah. Well, Checkpoint has one. Sentinel One has a product — either one of those two. XDR is just like EDR was when it first came out — it’s gaining traction. They’re evolving and adjusting and it’s growing. But you typically know the players and their roles in security, and they’re going to usually be your frontrunners and the ones you would be safe selecting. So you’ve got — and of course Palo Alto — we can’t talk about security and exclude Palo Alto. They’re widely known in most circles as the premier security company, or one of the premier security companies, in the world. So those are some things to look at in these tool sets as you’re trying to make your decision: how wide is the scope? Is this company based in the United States, or do they have presence around the world? The more global the company is, the more valuable the information you’re going to get from the tool set. And it’s going to really increase what it brings to the table. So it’s just evaluating — and I know somebody right there listening is going, “Oh my, this is spinning my eyes.” But that’s where we come into play and help you decipher some of this. And again, one tool’s not for everything — it just depends on the environment we find ourselves in and what we’re trying to defend.

Jay Bradford: Yeah. Man, that’s fantastic. Michael, you know, in closing — Michael Thomas, I mean, this is gonna be a great episode for our listeners and viewers. I think it’s great information that the average IT director probably doesn’t know, because just because you’re a director running a data center, or you’re a CIO, you may not be a cybersecurity expert. Right. And that’s why you have the SOC team, that’s why you have all these different resources. So the information that Michael has shared here is invaluable to our listeners and viewers.

Michael Thomas: Yeah, definitely. I think it’s key — back to that education aspect. You want your people — and I call our partners “our people” as well. We like to view ourselves as an extension of their own team. But we want them to know the tools that we’re providing and recommending, really because we’re genuine in that. Hey, we wanna have their best interest in mind and make the recommendations that are actually going to benefit them the most.

Jay Bradford: Absolutely. If you could have one takeaway for our listeners, Mike, as we close — just one thing about EDR versus XDR and antivirus — just one nugget. One thing. What would you want to share with that IT director out there trying to figure out how to protect their organization, with all the cybersecurity challenges going on, AI — I mean, what’s one thing you’d like to share with them?

Michael Gray: Well, I would be remiss in not saying this: contact Clear Winds. We would be very willing and able to assist in that determination, because one thing about technology is there’s no such thing as one answer for every scenario. So it would have to be based upon that specific scenario. And that’s one thing we’ve prided ourselves on here at Clear Winds — we tailor it, because that’s the way the technology works best. That would really be the biggest takeaway: reach out to us. We’d love to talk with you and help you craft a solution that’ll meet your needs.

Jay Bradford: Man, that’s fantastic. Well, look, thank you so much for joining. I think our listeners and viewers are gonna love this episode. I think they’ll gain a lot of knowledge about XDR versus EDR and how it can benefit the organization, and when to engage us as a partner and a resource for that — because look, I can tell you this: I didn’t make that decision on my own, Michael, when I was looking at all that. We had Checkpoint in my previous organization. Thankfully we didn’t have CrowdStrike, so that didn’t cause me a lot of havoc during that time. But you know, that’s a great product too — they just had a security situation. But look, we thank you so much for being on, Michael. Wealth of knowledge — that’s why we wanted to have you on today.

Michael Gray: Yes sir. Well, enjoyed being here. Thanks for the invitation.

Jay Bradford: Yeah. Well, we appreciate it. Look, to all our listeners and viewers, keep following the show — the IT Director’s Podcast on LinkedIn, Instagram, Spotify, and YouTube. And this is Jay and Michael with Clear Winds, and we are out.

XDR vs EDR Outro

Understanding the XDR vs EDR conversation is no longer optional for today’s IT leaders; it’s essential. As Michael Gray made clear in this episode, the right solution depends entirely on your organization’s environment, and there’s no one-size-fits-all answer. Whether you’re still running traditional antivirus, ready to make the move to EDR, or operating in a cloud-heavy environment where XDR makes the most sense, the key is having the right partner in your corner to help you make that call. If you’re ready to take the next step in securing your organization, reach out to the team at Clear Winds. And if you found this episode valuable, be sure to follow the IT Directors Podcast on LinkedIn, Instagram, Spotify, and YouTube — because when it comes to cybersecurity, staying informed is your first line of defense.
