Security product acronyms proliferate. Vendors use them interchangeably or combine them in ways that obscure rather than clarify what is actually being offered. Cutting through to what each capability actually does — and what problem it solves — is the starting point for making sensible security investment decisions.
Endpoint Detection and Response (EDR)
EDR software runs on managed endpoints and monitors process execution, file activity, network connections, and registry changes for malicious behaviour. When suspicious activity is detected, it can alert, automatically remediate, or isolate the device from the network. Microsoft Defender for Business is an EDR. It protects the endpoint but does not provide visibility across the broader environment.
Security Information and Event Management (SIEM)
A SIEM collects and correlates log data from across the environment — endpoints, servers, network devices, cloud services — to detect threats that span multiple systems. A compromised account accessing unusual data over several days may not trigger an alert on any single system but does create a pattern detectable in a SIEM. Microsoft Sentinel is a cloud-native SIEM. It requires log sources, detection rules, and someone to triage and respond to alerts.
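The contrast drawn above, between what a single system (or the EDR on one host) can see and what a SIEM sees once events from several systems are correlated per user over a multi-day window, is easier to grasp with a small worked example. The code below is an added illustration, not code from this article, from Microsoft Defender or from Sentinel; the log events, host names, user names and thresholds are all constructed for the example.

```python
"""Added example: per-system counting versus cross-source correlation.

A user quietly touches one or two sensitive files a day on different
systems. No single system's daily count reaches its threshold, so no
per-system (EDR-style) alert fires. A SIEM that keys on the user and
slides a multi-day window across all sources sees the whole pattern.

Every event, host name, user name and threshold here is constructed
for illustration and does not come from any real product or tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (ISO timestamp, source system, user, resource accessed).
EVENTS = [
    ("2024-03-04T09:12:00", "fileserver-01", "j.smith", "//fs01/finance/budget.xlsx"),
    ("2024-03-04T09:40:00", "sharepoint",    "j.smith", "/sites/hr/payroll.csv"),
    ("2024-03-05T22:05:00", "fileserver-02", "j.smith", "//fs02/legal/contracts.zip"),
    ("2024-03-06T23:10:00", "sharepoint",    "j.smith", "/sites/exec/board-minutes.docx"),
    ("2024-03-07T01:30:00", "laptop-0142",   "j.smith", "C:/Users/j.smith/Downloads/export.7z"),
    ("2024-03-08T00:45:00", "fileserver-01", "j.smith", "//fs01/finance/forecast.xlsx"),
    ("2024-03-08T10:00:00", "fileserver-01", "a.jones", "//fs01/finance/budget.xlsx"),
    ("2024-03-08T10:05:00", "fileserver-01", "a.jones", "//fs01/finance/forecast.xlsx"),
]

# Assumed thresholds (tunable; chosen for the example, not vendor defaults).
PER_SYSTEM_THRESHOLD = 3   # distinct resources per user, per system, per calendar day
CORRELATED_THRESHOLD = 5   # distinct resources per user across all systems in the window
MIN_SOURCES = 2            # the correlated rule must span more than one system
WINDOW = timedelta(days=7)


def parse(events):
    """Turn the raw tuples into (datetime, source, user, resource)."""
    return [(datetime.fromisoformat(ts), src, user, res) for ts, src, user, res in events]


def per_system_alerts(events, threshold=PER_SYSTEM_THRESHOLD):
    """What one system sees in isolation: distinct resources per
    (system, user, day). Returns the keys that cross the threshold."""
    seen = defaultdict(set)
    for ts, src, user, res in parse(events):
        seen[(src, user, ts.date())].add(res)
    return sorted(key for key, resources in seen.items() if len(resources) >= threshold)


def correlated_alerts(events, threshold=CORRELATED_THRESHOLD,
                      min_sources=MIN_SOURCES, window=WINDOW):
    """What a SIEM sees: all sources joined on the user, evaluated over a
    sliding window. Returns (user, distinct_resources, distinct_sources,
    window_start) for each user whose strongest window crosses the bar."""
    by_user = defaultdict(list)
    for ts, src, user, res in parse(events):
        by_user[user].append((ts, src, res))

    alerts = []
    for user, items in by_user.items():
        items.sort()
        best = None
        for i, (start, _, _) in enumerate(items):
            in_window = [(s, r) for t, s, r in items[i:] if t - start <= window]
            resources = {r for _, r in in_window}
            sources = {s for s, _ in in_window}
            if len(resources) >= threshold and len(sources) >= min_sources:
                if best is None or len(resources) > best[1]:
                    best = (user, len(resources), len(sources), start.isoformat())
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    print("per-system alerts:", per_system_alerts(EVENTS))      # expected: []
    print("correlated alerts:", correlated_alerts(EVENTS))      # expected: one alert for j.smith
```

Run it and the per-system rule stays silent for every host, while the correlated rule reports j.smith with six distinct resources across four systems in a single window. The design point is the join key and the window, not the thresholds: a SIEM earns its keep precisely when the interesting signal is only visible after events from unrelated log sources are tied to the same identity over time.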
Managed Detection and Response (MDR)
MDR combines technology — typically EDR and SIEM — with a human team monitoring and responding on behalf of the client. The team investigates alerts, determines which are real threats versus false positives, and takes or recommends containment actions. MDR addresses the "someone needs to act on alerts" problem for businesses without internal security operations capability.
What Makes Sense for an SMB
Most Australian SMBs are best served by EDR (Microsoft Defender for Business, included in M365 Business Premium) plus a managed service that monitors and responds to alerts — essentially MDR without the enterprise price tag. A full SIEM adds value at scale but requires log volume and alert triage investment that most SMBs cannot justify. Start with EDR and managed monitoring. Add SIEM capabilities when the environment grows to justify it.