In the rapidly evolving area of cybersecurity, the landscape is awash with terms and abbreviations used to describe the latest strategies being recommended by experts.
There has been security information and event management (SIEM), security orchestration, automation and response (SOAR), and secure access service edge (SASE) to name just a few. Now a new one is attracting increasing attention: Extended detection and response (XDR).
At first glance, XDR may appear similar to established approaches such as network detection and response (NDR) and endpoint detection and response (EDR) — and that is understandable. Indeed, as an idea, XDR does not offer a radically different value proposition.
However, the capabilities and requirements of XDR as a product or platform are relatively muddy and undefined. Security buyers and practitioners should carefully examine XDR offerings and compare them against their own existing capabilities and requirements before taking the plunge.
Defining XDR
According to research firm Gartner, "extended detection and response describes a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components."
Gartner also states that "XDRs are similar in function to security information and event management (SIEM) and security orchestration, automation and response (SOAR) tools. However, XDRs are differentiated by the level of integration of their products at deployment, and the focus on threat detection and incident response use cases.
The bottom line is that XDR can be a powerful concept for understanding and defining security requirements, but every product purchase still requires due diligence. Due to the aforementioned muddy and undefined nature of the term XDR, it is vital that buyers research any product they consider and assure it actually meets the security requirements of their business.
Rather than assuming that an XDR branded product is a necessary addition to an existing security toolset, security teams should look at the systems they have in place, and identify gaps or areas that could improve. If any one data source or solution is missing or needs an upgrade, buying the best-of-breed solution in that category is likely the right choice to fill the gap.
For teams undergoing more heavy-duty transformation in their security operations, a best-of-breed approach to XDR is wise. A diverse ecosystem composed of integrated, best-of-breed solutions can fulfill the promise of XDR without compromising on future growth and integration possibilities.
When provided by a single vendor, XDR comprises two or more vendor-specific log sources (such as EDR and firewall) together with some kind of active directory log integration for additional context. In some instances, there will be machine learning engines built on top of these data sets to help provide anomaly or user behaviour analytics.
Once these log sources are aggregated, the XDR platform supports security operations by correlating alerts into attack campaigns to provide a single interface from which to investigate and respond to security alerts. In this way, XDR can be thought of as a vendor-specific security orchestration, automation, and response (SOAR) platform with customised cross-product playbooks and vendor-specific ML engines.
A best-of-breed ecosystem approach is the most future-friendly
Gartner states in their research, "XDR products have significant promise, but also carry risks such as vendor lock-in. The XDR market is immature, and capabilities vary widely across products from different vendors.
Therefore, while XDR can offer benefits to organisations looking to improve their security posture, security teams need to assure that any tool they buy can integrate with their existing toolset and future needs. They also need a well-developed view of their own security requirements and gaps to compare against what is offered in an XDR solution.
When it comes to achieving effective IT security, you can't afford to sacrifice or cut corners. The dream of a one-stop-shop for all security needs is incredibly appealing, but security teams need to dig deeper and assure that the vendors they choose are committed to building an open ecosystem of tightly integrated, best-of-breed tools to fulfill the XDR functions without creating undue lock-in or leaving visibility gaps unaddressed.
For the strategy to work effectively, XDR vendors will need to create open interfaces and enable integrations with best-of-breed tools in each category. Buyers, for their part, should look for open and extensible solutions for their security requirements, to assure flexibility in the face of current and future threats and security needs.