Why extended detection and response is a 'movement'
Written by Marc Solomon, Chief Marketing Officer, ThreatQuotient
Some of the world’s largest cybersecurity companies and most industry analysts are talking about the emergence of Extended Detection and Response (XDR) solutions. Gartner defines these as solutions that ‘automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability’.
If this were possible today, imagine the gains in mean time to detection (MTTD) and mean time to respond (MTTR) to an attack or active threat in your environment.
XDR as a movement is gaining traction by expanding its approach to achieve its goal. For instance, early last year, Gartner talked about XDR as a vendor-locked, cloud-based offering. However, at the virtual Gartner Security and Risk Management Summit in September 2020, VP analyst Peter Firstbrook discussed an alternative approach which broadens the category to include a best-of-breed XDR strategy.
Further fuelling momentum, Gartner called XDR the number one trend CISOs should understand to strengthen security initiatives.
We have the definition of XDR by Gartner above, so what does it mean from a practical standpoint? Let’s start with a simple and important statement:
XDR ≠ EDR + NDR
Unfortunately, this is how some have viewed the development of XDR — bridging the gap between endpoint (EDR) and network detection and response (NDR). However, XDR has a broader, more complicated reality:
XDR = EDR + NDR + CDR + the dozens of existing security tools.
This reality forces the need for a best-of-breed strategy, at a minimum from a transition standpoint, and more likely on an ongoing basis.
Organisations often protect themselves by using many different technologies, including firewalls, IPS/IDS, routers, web and email security, and endpoint detection and response solutions. They do this while also utilising SIEMs and other tools that house internal threat and event data, such as ticketing systems, log management repositories and case management systems.
They may rely on one or two ‘large vendors’ to handle the bulk of their security tasks, although typically they use at least a few best-of-breed vendors for controls, which the larger vendors do not have or do not excel in.
Many studies, going back years, find that some Global 2000 enterprises have as many as 80 different security vendors in their environment. This happens naturally over time with different teams, budgets and departments making independent decisions.
Vendors must also accommodate the reality that not every organisation will have all their tools from a single provider out of the gate, and the appetite to rip and replace is low. Not to mention the fact that new vendors and solutions will continue to emerge given the ongoing innovation required to keep up with new use cases, threats and threat vectors.
Whichever path to XDR is selected, integration with existing tools in the security infrastructure is essential for XDR solutions to merit and capitalise on all the attention. The reasons are obvious for a best-of-breed approach, although even single-source XDR requires integrations to deliver on the promise. Two key types of integration are needed: with external threat intelligence sources, and with the internal systems and tools already in place.
Companies use an average of five external feeds within their environment. These can include commercial sources, open-source, government, industry, existing security vendors — as well as frameworks like MITRE ATT&CK.
Having the ability to utilise this data as part of a detection and response strategy is critical. It improves the breadth, speed and relevance of detections, rather than just relying on a vendor’s intelligence.
Integration with internal systems is important for multiple reasons. First, additional telemetry, context and events from internal systems are crucial to putting the pieces together for detection. This data from internal systems is often overlooked but is one of the best sources of intelligence, and when combined with external data it will improve detection.
Second, integrating with the internal systems will allow for a faster response and the right mix of automation and manual actions. Systems become more effective, and people more efficient.
There are several paths to realising the benefits. Yet the most common is starting with a company’s EDR implementation and then adding capabilities:
- EDR: endpoint detection and response from a single vendor, using that vendor’s detection content
- EDR +: a vendor’s EDR solution plus integration with third-party data and intelligence for faster, more effective detection
- EDR ++: a vendor’s EDR solution plus integration with third-party data and intelligence for faster, more effective detection, plus integration with the other tools in your infrastructure for more efficient response.
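The three tiers above, as an added Python example that is not part of the original article: a constructed EDR alert is first scored with vendor detection content only, then enriched with an external feed indicator (the EDR + tier), then joined with an internal case-management record to decide on a response action (the EDR ++ tier). All alerts, feed entries, tickets, scores and the threshold are constructed assumptions, not any product's real data or logic.

```python
# Constructed sample data: two EDR alerts, one external indicator feed,
# and one internal ticketing record. None of this is real.
EDR_ALERTS = [
    {"host": "ws-042", "process": "powershell.exe", "dest_ip": "203.0.113.7", "vendor_score": 40},
    {"host": "ws-017", "process": "outlook.exe", "dest_ip": "198.51.100.9", "vendor_score": 35},
]
# Third-party intelligence feed: indicator -> source and ATT&CK technique (constructed entry).
EXTERNAL_FEED = {
    "203.0.113.7": {"source": "osint-feed", "technique": "T1071.001"},
}
# Internal case-management system: host -> open ticket (constructed entry).
TICKETS = {
    "ws-042": "INC-1001: earlier phishing report from this host",
}


def edr_only(alert):
    """Tier 1: severity comes solely from the vendor's own detection content."""
    return {"severity": alert["vendor_score"], "context": [], "actions": []}


def edr_plus(alert, feed):
    """Tier 2: enrich the alert with external intelligence; a feed hit raises severity."""
    result = edr_only(alert)
    hit = feed.get(alert["dest_ip"])
    if hit:
        result["severity"] += 40  # assumed weighting for a corroborating external indicator
        result["context"].append(f"{hit['source']} flags {alert['dest_ip']} ({hit['technique']})")
    return result


def edr_plus_plus(alert, feed, tickets, threshold=70):
    """Tier 3: add internal tool context and, above the threshold, propose response actions."""
    result = edr_plus(alert, feed)
    ticket = tickets.get(alert["host"])
    if ticket:
        result["severity"] += 10  # assumed weighting for prior internal history on the host
        result["context"].append(ticket)
    if result["severity"] >= threshold:
        result["actions"] = [f"isolate {alert['host']}", "open case with collected context"]
    return result


if __name__ == "__main__":
    for alert in EDR_ALERTS:
        print(alert["host"], edr_plus_plus(alert, EXTERNAL_FEED, TICKETS))
```

The first alert only crosses the response threshold once external and internal context are combined, which is the gap between EDR and XDR that the tiers describe.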
To truly become a movement that more organisations can get behind, what’s needed is a conduit between an XDR solution and the data sources and security tools it needs to interoperate with.
A centralised platform that bridges these gaps can provide the integrations and intelligence for all teams and tools to use. Ultimately, it helps with detection, understanding and response, which unleashes the full potential of XDR.