Demystifying XDR

Published on November 10, 2020

Just like any other IT field, the cybersecurity market is driven by hype. And the current hype is called XDR - eXtended Detection and Response.


What exactly is XDR?

It’s still in that phase where definitions vary between vendors and analyst firms, but the consensus seems to be that it is an extension of EDR that includes other sources of telemetry and the ability to perform response actions on other solutions too, such as a next-generation firewall.


Why would anyone want it?

For two main reasons: the endpoint has no visibility into threats in places such as cloud services, and it may not be possible to put an agent on all endpoints of the organization (or on all endpoints with access to the organization’s data).

Those are not the only reasons; the addition of other data sources can provide more context to findings from EDR, improving the triage and investigation of alerts. Some vendors who are offering many pieces of the puzzle together are also highlighting the reduced burden of building and maintaining integrations. They also provide content developed and tuned to leverage the expanded universe of data available. All of this translates into ease of use and reduced operational costs.

XDR may look very appealing as a product: Tight integration of parts, highly tuned content (as the vendor has total control over the events from the data sources), use of analytics, and response automation. Why wouldn’t anyone buy into it?

But this nice package comes at a cost, of course. Some vendors are positioning their XDR product as the definitive threat detection solution. At this point, however, there are no vendors out there who can offer all the necessary pieces. Some will have endpoint and cloud, others endpoint and network, but if you investigate the complete needs of most organizations, there will be missing pieces in that puzzle. Buying into one of these will also bring the dreaded vendor lock-in situation. What if you are happy with the cloud monitoring solution, but want better EDR capabilities? Even if you can live without best of breed for all pieces, what would you do with the pieces you have already paid for and integrated into your other systems? The displacement cost is not negligible and will make CIOs cringe.


But what if we look at XDR as an approach, instead of a product?

First, what would it look like? What are the main “selling points” of XDR solutions?

Tight, bidirectional integration of multiple threat detection and response capabilities is the first defining characteristic. But you don’t need to buy two technology components from the same vendor in order to achieve good integration. In fact, many products have the ability to integrate with certain solutions from other vendors as one of their main strengths. You don’t avoid buying Okta or Duo because they are not from the same vendor as your Active Directory. One of the key requirements of an XDR approach is tight integration between the parts, not necessarily getting all of them from the same vendors. These days, with so many APIs publicly available and documented, it is actually not that hard.

The other strengths of XDR are not anything new and can be achieved with a combination of technologies. In fact, with the right pieces you can actually get something far better than what you could get relying on a single vendor. Those pieces are highly tuned and effective content, strong analytics capabilities, and response automation capabilities.

The XDR approach has at its core a strong platform providing the necessary data collection and retention, strong analytics capabilities, and the ability to orchestrate and automate the response actions delivered by the other parts of the solution. A cloud-based SIEM is in a perfect position to be that core component.

With a strong cloud-native SIEM in place, the other pieces can follow a best-of-breed approach. Integration and well-tuned content may be a concern when we think about legacy SIEM solutions, but a next-generation SIEM can deliver a layer of integration and highly tuned content for the best, most visible products in the market. A SIEM is also data-source neutral by nature. The traditional flexibility of being able to connect ANY data source and to create ANY content eventually required is the perfect way to future-proof the solution and avoid vendor lock-in.
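The three roles the SIEM core plays in this approach (data-source-neutral collection, cross-source analytics, and response orchestration) can be sketched in a few dozen lines. The example below is added here and is not code from the post or from any vendor: the EDR and cloud event formats, the user-based correlation rule, and the identity/firewall responders are all hypothetical stand-ins for real integrations, showing that only the per-source normalizers and responders need to be vendor-specific.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Event:
    """Common schema every source is normalized into (hypothetical)."""
    source: str              # edr, cloud, firewall, identity, ...
    user: str
    host: Optional[str]
    src_ip: Optional[str]
    severity: str
    detail: str

# Per-source normalizers: the only vendor-specific ingestion code.
def from_edr(raw: dict) -> Event:
    return Event("edr", raw["user"], raw["hostname"], None, raw["severity"], raw["rule"])

def from_cloud(raw: dict) -> Event:
    return Event("cloud", raw["actor"], None, raw["src_ip"], "info", raw["action"])

NORMALIZERS: dict[str, Callable[[dict], Event]] = {"edr": from_edr, "cloud": from_cloud}

def ingest(batches: dict[str, list[dict]]) -> list[Event]:
    """Collection layer: any source with a registered normalizer can be connected."""
    return [NORMALIZERS[src](raw) for src, rows in batches.items() for raw in rows]

def correlate(events: list[Event]) -> list[tuple[str, str, str]]:
    """Analytics content: a high-severity EDR alert on a user who also logged in to a
    cloud console yields response actions as (component, action, target) tuples."""
    by_user: dict[str, list[Event]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    actions = []
    for user, evs in by_user.items():
        edr_hits = [e for e in evs if e.source == "edr" and e.severity == "high"]
        cloud_ips = [e.src_ip for e in evs if e.source == "cloud" and e.src_ip]
        if edr_hits and cloud_ips:
            actions.append(("identity", "disable_user", user))
            actions += [("firewall", "block_ip", ip) for ip in cloud_ips]
    return actions

# Orchestration layer: one responder per integrated component (stubs for real API calls).
RESPONDERS = {
    ("identity", "disable_user"): lambda target: f"identity: disabled {target}",
    ("firewall", "block_ip"): lambda target: f"firewall: blocked {target}",
}

def respond(actions: list[tuple[str, str, str]]) -> list[str]:
    return [RESPONDERS[(comp, act)](target) for comp, act, target in actions]

def run(batches: dict[str, list[dict]]) -> list[str]:
    return respond(correlate(ingest(batches)))
```

Swapping the EDR vendor means replacing `from_edr` only; the correlation rule and responders are untouched, which is the lock-in avoidance the post argues for.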

The interest in XDR products is a clear signal that excessive fragmentation was bringing excessive complexity. Some consolidation is good, but it has to be done while protecting your flexibility and ability to follow best of breed. A cloud-based SIEM, with strong analytics capabilities, is the future of security operations platforms. Not only that, but it is also in the perfect position to deliver real XDR: it just needs to deliver premium integrations and content for the key components.