Published on June 30, 2021
by Oliver Rochford, Senior Director
What’s the big deal with XDR?
To a former analyst, the genesis of a market is always of keen interest, so I have been following the discussion around XDR intently. Having also just been involved in deciding what XDR means for Securonix, I wanted to share some of my thoughts and observations.
What is XDR?
First, let’s look at a few definitions of what XDR is meant to be (emphasis mine):
The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.
XDR is a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.
Extended detection and response (XDR) is cross-layered detection and response. XDR collects and automatically correlates data across multiple security layers – email, endpoint, server, cloud workloads, and network – so threats are detected faster and security analysts improve investigation and response times.
Extended detection and response (XDR) delivers visibility into data across networks, clouds, endpoints, and applications while applying analytics and automation to detect, analyse, hunt, and remediate today's and tomorrow's threats.
I am sure you can find many others - for example here or here. They are all kind of similar, but not quite, which really highlights the first problem: there seems to be no actual consensus about what XDR is in detail. What is rather obvious is that each definition instead seems to align with whatever the individual vendor has in their portfolio.
The definitions also seem awkwardly close to what a SIEM is meant to do. The two advisory firms, Forrester and Gartner, have at least tried to delineate a little. For Forrester, the core of an XDR solution is EDR. For Gartner, it is vendor-specific or proprietary, meaning that it’s a SIEM-like offering from a vendor with their own EDR or endpoint detection product.
How much something can be called a new technology when everyone and their dog can just reposition their portfolio is, of course, open for debate.
X-EDR Versus XDR
The other thing that sticks out is that there are really two things going on here. We have one definition that puts EDR front and center, and another that sees EDR as just one of several security controls in addition to network, cloud, and identity. This is what my peer and colleague, Augusto Barros, calls X-EDR versus XDR.
Working for a SIEM vendor, with UEBA, SOAR, network traffic analysis, and a bunch of other stuff in our portfolio, I am sure I don’t need to tell you what our official definition of XDR contains.
We are fully on the XDR side, even going so far as to call it Open XDR. But I want to be clear that we have not developed a whole suite of new tools to build this. We didn’t need to. That’s the point.
And indeed, throwing your EDR data into Elastic on AWS, and adding some canned analytics also does not sound like the makings of a new, innovative, or disruptive technology. That truly does sound more like X-EDR, not XDR.
But if we’re going to play along with the XDR meme, there are some really good reasons why it must be Open XDR, and not X-EDR.
The world is heterogeneous and hybrid
We may not have a single monolithic company network with a single perimeter anymore - but we still have networks and perimeters - lots of them in fact, what I like to call metarimeters. We also have a growing array of different technologies, architectures and devices, and a diverse population of digital users. And these users roam all over the place - in the office, at home, or even working in a van while travelling the world. That’s the new normal.
EDR will be the right solution for some of those scenarios, but not for all, or even most of them. The inexorable hypergrowth of cloud computing, mobile and IoT especially, makes endpoint agents sound like today’s, not tomorrow’s, solution.
Lastly, no credible security expert would want to choose between endpoint and network when you ideally want both.
Defense-in-depth (or layered defense) means having a second control in case the first fails. If we can’t see it on the endpoint, we expect to see it on the network, or in more modern scenarios in the cloud. And more importantly, being able to correlate and triangulate different vectors increases the reliability and accuracy of detections, allowing a greater degree of confidence in autonomous response.
You can’t fix everything on the endpoint
Not only is the world heterogeneous and hybrid, so is security. A user is not solely managed on the endpoint, and credentials are compromised more often than devices. The ability to respond remotely and automatically, and when necessary, fully autonomously, must extend to the entire environment and architecture, including access and identity. Future attacks may even bypass the endpoint entirely. EDR is about as useful in securing cloud assets as a bicycle is to a fish, for example. Inevitably, you will end up with multiple solutions.
Which leads me to my next point.
The future is identity-centric
Effective threat detection and response in a hybrid world is identity-centric, not device-centric, and especially not endpoint-centric. What matters is who (and increasingly “what”) is driving a device, and what they are doing with it.
Alongside insider threats, more and more attacks are designed to be evasive by nature, for example by mimicking legitimate users and activity, or adopting living-off-the-land techniques. Zero trust, with its focus on least privilege, also has an explicit focus on identity. And with users jumping between devices and services several times a day and roaming around the world, endpoint-based approaches will not provide end-to-end coverage or protection.
As to XDR superseding or replacing SIEM, I don’t see that happening any time soon. XDR is just another use case for SIEM. People have been proclaiming SIEM dead for a long time. Some people may recall the slide below, as I used it at Gartner from 2014 onwards. It is still as valid today. But SIEM is not dead - instead it is evolving. You see that quite clearly if you compare the SIEM Magic Quadrant from 2015 with the most recent one. Cloud architecture, UEBA, and SOAR capabilities are now the hallmarks of leading SIEMs, and we have extended those benefits to our Open XDR.