XDR 101: What is Extended Detection and Response?

Extended Detection and Response (XDR) is one of the hottest topics and trends in cybersecurity today. A Google search on XDR returns over 40,000,000 results. According to an Enterprise Strategy Group (ESG) survey, 38% of cybersecurity professionals believe XDR can provide a centralized management hub for security operations, while 42% want an XDR solution that can simplify the visualization of complex attacks across the cyber kill chain. Either way, momentum towards XDR is building, and leading security tool manufacturers and managed security services providers alike recognize that this emerging technology is real and brings valuable outcomes to security teams.

The term was coined by Nir Zuk of Palo Alto Networks in 2018. In a recent blog post, Forrester analyst Allie Mellen defined Extended Detection and Response as:
“The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.”

Security leaders also recognize the value extended detection and response tools provide as they seek to consolidate their ecosystem, manage their risk and improve security team productivity. In the November 2021 Gartner Market Guide for Extended Detection and Response, analysts noted that “XDR will be an increasingly critical capability for buyers to evaluate when seeking strategic architectural decision for their security operations program.”

The market guide further stated that:

  • “By year-end 2027, XDR will be used by up to 40% of end-user organizations to reduce the number of security vendors they have in place, up from less than 5% today.
  • By 2023, at least 30% of EDR and SIEM providers will claim to provide XDR, despite them lacking core XDR functionality.”

Why is Extended Detection and Response (XDR) important?

The reality is that today’s modern enterprise is under siege. It faces the radical challenge of detecting, investigating and responding to an ever-growing number of increasingly sophisticated multi-vector cyber-attacks, including compromised credentials and email, phishing, and cloud misconfiguration. This challenge is compounded by a shortage of security experts, disparate security tools that don’t communicate with each other, and a fragmented IT and security infrastructure. The result is that security teams are missing the attacks sliding through these openings, and organizations are experiencing high-impact hits to their brand reputation and devastating financial consequences. The simple truth is that from the small business to the large enterprise, many lack the threat intelligence and security maturity to respond effectively to these attacks.

Enter the Extended Detection and Response platform. XDR is the new standard that security analysts can use to unify data from identity, email, cloud platforms and other sources into a story that identifies threats more clearly. Ajit Sancheti, VP of Identity Protection for CrowdStrike, says the value of XDR lies in thinking about the security use case instead of collecting more and more data for its own sake. “What are the security use cases we’re trying to solve?” he asked in a recent interview. “How do we want to solve it? Our focus is on building XDR so that it answers these security use cases. I also think that if you look at the CrowdStrike story, we have so many good partners that do so many great things. So we want to bring in their indicators into our platform. And that’s how we want to leverage XDR. We can get to the point where we can solve these questions, not just by CrowdStrike’s native data, but with the partners that we work with in the industry that are really focused on these security use cases.”

What about MDR?

XDR is still rooted in endpoint security detections. And while XDR platforms are powerful detection and response tools, they are still highly complex and need the right human expertise to continuously optimize them and read the story they have to tell.

XDR needs Managed Detection and Response (MDR) to read that story and bring together the disparate security tools for unified visibility, which helps correlate and identify threats more accurately and leads to better decision making. Managed detection and response service providers have traditionally been the single pane of glass that unifies telemetry across SIEM and EDR/EPP tools. Now they’re going even further by supporting bi-directional integrations with XDR platforms and enhancing their value with the additional human security expertise required. To take on advanced cyberthreats coming from multiple vectors, you need to be able to look at every alert and the contextual information behind it—exactly the place MDR providers such as Critical Start prefer to live.

Will Extended Detection and Response (XDR) tools replace EDR, SOAR or SIEM?

Time will tell whether XDR technology matures enough to replace other security solutions. XDR companies are starting to compete head-to-head with security orchestration, automation, and response (SOAR) tools as they build those specific capabilities into their platforms.

XDR companies are also competing with security information and event management (SIEM) platforms for threat detection, investigation, response and threat hunting. SIEM vendors have a long history of providing data aggregation to help solve security problems, but they still lack the response capabilities that would help enterprise organizations scale their security operations programs and improve security maturity. Additionally, SIEM deployments are generally compliance-focused, whereas XDR is threat-focused.

According to Allie Mellen, Analyst at Forrester, XDR is on a collision course with security analytics and SOAR because those platforms have yet to provide incident response capabilities; XDR is filling the void through a different approach. In her report, “Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR,” she says, “The core difference between XDR and the SIEM is that XDR detections remain anchored in endpoint detections, as opposed to taking the nebulous approach of applying security analytics to a large set of data.” She also notes that as the XDR category evolves, definitions of endpoint security will also evolve based on where the attacker’s target is located.

Yonni Shelmerdine, AVP of Product and Head of XDR for SentinelOne, explains that there’s a reason it’s called XDR and not “X-IEM or X-OAR.” He stated recently that “XDR does seem to be an evolution of Endpoint Detection and Response, obviously with more data sources and with more response actions, and there are some key parts of Endpoint Detection and Response that we recognize are going to be the crux of our approach to XDR. This includes using metrics such as mean-time-to-respond, mean-time-to-investigate and mean-time-to-detect as our beacons to answer: ‘Are we going in the right way?’”

Critical Start CTO Randy Watkins compares the idea of XDR vs. SIEM to the idea of a compliance auditor versus a compliance assessor. He highlighted how an assessor wants to understand the intent behind the control and to ensure that an organization is actually meeting that intent. The hope is that XDR will become a mitigating control for SIEM by providing more meaningful data feeds that will fulfil the security intent.

But he expanded on the key differences with the security solutions of the past, as he continued: “We determined that this was going to be about ingesting data, but not necessarily ingesting all of it. We’re not ingesting for the sake of ingesting. We’re ingesting for the sake of reducing mean-time-to-detect. We now facilitate much more automation than we did last year, and we’re going to be facilitating even more in the months to come. We ask ourselves, ‘Does it help reduce the number of screens you need? Does it help reduce the number of analysts you need? Does it help reduce the years of experience they need in order to solve this really complex problem?’ And then we set about deciding what we were going to build (for XDR).”

Tim Junio, SVP of Products, Cortex at Palo Alto Networks was recently asked about the essential criteria that should fall into the expectations for XDR, and he replied that the most important idea is the evolution of endpoint detection and response. “Protection, prevention and detection requires joining endpoint data with other data,” he shared. “Basically, if you’re dependent on only one source of information at a time for security, you’re going to miss sophisticated attacks.”

Tim believes that combining endpoint data with network security data is an essential place to start. “If you look at the prior era of endpoint protection, that is where you started to have behavioral analysis and looking at things happening locally on a machine,” he said. “And that obviously was a huge leap in technology that was efficacious for a while, but then adversaries adapted and started doing a better job of obfuscation. We needed a new approach and joining endpoint data with network data gave us new kinds of visibility. If you’re looking across different data sets your odds dramatically improve that the attacker is unable to obfuscate across everything.”
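To make the cross-source join described above concrete, here is an added Python example that is not from the article or from any of the vendors quoted in it. It joins endpoint process-start events to network flow records on host and process ID, and flags an outbound connection only when the originating process is a script host that was spawned by a mail or Office client. Neither source alone supports that verdict: the flow record shows only a destination, and the process event shows only a spawn. The telemetry, the field names, the time window and the rule itself are constructed assumptions for illustration, not any product’s schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:
    """Endpoint (EDR-style) process-start record. Field names are assumed."""
    host: str
    ts: datetime      # process start time
    pid: int
    image: str        # executable that started
    parent: str       # executable that spawned it


@dataclass(frozen=True)
class NetFlow:
    """Network flow record attributed to a process. Field names are assumed."""
    host: str
    ts: datetime      # connection time
    pid: int          # process that opened the socket
    dst_ip: str
    dst_port: int


T = datetime(2024, 5, 1, 10, 0, 0)

# Constructed sample telemetry for this example; not captured from any real system.
PROCESS_EVENTS = [
    ProcessEvent("ws01", T + timedelta(seconds=5), 4412, "powershell.exe", "outlook.exe"),
    ProcessEvent("ws01", T - timedelta(hours=2), 3300, "outlook.exe", "explorer.exe"),
    ProcessEvent("ws02", T + timedelta(seconds=7), 5120, "powershell.exe", "explorer.exe"),
]
NET_FLOWS = [
    NetFlow("ws01", T + timedelta(seconds=40), 4412, "203.0.113.10", 443),   # script host spawned by mail client
    NetFlow("ws01", T + timedelta(seconds=41), 3300, "198.51.100.20", 443),  # the mail client itself
    NetFlow("ws02", T + timedelta(seconds=30), 5120, "10.0.0.5", 5985),      # admin shell launched from explorer
    NetFlow("ws01", T - timedelta(days=1), 4412, "203.0.113.10", 443),       # same pid, but an earlier, unrelated process
]

# Assumed rule vocabulary: clients that should not normally spawn a script host.
MAIL_AND_OFFICE = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def correlate(process_events, net_flows, window=timedelta(hours=1)):
    """Join each flow to the process that opened it (same host and pid, process
    started at or before the flow and no more than `window` earlier, which
    guards against pid reuse) and flag flows whose process is a script host
    spawned by a mail or Office client. Returns one finding dict per flow."""
    by_host_pid = {}
    for p in process_events:
        by_host_pid.setdefault((p.host, p.pid), []).append(p)

    findings = []
    for f in net_flows:
        for p in by_host_pid.get((f.host, f.pid), []):
            age = f.ts - p.ts
            if not (timedelta(0) <= age <= window):
                continue  # flow does not belong to this process instance
            if p.parent.lower() in MAIL_AND_OFFICE and p.image.lower() in SCRIPT_HOSTS:
                findings.append({
                    "host": f.host,
                    "image": p.image,
                    "parent": p.parent,
                    "dst": f"{f.dst_ip}:{f.dst_port}",
                    "seconds_after_start": int(age.total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(PROCESS_EVENTS, NET_FLOWS):
        print(finding)
```

Run it and only the ws01 flow from pid 4412 at 10:00:40 is reported: the ws02 shell has a benign parent, the mail client’s own connection is not a script host, and the day-old flow from the reused pid falls outside the window. The window length and the parent/child vocabulary are the tuning knobs a team would adjust to its own environment.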

Human Beings will Always be the Cornerstone of XDR and Effective Security Overall

Ann Johnson, CVP of Security, Compliance and Identity for Microsoft, believes human input will be even more important in the years ahead. “People always ask me, ‘let’s see how technology can replace humans,’” she shared. “My response to that is never. Human intel and understanding of the behavior of the attackers and where they’re going to go next and what they’re going to try to do all needs to be part of predictive analytics. That’s why I want to make it easier for customers by just automatically being predictive and blocking stuff that potentially comes into their environment. I think you’ll see a natural convergence of XDR and SIEM into one thing—we just have to make sure that we get it right. We want simplicity of tooling and automation of tooling. The goal is that we want customers running their businesses and not worried about their security tooling. The point when cybersecurity becomes a mature industry will be when there are no longer cybersecurity departments and when everybody’s problem is cybersecurity. Whether you’re a developer or an operator, you’ll still have a SOC. Cybersecurity needs to be everybody’s job from the first line of code.”
