
XDR 101: What's the Big Deal About Extended Detection & Response?

Extended Detection and Response (XDR) could be the security management technology of your dreams...or not. What makes this technical 'evolution' so interesting to so many companies?


When endpoints become extended, does security necessarily improve? What, as Shakespeare would say, is in a name? And is there enough to make a security professional choose one category of product over another? The terms here are endpoint detection and response (EDR) versus extended detection and response (XDR). The differences -- and their relative importance to your organization -- could have an impact on your security infrastructure for years to come.

What Is XDR?
Just a moment...let's examine EDR first. EDR has become critical for many organizations as threat actors have focused more attention on users and their workstations, whether those devices are desktop, laptop, or handheld. So what is EDR?

There are two broad pieces to EDR technology. The first is continuous monitoring and threat detection. The second is automated response to threats discovered during monitoring. It should be obvious that an analysis step sits between the two basic pieces, and in many products there is logging and forensic analysis that enhances security analyst work on understanding threats.

The key, though, is that all of this is focused on the endpoint: The technology's laser focus doesn't extend to the network, servers, cloud, or applications.

XDR takes a much broader approach.

XDR provides visibility across all of an organization's endpoints, as well as its network and cloud workloads. It will typically analyze the collected data, act upon the threats it finds, and send unified alerts and action items to security analysts.

An astute reader is probably now asking, "How is this different from SIEM?"

SIEM pulls data from a variety of sources, performs automated analysis, and then provides alerts and action signals to human security analysts and other parts of the security infrastructure. XDR, on the other hand, actually includes additional security functions within its technology borders -- functions that can include antivirus, firewall, and even EDR protection.
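The distinction drawn in the last few paragraphs, endpoint-only detection versus detection that correlates endpoint, network, and cloud telemetry into one alert, is easier to see in code. The following is an added illustration, not code from the article or from any vendor's product: an endpoint-only view raises one alert per suspicious endpoint event, while the cross-source view anchors on that same event, pulls in network and cloud records about the same host or user inside a time window, and assigns a unified severity that an analyst can triage. All event records, field names, and the ten-minute window are constructed for the example.

```python
"""Added illustration of the EDR-vs-XDR distinction described above.

Hypothetical code, not from any vendor product: an endpoint-only view
(EDR) raises one alert per suspicious endpoint event, while the
cross-source view (XDR) correlates endpoint, network and cloud telemetry
about the same host or user inside a time window and assigns a unified
severity that an analyst can triage.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry. Each record carries a "source" tag naming the
# layer it came from; cloud records have a user but no host, network records
# have a host but no user, endpoint records have both.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:05Z", "source": "endpoint", "host": "ws-42",
     "user": "alice", "kind": "suspicious_process"},
    {"ts": "2024-01-10T09:00:40Z", "source": "network", "host": "ws-42",
     "kind": "dns_first_seen_domain"},
    {"ts": "2024-01-10T09:03:10Z", "source": "cloud", "user": "alice",
     "kind": "console_login_new_location"},
    {"ts": "2024-01-10T11:30:00Z", "source": "endpoint", "host": "ws-07",
     "user": "bob", "kind": "suspicious_process"},
    {"ts": "2024-01-10T15:00:00Z", "source": "network", "host": "ws-07",
     "kind": "dns_first_seen_domain"},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def edr_alerts(events):
    """Endpoint-only view: one alert per suspicious endpoint event, with no
    context from the network or cloud layers."""
    return [{"host": e["host"], "user": e["user"], "kind": e["kind"], "ts": e["ts"]}
            for e in events if e["source"] == "endpoint"]


def _same_entity(anchor, other):
    """True when two records describe the same host or the same user."""
    if anchor.get("host") and other.get("host") == anchor["host"]:
        return True
    if anchor.get("user") and other.get("user") == anchor["user"]:
        return True
    return False


def severity_for(sources):
    """Unified severity grows with the number of independent layers that
    corroborate the activity."""
    if len(sources) >= 3:
        return "high"
    if len(sources) == 2:
        return "medium"
    return "low"


def xdr_correlate(events, window_minutes=10):
    """Cross-source view: anchor on each suspicious endpoint event and pull in
    network and cloud records about the same host or user within the window."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for anchor in (e for e in events if e["source"] == "endpoint"):
        t0 = parse_ts(anchor["ts"])
        related = [e for e in events
                   if abs(parse_ts(e["ts"]) - t0) <= window
                   and _same_entity(anchor, e)]
        sources = sorted({e["source"] for e in related})
        alerts.append({
            "entity": {"host": anchor["host"], "user": anchor["user"]},
            "sources": sources,
            "evidence": [e["kind"] for e in related],
            "severity": severity_for(sources),
        })
    return alerts


def triage(alerts):
    """Order unified alerts so the analyst sees the best-corroborated first."""
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a["severity"]])


if __name__ == "__main__":
    print("EDR view:", len(edr_alerts(SAMPLE_EVENTS)), "alerts of equal weight")
    for alert in triage(xdr_correlate(SAMPLE_EVENTS)):
        print("XDR view:", alert["severity"], alert["entity"], alert["sources"])
```

Run against the constructed sample, the endpoint-only view yields two indistinguishable alerts, while the correlated view ranks ws-42 high (endpoint, network, and cloud all corroborate within the window) and ws-07 low (the later network record falls outside the window). The design choice worth noting is that the endpoint event is the anchor and the other layers add confidence, which is the "evolution of EDR" framing rather than a SIEM-style ingest of everything.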

Because of this, some companies position XDR as the next evolution for EDR, while some customers are wary of potential vendor lock-in with a single product that covers so much of the security infrastructure.

The XDR Players
Because XDR contains so much, the vendors providing XDR can come from many different backgrounds. Microsoft and VMware, for example, each touts an XDR service offering among its security arsenal. Hardware companies such as Palo Alto Networks and Cisco have XDR products, and traditional enterprise security companies including FireEye, Trend Micro, and McAfee have added XDR products or services to their overall security platforms.

Each of these companies, and others that are entering the market, provides options that can meet the needs of an enterprise. The question in selecting between them will often come down to whether or not a company is already engaged with one or more of their products, and the extent to which an enterprise is willing to have a single vendor provide the majority of its security infrastructure.

Why XDR?
There are organizations that prefer the simplicity of a single primary security vendor to the "tool overload" that many security professionals complain about. With EDR already widely accepted as a security tool category, XDR can be an evolutionary step, rather than a massive change in security strategy.

For some organizations, XDR is an opportunity to get ahead of the skills shortage that plagues enterprise cybersecurity. If XDR can provide alert triage, the thinking goes, then the human security analysts can focus their time and energy on the most critical incidents.

In any given organization, the ease of shifting to XDR will depend on a number of factors, including the existing set of security tools, the size and expertise of the in-house security team, and the relationship(s) that exist with current vendors. For those organizations looking for security analysis and management beyond SIEM, though, it could be worth taking a serious look at the possibilities of XDR.

About the Author

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.
