XDR: What It Is, What It Isn't

The three must-haves in eXtended Detection and Response are: making data accessible, facilitating real-time threat detection, and providing remediation strategies.

Zeki Turedi, CTO for EMEA, CrowdStrike

December 14, 2021


Security professionals are feeling the squeeze from all directions, from hybrid cloud environments, increasingly sophisticated threat actors, siloed data and tools, and the ever-present need to respond to breaches quickly and in real time. In the face of a massive skills shortage in cybersecurity, this new reality dramatically increases the workload for existing staff, leading to burnout — and missed detections.

XDR, or eXtended Detection and Response, is emerging as the solution that drives real productivity gains and saves security teams’ time by corralling and analyzing previously siloed telemetry from different sources and presenting relevant actionable insights through one unified console.

The Problems XDR Was Made to Solve
Until XDR came along, security solutions had been mostly piecemeal, addressing only one part of the overall challenge, such as network analysis for network traffic, endpoint data for endpoints, email gateways for email, and so on. The real world, as you know, does not function that way.

The problem with such siloed solutions is that when you receive alert notifications, you may lack the appropriate context associated with that alert. Since you are missing context, you don’t know how to prioritize the alert. Security professionals end up not only playing a never-ending game of “whack-a-mole” tracking down alerts, but also spending most of their precious time feeding and watering patchwork solutions that do not provide comprehensive coverage.

These gaps in coverage are ripe for threat actors to exploit. That lack of context, which ultimately led to the gap, makes it harder and more time-consuming for security professionals to track down the source of problems should a breach actually occur. Alert fatigue anyone?

To prevent further damage, security teams need to identify and isolate the threat actor quickly, something that cannot be easily achieved if you have to trace 10 different paths every time and/or compare reports generated by different tools. By the time you have looked under every stone, and logged into every portal, the damage done might already be too extensive.

Today’s enterprises are also ingesting more data from more sources, which means an expanded number of attack surfaces for threat actors to exploit with their increasingly sophisticated techniques. We need more robust and agile tools to correlate all of the data from these diverse sources and deliver actionable insights — all in real time.

XDR and the Three Must-Haves for Its Implementation
It is becoming increasingly clear that as the complexity of enterprise systems grows — Internet of Things (IoT) devices and hybrid work add to the strain — we need a contemporary solution to find and address threats and speed response across the enterprise.

XDR is the answer. At the highest level, XDR must check off at least three basic must-haves: It must make all data accessible; it must facilitate real-time threat detection, alerts and hunting across multiple tools and domains; and it must provide remediation strategies to enable organizations to speed up response time.

Together, these must-haves give security professionals the information and tools they need to take on sophisticated attacks — faster and more efficiently.

Ready accessibility of all data is key. While endpoint detection and response (EDR) performs many of the same functions at its core, XDR builds on EDR. It makes all telemetry accessible — from endpoints, cloud workloads, identity, email, network traffic, virtual containers, sensors (from operational technology, or OT) and more. Equally important, XDR is an extendable solution that integrates data from today’s sources and is also capable of accommodating what is coming down the pike tomorrow.

XDR delivers real-time threat detection. It’s not just about integrating all data into one console — XDR makes real-time threat detection easier by combining once-siloed data into single contextual detections through automation and orchestration in real time. This new dataset needs to stream live into machine learning algorithms and behavioral rules so that the technology can do the heavy lifting of analysis and generating threat detection patterns.

XDR needs to enable prompt remediation and deliver actionable insights. Not only are we harnessing new data, we must also enable cross-platform remediation. This means we should not only surface the most relevant data based on context and threat detection but also provide the tools to remediate the incident across our ecosystem.

In essence, XDR is a more intelligent and efficient solution in streaming and consolidating all of the valuable telemetry data and orchestrating and automating analysis, thereby delivering sharper remediation strategies. XDR is about more than just gathering all of the network and endpoint data. It is about understanding how your data is generated and what that means to your security environment.
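The three must-haves above (make data accessible, detect across sources, enable cross-platform remediation) can be made concrete with a small correlator. The following is an added example written for this page; it is not CrowdStrike code and not any XDR product's logic. It takes telemetry from three constructed sources, each with its own schema (the silo problem), normalizes them onto shared host and user keys, joins events that fall within a time window, and emits one prioritized detection with its context and a per-source response plan. All field names, sample events, the scoring rule and the remediation strings are assumptions.

```python
"""Added example, not code from CrowdStrike or from any XDR product:
a toy correlator that turns telemetry from three siloed sources into
one contextual, prioritised detection with a cross-platform response plan.
All source schemas, field names and sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    source: str        # "endpoint", "identity" or "network"
    ts: datetime
    host: str
    user: str
    detail: str
    severity: int      # each tool's own 1-5 triage score


# Constructed sample telemetry. Each tool has its own schema, exactly the
# silo problem the article describes; nothing here is real data.
ENDPOINT_RAW = [
    {"time": "2021-12-14T09:02:10", "hostname": "ws-17", "account": "alice",
     "event": "unsigned binary launched from user temp directory", "score": 3},
]
IDENTITY_RAW = [
    {"at": "2021-12-14T09:00:05", "device": "ws-17", "principal": "alice",
     "event": "sign-in from unusual location", "risk": 2},
    {"at": "2021-12-14T15:30:00", "device": "ws-04", "principal": "bob",
     "event": "routine sign-in", "risk": 1},
]
NETWORK_RAW = [
    {"timestamp": "2021-12-14T09:05:41", "src_host": "ws-17", "src_user": "alice",
     "event": "52 MB outbound to previously unseen destination", "sev": 3},
    {"timestamp": "2021-12-14T09:06:00", "src_host": "ws-17", "src_user": "svc-backup",
     "event": "scheduled backup upload", "sev": 1},
]

# Per-source response actions a unified console could offer once events are joined.
REMEDIATION = {
    "endpoint": "contain the host and collect its process tree",
    "identity": "revoke the user's active sessions and force re-authentication",
    "network": "block the destination at egress and review the transfer",
}


def normalize(endpoint, identity, network):
    """Map each tool's schema onto the shared Event shape (the 'make all
    data accessible' step). Keys like 'hostname' vs 'device' are assumptions."""
    events = []
    for e in endpoint:
        events.append(Event("endpoint", datetime.fromisoformat(e["time"]),
                            e["hostname"], e["account"], e["event"], e["score"]))
    for e in identity:
        events.append(Event("identity", datetime.fromisoformat(e["at"]),
                            e["device"], e["principal"], e["event"], e["risk"]))
    for e in network:
        events.append(Event("network", datetime.fromisoformat(e["timestamp"]),
                            e["src_host"], e["src_user"], e["event"], e["sev"]))
    return sorted(events, key=lambda ev: ev.ts)


def correlate(events, window=timedelta(minutes=10)):
    """Join events that share (host, user) and fall within `window` of the
    earliest event in the group; keep only groups spanning 2+ sources.
    A single-tool alert stays a single-tool alert and is not emitted here."""
    by_entity = defaultdict(list)
    for ev in events:
        by_entity[(ev.host, ev.user)].append(ev)

    detections = []
    for (host, user), evs in by_entity.items():
        evs.sort(key=lambda ev: ev.ts)
        i = 0
        while i < len(evs):
            cluster = [evs[i]]
            j = i + 1
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                cluster.append(evs[j])
                j += 1
            sources = sorted({ev.source for ev in cluster})
            if len(sources) >= 2:
                # Priority rewards both per-tool severity and breadth across silos.
                priority = sum(ev.severity for ev in cluster) + 2 * (len(sources) - 1)
                detections.append({
                    "host": host,
                    "user": user,
                    "first_seen": cluster[0].ts.isoformat(),
                    "last_seen": cluster[-1].ts.isoformat(),
                    "sources": sources,
                    "priority": priority,
                    "context": [f"{ev.ts.time()} {ev.source}: {ev.detail}" for ev in cluster],
                    "actions": [REMEDIATION[s] for s in sources],
                })
            i = j
    return sorted(detections, key=lambda d: d["priority"], reverse=True)


def build_detections():
    """Run the full pipeline over the constructed telemetry."""
    return correlate(normalize(ENDPOINT_RAW, IDENTITY_RAW, NETWORK_RAW))


if __name__ == "__main__":
    for det in build_detections():
        print(f"[P{det['priority']}] {det['user']}@{det['host']} "
              f"({', '.join(det['sources'])})")
        for line in det["context"]:
            print("   ", line)
        for action in det["actions"]:
            print("   ->", action)
```

Run stand-alone, the script produces a single detection for alice on ws-17 that joins the unusual sign-in, the suspicious process launch and the large outbound transfer, while bob's routine sign-in and the backup account's scheduled upload never become detections because each is seen by only one tool. The window and scoring rule are deliberately simple; the point is that the join key (host, user) and the time window are what turn three low-context alerts into one alert that an analyst can prioritize and act on from a single place.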

The Right Ecosystem
For XDR to truly work, you need a purpose-built partner ecosystem in place in which data and workflows are structured for cross-system detection, analysis and multi-system response. Be sure to invest in a solution that will better protect your enterprise, understand and digest all data, streamline your security operations and lower risk.

XDR drives productivity gains and saves security professionals time by allowing them to understand and trust the data they gather. It is about piecing together those disparate pieces of information to form a holistic picture that can detect and remediate intrusions much more easily. For today’s rapidly evolving data environments, XDR just might be the ticket.

For more information on what XDR is, isn’t and should be, view our infographic.

About the Author(s)

Zeki Turedi

CTO for EMEA, CrowdStrike

Zeki is an influential, tenacious and highly motivated cybersecurity leader with professional experience specializing in Endpoint and Network Cyber Security, as well as extensive Incident Response & Forensic knowledge within Law Enforcement and the private sector. Zeki acts as a trusted advisor and strategist for organizations across Europe, the Middle East and Africa. He focuses on assisting them to lower and manage cyber risk as well as build their cyber maturity and future.

At CrowdStrike as the CTO for EMEA, Zeki also focuses on technology strategy and innovation reporting into the Worldwide Chief Technology Officer. Zeki's insights and subject matter expertise are frequently shared via media outlets such as the BBC, The Times, LBC, WIRED plus many others. He has also been published on several occasions including the journal on 'Issues in Cybercrime, Security and Digital Forensics'.
