Does XDR Mark the Spot? 6 Questions to Ask

(Image: Gorodenkoff via Adobe Stock)

Extended detection and response – aka XDR – is one of those "buzzy" solution terms that seems to be everywhere in security lately. But despite the hype, there is still a lot of misunderstanding around the technology.

XDR promises to go beyond endpoint monitoring and detection to extend visibility into networks, servers, cloud, and applications. XDR analyzes data from all of these locations, takes action on threats, and sends information back to analysts.

Indeed, threat detection and response (TDR) is still a major pain point for security. According to research firm ESG, 83% of organizations will increase spending on threat detection and response this year. 

"Organizations have been spending regularly on threat detection and response but still can't detect sophisticated threats. And it takes too long to detect and respond to even common threats," says Jon Oltsik, a senior principal analyst at ESG. "By aggregating threat detection and response across multiple controls, XDR promises to improve TDR efficacy and streamline operations. This value proposition is too good to ignore, so XDR is getting lots of attention."

Is XDR right for your organization? Here are some common questions to ask as you think it through.

Why Should We Consider XDR Now?

The widespread shift to remote work in the past year made the attack surface (even more) massive, the amount of data produced staggering, and the number of tools to manage it all mind-boggling, says Dvir Sayag, a cyberthreat researcher at Tel Aviv-based Hunters.

"SOC teams cannot effectively investigate the increasing numbers of alerts and cannot maintain the rules and queries needed to be built to address ever-growing threats," he says. "There must be an effective level of automation that addresses threat intelligence, indicators of compromise, and tactics, techniques and procedures, and prioritizes alerts based on specific knowledge of the environment."

(Image: Superzoom via Adobe Stock)

What Is the Difference Between XDR and SIEM?

Security information and event management (SIEM) tech can offer XDR-like capabilities with the right analytics and response automation, ESG's Oltsik says. Given the crossover, it's understandable why many SIEM vendors are pitching XDR solutions. But, of course, there are distinctions.

"I'd say the two key functions promised by XDR are superior analytics and automated response," Oltsik explains. "This will really be driven by a cloud-native architecture and XDR vendors being highly active in analytics development. XDR vendors have a clean slate and a better toolset, including cloud resources and machine-learning algorithms, to address security at scale. SIEM could do the same but has to do so while still carrying a lot of legacy baggage."

(Image: profit_image via Adobe Stock) 

Is XDR an Extension of EDR?

EDR only applies to endpoints. With XDR, endpoints act as sensors and actuators, Oltsik says. Sensors feed telemetry to XDR analytics engines in the cloud. When analytics engines detect a problem, they instruct controls to take actions, like blacklisting a file or blocking an IP address.

"EDR is an important part of XDR, but there are other [components]: network, cloud, email, threat intelligence, as well," he says.

Keatron Evans, managing partner at KM Cyber Security, says XDR is the realization of a long-desired capability of automating some response activities.

"Response will still be response, but the response will be conducted with more information from more sources, which is where XDR comes in," he says. "Most EDR solutions work on managed endpoints where that EDR agent is deployed. XDR solutions can take and use data from places where there's no agent, such as Office 365 or even Dropbox in some cases."

(Image: momius via Adobe Stock)

How Does XDR Work with SOAR Platforms?

XDR increases the effectiveness of a security orchestration, automation and response (SOAR) platform and makes it easier to automate the response playbooks, according to Hunters' Sayag. 

"XDR is the best fit for SOAR and response and remediation workflows and playbooks. XDR automatically creates an in-context story of security incidents, connecting together the involved assets, communication, and users. By doing that, it creates the blueprint for remediation."

ESG's Oltsik predicts XDR will include full SOAR capabilities eventually – but we are not there yet. 

"I've been describing current XDR as containing a 'poor man's turnkey SOAR,'" he says. "In other words, XDR provides automation rules, but programmability is limited."

(Image: Gorodenkoff via Adobe Stock) 

Does XDR Help Solve the IT Infrastructure Visibility Gap?

Many visibility challenges exist because of IT tool segmentation. XDR can reduce blind spots by connecting the data and telemetry produced by IT and security tools across the environment.

"Security teams have a better chance of not missing incidents," Hunters' Sayag says.

XDR is intended to aggregate visibility, but what it will "see" will differ by XDR offerings, ESG's Oltsik notes.

"For example, Trend Micro includes email security in its XDR because Trend sells email security.  Another vendor like PAN may not include email coverage or rely on integration with third parties," he says. "If you think about the MITRE ATT&CK framework, XDR should eventually align to have visibility across all tactics and techniques regardless of their location."

(Image: Fractal Pictures via Adobe Stock) 

What's XDR's Role in an Incident or Breach?

"This is really where XDR will be very valuable," says ESG's Oltsik.

Today, one tool may detect anomalous behavior, but then someone with security analytics skills must examine the data and determine what else to investigate. The MITRE ATT&CK framework provides a road map, says Oltsik, but not every organization has the skills or visibility to look under every rock. 

XDR not only provides all the visibility in one place, but it is designed to piece together all the stages of an attack based on analytics. Rather than receive dozens of alerts, XDR alerts will consolidate others into high fidelity, highly detailed alerts that include a timeline of an attack kill chain. This would help immensely in several areas, like reducing alert storms, pinpointing root causes, and expedite remediation.

"To be clear, we aren't there yet but this would be a security operations game changer," Oltsik says. "I've used the analogy of how Henry Ford's introduction of the manufacturing line increased productivity, cut costs, improved quality, etc. If XDR can fulfill its potential, we could see similar impact on security operations."

(Image: James Thew via Adobe Stock)