Can I Have XDR Without EDR?

Yes, extended detection and response is possible without endpoint detection and response, but here's why having both is helpful.

Question: Can I have extended detection and response (XDR) without implementing endpoint detection and response (EDR) first?

Al Huger, vice president and general manager of Cisco Security Platform & Response: You can absolutely have XDR without first implementing EDR. Keep in mind that any XDR solution is more useful by leveraging endpoint visibility and the capability to respond. Ultimately, most threats are headed toward an endpoint. However, tying any part of that narrative together, including the network, user, and application, and then acting on it is still very powerful – just more so for an endpoint.

Most security teams find EDR data provides essential visibility to threats, and they correlate network detection data (NDR) to complete their visibility. Hence, it is valuable to begin with EDR. However, EDR covers only managed endpoints, whereas many threats originate on cloud workloads, IoT devices, on-premises servers, and unmanaged devices – places where EDR coverage is often incomplete. Security teams with mature network visibility and response but limited EDR visibility can build their XDR from their network detection and response (NDR) capability and layer in EDR as it matures in their environments. They can manage and respond to threats via dynamic network routing and block lists, a native capability of NDR into XDR.