Question: How do I know whether XDR is right for my organization?
Matthew Warner, CTO and Co-Founder, Blumira: As organizations accrue more controls and technology, they also add complexity; it’s a natural evolution of security maturity. Often this presents itself as an increase in those “accidental misses” across technologies — perhaps a reported phishing email was dropped or an alert for a PUP resulted in a workstation being corrupted. It’s likely no one’s fault but rather the fault of the processes and tools in place that require another layer to level out effort with response needs.
Extended detection and response (XDR) will likely crop up in your research as a potential solution. And especially if you have a security information and event management (SIEM) platform, it’s natural to wonder whether XDR is a necessary addition.
According to Forrester analyst Allie Mellen, SIEM and XDR are on a crash collision course. In the meantime, it’s important to evaluate the use cases of each tool. Traditionally, SIEM use cases have focused mainly on compliance, reporting, patching, and triaging. SIEMs require a lot of manual care and feeding, and they often lack detection and response capabilities. XDR, on the other hand, is more focused around real-time hunting, detecting indicators of compromise, and getting immediate answers to help prevent an attack in progress.
Deciding whether you need XDR depends on your internal requirements, resources, and maturity goals for security. What resources have been allocated to your team, and how large is the team going to become? In almost all situations, it is not financially feasible or timely to build your own security operations center (SOC) from the ground up. Leveraging existing knowledge is paramount and should only make your life easier.
Fortunately, many modern SIEMs are starting to adopt XDR-like capabilities, so it may not be necessary to choose one over the other. However, a tool like XDR can allow you to centralize your tooling into one central detection and analysis platform as well as rapidly reduce complexity and effort for IT and security teams. It’s important to focus on how quickly you can apply a response and how your processes can support this response rather than how to detect the next new bad thing. Leaving this effort to your XDR, managed detection and response (MDR), or managed SIEM tools allows you to focus on running the business.