Is XDR Overhyped?
Security experts weigh in on the value and pitfalls of extended detection and response (XDR), offering consideration and advice on this growing new category.
November 17, 2021
![XDR XDR](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltd88a8b7eab94da84/64f15236c0f43897d2a3670e/SOC_Dimco_AdobeStock.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Dimco via AdobeStock
As security teams strive to get the most out of as many shreds of collectible security data as they can — detecting and responding to threat signals with as little trouble as possible — the category of extended detection and response (XDR) is gaining steam. It’s still early days for this growing niche, with a lot of interpretations of what XDR even is.
The foundation is XDR centralizing telemetry from security tools not just across the network but from other key areas, like endpoints, cloud, and identity. The secret sauce tends to be what XDR does next with that data: using machine learning and threat intelligence to correlate it, contextualize the different data dimensions against one another and against risk scoring, and so deliver speedier, higher-fidelity detection with less legwork from analysts.
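To make the aggregation-versus-correlation distinction concrete, here is an added toy example in Python; it is not from the article or from any XDR product, and the event records, source bonus, window and threshold are constructed assumptions. Three individually weak signals about one user from the identity, endpoint and cloud sources are each ignored by per-event thresholding but together form one scored incident.

```python
"""Toy cross-source correlation with risk scoring (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalised telemetry records. In a real deployment the
# normalisation step is where much of the effort goes; here it is assumed done.
EVENTS = [
    {"ts": "2021-11-17T09:00:05", "source": "identity", "user": "alice",
     "kind": "login_new_country", "score": 3},
    {"ts": "2021-11-17T09:02:10", "source": "endpoint", "user": "alice",
     "kind": "lolbin_exec", "score": 4},
    {"ts": "2021-11-17T09:04:42", "source": "cloud", "user": "alice",
     "kind": "bulk_object_read", "score": 4},
    {"ts": "2021-11-17T13:30:00", "source": "endpoint", "user": "bob",
     "kind": "lolbin_exec", "score": 4},
]
ALERT_THRESHOLD = 8           # assumed: an incident fires at or above this risk
WINDOW = timedelta(minutes=15)  # assumed: events of one user within this span chain
SOURCE_BONUS = 2              # assumed: extra weight when distinct sources agree


def _t(event):
    return datetime.fromisoformat(event["ts"])


def aggregate(events, threshold=ALERT_THRESHOLD):
    """Aggregation only: each event stands alone, so only high scores fire."""
    return [e for e in events if e["score"] >= threshold]


def _chains(events, window):
    """Yield (user, chain) where a chain is that user's time-ordered events
    starting within `window` of the chain's first event."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        chain = [evs[0]]
        for e in evs[1:]:
            if _t(e) - _t(chain[0]) > window:
                yield user, chain
                chain = []
            chain.append(e)
        yield user, chain


def correlate(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Correlation: score each user's chain, rewarding cross-source agreement."""
    incidents = []
    for user, chain in _chains(events, window):
        sources = sorted({e["source"] for e in chain})
        risk = sum(e["score"] for e in chain) + SOURCE_BONUS * (len(sources) - 1)
        if risk >= threshold:
            incidents.append({"user": user, "risk": risk, "sources": sources,
                              "kinds": [e["kind"] for e in chain]})
    return incidents
```

Running `aggregate(EVENTS)` yields nothing, while `correlate(EVENTS)` returns a single incident for alice spanning all three sources; bob's lone endpoint event stays below the threshold in both views.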
Experts say the promise of XDR is that it makes good on the unmet promises of earlier technologies, like security information and event management (SIEM), accelerating how security teams detect, investigate, and remediate threats. Sounds great — and suspiciously like hype to all those cyber cynics out there. So we asked a number of security experts whether they think this category is overhyped and what buyers should keep in mind as they mull over their XDR options.
“XDR is indeed the new magic word. And like all new magic words, [it's] overhyped and multi-interpretable. It is used for all kinds of capabilities that go beyond only having a single point solution. This can be a real pitfall for less knowledgeable customers.
“Next to this there is a big difference between ‘extended’ detection and response vs. ‘everything’ detection and response. In our company we strongly believe in being able to include every possible source (open architecture). This will support customers much better, in case they have a best-of-breed strategy or already signed multiyear license contracts for one or more point solutions.”
— Luck Bron, principal cyber security consultant, Defenced
“Organizations use multiple technology layers to address different security challenges. As is always the case, though, adversaries continually find new ways of getting past existing defenses, which is an ongoing problem that produces a steady cadence of new security products and services.
“XDR has emerged as the latest innovation taking aim at closing threat detection and response gaps. Whether or not XDR is over-, under-, or hyped just right remains to be seen. However, security operations teams are actively using it to connect siloed legacy tools, threat data, and intelligence to more quickly and efficiently identify and respond to attackers and breaches.”
— Hugh Njemanze, president, Anomali
“XDR, in so far as vendors are just packaging existing tools and saying it is XDR, is overhyped. XDR isn't so much new as it is a repackaging of an idea based on the inability of our current toolsets to realize the promise. SIEM *should* have been about managing discrete forms of data from a wide variety of devices and logs [from endpoints and networks] to allow for building robust detection. What SIEM became was data normalization tied to storage costs.
“As with any security tool, [XDR] is only as good as the team that's using it to secure an environment and the data it can ingest. An organization either needs to have threat researchers and/or a hunt team or be willing to outsource that to a trusted third party.”
— John Bambenek, principal threat hunter, Netenrich
“XDR is certainly worth the hype. It was built to deliver the outcomes we expected from SIEM, without the overhead or cost to maintain. Additionally, with the context wrapped around a more authoritative source for data — [the] endpoint — alerts are higher fidelity, investigations are faster, and response can be done directly from the XDR platform.
“Because of the ambiguous definition of XDR, most of the misconceptions revolve around capabilities. From the assumed data sources to aggregation vs. correlation and replacement of a SIEM, the lack of a definitive capability set leaves many organizations assuming the benefit based on the marketing material.”
— Randy Watkins, CTO, Critical Start
“We are well past the time when 'we're fine with just a SIEM' or 'we're fine with just an EDR' was the right answer for the visibility you need in your operating environment. The biggest selling point of XDR — and the biggest promise — is its ability not only to ingest all the things, but to make it easier for our human beings in the SOC to get to the right answer more quickly.
“Pull back the curtains to confirm that what you are looking at is a fully formed, tightly integrated collection of technologies, and not a bucket full of different products that don't look like one another and are hard to navigate. Always keep your human analysts front and center when considering these technologies. Will this XDR solution complicate or simplify their day-to-day life?”
— Ben Smith, field CTO, NetWitness
“There’s no question that XDR has gained in awareness in a short period of time, and its overarching principles are sound. However, it’s vital that organizations not look at it as a 'magic bullet' that can solve all cybersecurity problems. XDR provides a compelling technology story to describe improvements in previous mainstream detection and response technologies, but it isn’t the whole story.
“We see XDR as embodying a set of capabilities that, when taken together, raise the bar for mainstream threat detection and response. However, misconceptions can abound as vendors are presently clamoring to define their specific approach or technology as true XDR, much as the EDR acronym came to define a certain class of endpoint detection and response technologies that emerged nearly 10 years ago. Even today many products claim ‘EDR’ but vary widely in implementation and, thus, effectiveness at delivering desired security outcomes.”
— Marc Brawner, managing director and global head of managed services, Kroll Cyber Risk practice
“I think [XDR is] a marketing term to describe something that was already being done. If you look at companies with mature security programs, especially those that have implemented a robust monitoring strategy through a security operations center (SOC), the key elements of XDR have always been there.
“These companies collect information from various sources, such as endpoints, cloud services, and network telemetry. They combine that information with human elements — security analysts — and quickly detect suspicious or malicious activity to initiate an effective and appropriate response. It’s just now there is an official name for it which can be marketed.”
— William Mendez, managing director of operations, CyZen, A Friedman LLP Company