Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/29/2021
07:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

XDR Pushing Endpoint Detection and Response Technologies to Extinction

Ironically, EDR's success has spawn demand for technology that extends beyond it.

The success that many organizations have had in recent years with endpoint detection and response (EDR) products may be hastening the end of the technology.

Pushing it to the sidelines is an emerging class of extended detection and response (XDR) technologies that pairs EDR functions with telemetry from the network, applications, and cloud, Forrester Research said in a report this week.

Related Content:

Weakness in EDR Tools Lets Attackers Push Malware Past Them

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 10K Hackers Defend the Planet Against Extraterrestrials

Forrester is one among several analyst firms that in recent months has noted the rapid emergence of XDR as an approach to mitigating cyberthreats from the enterprise endpoint to the cloud.

Gartner, for instance, views XDR tools — as well as machine learning and automation — as key to improving threat detection accuracy and security productivity, especially for resource strapped security operations centers (SOCs). Omdia has described it as a technology that is "quickly taking the enterprise cybersecurity industry by storm." In a recent survey, ESG Group found 70% of organizations are already using or considering XDR. Another survey conducted by the Ponemon Institute on behalf of FireEye found organizations intended to spend an average of $333,150 on XDR in 2020, compared with $183,150 on security information and event management (SIEM) and $345,150 on security orchestration, automation, and response (SOAR).

Several factors are driving interest, says Allie Mellen, Forrester analyst and author of the new report. The first is the fact that understaffed SOC teams simply don't have the time required to thoroughly investigate and respond to every threat facing their organizations, especially given the plethora of security tools they must deal with.

Many security leaders, having seen the value in EDR, are also looking for ways to extend those capabilities beyond the endpoint.

"While EDR provides effective endpoint detection and response, security teams require more telemetry than just the endpoint," Mellen says. "XDR provides needed visibility and control to other parts of the business through integrations that combine EDR data with other types of telemetry."  

The third factor driving interest in XDR is the cloud. With enterprises shifting more of their operations to the cloud, security leaders are under growing pressure to protect data there, she says.

XDR builds on the success of EDR and is in a way the next evolution of the technology, Mellen says. Like conventional EDR tools, XDR also gathers and analyzes security event and threat data from endpoint devices, such as laptops, workstations, and mobile devices. Unlike EDR technologies, though, XDR unifies this endpoint security data with data from network tools, applications, identity and access management tools, and the cloud. Importantly, XDR enables an automated response capability as well.

Collision Course
Up until now, security teams have typically used security analytics tools, SIEM, network analysis products, and data lakes to try and match data from their EDR tools with the rest of the environment. While such efforts have had varying degrees of success, they have also been extremely resource-intensive, involved way too much data, and yielded a high rate of false positives.

Importantly, many security analytics platforms, like SIEM, are primarily useful in gathering and aggregating security event and log data from a wide variety of sources — but less so for analytics. That's because the primary driver for SIEM deployments, for instance, has typically been compliance, Mellen says.

"XDR looks to address these gaps by centralizing detection in telemetry that is known to produce high-efficacy detections," she says. "By basing detections in the endpoint, whether the endpoint takes the form of a laptop, workstation, mobile device, or the cloud, XDR aims to reduce false positives and focus detections on the data most likely to yield accurate detections."

Enterprises that are shopping for EDR technologies will need to decide whether they want to go with a native XDR capability or a hybrid one. Forrester defines native XDR as technology where integration is focused around products that are already in a vendor's existing portfolio. A hybrid XDR environment, on the other hand, integrates products from multiple third parties.

The benefit with native XDR is that it offers a relatively straightforward buying process and tight integration. The benefit with hybrid XDR is that it allows security organizations to choose best-of-breed products, though the integration could be a bit of a struggle, Mellen says. XDR, both hybrid and native, is delivered via a software-as-a-service (SaaS) model.

Mellen expects the shift from EDR to XDR will happen in an evolving manner.

"XDR detections remain mired in endpoint data, which is currently limited to laptops, workstations, and mobile devices," she says. "[But] as XDR capabilities mature and detection expands beyond the traditional endpoint, it will siphon off more tasks from the SIEM until they become head-to-head competitors in the next three to five years." 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20686
PUBLISHED: 2021-09-17
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2021-38402
PUBLISHED: 2021-09-17
Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to ex...
CVE-2021-38404
PUBLISHED: 2021-09-17
Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in a heap-based buffer overflow. An attacker could leverage this vulnerability to execute code in the context of the current process.
CVE-2021-38406
PUBLISHED: 2021-09-17
Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process.
CVE-2021-41326
PUBLISHED: 2021-09-17
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.