Extended Detection and Response, or XDR, is one of the most promising emerging technologies to arrive on the enterprise cybersecurity landscape in many years.
First coined in 2018 by Omdia Principal Analyst Rik Turner, XDR is defined by Omdia as a single, standalone solution that offers integrated threat detection and response capabilities across (at a minimum) endpoints, networks, and cloud environments.
XDR offers significant potential for several reasons. However, because XDR is still emerging, few organizations understand exactly how it achieves what SIEM, SOAR, and other previous technologies have been largely unable to offer.
Here, Omdia will highlight why XDR has become one of the fastest-growing market segments in enterprise cybersecurity. Specifically, XDR addresses four key enterprise threat detection and response requirements that vendors have struggled to address.
Unified Telemetry Analysis
No threat detection solution exists in a vacuum. In other words, consistent and accurate detection of a wide range of threats requires the combination of relevant data from multiple threat telemetry sources.
However, most enterprises manage a cybersecurity product architecture with dozens of unique solutions from many different vendors; few if any of them are designed to work well with each other.
XDR solutions are intended to address this challenge by providing unified analysis of previously siloed threat detection telemetry data. Regardless of whether threat data originates on the endpoint, network, cloud, or elsewhere, the telemetry is unified, standardized, and analyzed simultaneously as a whole.
The key difference is that existing solutions analyze each source separately and then attempt to reconcile the findings to detect threats. The simultaneous, unified analysis of multisource telemetry offered by XDR accelerates the process of accurately identifying attacks, particularly multistage attacks like NotPetya that often go undetected.
Faster, More Accurate Threat Detection
In addition to unified telemetry analysis, several other XDR features are equally critical in helping enterprises realize faster, more accurate threat detection.
An XDR solution is constantly reviewing incoming telemetry, using a variety of detection engines, as well as machine learning algorithms and behavioral analytics. Unlike static policy-based alerting systems, XDR continuously determines whether an event is malicious, anomalous, or suspicious based on a variety of evolving indicators, including whether the activity has any precedent in the organization.
XDR can automatically initiate an event enrichment process upon discovery of suspicious or anomalous activity. The system saves time by accumulating additional data points that a human analyst would typically gather manually to determine whether the event is a true positive.
After enrichment, XDR solutions proactively correlate or review artifacts related to the event, as a whole and simultaneously, to make a conviction with the greatest possible accuracy. Because XDR typically standardizes the telemetry it takes in, that common format allows its analysis engines to find common data points that are indicative of a threat event quickly and accurately.
Finally, when a threat is confirmed, XDR solutions present the findings to analysts by way of informative, compelling visual representations of the sequence of events that encompass a threat event. Specific data points are often visualized as events on a continuum or with radar or spider graphs. This helps SOC analysts understand, explore, and act on threats more quickly and decisively.
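As an added illustration, not code from the Omdia report or from any XDR product, the following Python sketch walks through the normalize, enrich, and correlate flow described in the two sections above on constructed endpoint, network, and cloud events. The native field names, the known-domain baseline, the asset-owner lookup, and the verdict thresholds are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry: three silos, each with its own native field names.
ENDPOINT = [{"ts": "2024-05-01T10:00:05", "hostname": "ws-17", "proc": "powershell.exe", "parent": "winword.exe"}]
NETWORK = [{"time": "2024-05-01T10:00:40", "src_host": "ws-17", "dst": "files.example-cdn.test"},
           {"time": "2024-05-01T10:01:00", "src_host": "ws-03", "dst": "mail.example-corp.test"}]
CLOUD = [{"eventTime": "2024-05-01T10:02:10", "sourceHost": "ws-17", "userIdentity": "svc-backup", "eventName": "ListBuckets"}]
# Constructed organisational context used for enrichment (assumed for this example).
KNOWN_DOMAINS = {"updates.example-vendor.test", "mail.example-corp.test"}  # contacted before in this org
ASSET_OWNER = {"ws-17": "finance", "ws-03": "helpdesk"}

def normalize(endpoint, network, cloud):
    """Map every silo onto one common schema so a single engine can analyse all of it together."""
    common = [{"src": "endpoint", "ts": e["ts"], "host": e["hostname"], "signal": f"{e['parent']}>{e['proc']}"}
              for e in endpoint]
    common += [{"src": "network", "ts": n["time"], "host": n["src_host"], "signal": n["dst"]} for n in network]
    common += [{"src": "cloud", "ts": c["eventTime"], "host": c["sourceHost"],
                "signal": f"{c['userIdentity']}:{c['eventName']}"} for c in cloud]
    for ev in common:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(common, key=lambda ev: ev["ts"])

def enrich(ev):
    """Attach the data points an analyst would otherwise gather by hand."""
    ev["owner"] = ASSET_OWNER.get(ev["host"], "unknown")
    if ev["src"] == "network":
        ev["precedent"] = ev["signal"] in KNOWN_DOMAINS  # any precedent for this destination in the org?
    return ev

def correlate(events, window=timedelta(minutes=5)):
    """Review each host's enriched events as a whole: a chain spanning several silos
    inside the window is convicted as one incident rather than three separate alerts."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(enrich(ev))
    incidents = []
    for host, evs in by_host.items():
        span = evs[-1]["ts"] - evs[0]["ts"]
        silos = {ev["src"] for ev in evs}
        no_precedent = any(ev.get("precedent") is False for ev in evs)
        if span <= window and len(silos) >= 3:
            verdict = "malicious" if no_precedent else "suspicious"
        elif no_precedent:
            verdict = "anomalous"
        else:
            continue  # nothing cross-silo and nothing unprecedented: no alert raised
        incidents.append({"host": host, "owner": evs[0]["owner"], "verdict": verdict,
                          "timeline": [(ev["src"], ev["signal"]) for ev in evs]})
    return incidents
```

The returned timeline is the ordered sequence of events an XDR console would render for the analyst; ws-03 produces nothing because its only event has precedent and no cross-silo chain.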
React, Respond, and Resolve Faster and Better
Threat response is a highly manual exercise, often requiring hours of work, numerous tools, and inconsistent processes. CISOs and SOC analysts alike understand that this is an inefficient, expensive, tedious, and often ineffective approach.
While SOAR solutions have sought to codify, orchestrate, and ultimately automate some of this work, SOAR is often too expensive and complicated for many organizations.
XDR solutions provide SOAR-like functionality, but with better ease of use. Policy-based actions are pre-built based on industry best practices for various types of threats; enrichment, correlation, and presentation take place prior to alerting, leaving fewer manual steps before response; and remediation actions are executed by the XDR system, allowing for closed-loop remediation, confirmation, and reporting.
Functionality Regardless of Maturity Level
Until XDR, enterprise-grade threat detection and response capabilities have largely required the deployment of a SIEM/SOAR-based SOC technology stack, which is expensive, complex, and requires trained experts to configure and manage.
Omdia's research indicates that XDR, compared with SIEM and SOAR, is often less expensive, somewhat less complex to deploy and manage, requires less expertise, and will increasingly become viable for organizations with lower levels of cybersecurity maturity.
Considering that essentially any organization can be targeted by a complex cyberattack at any time, this democratization of threat detection and response has been a long time coming.
XDR: Looking Ahead
To be sure, XDR is nascent, and vendors will be busy for years to come refining their solutions.
For starters, most XDR solutions today have unrefined features and workflow, widely varying depth of features (some don't even offer true threat response), and limited extended capabilities related to integration, ticketing, and compliance management. There are also few documented case studies proving the success of XDR in real-world deployment scenarios.
Still, Omdia is bullish on XDR, and expects the technology to mature rapidly. Enterprises are eager for an easier, more affordable approach to threat detection and response, and vendors recognize the opportunity to finally deliver solutions to address those needs.
Editor's note: This column is based on research excerpted from Omdia's recently published report, "Fundamentals of XDR versus SIEM and SOAR: Understanding the evolution of SecOps architectures," which is available to Omdia subscribers.