Dark Reading is part of the Informa Tech Division of Informa PLC
Eric Parizo
What's So Great About XDR?

XDR is a significant advance in threat detection and response technology, but few enterprises understand why. Omdia identifies four catalysts driving the emergence of XDR.

Extended Detection and Response, or XDR, is one of the most promising emerging technologies to arrive on the enterprise cybersecurity landscape in many years.

First coined in 2018 by Omdia Principal Analyst Rik Turner, XDR is defined by Omdia as a single, standalone solution that offers integrated threat detection and response capabilities across (at a minimum) endpoints, networks, and cloud environments.

XDR offers significant potential for several reasons. However, because XDR is still emerging, few organizations understand exactly how it achieves what SIEM, SOAR, and other previous technologies have been largely unable to offer.

Here, Omdia will highlight why XDR has become one of the fastest-growing market segments in enterprise cybersecurity. Specifically, XDR addresses four key enterprise threat detection and response requirements that vendors have struggled to meet.

Unified Telemetry Analysis
No threat detection solution exists in a vacuum. In other words, consistent and accurate detection of a wide range of threats requires the combination of relevant data from multiple threat telemetry sources.

However, most enterprises manage a cybersecurity product architecture with dozens of unique solutions from many different vendors; few if any of them are designed to work well with each other.

XDR solutions are intended to address this challenge by providing unified analysis of previously siloed threat detection telemetry data. Regardless of whether threat data originates on the endpoint, network, cloud, or elsewhere, the telemetry is unified, standardized, and analyzed simultaneously as a whole.

The key difference is that existing solutions analyze each source separately and then attempt to reconcile the findings to detect threats. The simultaneous, unified analysis of multisource telemetry offered by XDR accelerates the process of accurately identifying attacks, particularly multistage attacks such as NotPetya that often go undetected.

Faster, More Accurate Threat Detection
In addition to unified telemetry analysis, several other XDR features are equally critical in helping enterprises realize faster, more accurate threat detection.

An XDR solution is constantly reviewing incoming telemetry, using a variety of detection engines, as well as machine learning algorithms and behavioral analytics. Unlike static policy-based alerting systems, XDR continuously determines whether an event is malicious, anomalous, or suspicious based on a variety of evolving indicators, including whether the activity has any precedent in the organization.


XDR can automatically initiate an event enrichment process upon discovery of suspicious or anomalous activity. The system saves time by accumulating additional data points that a human analyst would typically gather manually to determine whether the event is a true positive.

After enrichment, XDR solutions proactively correlate or review the artifacts related to the event, as a whole and simultaneously, to reach a verdict with the greatest possible accuracy. Because XDR typically standardizes the telemetry it takes in, that common format allows its analysis engines to find the shared data points that indicate a threat event quickly and accurately.

Finally, when a threat is confirmed, XDR solutions present the findings to analysts by way of informative, compelling visual representations of the sequence of events that encompass a threat event. Specific data points are often visualized as events on a continuum or with radar or spider graphs. This helps SOC analysts understand, explore, and act on threats more quickly and decisively.
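To make the unified-analysis, enrichment and correlation steps described above concrete, here is an added example that is not part of the column or of any vendor's product. It is a toy pipeline: three constructed record layouts (an endpoint process event, a firewall connection log, a cloud audit record) are normalized into one schema, enriched with whether the activity has precedent in a constructed organizational baseline, and then correlated per host inside a time window. The contrast it shows is the one the column draws: each silo on its own sees a single anomaly, while the unified view sees a chain spanning all three sources. Field names, host names, the baseline and the 600-second window are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

@dataclass
class Event:
    """One record in the common schema every source is mapped into (constructed)."""
    source: str                       # "endpoint", "network" or "cloud"
    ts: float                         # epoch seconds
    entity: str                       # host the activity is attributed to
    action: str                       # normalized verb
    target: str                       # what the action touched
    precedent: Optional[bool] = None  # filled in by enrichment
    raw: dict = field(default_factory=dict)

def _epoch(iso: str) -> float:
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp()

def normalize(source: str, raw: dict) -> Event:
    """Map each source's own (constructed) record layout onto Event."""
    if source == "endpoint":
        return Event(source, _epoch(raw["@timestamp"]), raw["host"],
                     "process_start", raw["image"], raw=raw)
    if source == "network":
        return Event(source, float(raw["epoch"]), raw["src_host"],
                     "outbound_connect", f'{raw["dst_ip"]}:{raw["dst_port"]}', raw=raw)
    if source == "cloud":
        return Event(source, _epoch(raw["eventTime"]), raw["sourceHost"],
                     raw["eventName"], raw["resource"], raw=raw)
    raise ValueError(f"unknown telemetry source: {source}")

def enrich(events, baseline):
    """Enrichment: mark whether each (entity, action, target) has been seen
    before in the organization, i.e. whether the activity has precedent."""
    for e in events:
        e.precedent = (e.entity, e.action, e.target) in baseline
    return events

def silo_view(events):
    """What each source sees on its own: a count of novel events per silo."""
    counts = defaultdict(int)
    for e in events:
        if not e.precedent:
            counts[e.source] += 1
    return dict(counts)

def correlate(events, window_s=600.0):
    """Unified analysis: group novel events per entity inside a time window;
    a chain spanning several sources is escalated, a lone anomaly is not."""
    by_entity = defaultdict(list)
    for e in events:
        if not e.precedent:
            by_entity[e.entity].append(e)
    findings = []
    for entity, evs in by_entity.items():
        evs.sort(key=lambda e: e.ts)
        start = evs[0].ts
        chain = [e for e in evs if e.ts - start <= window_s]
        sources = sorted({e.source for e in chain})
        if len(sources) >= 2:
            findings.append({
                "entity": entity,
                "sources": sources,
                "severity": "high" if len(sources) == 3 else "medium",
                "chain": [(e.source, e.action, e.target) for e in chain],
            })
    return findings

# Constructed sample telemetry: three sources, two hosts, one of which shows
# a chain that no single source would rate as more than an anomaly.
RAW = [
    ("endpoint", {"@timestamp": "2021-05-17T10:00:05Z", "host": "ws-17",
                  "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"}),
    ("network",  {"epoch": "1621245670", "src_host": "ws-17",
                  "dst_ip": "203.0.113.7", "dst_port": 443}),
    ("cloud",    {"eventTime": "2021-05-17T10:04:00Z", "sourceHost": "ws-17",
                  "eventName": "CreateAccessKey", "resource": "iam/user/svc-backup"}),
    ("endpoint", {"@timestamp": "2021-05-17T10:02:00Z", "host": "ws-02",
                  "image": r"C:\Windows\System32\svchost.exe"}),
    ("network",  {"epoch": "1621245800", "src_host": "ws-02",
                  "dst_ip": "198.51.100.5", "dst_port": 443}),
]
# Constructed organizational baseline of previously observed activity.
BASELINE = {
    ("ws-02", "process_start", r"C:\Windows\System32\svchost.exe"),
    ("ws-02", "outbound_connect", "198.51.100.5:443"),
    ("ws-17", "process_start", r"C:\Windows\System32\svchost.exe"),
}

def run_demo():
    events = enrich([normalize(src, raw) for src, raw in RAW], BASELINE)
    return silo_view(events), correlate(events)

if __name__ == "__main__":
    silos, findings = run_demo()
    print("per-silo novel events:", silos)
    for f in findings:
        print(f"{f['severity'].upper()} {f['entity']} via {f['sources']}: {f['chain']}")
```

Run stand-alone, the per-silo view reports one novel event in each of endpoint, network and cloud, none of which would justify an alert on its own; the correlated view produces a single high-severity finding for ws-17 with the three-step chain attached, while ws-02, whose activity all has precedent, produces nothing. A real product would of course use richer schemas, many more detection engines and a learned rather than hard-coded baseline; the structure of the pipeline is the point.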

React, Respond, and Resolve Faster and Better
Threat response is a highly manual exercise, often requiring hours of work, numerous tools, and inconsistent processes. CISOs and SOC analysts alike understand that this is an inefficient, expensive, tedious, and often ineffective approach.

While SOAR solutions have sought to codify, orchestrate, and ultimately automate some of this work, SOAR is often too expensive and complicated for many organizations.

XDR solutions provide SOAR-like functionality, but with better ease of use. Policy-based actions are pre-built based on industry best practices for various types of threats; enrichment, correlation, and presentation take place prior to alerting, so fewer manual steps are needed before response; and remediation actions are executed by the XDR system, allowing for closed-loop remediation, confirmation, and reporting.

Functionality Regardless of Maturity Level
Until XDR, enterprise-grade threat detection and response capabilities have largely required the deployment of a SIEM/SOAR-based SOC technology stack, which is expensive, complex, and requires trained experts to configure and manage.

Omdia's research indicates that XDR, compared with SIEM and SOAR, is often less expensive, somewhat less complex to deploy and manage, requires less expertise, and will increasingly become viable for organizations with lower levels of cybersecurity maturity.

Considering that essentially any organization can be targeted by a complex cyberattack at any time, this democratization of threat detection and response has been a long time coming.

XDR: Looking Ahead
To be sure, XDR is nascent, and vendors will be busy for years to come refining their solutions.

For starters, most XDR solutions today have unrefined features and workflow, widely varying depth of features (some don't even offer true threat response), and limited extended capabilities related to integration, ticketing, and compliance management. There are also few documented case studies proving the success of XDR in real-world deployment scenarios.

Still, Omdia is bullish on XDR, and expects the technology to mature rapidly. Enterprises are eager for an easier, more affordable approach to threat detection and response, and vendors recognize the opportunity to finally deliver solutions to address those needs.

Editor's note: This column is based on research excerpted from Omdia's recently published report, "Fundamentals of XDR versus SIEM and SOAR: Understanding the evolution of SecOps architectures," which is available to Omdia subscribers.

Eric Parizo supports Omdia's Cybersecurity Accelerator, its research practice supporting vendor, service provider, and enterprise clients in the area of enterprise cybersecurity. Eric covers global cybersecurity trends and top-tier vendors in North America. He has been ...
