
Vulnerabilities / Threats

2/24/2021 01:00 PM
Jon Oltsik
Commentary

The Realities of Extended Detection and Response (XDR) Technology

While the term XDR has become pervasive, the technology and market remain a work in progress with lots of innovation and market confusion.

Given all the hype around extended detection and response (XDR) technology, it's worth starting this article by defining the term "XDR." XDR is an integrated suite of security products spanning hybrid IT architectures (LAN, WAN, infrastructure-as-a-service, data centers, and so on) designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.


The "X" in XDR is about moving from discrete to comprehensive threat detection. Rather than identifying security events separately on endpoints, on networks, and in email, XDR promises to gather and correlate all these events across security controls. So, think threat detection across the cyber kill chain or aligned with the MITRE ATT&CK framework. The "D" is about data collection, processing, and analytics to detect cyberattacks faster and more accurately than existing systems. Typically, these activities will be cloud-native, taking advantage of massive scale for advanced analytics across months or even years' worth of data. Finally, the "R" is really tied to automation. XDR promises to remove a lot of security operations busy work by taking automated actions out of the box. Kind of a poor man's turnkey security orchestration, automation, and response (SOAR).

That's the marketing take on XDR, but we've been talking about tools consolidation for years, well before someone came up with the term XDR. Is XDR real?

My esteemed colleague Dave Gruber and I just completed a research project on XDR to answer this question and others. Dave is an expert on endpoint detection and response (EDR), while I focus on the security operations center, so we looked at XDR from many angles. Based on our research, XDR is not only real but may also disrupt the industry in 2021. ESG's research supports this conclusion:

  • Organizations have lots of work ahead for threat detection. When asked to define their threat detection goals, 34% of organizations say they want to improve the detection of advanced threats, 29% want to decrease mean time to recovery, and 27% want help in determining which threats to prioritize. This points to the need for process and technology improvement.

  • Existing tools aren't working. Despite billions of dollars of investment, enterprise organizations can't detect or respond to threats in a timely manner. When asked to identify threat detection and response challenges, 31% of security pros say they spend their time responding to emergencies, 29% admit to "blind spots" with security monitoring, and 23% claim that it's difficult to correlate security alerts from different tools. Hmm, this seems to indicate a lot of security operations chaos.

  • Threat detection/response budgets are increasing. A whopping 83% of organizations are increasing their threat detection and response budgets. This tells me that organizations need help ASAP.

The research also indicates that many organizations are already thinking of XDR as a possible solution; 70% could foresee creating an XDR budget within the next 12 months. Interestingly, another 23% of organizations say they are already working on an XDR project — like integrating EDR and network detection and response tools, enriching alerts with threat intelligence, etc.

Organizations need and are willing to pay for threat detection/response help, so XDR is gaining market momentum with impeccable timing. Security technology providers certainly see this opportunity, as large, deep-pocketed vendors like Broadcom (Symantec), Check Point, Cisco, FireEye, Fortinet, McAfee, Microsoft, Palo Alto Networks, and Trend Micro are integrating point products to create XDR suites. At the same time, EDR players like CrowdStrike, Cybereason, and SentinelOne have adopted XDR strategies, while security information and event management (SIEM) vendors like LogRhythm and RSA are messaging XDR. Meanwhile, a plethora of XDR startups, including Confluera, Hunters, ReliaQuest, SecBI, and Stellar Cyber, have joined the fray. All this attention means tremendous XDR R&D investments and innovation.

Before XDR takes over the cybersecurity world, the research also points to several remaining obstacles. Security professionals need to better understand the following:

  • What an XDR solution includes. Only 24% of survey respondents say they're very familiar with XDR; the rest are somewhat familiar or not familiar with XDR. When asked for an XDR definition, 36% said that XDR collects, processes, analyzes, and acts upon security telemetry from various sources and controls — an accurate but vague classification. This confusion is understandable because many XDR solutions are based on a variety of different security controls with no standard offering. Other XDR solutions act as a software abstraction/overlay layer, sitting above existing controls and analytics tools. All the confusion indicates that there is a pressing need for market education before most organizations get their checkbooks out.

  • How XDR aligns with SIEM. Many enterprise organizations have invested millions in their SIEM, and 71% of organizations with SIEM say it's effective for threat detection and response. However, the research also shows that SIEM tends to be costly, complex, and not as effective for detecting unknown/sophisticated threats. Judging by this data, most organizations want XDR to augment and improve rather than replace their SIEM — at least in the short term. XDR vendors need to develop a strong SIEM supplementation strategy to help organizations consume their wares.

  • The data management story. Like SIEM, XDR must be able to collect, process, and analyze terabytes of real-time and batch data. Any security engineer will tell you that they spend a lot of time messing around with the underlying data pipeline to make this all work. The ESG research illustrates this; organizations have security data pipelining challenges like filtering out noisy alerts (38%), scaling the data pipeline to accommodate growing security telemetry volumes (37%), and building an effective data pipeline for stream processing (34%). XDR vendors have the advantage of cloud-native scale for data pipelining. Now they need to educate the market on how they can manage the security data pipeline when many organizations struggle mightily in this area.

  • The role of services. Nearly three-quarters (73%) of organizations use or plan to use some type of managed threat detection and response (MDR) service, from full outsourcing to staff/skills augmentation and everything in between. This indicates that bundled services should be a part of every XDR offering, but this is anathema to many XDR vendors used to transactional sales of security point products rather than solutions.
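The data management point above names two of the pipeline jobs that eat security engineers' time: filtering out noisy alerts and keeping stream processing tractable as telemetry volume grows. As an added example (not code from the article or from any vendor's product), here is a minimal stream-side noise filter of the kind that would sit in front of the analytics layer: it suppresses exact repeats of the same rule on the same host inside a dedup window and caps how many alerts a single rule may emit per minute, so one misbehaving rule cannot flood downstream correlation. Rule names, hosts, timestamps, and thresholds are all constructed for illustration.

```python
"""Stream-side noise reduction for a security alert pipeline: duplicate
suppression per (rule, host) within a window, plus a per-rule burst cap.
All sample alerts and rule names below are constructed for illustration."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed alert stream: (timestamp, rule id, host), in arrival order.
SAMPLE_ALERTS = [
    ("2021-02-24T13:00:00", "rule-ps-encoded", "ws-17"),
    ("2021-02-24T13:00:20", "rule-ps-encoded", "ws-17"),  # repeat inside dedup window
    ("2021-02-24T13:01:00", "rule-ps-encoded", "ws-22"),  # same rule, different host
    ("2021-02-24T13:01:30", "rule-dns-txt", "ws-17"),
    # A chatty rule firing on twelve hosts in twelve seconds: a burst.
    *[("2021-02-24T13:02:%02d" % s, "rule-noisy-av", "ws-%d" % s) for s in range(12)],
    ("2021-02-24T13:10:00", "rule-ps-encoded", "ws-17"),  # outside dedup window
]


class AlertFilter:
    """Stateful filter meant to be applied to alerts in timestamp order."""

    def __init__(self, dedup_window=timedelta(minutes=5),
                 burst_cap=10, burst_window=timedelta(minutes=1)):
        self.dedup_window = dedup_window
        self.burst_cap = burst_cap
        self.burst_window = burst_window
        self.last_seen = {}                 # (rule, host) -> last accepted ts
        self.recent = defaultdict(deque)    # rule -> accepted timestamps in burst window

    def accept(self, ts, rule, host):
        """Return (accepted, reason) for one alert and update filter state."""
        key = (rule, host)
        last = self.last_seen.get(key)
        if last is not None and ts - last <= self.dedup_window:
            return False, "duplicate"

        window = self.recent[rule]
        while window and ts - window[0] > self.burst_window:
            window.popleft()               # age out timestamps beyond the burst window
        if len(window) >= self.burst_cap:
            return False, "burst-capped"   # rule is flooding; drop but keep counting

        window.append(ts)
        self.last_seen[key] = ts
        return True, "accepted"


def run(alerts, **kwargs):
    """Push a whole stream through the filter; return kept alerts and reason counts.
    The counts are what you would export as pipeline metrics to spot noisy rules."""
    f = AlertFilter(**kwargs)
    kept, reasons = [], Counter()
    for ts_text, rule, host in alerts:
        ok, reason = f.accept(datetime.fromisoformat(ts_text), rule, host)
        reasons[reason] += 1
        if ok:
            kept.append((ts_text, rule, host))
    return kept, reasons


if __name__ == "__main__":
    kept, reasons = run(SAMPLE_ALERTS)
    print(len(kept), "alerts forwarded;", dict(reasons))
```

On the constructed stream, 17 alerts arrive and 14 are forwarded: one exact repeat is dropped as a duplicate, the chatty rule is held to its ten-per-minute cap (two dropped), and the later repeat of the PowerShell rule on ws-17 is kept because it falls outside the dedup window. The reason counter is the piece worth keeping in a real pipeline: a rule that is constantly burst-capped is the one to tune, rather than one to silence.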

In a non-pandemic year, the industry would be gearing up for the RSA Conference. If this event were happening, you wouldn't be able to cross Howard Street in San Francisco without seeing the term "XDR" somewhere in your peripheral vision. This buzz is warranted — CISOs need threat detection and response help and are willing to pay for the right help. XDR could fill this gap, but there's a pressing need for market education and development before XDR becomes a killer app for security operations.

Jon Oltsik is an ESG senior principal analyst, an ESG fellow, and the founder of the firm's cybersecurity service. With over 30 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help ...
Comments

amenard, User Rank: Apprentice, 3/5/2021 6:32:17 AM
Good Article
I appreciated your high-level overview of XDR. Is your research paper available?