Given all the hype around extended detection and response (XDR) technology, it's worth starting this article by defining the term "XDR." XDR is an integrated suite of security products spanning hybrid IT architectures (LAN, WAN, infrastructure-as-a-service, data centers, and so on) designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.
The "X" in XDR is about moving from discrete to comprehensive threat detection. Rather than identifying security events in isolation on endpoints, on networks, and in email, XDR promises to gather and correlate all these events across security controls. So, think threat detection across the cyber kill chain or aligned with the MITRE ATT&CK framework. The "D" is about data collection, processing, and analytics to detect cyberattacks faster and more accurately than existing systems. Typically, these activities will be cloud-native, taking advantage of massive scale for advanced analytics across months or even years' worth of data. Finally, the "R" is really tied to automation. XDR promises to remove a lot of security operations busy work by taking automated actions out of the box: a kind of poor man's turnkey security orchestration, automation, and response (SOAR).
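To make the "X," "D," and "R" concrete, here is a small added example (written for this article, not code from ESG or any XDR vendor) that takes constructed sample telemetry from three separate controls (email gateway, endpoint agent, network sensor), groups it per host into a time window, orders the events into a kill chain using ATT&CK tactic IDs (the IDs are real; the mapping from event types to tactics is an assumption), and applies a simple automated response policy (also an assumption) that only escalates when a chain crosses several controls and tactics. The host names, users, timestamps, and event types are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three separate controls; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"source": "email", "ts": "2021-02-01T09:00:00", "user": "alice", "host": "WS-17",
     "type": "attachment_opened", "detail": "invoice.docm"},
    {"source": "endpoint", "ts": "2021-02-01T09:01:10", "user": "alice", "host": "WS-17",
     "type": "process_start", "detail": "winword.exe -> powershell.exe"},
    {"source": "network", "ts": "2021-02-01T09:02:30", "user": "alice", "host": "WS-17",
     "type": "beacon", "detail": "periodic HTTPS to an unknown domain"},
    {"source": "network", "ts": "2021-02-01T09:40:00", "user": "alice", "host": "WS-17",
     "type": "large_upload", "detail": "350 MB to external cloud storage"},
    # A lone, low-signal event on another host: on its own this should only be logged.
    {"source": "endpoint", "ts": "2021-02-01T11:00:00", "user": "bob", "host": "WS-22",
     "type": "process_start", "detail": "explorer.exe -> notepad.exe"},
    # Same host as the chain above, but two days later, i.e. outside the correlation window.
    {"source": "email", "ts": "2021-02-03T08:00:00", "user": "alice", "host": "WS-17",
     "type": "attachment_opened", "detail": "agenda.pdf"},
]

# Assumed mapping from each control's event type to an ATT&CK tactic.
# The tactic IDs are the real ATT&CK ones; which event maps to which tactic is this example's choice.
TACTIC_OF = {
    ("email", "attachment_opened"): ("TA0001", "Initial Access"),
    ("endpoint", "process_start"): ("TA0002", "Execution"),
    ("network", "beacon"): ("TA0011", "Command and Control"),
    ("network", "large_upload"): ("TA0010", "Exfiltration"),
}


def parse_ts(value):
    return datetime.fromisoformat(value)


def decide_action(incident):
    """Automated response policy (an assumption for this example, not any vendor's product logic):
    a chain that spans at least two controls and three tactics gets the host isolated,
    a chain spanning two tactics is queued for analyst triage, anything else is just logged."""
    n_tactics = len(incident["tactics"])
    if n_tactics >= 3 and len(incident["sources"]) >= 2:
        return "isolate_host"
    if n_tactics >= 2:
        return "triage"
    return "log_only"


def build_incident(host, chain):
    """Turn a time-ordered chain of events into one candidate incident with its tactic sequence."""
    tactics, sources = [], set()
    for ev in chain:
        sources.add(ev["source"])
        tactic = TACTIC_OF.get((ev["source"], ev["type"]))
        if tactic and tactic[0] not in tactics:
            tactics.append(tactic[0])  # keep first-seen order, i.e. the kill-chain order
    incident = {"host": host, "events": chain, "tactics": tactics, "sources": sorted(sources)}
    incident["action"] = decide_action(incident)
    return incident


def correlate(events, window=timedelta(hours=2)):
    """The 'X' and 'D': pull events from every control together per host and chain those that
    fall within `window` of the chain's first event. Returns one candidate incident per chain."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        chain = []
        for ev in evs:
            if chain and parse_ts(ev["ts"]) - parse_ts(chain[0]["ts"]) > window:
                incidents.append(build_incident(host, chain))
                chain = []
            chain.append(ev)
        if chain:
            incidents.append(build_incident(host, chain))
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"{inc['host']}: tactics={inc['tactics']} sources={inc['sources']} -> {inc['action']}")
```

Run as a script it prints one line per chain; only the WS-17 chain that crosses email, endpoint, and network telemetry and walks Initial Access, Execution, Command and Control, and Exfiltration reaches the automated isolation action, while the isolated process start on WS-22 and the later email event on WS-17 are merely logged. That is the point of the "X": no single control sees enough to act, but the correlated sequence does.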
That's the marketing take on XDR, but we've been talking about tools consolidation for years, well before someone came up with the term XDR. Is XDR real?
My esteemed colleague Dave Gruber and I just completed a research project on XDR to answer this question and others. Dave is an expert on endpoint detection and response (EDR), while I focus on the security operations center, so we looked at XDR from many angles. Based on our research, XDR is not only real but may also disrupt the industry in 2021. ESG's research affirms this conclusion as:
The research also indicates that many organizations are already thinking of XDR as a possible solution; 70% could foresee creating an XDR budget within the next 12 months. Interestingly, another 23% of organizations say they are already working on an XDR project — like integrating EDR and network detection and response tools, enriching alerts with threat intelligence, etc.
Organizations need and are willing to pay for threat detection/response help, so XDR is gaining market momentum with impeccable timing. Security technology providers certainly see this opportunity, as large, deep-pocketed vendors like Broadcom (Symantec), Check Point, Cisco, FireEye, Fortinet, McAfee, Microsoft, Palo Alto Networks, and Trend Micro are integrating point products to create XDR suites. At the same time, EDR players like Crowdstrike, Cybereason, and SentinelOne have adopted XDR strategies, while security information and event management (SIEM) vendors like LogRhythm and RSA are messaging XDR. Meanwhile, a plethora of XDR startups, including Confluera, Hunters, Reliaquest, SecBI, and Stellar Cyber, have joined the fray. All this attention means tremendous XDR R&D investments and innovation.
Before XDR takes over the cybersecurity world, the research also points to several remaining obstacles. Security professionals need to better understand the following:
In a non-pandemic year, the industry would be gearing up for the RSA Conference. If this event were happening, you wouldn't be able to cross Howard Street in San Francisco without seeing the term "XDR" somewhere in your peripheral vision. This buzz is warranted — CISOs need threat detection and response help and are willing to pay for the right help. XDR could fill this gap, but there's a pressing need for market education and development before XDR becomes a killer app for security operations.

Jon Oltsik is an ESG senior principal analyst, an ESG fellow, and the founder of the firm's cybersecurity service. With over 30 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity.