Given all the hype around extended detection and response (XDR) technology, it's worth starting this article by defining the term "XDR." XDR is an integrated suite of security products spanning hybrid IT architectures (such as LAN, WAN, infrastructure-as-a-service, data centers, etc.) designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.
The "X" in XDR is about moving from discrete to comprehensive threat detection. Rather than identifying security events in isolation on endpoints, on networks, and in email, XDR promises to gather and correlate all these events across security controls. So, think threat detection across the cyber kill chain or aligned with the MITRE ATT&CK framework. The "D" is about data collection, processing, and analytics to detect cyberattacks faster and more accurately than existing systems. Typically, these activities will be cloud-native, taking advantage of massive scale for advanced analytics across months or even years' worth of data. Finally, the "R" is really tied to automation. XDR promises to remove a lot of security operations busy work by taking automated actions out-of-the-box. Kind of a poor man's turnkey security orchestration, automation, and response (SOAR).
That's the marketing take on XDR, but we've been talking about tools consolidation for years, well before someone came up with the term XDR. Is XDR real?
My esteemed colleague Dave Gruber and I just completed a research project on XDR to answer this question and others. Dave is an expert on endpoint detection and response (EDR), while I focus on the security operations center, so we looked at XDR from many angles. Based on our research, XDR is not only real but may also disrupt the industry in 2021. ESG's research supports this conclusion:
- Organizations have lots of work ahead for threat detection. When asked to define their threat detection goals, 34% of organizations say they want to improve the detection of advanced threats, 29% want to decrease mean time to recovery, and 27% want help in determining which threats to prioritize. This points to the need for process and technology improvement.
- Existing tools aren't working. Despite billions of dollars of investment, enterprise organizations can't detect or respond to threats in a timely manner. When asked to identify threat detection and response challenges, 31% of security pros say they spend their time responding to emergencies, 29% admit to "blind spots" with security monitoring, and 23% claim that it's difficult to correlate security alerts from different tools. Hmm, this seems to indicate a lot of security operations chaos.
- Threat detection/response budgets are increasing. A whopping 83% of organizations are increasing their threat detection and response budgets. This tells me that organizations need help ASAP.
The research also indicates that many organizations are already thinking of XDR as a possible solution; 70% could foresee creating an XDR budget within the next 12 months. Interestingly, another 23% of organizations say they are already working on an XDR project — like integrating EDR and network detection and response tools, enriching alerts with threat intelligence, etc.
Organizations need and are willing to pay for threat detection/response help, so XDR is gaining market momentum with impeccable timing. Security technology providers certainly see this opportunity, as large, deep-pocketed vendors like Broadcom (Symantec), Check Point, Cisco, FireEye, Fortinet, McAfee, Microsoft, Palo Alto Networks, and Trend Micro are integrating point products to create XDR suites. At the same time, EDR players like CrowdStrike, Cybereason, and SentinelOne have adopted XDR strategies, while security information and event management (SIEM) vendors like LogRhythm and RSA are messaging XDR. Meanwhile, a plethora of XDR startups, including Confluera, Hunters, ReliaQuest, SecBI, and Stellar Cyber, have joined the fray. All this attention means tremendous XDR R&D investments and innovation.
Before XDR takes over the cybersecurity world, the research also points to several remaining obstacles. Security professionals need to better understand the following:
- What an XDR solution includes. Only 24% of survey respondents say they're very familiar with XDR; the rest are somewhat familiar or not familiar with XDR. When asked for an XDR definition, 36% said that XDR collects, processes, analyzes, and acts upon security telemetry from various sources and controls — an accurate but vague classification. This confusion is understandable because many XDR solutions are based on a variety of different security controls with no standard offering. Other XDR solutions act as a software abstraction/overlay layer, sitting above existing controls and analytics tools. All the confusion indicates that there is a pressing need for market education before most organizations get their checkbooks out.
- How XDR aligns with SIEM. Many enterprise organizations have invested millions in their SIEM, and 71% of organizations with SIEM say it's effective for threat detection and response. However, the research also shows that SIEM tends to be costly, complex, and not as effective for detecting unknown/sophisticated threats. Judging by this data, most organizations want XDR to augment and improve rather than replace their SIEM — at least in the short term. XDR vendors need to develop a strong SIEM supplementation strategy to help organizations consume their wares.
- The data management story. Like SIEM, XDR must be able to collect, process, and analyze terabytes of real-time and batch data. Any security engineer will tell you that they spend a lot of time messing around with the underlying data pipeline to make this all work. The ESG research illustrates this; organizations have security data pipelining challenges like filtering out noisy alerts (38%), scaling the data pipeline to accommodate growing security telemetry volumes (37%), and building an effective data pipeline for stream processing (34%). XDR vendors have the advantage of cloud-native scale for data pipelining. Now they need to educate the market on how they can manage the security data pipeline when many organizations struggle mightily in this area.
- The role of services. Nearly three-quarters (73%) of organizations use or plan to use some type of managed threat detection and response (MDR) service, from full outsourcing to staff/skills augmentation and everything in between. This indicates that bundled services should be a part of every XDR offering, but this is anathema to many XDR vendors used to transactional sales of security point products rather than solutions.
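To make concrete both the cross-control correlation that the "X" and "D" describe and the noisy-alert filtering raised under the data management point, here is an added example that is not from ESG or from any XDR vendor: a minimal Python pipeline that suppresses duplicate alerts, then raises an incident only when several distinct controls fire on the same host inside a time window, listing the tactics in observed order as an ATT&CK-style sequence. The host names, timestamps, and alert summaries are constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample alerts from three separate controls (email gateway, EDR,
# NDR), as an XDR pipeline would ingest them. Hosts and summaries are made up.
RAW = [
    ("2021-01-12T09:00:05", "email", "ws-17", "Initial Access", "macro attachment opened"),
    ("2021-01-12T09:00:40", "edr", "ws-17", "Execution", "powershell spawned by winword"),
    ("2021-01-12T09:00:41", "edr", "ws-17", "Execution", "powershell spawned by winword"),
    ("2021-01-12T09:03:10", "ndr", "ws-17", "Command and Control", "beacon to rare domain"),
    ("2021-01-12T09:05:00", "edr", "ws-22", "Execution", "unsigned binary run"),
    ("2021-01-12T13:30:00", "ndr", "ws-22", "Command and Control", "beacon to rare domain"),
]
Alert = namedtuple("Alert", "ts control host tactic summary")

def parse(rows):
    return sorted((Alert(datetime.fromisoformat(r[0]), *r[1:]) for r in rows), key=lambda a: a.ts)

def dedupe(alerts, window=timedelta(minutes=5)):
    # Noise filtering: drop a repeat of the same control/host/tactic/summary that
    # arrives within `window` of the copy already kept (alerts must be time-sorted).
    last_seen, kept = {}, []
    for a in alerts:
        key = (a.control, a.host, a.tactic, a.summary)
        if key not in last_seen or a.ts - last_seen[key] > window:
            kept.append(a)
            last_seen[key] = a.ts
    return kept

def correlate(alerts, window=timedelta(minutes=10), min_controls=2):
    # Cluster time-sorted alerts per host inside `window`; raise an incident only when
    # at least `min_controls` distinct controls fired, keeping tactics in observed order.
    by_host, incidents = {}, []
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)
    for host, items in by_host.items():
        cluster = [items[0]]
        for a in items[1:] + [None]:  # trailing None flushes the last cluster
            if a is not None and a.ts - cluster[0].ts <= window:
                cluster.append(a)
                continue
            controls = sorted({c.control for c in cluster})
            if len(controls) >= min_controls:
                incidents.append({"host": host, "controls": controls, "alerts": len(cluster),
                                  "tactics": list(dict.fromkeys(c.tactic for c in cluster))})
            if a is not None:
                cluster = [a]
    return incidents

def run(rows=RAW):
    return correlate(dedupe(parse(rows)))
```

With the sample data, the single EDR alert on ws-22 and the NDR beacon hours later never become an incident, while the email, EDR, and NDR alerts on ws-17 collapse into one incident after the duplicate EDR alert is suppressed.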
In a non-pandemic year, the industry would be gearing up for the RSA Conference. If this event were happening, you wouldn't be able to cross Howard Street in San Francisco without seeing the term "XDR" somewhere in your peripheral vision. This buzz is warranted — CISOs need threat detection and response help and are willing to pay for the right help. XDR could fill this gap, but there's a pressing need for market education and development before XDR becomes a killer app for security operations.