Threat Intelligence

    How XDR is changing the cybersecurity game

    Extended Detection and Response (XDR) is the rising star of cybersecurity. But is the hype justified? With vendors offering a range of solutions, how do you choose the right one?

    by Jason Duerden

    The sudden rise of XDR (Extended Detection and Response) has been nothing short of dramatic.

    The term itself was only coined in 2018, and by May 2022, around 12% of organisations surveyed by CyberRisk Alliance were already deploying it. Within the next two years, XDR adoption is expected to jump to 77%. Why is XDR proving to be such a hit? And why is there so much debate over what cybersecurity’s latest star actually does?

    Getting the basics right on XDR

    Extended Detection and Response is a security solution that offers threat detection and response across environments such as endpoints, servers, email and the cloud. It collects data, analyses it, and sets it in context to discover current and future threats, which it then prioritises and responds to.

    Part of its appeal is that XDR is a unified platform that collects all the data from across your IT environment and analyses it as a whole, allowing you to rely on a single resource to monitor and manage threats. So how does it stack up to other conventional cybersecurity solutions?

    As I commented on the Get Cyber Resilient show, “Antivirus is the past, which is really about protection. EDR [Endpoint Detection and Response] is the present, which is all about detection, response, and resiliency. And then XDR is the future, it is organisational resilience.”

    XDR has enormous potential for businesses

    To be fair, every new solution on the market claims it can change the world. But if we peel back the marketing and take a look under XDR's hood, it’s clear why it’s taking off across the industry:

    1. XDR detects issues across your entire environment – just like hackers do
    2. By looking at surfaces, networks, identity and the cloud together, XDR sees the whole picture
    3. It works continuously, using threat intelligence, machine-learning algorithms and behavioural analytics to spot patterns – and serious attacks such as ransomware – early
    4. Because it’s a single system that standardises data from different sources, it reduces the background noise that can swamp security teams: constant alerts, multiple tools from different vendors, and threats that are hard to compare or prioritise
    5. Automated detection, data enrichment, threat reporting and automated responses further free up staff and give them the tools to explore and act on threats faster and more accurately


    It thus has a wider reach than EDR or Network Traffic Analysis (NTA). Unlike Security Information & Event Management (SIEM), XDR derives context from all data sources and correlates based on risk and real threats (and should hit you with a lot fewer alerts). XDR is also less expensive and requires less in-house resourcing than traditional SIEM and Security Orchestration, Automation, and Response (SOAR) models.

    But XDRs can come in many shapes, so buyer beware

    Given these qualities, XDR might seem like an easy win. But while vendors are rushing to offer “XDR”, they’re not all offering the same thing. There’s even debate over what the name stands for. In the original definition, “X” stood for “anything”, encompassing every feature or vulnerability that might be leveraged by attackers. Today, most experts have settled on “extended”, meaning XDR operates in multiple environments. But that doesn’t mean that every vendor abides by that definition.

    One key distinction buyers should be aware of is between native XDR, which uses data from the vendor’s own tools, and open (or hybrid) XDR, which collates data from multiple vendors’ tools. Open XDR gives users the opportunity to plug in their existing security tools and collect data from a wide range of sources.

    But some open XDRs struggle to standardise data from different sources, and others don’t collect information from every platform – defeating much of the point of having XDR in the first place. By contrast, native XDR may require users to rip out their current tool set, but will often present more comprehensive data because its tools are more integrated and its data more consistent.

    Organisations should carefully review vendor offerings

    This uncertainty over exactly what XDR does is compounded by companies who brand their products as XDR when they may be far closer to a SIEM. Others may not offer full endpoint capabilities, comprehensive automated response or compliance management.

    None of this means the companies rushing to adopt XDR are making a mistake. But it is worth proceeding with caution and assessing your needs before shopping around for an XDR solution. Here are some things a potential buyer should consider:

    1. The benefits of native vs open XDR for your organisation
    2. How the service will work with your existing systems
    3. The quality and consistency of the data produced
    4. The degree and effectiveness of automation
    5. What training security staff, developers and your workforce will require
    6. Whether a managed XDR would be cost-effective

    XDR can make a powerful difference if used wisely

    XDR remains a relatively new cyber solution. Its technology is still maturing, and not everyone agrees on what it actually is. Given that, organisations must cut through the marketing, assess their needs, and find a solution that works for them. In practice, that means assessing your current security posture, evaluating the gaps, and deciding whether XDR is the best way to fill them. Do that right, and you’ll have a platform that offers rapid threat detection and response across your infrastructure – and that sounds like a future worth fighting for.
