
    What Is XDR (Extended Detection and Response)?  

    XDR platforms can unify threat detection, investigation, response and hunting. Here’s what you should do now to prepare — and avoid costly mistakes later.  

    by Bill Camarda

    Key Points

    • Legacy solutions respond to threats too slowly and inefficiently, allowing breaches to dwell undetected for too long.
    • XDR promises to accelerate threat detection and response by unifying all the most relevant data being generated across an organization’s entire security ecosystem.
    • It also brings cutting-edge machine learning to bear on that data, automates most responses and, where automation isn’t possible, provides more actionable insights to security analysts.

    Remote/hybrid work and other trends are widening attack surfaces at the same time threat actors are becoming more sophisticated and aggressive. Traditional approaches to defense have proven insufficiently agile or intelligent. As threats grow, organizations need ways to manage them that are more coherent, holistic, automated, and integrated. Enter Extended Detection and Response (XDR), a proposed approach to unifying threat detection, hunting, investigation, and response. XDR optimizes all these functions by leveraging tightly integrated real-time or near-real-time telemetry from the most important sources throughout the organization.

    Before XDR, Endpoint Detection and Response (EDR) systems demonstrated the value of real-time detection and response leveraging endpoint telemetry. Emerging cloud-native XDR systems go beyond endpoints to also integrate valuable telemetry from email gateways, identity and access management systems, network and cloud security tools, and other key sources. Using advanced machine learning, they continually analyze these focused data streams, uncovering more threats and then directing automated or semi-automated responses through the same integrated systems.

    XDR Explained: How XDR Works

    XDR systems continually capture focused data and alerts from all the key systems connected to them and feed all this data into a centralized data lake, cleaning and normalizing it. Like EDR, XDR begins with all of your increasingly diverse endpoints — computers, mobile devices, IoT and so forth. But it also draws on data feeds from email security systems, network analysis and visibility tools, identity and access management platforms, cloud workload protection systems, and elsewhere.

    Using this unified, up-to-date data, XDR systems apply advanced machine learning that goes beyond traditional correlation to identify emerging threats across your entire infrastructure, while also generating fewer false positives. The results of this analysis drive specific actions. Many of these can be fully automated within the XDR system, which can direct connected systems such as endpoints and email gateways to take specific actions without human intervention. Other, more complex recommendations can be presented visually, and analysts can take all necessary actions from a single console, without switching among tools.

    XDR vs. EDR

    EDR systems demonstrated that organizations can manage threats more effectively if they focus on current activity occurring at all their endpoints, use advanced machine learning to understand this activity and specify responses, and use automation to drive fast action everywhere it’s needed.

    XDR systems build on this principle by integrating non-endpoint data streams — e.g., networks, email, cloud workloads, applications, devices, identity, data assets, IoT, and potentially others. Adding these makes it possible to discover more threats, breaches, and attacks, and to respond more effectively, because you can drive actions across your infrastructure, not just at endpoints. In addition, since XDR can gain deeper insight into exactly what’s happening, it promises to present fewer false positives that frustrate security analysts and waste their time.  

    Why Enterprises Need XDR Security

    In an era where there are essentially no network perimeters and disastrous breaches can come from anywhere at any time, security teams must sharpen their focus on threat detection and response. In many organizations, earlier approaches such as first-generation Security Information and Event Management (SIEM) systems have proven unwieldy. They can be difficult to deploy and integrate, too costly and too susceptible to false positives. Linking SIEM to Security Orchestration, Automation and Response (SOAR) systems has helped some organizations build response playbooks for automating responses to certain threats, but creating these has often been more complex and difficult than anticipated.

    Cloud-native XDR solutions promise to overcome each of these problems, providing more focused and actionable data, better integration, more relevant insights, fewer false positives, and easier automation of responses. As XDRs move beyond endpoint-only EDR solutions, they promise to provide the fuller visibility and faster response that couldn’t be achieved with earlier tools.

    Since XDR solutions are relatively new, enterprises will need to carefully evaluate whether they will actually achieve these goals in production, without encountering the same issues of complexity and inadequate integration faced by earlier approaches. 

    Approaches to XDR: Proprietary vs. Open

    Analysts often distinguish between two broad categories of XDR solution. The first, sometimes called “proprietary XDR” or “native XDR,” assumes that an organization will buy into most or all of a supplier’s security stack. The XDR vendor will ensure integration of the security systems that feed XDR and execute its instructions by providing most or all of those systems itself. Customers get a single point of contact, but they take on the significant risks of a single-vendor security monoculture — from vendor lock-in to suboptimal subsystems, to concerns that attackers can gain the keys to the kingdom by evading just one defender. Moreover, adopting monoculture solutions may require organizations to discard security subsystems that are still working well.

    In contrast, “open XDR” systems (sometimes called “hybrid XDR”) assume that customers want to keep relying on best-in-breed solutions such as email gateways. These systems integrate primarily through open APIs. They work best when the connected technologies have APIs that are robust, mature, well-documented, and modern — for example, streaming rather than traditional REST APIs.

    Open XDR requires deep integration across multiple systems. To promote this, XDR providers and other participants in XDR ecosystems are now coming together in alliances to define and evolve shared XDR standards, architectures, APIs, workflows, playbooks and best practices. 

    XDR Benefits and Use Cases

    XDR delivers value across all three tiers of the typical SecOps team, from less experienced Tier 1 analysts who typically monitor networks and respond to simple problems, to experienced Tier 3 analysts who hunt threats and address highly complex incidents. By integrating focused, real-time/near-real-time data with advanced machine learning analytics in a cloud-native environment, XDR systems can be used to:

    • Identify targeted attacks sooner, including those that risk loss of valuable customer data or intellectual property (IP).
    • Recognize new threats created by either malicious or careless insiders.
    • Uncover compromised endpoints that EDR systems missed.
    • Give lower-level analysts the knowledge to recognize more complex threats.
    • Streamline investigations and get to the root cause sooner.
    • Learn from earlier attacks to prevent them from recurring in the future.
    • Automate many threat responses and simplify those that can’t be fully automated.
    • Integrate more proactive threat hunting into your security operations.

    XDR: What to Look for, What to Do Now, and Mistakes to Avoid

    Take these steps and consider these issues to increase your chances of long-term success with XDR:

    • Carefully assess your readiness to move toward XDR. For example, are you prepared to break down silos between endpoint, network, cloud, web and other security controls, and between SecOps and IT? XDR will deliver far more value if you are — so you may wish to address people and process issues before deploying XDR.
    • As you define XDR strategy, plan other security product/service purchases — and retirements — to align with it.[1] XDR makes deep integration crucial, so whatever systems you purchase or keep should support easy integration, particularly via open APIs.
    • Understand what XDR currently can and can’t do. For example, most XDR systems don’t yet solve important compliance and archiving problems traditionally addressed with SIEMs, but your SIEM can often feed XDR systems as they take charge of threat management.
    • Thoroughly assess the current state of any XDR product you’re considering, including its future roadmap and your confidence in the XDR provider’s ability to execute on that roadmap.
    • Consider how XDR can help you apply the MITRE ATT&CK® framework for understanding and responding to adversary behavior throughout the entire attack lifecycle. Understand how XDR products you’re considering do or don’t facilitate threat management and hunting with MITRE ATT&CK.[2]
    • Clearly understand tradeoffs associated with proprietary and open XDR systems, especially the dangers and costs of a single-vendor security monoculture.

    The Bottom Line on XDR (Extended Detection and Response)

    Today, threat detection and response are more important than ever before, and as organizations move toward zero trust these will become even more indispensable. Legacy solutions respond to threats too slowly and inefficiently, allowing breaches to dwell undetected and unremediated for intolerable periods of time. XDR was conceived to solve this problem. It does so by unifying all the most relevant telemetry being generated across an organization, bringing cutting-edge machine learning to bear on that data, simplifying responses by automating more effectively than SIEM and SOAR systems do, and — where fully automated responses aren’t possible — providing more valuable/actionable insights to analysts at all levels. With XDR in place, organizations can become more proactive, hunting threats rather than waiting for them to manifest themselves.

    But XDR is new. XDR solutions are changing and maturing rapidly. For organizations, this places a premium on careful planning and assessment. Security teams must ask many questions about XDR technology, process and people — and since XDR demands unprecedented levels of integration, they should choose complementary systems that make integration easier, not harder.

    XDR FAQs

    What problems does XDR solve?

    XDR promises to improve, accelerate and simplify threat detection and hunting, as well as investigation and response. It does so by:

    • Unifying and correlating the most valuable streams of focused real-time/near-real-time telemetry, to identify new threats faster and more reliably.
    • Automating response through the same systems that are providing telemetry — for instance, email gateways and cloud workload protection tools.
    • Providing better support to analysts so they can be faster and more effective in addressing complex threats that can’t be handled entirely through automated responses.

    What is detection and response in cybersecurity?

    In cybersecurity, threat detection means using relevant data sources to identify signs of a potential intrusion or other threat through correlation of events, advanced analytics, machine learning or other means. Threat response means identifying and taking actions to remediate the threat — for example, isolating a system from the network or disabling compromised credentials.

    Since threats that remain unremediated quickly become more dangerous, threat detection and response needs to happen rapidly, and that means relying on automation and artificial intelligence as much as possible. Often, companies build automated playbooks that trigger complex sets of actions when a threat of a certain type is detected.
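    A toy version of the pipeline described in the "XDR Explained: How XDR Works" section and in this answer, added here as an example that is not code from the original article or from any XDR product: records from an email gateway, an endpoint agent and an identity provider are normalized into one schema, weak per-source signals are correlated across sources within a time window, and a playbook issues the two responses named above (isolate the host, disable the credentials). The event fields, signal names and action names are constructed for illustration.

```python
from datetime import datetime, timedelta
# Constructed sample telemetry in each source's native shape; no single source alerts on its own.
RAW_EVENTS = [
    {"src": "email", "ts": "2024-05-01T09:00:00", "rcpt": "alice",
     "attachment": "invoice.docm", "verdict": "clean"},
    {"src": "endpoint", "time": "2024-05-01T09:03:00", "hostname": "WS-042",
     "user": "alice", "process": "winword.exe", "child": "powershell.exe"},
    {"src": "identity", "timestamp": "2024-05-01T09:10:00", "principal": "alice",
     "event": "login", "geo": "unusual"},
]
OFFICE_APPS, SHELLS = {"winword.exe", "excel.exe"}, {"powershell.exe", "cmd.exe"}
# Native field names holding (timestamp, subject, host) per source; host is None if absent.
SCHEMA = {"email": ("ts", "rcpt", None), "endpoint": ("time", "user", "hostname"),
          "identity": ("timestamp", "principal", None)}

def signal(e):
    """Weak per-source signal, or None when nothing about the record is notable."""
    if e["src"] == "email" and e["attachment"].endswith(".docm"):
        return "macro_attachment"
    if e["src"] == "endpoint" and e["process"] in OFFICE_APPS and e["child"] in SHELLS:
        return "office_spawns_shell"
    if e["src"] == "identity" and e.get("geo") == "unusual":
        return "anomalous_login"

def normalize(raw):
    """Map every record onto one common schema (the data-lake step), sorted by time."""
    out = []
    for e in raw:
        ts_key, subj_key, host_key = SCHEMA[e["src"]]
        out.append({"source": e["src"], "ts": datetime.fromisoformat(e[ts_key]),
                    "subject": e[subj_key], "host": e.get(host_key), "signal": signal(e)})
    return sorted(out, key=lambda n: n["ts"])

def correlate(events, window=timedelta(minutes=30), min_sources=2):
    """Chain one subject's weak signals within a window; raise an incident only when
    at least min_sources distinct sources contribute (the cross-source step)."""
    by_subject, incidents = {}, []
    for e in events:
        if e["signal"]:
            by_subject.setdefault(e["subject"], []).append(e)
    for subject, evs in by_subject.items():
        chain = [e for e in evs if e["ts"] - evs[0]["ts"] <= window]
        sources = {e["source"] for e in chain}
        if len(sources) >= min_sources:
            incidents.append({"subject": subject, "sources": sorted(sources),
                              "hosts": sorted({e["host"] for e in chain if e["host"]})})
    return incidents

def playbook(incident):
    """Automated response sent back through the same systems that supplied the telemetry."""
    return ([("endpoint", "isolate_host", h) for h in incident["hosts"]]
            + [("identity", "disable_credentials", incident["subject"])])
```

Run `playbook(correlate(normalize(RAW_EVENTS))[0])` to see the two actions; feeding only the email record yields no incident, which is the point: the chain exists only when the sources are viewed together.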

    How does XDR work with SIEM?

    While some research analysts believe XDRs may eventually replace SIEMs, in the short to medium term many organizations will continue to use both. For example, while an organization may move to XDR for threat management, it might retain its SIEM for log collection, archiving and compliance. An XDR platform might receive alerts generated by a SIEM, then automate further investigation and analytics, and then either drive an automated response or give higher-level analysts better insights for a timelier manual response.

    What is MDR, and how does it compare to XDR?

    Managed Detection & Response (MDR) is a service, not a platform. With MDR, organizations delegate 24x7 threat monitoring, threat detection, proactive threat hunting and some or all responses to a service provider that specializes in these tasks. Some organizations use MDR services to complement and extend their own detection and response capabilities rather than supplanting them altogether.

    How does XDR support customers with zero trust aspirations?

    The zero trust paradigm means that you never trust any attempt to gain access to a system, application or digital data asset. Instead, every such attempt must be verified, even if it’s coming from within your network or a company location, or if a user has already been authenticated for another purpose. A commitment to zero trust requires organizations to reconsider many aspects of security from a mindset of continuous risk-based vigilance. In addition to recognizing that any access attempt might be a breach, organizations also recognize that some breaches will be inevitable, and must be detected and remediated rapidly. Accenture suggests that XDR can potentially serve as the central nervous system integrating an end-to-end zero trust architecture encompassing endpoints, networks, email, cloud workloads, applications, devices, identity, data assets, IoT and more.[3] Real-time visibility and fast, automated response will be essential to zero trust. As XDR matures, it promises to be the best way for many organizations to achieve this.

    [1] Innovation Insight for Extended Detection and Response, Gartner

    [2] Adapt or Die: XDR is on a Collision Course with SIEM and SOAR, Forrester Research

    [3] Growing zero trust security with an XDR strategy, Accenture
