Oct 26 2020

XDR: The Next Evolution in Endpoint Detection and Response?

The solutions promise to find previously undetectable breaches, reducing dwell time. But are they for everyone?

There’s a new security solution in town and it’s rapidly gaining traction. As with many security technologies that have come before it, XDR platforms currently exist in the gray area that lies somewhere between revolutionary new tech and a rebranding of existing solutions.

But what is XDR, and is the timing right for your organization to consider deploying it?

What Is Extended Detection and Response?

Before we get into the capabilities of XDR systems, it’s notable that the term XDR is itself the source of some confusion. What everyone agrees on is that XDR is meant to be the next step in endpoint detection and response platforms. However, some say XDR is an acronym for “extended detection and response,” while others say the X represents “anything,” just as XaaS is “Anything as a Service.” Still others simply use XDR as a noun, avoiding any expansion of the term.

Nomenclature issues aside, XDR solutions are intended to build on the success that EDR platforms have already achieved in the endpoint security space. EDR platforms use agents to reach deeply into the configuration and reporting capabilities of endpoint devices and send telemetry back to a centralized console for correlation and analysis. This approach is quite successful at identifying compromised endpoints, with particular success against novel attacks that might escape the notice of traditional anti-malware systems.

However, the scope of EDR solutions is limited to data generated by endpoint devices — and endpoints see only a fraction of the security-relevant activity in an environment. XDR platforms seek to address this limitation by combining EDR-like data from multiple sources, including network device monitoring solutions, cloud infrastructure and application monitors, email services, and other data sources.

This allows them to identify potential incidents where the clues are spread across multiple devices.
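To make the cross-source idea concrete, here is an added example (not code from this article or from any XDR vendor) of a minimal correlator: three constructed telemetry sources each report one low-severity event for a workstation, none of which would alert on its own, and only their co-occurrence on one host inside a time window is raised as an incident. The event fields, thresholds, host names and timestamps are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    source: str   # telemetry origin: "email", "endpoint", "network", "cloud"
    host: str
    detail: str


# Constructed sample telemetry: one low-severity sighting per source on ws-17,
# plus an isolated endpoint sighting on ws-42 that should not become an incident.
SAMPLE_EVENTS = [
    Event(datetime(2020, 10, 1, 9, 2), "email", "ws-17", "attachment delivered"),
    Event(datetime(2020, 10, 1, 9, 5), "endpoint", "ws-17", "office app spawned script host"),
    Event(datetime(2020, 10, 1, 9, 7), "network", "ws-17", "first contact with new outbound destination"),
    Event(datetime(2020, 10, 1, 9, 9), "endpoint", "ws-42", "office app spawned script host"),
]

# Assumed policy: an incident needs sightings from at least MIN_SOURCES distinct
# telemetry sources on one host within WINDOW; a single source stays below threshold.
MIN_SOURCES = 3
WINDOW = timedelta(minutes=30)


def correlate(events, min_sources=MIN_SOURCES, window=WINDOW):
    """Return {host: (first_ts, last_ts, sorted sources)} for every host whose
    events inside one sliding window span at least `min_sources` sources."""
    by_host = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)
    incidents = {}
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            sources = {e.source for e in evs[start:end + 1]}
            if len(sources) >= min_sources:
                incidents[host] = (evs[start].ts, evs[end].ts, sorted(sources))
                break  # first qualifying window is enough to open the incident
    return incidents


def dwell_time(incidents, host, detected_at):
    """Elapsed time from the earliest correlated event on `host` to detection."""
    first_ts, _, _ = incidents[host]
    return detected_at - first_ts
```

Run against the constructed events, only ws-17 is raised, because the email, endpoint and network sightings line up on that host within the window, while ws-42's single endpoint event stays quiet.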

Now, you might be asking yourself a question: “Isn’t that what security information and event management systems and security orchestration, automation and response platforms do?” It’s a reasonable question. SIEM platforms correlate and analyze information from a wide variety of sources, while SOAR platforms add on sophisticated response capabilities.

However, many cybersecurity professionals would say that SIEM and SOAR have never really achieved their full potential because of their limited understanding of the data generated by thousands of disparate security solutions. XDR is meant to overcome this by integrating directly with a select set of security tools, generally from the same vendor that produces the XDR platform.

How Can XDR Help Businesses?

Organizations struggling to understand the massive volume of data sent to their SIEM and SOAR platforms may benefit from the enhanced capabilities of XDR. With their advanced analytic capabilities and direct product integrations, XDR platforms promise to find previously undetectable security issues, reduce the burden on analysts and decrease the rate of false positive alerts.

Combining this with integrated response techniques allows the creation of automated playbooks that immediately react to security incidents as they unfold, rapidly triggering containment, eradication and recovery efforts.

The major benefit is that XDR may reduce the total dwell time of an attack, reducing the length of a compromise and the amount of activity that attackers might undertake after a successful intrusion. Organizations still struggle with this. According to Verizon’s “2020 Data Breach Investigations Report,” almost a quarter of breaches last year went undiscovered for a month or longer. If XDR solutions provide the visibility required to reduce that dwell time, they may be a worthwhile investment.

What Are the Limitations of XDR?

XDR solutions do promise to provide deeper insight into the data generated by many other security technologies, but this comes with a caveat: They have native understanding of other security technologies from the same vendor ecosystem but may not have that same analytic capability for data generated by other vendors’ products.

Deploying XDR technology, therefore, deepens the business’s lock-in to an ecosystem of security products from that vendor. If your organization already pursues a single-vendor strategy, this might not be a concern. However, if you’re a shop that prefers best-of-breed solutions, this might present a stumbling point. Organizations will need to weigh whether the enhanced analytic value provided by XDR solutions justifies the consolidation of their security vendor partnerships.

XDR platforms may be the latest in a series of bright, shiny objects in the world of cybersecurity, but they may offer organizations new visibility into the security of their infrastructure.