XDR Is Not Just Another Fancy Buzzword
It is hard enough to keep up with all the latest buzzwords in cybersecurity these days, but one in particular has my attention: “XDR.”
According to analyst firm Gartner, Extended Detection and Response (XDR) is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”
That is a lot to unpack, so let’s take it one step at a time. In this article, I'll focus on four main concepts: what problem XDR solves, how it does it, what makes this different and finally, who's using it.
According to market reports, the global XDR market is expected to grow at a compound annual growth rate of almost 20 percent from 2021 to 2028 and reach $2.06 billion by 2028. Most of the major security vendors have an offering in this space, including Cisco, Palo Alto Networks, CrowdStrike, Microsoft, McAfee, SentinelOne, Cybereason and VMware Carbon Black. Whichever XDR solution you choose, its purpose is to bring together multiple siloed security tools and reduce the integration complexity that slows down detection and response.
Almost 60 percent of organizations remain at the middle or late-middle stage of the cyber resilience maturity curve, so approaches like this can accelerate your cyber maturity. It is critical to get your teams and your board of directors out in front of the ransomware threat by investing in and implementing a prevention-first strategy with early, rapid detection, so you can stop a ransomware attack before it disrupts the organization.
Over the last year, one question has come up repeatedly: “I already have an endpoint detection and response (EDR) investment, so why do I need XDR?” I always remind people that EDR is focused on protecting the endpoint: it provides in-depth visibility and threat prevention for a particular device. XDR takes a much wider view, correlating endpoint telemetry with signals from the other security domains in the estate.
XDR solutions promise better threat detection than the existing tools, at a lower overall cost, which is where this gets interesting. They are focused exclusively on threat detection and incident response and are not meant to solve general security use cases such as monitoring for errors, misuse or policy violations. What XDR does allow is shifting most of the product-integration burden to the XDR vendor when building a threat detection and response (TDR) capability.
Using XDR may also remove data-volume and integration burdens from a security information and event management (SIEM) platform such as Splunk or Exabeam, especially for small and mid-size organizations whose main SIEM use case is threat detection. To be clear, XDR does not replace a security analytics platform or SIEM. XDR relies on vendor-maintained knowledge services (detection content, threat intelligence and enrichment data) to deliver detections and to enrich alerts.
As with most things, the output is only as good as the quality of the input: garbage in, garbage out. Threat detection performance depends on producing high-quality alerts. The higher the quality of an alert, the shorter the time needed to investigate and respond to it, and the fewer the errors made along the way.
Better alert signals come from analyzing a larger amount of data more thoroughly, yet aggregating massive amounts of data to analyze comes at a very large cost. The promise of XDR is to increase alert quality without being a massive, general-purpose data aggregation platform, and without the integration challenges many organizations struggle with. An XDR solution does aggregate the telemetry it needs from the products it integrates, and it can be operationalized as one of the primary tools for that collection and for monitoring those systems; the difference is that it collects with a threat-detection purpose rather than collecting everything for every use case.
Another strength of XDR is that it protects more than just traditional endpoints. It “extends” across the organization to cover networks, cloud workloads, servers, email and more. XDR relies on analytics, machine learning and automation to ingest large amounts of telemetry, normalizes that data into a common schema and makes it available through a single pane of glass.
When selecting an XDR solution, every organization should confirm that the platform gives security teams an easier way to stop breaches by extending visibility, detection and response beyond the endpoint. It should provide threat-focused event analysis and management, multi-domain telemetry, and comprehensive contextualization and correlation with tools such as network analysis and visibility (NAV), next-generation firewall (NGFW), email security, identity and access management (IAM), cloud workload protection platform (CWPP), cloud access security broker (CASB), data loss prevention (DLP) and more. Combined with Secure Access Service Edge (SASE), coverage and visibility become very robust, because SASE sees all of the network traffic and feeds that mountain of telemetry to XDR.
Your XDR solution should have well-defined schemas for exchanging data with additional IT security systems, and AI and machine learning that continuously search for new unknowns. The combination of SASE, zero trust network access (ZTNA) and XDR goes a long way toward simplifying your operations.
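To make the normalization and cross-domain correlation described above concrete, here is an added example written for this article in Python; it is not code from the article or from any XDR vendor. It maps three constructed telemetry feeds (an email gateway, an EDR agent and a network firewall) onto one common event schema, then chains them per user and host inside a time window: a macro-enabled attachment delivered to a user, an Office application on that user's host spawning PowerShell, and that host making an outbound connection shortly afterwards. The record formats, field names, hostnames, addresses, the Office parent list and the 30-minute window are all assumptions invented for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed raw telemetry, one record shape per hypothetical product.
# Field names and values are made up; they are not any vendor's real format.
EMAIL_RAW = [
    {"received": "2024-05-01T09:05:00Z", "recipient": "jdoe@example.com",
     "sender": "billing@example.net", "attachment": "invoice_0425.docm"},
    {"received": "2024-05-01T09:07:00Z", "recipient": "asmith@example.com",
     "sender": "hr@example.com", "attachment": "policy.pdf"},          # benign decoy
]
EDR_RAW = [
    {"time": "2024-05-01T09:12:10Z", "hostname": "WS-042", "username": "jdoe",
     "parent_image": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc JABjAD0A"},
    {"time": "2024-05-01T10:30:00Z", "hostname": "WS-077", "username": "bkhan",
     "parent_image": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},                           # admin activity
]
NET_RAW = [
    {"ts": "2024-05-01T09:12:15Z", "src_host": "WS-042",
     "dst_ip": "203.0.113.10", "dst_port": 443, "action": "allow"},
    {"ts": "2024-05-01T09:40:00Z", "src_host": "WS-077",
     "dst_ip": "198.51.100.7", "dst_port": 443, "action": "allow"},
]


@dataclass
class Event:
    """Common schema every product's record is mapped onto."""
    ts: datetime
    source: str   # product that produced the record
    kind: str     # normalized event type
    user: str     # short username, "" when the product does not know it
    host: str     # hostname, "" when the product does not know it
    attrs: dict   # product-specific details under normalized keys


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def normalize(email_raw, edr_raw, net_raw) -> list:
    """Map each product's schema onto Event and return the merged, time-ordered stream."""
    events = []
    for r in email_raw:
        events.append(Event(_parse(r["received"]), "email", "email_attachment",
                            r["recipient"].split("@")[0], "",
                            {"sender": r["sender"], "attachment": r["attachment"]}))
    for r in edr_raw:
        events.append(Event(_parse(r["time"]), "edr", "process_start",
                            r["username"], r["hostname"],
                            {"parent": r["parent_image"], "image": r["image"],
                             "cmdline": r["cmdline"]}))
    for r in net_raw:
        events.append(Event(_parse(r["ts"]), "network", "outbound_connection",
                            "", r["src_host"],
                            {"dst": f'{r["dst_ip"]}:{r["dst_port"]}', "action": r["action"]}))
    return sorted(events, key=lambda e: e.ts)


OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}   # assumed list
MACRO_EXTS = (".docm", ".xlsm", ".pptm")


def correlate(events, window=timedelta(minutes=30)) -> list:
    """Chain email -> Office child process -> outbound connection per user and host.

    Each link alone is a low-value signal; only the completed chain is emitted,
    as one high-severity alert carrying all three underlying events as evidence.
    """
    def by_kind(kind):
        return [e for e in events if e.kind == kind]

    alerts = []
    for mail in by_kind("email_attachment"):
        if not mail.attrs["attachment"].lower().endswith(MACRO_EXTS):
            continue
        for proc in by_kind("process_start"):
            if (proc.user != mail.user or proc.attrs["parent"] not in OFFICE_PARENTS
                    or not mail.ts <= proc.ts <= mail.ts + window):
                continue
            for conn in by_kind("outbound_connection"):
                if conn.host == proc.host and proc.ts <= conn.ts <= proc.ts + window:
                    alerts.append({
                        "severity": "high",
                        "user": mail.user,
                        "host": proc.host,
                        "chain": [mail, proc, conn],
                        "summary": (f'{mail.attrs["attachment"]} from {mail.attrs["sender"]} '
                                    f'-> {proc.attrs["parent"]} spawned {proc.attrs["image"]} '
                                    f'on {proc.host} -> egress to {conn.attrs["dst"]}'),
                    })
                    break  # one alert per email/process pair is enough
    return alerts


def run() -> list:
    """Normalize the constructed feeds and return the correlated alerts."""
    return correlate(normalize(EMAIL_RAW, EDR_RAW, NET_RAW))


if __name__ == "__main__":
    for alert in run():
        print(alert["severity"].upper(), alert["summary"])
```

Each link in the chain is a signal an analyst would likely dismiss on its own (users receive attachments all day, PowerShell runs constantly, and the firewall allowed the connection), which is why the decoy records for asmith and WS-077 produce nothing; only the completed chain on WS-042 becomes a single high-severity alert with the three source events attached as evidence. That is the alert-quality argument from the paragraphs above in miniature, and the per-product normalize step is the "well-defined schema" that makes the correlation possible without each rule having to know every vendor's record format.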
Before you begin your journey down the XDR route, I would highly recommend one of two options.
First, host an XDR workshop, an on-site event for your security and operations teams. Our subject matter experts provide a customized endpoint assessment that enables you to understand emerging threats and develop an endpoint security strategy against next-generation malware and ransomware.
After conducting the workshop, we'll offer your organization access to the Advanced Technology Center (ATC) to further evaluate endpoint security solutions through a hands-on, practical approach. This includes customized product demos, real-world solution comparisons and integrations with our Cyber Analytics Reference Architecture, which includes SIEMs, automation and orchestration.
The second option is a thorough tools rationalization exercise, one that goes into a full portfolio review and capability mapping. Start by gathering a high-level understanding of the entire security tool estate (and how it came to be) and prioritizing areas for deeper investigation. Then identify high-level rationalization opportunities using a logic- and data-driven framework built on data and hypotheses. Next, conduct “deep dives” to generate recommendations within each rationalization opportunity area, with their specific implications (for example, cost savings and organizational or operational impact). Lastly, develop an executive-level ROI perspective for the overall initiative, paired with learnings on how and why the tool sprawl occurred and recommendations on intake processes and governance.
Ready to get started?