Every year, it seems there is a new solution in the security industry that will finally address the challenges security teams have been struggling with for years. Lately, the security vendor community is ablaze with talks of ‘XDR,’ an often-overheard acronym for eXtended Detection and Response. While XDR was first coined in 2018, the vendor-led buzzword has more recently sparked greater discussions in the industry, with many wondering how XDR is any different from Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR) or Security Orchestration, Automation and Response (SOAR).
CISOs -- who may not be touting the term as much -- are still seeking answers to the pressing issues keeping them up at night. These range from overworked security operations teams, to alert fatigue that diverts focus from more severe, business-critical indicators of an attack. Add to this the increasing frequency of large-scale ransomware attacks, paired with the shift to a new era of hybrid work, and it’s easy to understand why security leaders are looking for a better way to bring together their security programs to get the most out of their people, tools and processes. The gaps in modern-day security programs are leading them to explore the potential and promise of XDR.
As security teams evaluate XDR solutions to solve these pressing issues, it’s important to understand how XDR works, its nuances, and what we really need from the technology.
What is XDR?
While the term XDR may be relatively new, the problems it solves and the outcomes it delivers are not new to security teams. Various industry analyst groups have formally defined XDR in their own way over the past year, with some of the top definitions including:
Enterprise Strategy Group: “XDR is an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. In other words, XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.”
Forrester: “The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real-time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.”
Gartner: “XDR is a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”
Regardless of the formal definition, XDR is intended to collect and correlate data across the operating environment, ideally spanning both security and business infrastructure, including email, endpoints, servers, networks and the cloud. With comprehensive visibility, the XDR solution should correlate data with threat intel sources, as well as apply detection and analytics capabilities. With XDR fully implemented, security teams can analyze threats and prioritize those most critical to the business. Moreover, by improving visibility, detection and automating low-level tasks, security programs can evolve to a more proactive posture to get ahead of threat actors and establish advanced metrics they can use to measurably improve their security program. It all sounds promising, right? Well, it’s not that simple.
Two approaches: XDR and Open XDR explained
While XDR holds a lot of promise, we’re still in the “Wild West” phase of category development. Vendors are taking different approaches and offering different functionalities as part of their XDR offerings, making it confusing for organizations looking to invest. Primarily, vendors are focusing on providing an ecosystem of their products stitched together with XDR functionality, while others are offering “open” XDR that integrates with existing security tools.
Both of these approaches have their benefits and downfalls. By bringing together a defined ecosystem of products, vendors can offer “plug and play” solutions that assure their products work together, and that they can be specifically tuned to work together in a specific environment. However, the pitfall of this approach is that it often requires a rip and replace approach to some, or all, of the customers’ existing security tools. Further, if the vendor’s XDR solution doesn’t integrate third-party alerts, they won’t have visibility into critical parts of the security and business infrastructure. Organizations may also experience slower response times if closed ecosystem XDR vendors don’t build out response actions for third-party products.
The other approach to XDR is “Open XDR.” By overlaying existing security tools with an open XDR platform, organizations can maximize the value of their existing security spend – across tools, people and processes – as well as gain more visibility into their entire environment. Open XDR platforms can offer the same functionality as closed systems, with the added benefit of up-leveling an existing security program, without ripping and replacing existing tools. The open approach is more future-proof, as the vendor-agnostic approach is able to adapt to new tools and functionalities as the security industry continues to evolve.
What security teams need: An open XDR approach
Security teams need to be armed with real-time data and full visibility across all of their existing investments. XDR promises to lay the groundwork in achieving such outcomes. As security leaders are evaluating XDR vendors, the first step is establishing program objectives and evaluating if an open or closed XDR approach will suit their needs.
The good news is XDR, and specifically Open XDR, has the potential to drastically improve security outcomes. Through centralized detection and remediation of threats across siloed IT architecture, security teams will be able to gain greater visibility across all technologies in their stack, while increasing detection, investigation and response capabilities, without having to manually sift through spreadsheets or multiple alerts from different tools.
An open approach to XDR will also provide security teams with a comprehensive approach to automation and reduce remediation time, as the technology will look for opportunities to automate across the cyber response lifecycle. Effective Open XDR technology will aggregate, de-dupe, and enrich alerts utilizing threat intelligence and additional context from across an organization’s security ecosystem to serve up a research package, providing analysts with all the information they need in one place, to detect, investigate, respond. The ability for threat hunting capabilities, along with the end-to-end automation, is another proactive XDR core function. This has the potential to reduce alert noise and time to resolution by nearly 90 percent, ultimately saving valuable time and resources for an already strapped security operations team.
The ultimate outcome of XDR is to identify and remediate the most significant threats and move security teams from reactive to proactive mode. An open approach to XDR creates more effective security outcomes. Lastly, as with any rapidly changing industry, don’t get blinded by the shiny new buzzword in the security industry; ensure any solutions purchased align to strategic objectives.
Joe Partlow, CTO, ReliaQuest