The cybersecurity market is rife with jargon, and in the last few years one more term has entered the fray: Xtended Detection and Response, also known as XDR. If you were at the 2022 RSA conference, you would know that XDR was a hot topic of discussion among vendors and security and risk leaders. So, let us begin by understanding a few basics about Xtended Detection and Response.
XDR is the natural progression of endpoint detection and response (EDR), which typically analyzes telemetry data from endpoints and initiates investigations into probable security incidents. However, while EDR is valuable, it does not always convey the whole picture.
On the other hand, Xtended Detection and Response (XDR) collects telemetry from multiple sources such as endpoints, networks, cloud, email, and other security tools into a data lake. The acquired data is then analysed by XDR's 'BFFs': Security Information and Event Management (SIEM), User and Entity Behaviour Analytics (UEBA), and Network Traffic Analysis (NTA). This robust cross-source data correlation helps detect advanced threats such as ransomware, advanced persistent threats (APTs), and insider threats.
The XDR solution then contextualises the data from all these sources and provides it to security and risk experts as dashboards and reports. Additionally, XDR will automate many processes and investigations typically performed by people, freeing up employees to focus on more critical tasks.
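To make the cross-source correlation described above concrete, here is an added Python example (not code from this article or any vendor product). It chains constructed email, endpoint and network events into one incident when they share a user or host within a time window, and only escalates incidents corroborated by more than one telemetry source; the event fields, timestamps and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources; all values are made up for this example.
EVENTS = [
    {"src": "email",    "ts": "2022-06-01T09:00:00", "user": "alice", "host": None,
     "detail": "external attachment flagged by mail gateway"},
    {"src": "endpoint", "ts": "2022-06-01T09:04:10", "user": "alice", "host": "WS-17",
     "detail": "office application spawned a script interpreter"},
    {"src": "network",  "ts": "2022-06-01T09:05:30", "user": None, "host": "WS-17",
     "detail": "first-seen outbound connection to a rarely contacted domain"},
    {"src": "endpoint", "ts": "2022-06-01T15:40:00", "user": "bob", "host": "WS-03",
     "detail": "office application spawned a script interpreter"},
]

def entities(event):
    """Entity keys (user, host) an event carries; missing values are skipped."""
    return {(k, event[k]) for k in ("user", "host") if event.get(k)}

def correlate(events, window=timedelta(minutes=30)):
    """Chain events into incidents when they share a user or host and occur within
    `window` of the incident's latest event. Each incident accumulates the entities
    seen so far, so an email (user only) can link to a network event (host only)
    through an endpoint event that carries both."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        ents = entities(ev)
        for inc in incidents:
            if ts - inc["last"] <= window and ents & inc["entities"]:
                inc["events"].append(ev)
                inc["entities"] |= ents
                inc["sources"].add(ev["src"])
                inc["last"] = ts
                break
        else:  # no matching incident: start a new one
            incidents.append({"events": [ev], "entities": set(ents),
                              "sources": {ev["src"]}, "last": ts})
    return incidents

def escalated(incidents, min_sources=2):
    """Keep only incidents corroborated by at least `min_sources` distinct telemetry sources."""
    return [inc for inc in incidents if len(inc["sources"]) >= min_sources]

if __name__ == "__main__":
    for inc in escalated(correlate(EVENTS)):
        print(sorted(inc["sources"]), sorted(inc["entities"]))
        for ev in inc["events"]:
            print("  ", ev["ts"], ev["src"], ev["detail"])
```

Run as-is, the lone afternoon endpoint event on WS-03 stays a single-source incident and is not escalated, while the morning email, endpoint and network events on alice/WS-17 are reported together.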
Before XDR security, businesses leveraged Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) to enhance their detection capabilities. But EDR and MDR focused exclusively on endpoints, while point security products secured other critical infrastructure such as the network and cloud.
This strategy resulted in security blind spots and made incident response cumbersome, manual, and error-prone. Consequently, it became tough to identify threats that move laterally across endpoints, servers, and networks before exfiltrating data. The lack of integration between security tools created visibility gaps and increased the Mean Time To Detect and Mean Time To Respond (MTTD and MTTR).
According to the Cost of Data Breach Report 2021 by the Ponemon Institute, even with the billions of dollars spent every year on cyber security, it still takes an average of 287 days to identify and contain a data breach. By offering more visibility and revealing advanced threats, XDR increases the efficiency of security teams and enables more rapid, automated responses.
XDR is anticipated to increase detection precision and boost the efficiency and productivity of security operations. As threats grow more sophisticated, businesses struggle to detect and respond to them and are turning to XDR as a means to attain this goal.
A vendor-locked ecosystem steers firms toward adopting an integrated suite of (usually cloud-based) security products from a single vendor. While this may seem promising at the outset and help firms overcome the problems of disconnected, siloed systems, not every vendor can specialise in every element. Therefore, the ability to continually innovate to stay abreast of new use cases, risks, and threat vectors is crucial.
Thus, XDR Security must overcome the following limitations:
XDR should not be seen as a replacement for SIEM, SOAR, NDR, EDR, or other point security solutions that your business currently has or may implement in the future. But it can collect telemetry data from and alongside all these technologies to provide you with a more comprehensive view of your threat landscape, allowing you to detect and eliminate threats more effectively.
To identify and respond to threats in a timely manner, tools, people, and processes must all synchronise. Yet the Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) keep rising. So, as you seek to improve your threat detection and response capabilities, consider the following benefits of a managed Xtended Detection and Response:
Suppose your firm adopts Xtended Detection and Response, also known as XDR; it must decide whether to integrate it with current security tools or "rip and replace" them and acquire all security solutions from a single vendor. Open-architecture or hybrid XDR integrates security products from hundreds of vendors and environments. Closed or native XDR security only works with one vendor's, or a preferred vendor's, security products.
If you obtain all or most of your security solutions from a single vendor and are comfortable with them, then that vendor's closed XDR solution is an obvious choice. If your present tools are best-of-breed from many suppliers, consider an open solution that works with all of them. This hybrid strategy will help you get the best of XDR and overcome many of its limitations without overhauling your existing security stack.
Mukul Ahluwalia - General Manager, Product Marketing MSS & CDN