What Is XDR?
Extended detection and response (XDR) solutions tackle the emerging security triple threat posed by remote work, sophisticated attackers, and complex security stacks. Technologies like endpoint detection and response (EDR), data loss prevention (DLP), network access control (NAC), security information and event management (SIEM), and security orchestration, automation, and response (SOAR) contribute to a cluttered solution space. When you add the shortage of high-quality security personnel, the result is vast pressure to manage all the threats manually. This isn’t a sustainable or smart approach.
XDR creates a unified platform that integrates multiple data sources to build a broader, more intelligent infrastructure picture with endpoints, network, email, and cloud deployments. In a landscape dominated by the search for “zero trust architectures,” XDR could be the answer security professionals seek.
What Are the Benefits of XDR?
XDR aims to be the complete detection and response solution. Incorporating email, network, endpoints, and cloud gives a more holistic view of alerts and incidents, automates detection and remediation, and improves SIEM/SOAR performance.
XDR platforms pool their data inputs in a data lake and apply advanced analysis and parsing, combined with AI and ML, to detect more incidents, identify connected attacks, and dismiss false positives. XDR helps take pressure off stressed security teams, which can struggle to hire skilled workers to operate complex SIEM and SOAR platforms. By using AI and ML for intelligence-driven analysis, XDR solutions are able to connect seemingly unrelated network activities to uncover sophisticated attacks, while automated remediation can reduce mean time to resolution (MTTR).
With this broad approach, XDR can:
- Simplify and streamline the security operations center (SOC) role, reducing administration time by 50%.
- Reduce false positive responses by up to 90%.
- Reduce detection time by 80% and time to repair by 90%.
- Deploy continuous threat intelligence monitoring.
- Enable greater security intelligence for DevOps without slowing productivity.
- Increase endpoint visibility to enable distributed working while monitoring thousands of devices.
- Detect threats without signatures by using behavioral analysis.
What Are the Scenarios of Use?
XDR’s ability to unify the functionality of point security solutions into a single platform makes it broadly appropriate for most organizations. It resolves the complexity and siloed operation posed by tools such as EDR solutions for endpoints, email security solutions for email attack vectors, and firewalls, IDS, and IPS for network threats.
By consolidating events into a single data lake and correlating them, XDR solutions provide a single source of truth that combines numerous security events to deliver fewer action items with greater certainty for security operations teams. That way, organizations have only one platform, one training regime, and one alert instead of multiples of each.
Keep in mind XDR doesn’t replace the separate platforms; instead, it takes the alerts and events and figures out if they are related, adds context, and provides the operator with a better understanding of the risk.
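The correlation step described above (take alerts from separate point products, decide whether they are related, add context, and surface one incident instead of several) can be illustrated with a small engine. The following is an added example written for this page, not code from any XDR vendor or from the original article. It assumes a simplified event schema (source, timestamp, user, host, file hash, detail) and joins events that share an entity within a time window; the sample events are constructed, and the tiering rule (more independent sources agreeing means higher confidence) is an illustrative heuristic, not a standard.

```python
from collections import defaultdict

# Entities on which events from different point products are joined.
ENTITY_KEYS = ("user", "host", "sha256")

# Confidence tier ordering used to sort the resulting incidents.
TIER_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample telemetry (not real data): one email-borne chain
# seen by the email gateway, EDR and a network sensor on WS-17, plus
# two unrelated single-source alerts that should stay separate.
SAMPLE_EVENTS = [
    {"source": "email", "ts": 100, "user": "alice", "host": None,
     "sha256": "aa11", "detail": "macro attachment quarantined"},
    {"source": "edr", "ts": 130, "user": "alice", "host": "WS-17",
     "sha256": "aa11", "detail": "office process spawned a script host"},
    {"source": "network", "ts": 135, "user": None, "host": "WS-17",
     "sha256": None, "detail": "DNS query to newly registered domain"},
    {"source": "cloud", "ts": 900, "user": "bob", "host": None,
     "sha256": None, "detail": "console login from new location"},
    {"source": "edr", "ts": 2000, "user": "carol", "host": "WS-22",
     "sha256": "bb22", "detail": "unsigned binary executed"},
]


def _find(parent, i):
    """Union-find root lookup with path compression."""
    while parent[i] != i:
        parent[i] = parent[parent[i]]
        i = parent[i]
    return i


def build_incident(group):
    """Turn one cluster of related events into a single, contextualised
    incident: which products saw it, which entities are involved, and an
    ordered timeline the operator can read top to bottom."""
    sources = sorted({ev["source"] for ev in group})
    entities = {k: sorted({ev[k] for ev in group if ev.get(k)})
                for k in ENTITY_KEYS}
    # Illustrative heuristic: agreement across independent sensors raises
    # confidence; a lone alert stays informational until something corroborates it.
    tier = "high" if len(sources) >= 3 else "medium" if len(sources) == 2 else "low"
    return {
        "tier": tier,
        "sources": sources,
        "entities": entities,
        "first_seen": group[0]["ts"],
        "timeline": [f'{ev["ts"]}: [{ev["source"]}] {ev["detail"]}' for ev in group],
    }


def correlate(events, window=600):
    """Group events that share a user, host or file hash within `window`
    seconds of each other, then emit one incident per group."""
    events = sorted(events, key=lambda e: e["ts"])
    parent = list(range(len(events)))
    seen = defaultdict(list)  # (entity key, value) -> indices of earlier events
    for i, ev in enumerate(events):
        for key in ENTITY_KEYS:
            val = ev.get(key)
            if not val:
                continue
            for j in seen[(key, val)]:
                if ev["ts"] - events[j]["ts"] <= window:
                    ri, rj = _find(parent, i), _find(parent, j)
                    if ri != rj:
                        parent[rj] = ri
            seen[(key, val)].append(i)
    groups = defaultdict(list)
    for i, ev in enumerate(events):  # events are in time order, so groups are too
        groups[_find(parent, i)].append(ev)
    incidents = [build_incident(g) for g in groups.values()]
    incidents.sort(key=lambda inc: (TIER_RANK[inc["tier"]], inc["first_seen"]))
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc["tier"], inc["sources"], inc["entities"])
        for line in inc["timeline"]:
            print("   ", line)
```

Run against the constructed sample, the five raw alerts collapse into three incidents: one high-confidence chain on WS-17 with the email, EDR and network evidence in one timeline, and two low-tier single-source items. Shrinking the window (for example to 10 seconds) splits the email alert off from the endpoint activity, which is the kind of tuning decision an operator makes when the joins produce either too many or too few merges.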
What Are the Alternatives?
The most relevant alternatives to an XDR platform are a fully supported SIEM and/or SOAR deployment.
SIEM solutions provide event log correlation and a single pane of glass for security professionals, giving visibility to endpoints, networks, email, and cloud. This can be paired with a SOAR solution for responses and workflows, using automation to reduce the security team’s load. However, most SIEM/SOAR solutions break out incidents for each layer, leaving the team to connect the dots and pinpoint the exact nature of wider attacks, something XDR simplifies.
These solutions need a skilled team that understands the detailed and time-consuming work to manage a security stack, including maintaining the threat intelligence, collecting open-source threat intelligence (OSINT), and feeding it to the SIEM.
What Are the Costs and Risks?
XDR is an exciting and promising technology, but it’s far from mature and comes with its share of risks. It is a great fit for organizations already invested in security infrastructure and is designed to work with and augment an existing SIEM/SOAR setup. However, smaller organizations without a developed security infrastructure face additional cost, complexity, and deployment time to properly enable an XDR deployment.
Organizations must also be wary of solutions marketed as XDR that lack the tooling recommended in our Key Criteria evaluation. It’s important to evaluate your stack and security needs and scrutinize shortlisted solutions to ensure they suit your needs.
TCO will depend on set-up fees, the recurring costs for licenses and subscriptions, and ongoing maintenance and support. Licensing and cost vary among solutions; pricing models based on endpoint count, on data ingestion volume, or on seats are all available.
30/60/90 Plan
A successful XDR deployment requires thoughtful planning and a cautious approach, given the nascent state of the sector. To improve the odds of successful adoption, consider this 30/60/90 Plan:
30 Days: Evaluate Security Needs and Stack
Evaluate your existing stack, the current capabilities of your security team, and your security performance as a first step towards establishing solution fit. From there, identify deployed solutions or technologies across three classes:
- Known-knowns: Solutions in your tech stack for which you have full awareness, access, and control.
- Known-unknowns: Your black boxes. You know they exist, but you don’t know if they are still used, by whom, or for what purpose.
- Unknown-unknowns: Solutions revealed during the XDR deployment. Their purpose, relationships, and owners will be a mystery.
60 Days: Outline Risk Profile with Security Team/SOC
Extend discovery across the three asset categories above to determine how critical they are and whether to include them in the XDR coverage. Once a tech asset has been included in the XDR, it’s easier to create requirements that best suit your organization. For example, if you have a known-known cloud provider like Amazon Web Services (AWS), you could include it inside your XDR coverage. You could then make AWS Watchtower (a native AWS service) integration capability a requirement for the XDR solution. This top-down approach can be tedious, but it ensures optimal coverage.
90 Days: Correlate Capabilities of XDR Solutions with Priorities
Take your understanding of risks, vulnerabilities, and top-level security priorities and map it against the features of the existing solutions in the market. This can help build an understanding of the benefits of deployment and provide a logical approach for reducing viable solutions based on well-defined requirements. Keep in mind it is early days for XDR, so buyers must either accept that an XDR solution will have flaws or they must spend extra effort vetting a solution to verify its full functionality.