Extended Detection and Response (XDR) is a newer technology and security paradigm that is now offered by most large security vendors and is getting major attention at security organizations. In this article, we’ll explain what XDR is, how it relates to traditional security information and event management (SIEM) systems, and how XDR concepts can transform the security organization.
What is XDR?
Endpoint detection and response (EDR) solutions are today an integral part of security infrastructure, and have helped significantly improve the response to endpoint-related incidents. However, threats are constantly evolving, and many attacks involve both endpoints and other layers of the IT environment. Businesses need to start thinking beyond EDR and antivirus solutions, extending security coverage to more than just endpoints.
XDR is a solution that extends EDR, adding context and data about security events occurring on the network, in cloud-based systems, in identity providers, and elsewhere. While the E in EDR stands for endpoint, the X in XDR stands for the many data sources it draws on, enabling better detection and response.
A key value of XDR is that it offers a unified security platform, so analysts can quickly track security threats across multiple layers and security silos, understand the attack story, and immediately respond, all from one interface.
How Does XDR Differ from Traditional SIEM?
Traditional SIEMs are a core element of the technology stack at security operations centers (SOCs). They obtain log data from dozens or hundreds of security tools, correlate it, and generate alerts.
However, the downside of SIEM is that it provides a shallow view of security data. It collects information from many different systems, but the traditional approach of static correlation rules makes it difficult to keep up with a threat landscape in which attackers' tactics, techniques and procedures (TTPs) change rapidly.
A SIEM receives data from security tools, but it cannot itself perform deeper forensic investigation or reach back into those tools to gather additional data about a specific incident.
Most importantly, traditional SIEMs do not have built-in response capabilities. They are detection tools, which can identify security incidents but do not have the ability to contain or eradicate them.
XDR can complement traditional SIEM and add some of these missing capabilities:
- Interacting with security tools, not just to pull data about events, but also to activate defensive capabilities to deal with those events.
- Providing a unified view of in-depth data across multiple security silos—beyond the shallow data provided by SIEM.
- The ability to query and interact with silo-specific data, such as permission or configuration data on cloud systems and in-depth telemetry from endpoint protection.
- A central data lake holding the raw data from all integrated security platforms, not just the aggregated data processed by the SIEM.
- Advanced machine learning and AI capabilities to improve alert quality and combine data in new ways to generate a full attack story.
What XDR Means for the Modern SOC
Almost all security organizations are struggling with alert fatigue and proliferation of security tools—and this is exactly what XDR aims to solve.
By combining data from many different tools, XDR can cut through the noise and allow security analysts to see all relevant data about real security threats. This should enable faster investigation and more effective response, using one unified platform and interface, and with dramatically lower overhead for Tier 1 analysts.
XDR could transform the SOC in several ways:
- Reducing alert fatigue and the need to manually triage most incidents.
- Empowering Tier 1 analysts to investigate and respond to security incidents without escalation.
- Reducing the need for security teams to train and certify on so many types of security systems.
- Helping the SOC support DevOps development processes with a high velocity of deployments and infrastructure turnover.
- Enabling teams to identify and respond faster to security incidents that cut across security silos, such as endpoints, the network and the cloud.
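The cross-silo correlation described in the XDR capability list above and in this section is easier to see in code. The following is an added example, not code from the article or from any XDR product: it stitches constructed endpoint, network and cloud events into one "attack story" by pivoting on shared entities (host, user, IP) within a time window, raises the severity when the story spans several silos, and calls a stand-in responder for containment. The event schema, the scoring rule, the playbook mapping and the `Responder` class are all assumptions made for the example; a real platform would call each tool's own API.

```python
"""Cross-silo correlation sketch: endpoint, network and cloud events are
stitched into one attack story and containment actions are triggered.
Constructed example; the event schema, scoring and playbook are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    source: str        # silo the event came from: "edr", "network" or "cloud"
    ts: datetime
    entities: dict     # pivot keys, normalized to "host", "user" and "ip"
    detail: str
    severity: int      # 1 (info) .. 5 (critical), as scored by the source tool


# Constructed sample telemetry. Each alert is low severity on its own;
# only the combination tells the story (foothold -> C2 -> stolen cloud creds).
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    Event("edr", T0, {"host": "WS-042", "user": "alice"},
          "powershell.exe launched with -EncodedCommand", 2),
    Event("network", T0 + timedelta(minutes=3), {"host": "WS-042", "ip": "203.0.113.50"},
          "outbound TLS to an address with no prior history", 1),
    Event("cloud", T0 + timedelta(minutes=9), {"user": "alice", "ip": "203.0.113.50"},
          "IAM CreateAccessKey from an unfamiliar source address", 2),
    Event("edr", T0 + timedelta(hours=5), {"host": "WS-077", "user": "bob"},
          "unsigned binary executed from Downloads", 2),
]


@dataclass
class Story:
    events: list

    @property
    def silos(self):
        return sorted({e.source for e in self.events})

    @property
    def severity(self):
        # Assumed scoring: highest source score plus one per additional silo, capped at 5.
        return min(5, max(e.severity for e in self.events) + len(self.silos) - 1)

    def entities(self, key):
        return sorted({e.entities[key] for e in self.events if key in e.entities})


def correlate(events, window=timedelta(hours=1)):
    """Group events that share an entity value within `window` (union-find)."""
    events = sorted(events, key=lambda e: e.ts)
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    by_entity = defaultdict(list)           # (key, value) -> event indexes in time order
    for i, e in enumerate(events):
        for k, v in e.entities.items():
            by_entity[(k, v)].append(i)
    for ids in by_entity.values():
        for a, b in zip(ids, ids[1:]):
            if events[b].ts - events[a].ts <= window:
                parent[find(a)] = find(b)   # same entity, close in time: same story

    groups = defaultdict(list)
    for i, e in enumerate(events):
        groups[find(i)].append(e)
    stories = [Story(g) for g in groups.values()]
    return sorted(stories, key=lambda s: (-s.severity, s.events[0].ts))


# Assumed playbook: which containment action each silo contributes and on what entity.
PLAYBOOK = {
    "edr": ("isolate_host", "host"),
    "network": ("block_ip", "ip"),
    "cloud": ("disable_user_keys", "user"),
}


class Responder:
    """Stand-in for the tool integrations an XDR platform would call; records actions."""
    def __init__(self):
        self.actions = []

    def act(self, action, target):
        self.actions.append((action, target))
        return True


def respond(story, responder, min_silos=2, min_severity=4):
    """Contain only multi-silo, high-severity stories; leave the rest as plain alerts."""
    if len(story.silos) < min_silos or story.severity < min_severity:
        return []
    done = []
    for silo in story.silos:
        action, key = PLAYBOOK[silo]
        for target in story.entities(key):
            if responder.act(action, target):
                done.append((action, target))
    return done


if __name__ == "__main__":
    responder = Responder()
    for story in correlate(SAMPLE_EVENTS):
        print(f"severity={story.severity} silos={story.silos}")
        for e in story.events:
            print(f"  {e.ts:%H:%M} [{e.source}] {e.detail}")
        print("  actions:", respond(story, responder) or "none (stays an alert)")
```

Run stand-alone, the three morning events collapse into one story spanning all three silos with the severity raised from 2 to 4, and containment fires against the host, the IP and the user at once; the unrelated afternoon EDR alert stays a single low-severity alert with no action. The same pattern applied to a per-tool static rule would never fire, since no single event crosses the threshold on its own.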
A key consideration is how XDR tools integrate with other systems. Some XDR platforms only support a single vendor’s security toolset—requiring rip and replace of existing systems, unless you happen to be locked into that vendor already.
Others serve as a center for integrating tools from across the enterprise. In general, organizations prefer the second option, providing the flexibility to use existing tools. But many would be willing to rip and replace existing tooling if XDR really improves productivity and response time as it promises to do.
XDR is promising, but requires a change in mindset and a new operating model. It’s not just a matter of purchasing and integrating a tool—entire teams will need to learn how to work together in new ways.
Much like agile and DevOps changed software development for the better, XDR concepts could lead to a transformation of security organizations, encouraging collaboration and shared responsibility. Hopefully, this will ensure more threats are mitigated faster and more effectively, wherever they originate in the IT environment.
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.
Gilad is a guest blogger. All opinions are his own.