Why XDR is a Movement

In some of the largest cybersecurity companies in the world, most industry analysts and other security experts are talking about the emergence of Extended Detection and Response (XDR) solutions, which Gartner defines as solutions that “automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability.” If this were possible today, imagine the gains in Mean Time to Detection (MTTD) and Mean Time to Respond (MTTR) to an attack or active threat in your environment.

I refer to XDR as a movement because it is gaining traction by expanding its approach to achieve its goal. For instance, in March, Gartner talked about XDR as a vendor-locked, cloud-based offering. But at the virtual Gartner Security and Risk Management Summit 2020 in September, VP analyst Peter Firstbrook discussed an alternative approach which broadens the category to include a best-of-breed XDR strategy. Further fuelling momentum, Gartner called XDR the number one trend CISOs should understand to strengthen security initiatives.

We have the definition of XDR by Gartner above, but what does it really mean from a practical standpoint? Let me start with a simple and important statement:

XDR <> EDR + NDR

Unfortunately, this is how some have viewed the development of XDR – bridging the gap between endpoint (EDR) and network detection and response (NDR).  However, XDR has a broader, more complicated reality:

XDR = EDR + NDR + CDR + the dozens of existing security tools

This reality forces the need for a best-of-breed strategy, at a minimum from a transition standpoint, but more likely for an ongoing basis.

Organisations often protect themselves by using many different technologies, including firewalls, IPS/IDS, routers, web and email security, and endpoint detection and response solutions. They also have SIEMs and other tools that house internal threat and event data – ticketing systems, log management repositories, case management systems. They may rely on one or two “large vendors” to handle the bulk of their security tasks, but typically they use at least a few best-of-breed vendors for controls, which the larger vendors do not have or do not excel in. Many studies, going back years, find that some Global 2000 enterprises have as many as 80 different security vendors in their environment. This happens naturally over time with different teams, budgets and departments making independent decisions. Vendors also must be able to accommodate the reality that not every organisation will have all their tools from a single provider out of the gate, and the appetite to rip and replace is low. Not to mention the fact that new vendors and solutions will continue to emerge given the ongoing innovation required to keep up with new use cases, threats and threat vectors.

Whichever path to XDR is selected, integration with existing tools in the security infrastructure is essential for XDR solutions to merit and capitalise on all the attention. The reasons are obvious for a best-of-breed approach, but even single-source XDR requires integrations to deliver on the promise. There are two key types of integrations that are needed:

Integration with third-party data and intelligence feeds – companies use an average of five external feeds within their environment. These can include commercial sources, open source, government, industry, existing security vendors – as well as frameworks like MITRE ATT&CK. Having the ability to utilise this data as part of your detection and response strategy is critical. It improves the breadth, speed and relevance of detections, rather than just relying on a vendor’s intelligence.

Integration with third party systems – this is important for multiple reasons. First, additional telemetry, context and events from internal systems is key to putting the pieces together for detection. This data from internal systems is often overlooked but is one of the best sources of intelligence, and when combined with external data will improve detection. Second, integrating with the internal systems will allow for faster response and the right mix of automation and manual actions. Systems become more effective and people more efficient.

To really recognise the benefits. There are several paths, but the most common is starting with a company’s EDR implementation and then adding capabilities.

EDR: endpoint detection and response from a single vendor, using that vendor’s detection content

EDR +: a vendor’s EDR solution plus integration with third-party data and intelligence for faster, more effective detection.

EDR ++: a vendor’s EDR solution plus integration with third-party data and intelligence for faster, more effective detection, plus integration with the other tools in your infrastructure for more efficient response.

To truly become a movement that more organisations can get behind, what’s needed is a conduit between an XDR solution and the data sources and security tools it needs to interoperate with. A centralised platform that bridges these gaps can provide the integrations and intelligence for all teams and tools to use which helps with detection, understanding and response and unleashes the full potential for XDR.