XDR – What is Extended Detection and Response?

Extended detection and response, better known as XDR, is a security technology that combines multiple point solutions, including but not limited to endpoint protection and endpoint security tools, into a unified incident detection and response platform.

Introduction to XDR

First described in 2018 by Palo Alto Networks’ CTO Nir Zuk, XDR collects, correlates, and contextualises alerts from different solutions across endpoints, servers, networks, applications, and cloud workloads. SaaS-based, cloud-native XDR products use deep analytics and automation to detect, analyse, and remediate potential threats.

XDR is designed to:

However, XDR is still an emerging technology, lacking a universally agreed-upon definition. For this reason, organisations interested in XDR should also consider other tools, like SenseOn’s cyber defence platform.

Contact SenseOn today to learn how it can improve your organisation’s detection and response capabilities.

How Does An XDR Platform Work?

After connecting to an organisation’s IT systems, an XDR security tool works through three core processes:

  1. Data centralisation and correlation

XDR aggregates and normalises data from across various security layers, including endpoints (e.g., laptops, phones, workstations), networks (e.g., firewalls, routers), cloud resources (e.g., G Suite, AWS), servers (e.g., web, database), and other sources.

  2. Data correlation

XDR then leverages machine learning (ML) and artificial intelligence (AI) to correlate data and identify deviations from “normal” behaviour.

  3. Incident response

Grouping alerts together, XDR creates “attack stories” and prioritises events for analysts’ attention through a management interface. This means that security teams can more effectively analyse and triage incidents using threat intelligence. XDR can also automatically remediate some threats like malware and update security policies to prevent similar attacks through its remediation capabilities.
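To make the three processes above concrete, here is a small added illustration (not code from the original article or from any XDR vendor) of the normalise, correlate and prioritise pipeline. It takes constructed sample events from three sources that each use their own schema (an EDR agent, a network sensor and a cloud audit log; the field names are assumptions), maps them onto one common event schema, groups events seen on the same host within a 15-minute window into a case, and scores each case so that a host several independent sensors agree on rises to the top while a lone low-severity event is logged without being surfaced to an analyst.

```python
"""Toy XDR pipeline: normalise, correlate by host, build prioritised cases.
All sample events below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed raw telemetry, each in its source's own (assumed) schema.
EDR_EVENTS = [
    {"ts": "2024-03-01T09:00:05Z", "hostname": "ws-17", "user": "alice",
     "process": "powershell.exe", "cmdline": "-EncodedCommand <redacted>", "risk": 7},
    {"ts": "2024-03-01T13:10:00Z", "hostname": "ws-42", "user": "bob",
     "process": "explorer.exe", "cmdline": "", "risk": 1},
]
NDR_EVENTS = [
    {"time": "2024-03-01 09:00:40", "src": "ws-17", "dst": "203.0.113.9",
     "bytes_out": 52_000_000, "sev": "high"},
]
CLOUD_EVENTS = [
    {"eventTime": "2024-03-01T08:58:30Z", "userName": "alice",
     "sourceHost": "ws-17", "eventName": "ConsoleLogin", "severity": 3},
]


@dataclass
class Event:
    """Common schema every source is mapped onto (step 1: normalisation)."""
    ts: datetime
    source: str      # "edr", "ndr" or "cloud"
    host: str
    user: str
    summary: str
    severity: int    # 1 (benign) .. 10 (critical)


_NDR_SEVERITY = {"low": 2, "medium": 5, "high": 8}


def normalise_all() -> List[Event]:
    """Translate each source's own fields and timestamp format into Events."""
    events: List[Event] = []
    for e in EDR_EVENTS:
        events.append(Event(
            ts=datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            source="edr", host=e["hostname"], user=e["user"],
            summary=f"process {e['process']} {e['cmdline']}".strip(),
            severity=e["risk"]))
    for e in NDR_EVENTS:
        events.append(Event(
            ts=datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"),
            source="ndr", host=e["src"], user="",
            summary=f"{e['bytes_out']} bytes to {e['dst']}",
            severity=_NDR_SEVERITY[e["sev"]]))
    for e in CLOUD_EVENTS:
        events.append(Event(
            ts=datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            source="cloud", host=e["sourceHost"], user=e["userName"],
            summary=e["eventName"], severity=e["severity"]))
    return sorted(events, key=lambda ev: ev.ts)


@dataclass
class Case:
    """An "attack story": related events on one host (steps 2 and 3)."""
    host: str
    events: List[Event]

    @property
    def sources(self) -> List[str]:
        return sorted({ev.source for ev in self.events})

    @property
    def priority(self) -> int:
        # Highest single severity plus a bonus for every extra source that
        # independently saw the same host: cross-tool agreement is the signal.
        return max(ev.severity for ev in self.events) + 2 * (len(self.sources) - 1)

    @property
    def surfaced(self) -> bool:
        # A lone low-severity event is kept for hunting but not raised to an analyst.
        return not (len(self.events) == 1 and self.events[0].severity < 4)


def build_cases(events: List[Event], window: timedelta) -> List[Case]:
    """Group events on the same host that fall within `window` of the previous
    event into one case, then rank cases by priority (highest first)."""
    open_cases: Dict[str, Case] = {}
    closed: List[Case] = []
    for ev in sorted(events, key=lambda e: e.ts):
        current = open_cases.get(ev.host)
        if current and ev.ts - current.events[-1].ts <= window:
            current.events.append(ev)
        else:
            if current:
                closed.append(current)
            open_cases[ev.host] = Case(host=ev.host, events=[ev])
    closed.extend(open_cases.values())
    return sorted(closed, key=lambda c: c.priority, reverse=True)


if __name__ == "__main__":
    for case in build_cases(normalise_all(), window=timedelta(minutes=15)):
        state = "SURFACED" if case.surfaced else "logged only"
        print(f"{case.host}: priority {case.priority} ({state}); sources {case.sources}")
        for ev in case.events:
            print(f"  {ev.ts:%H:%M:%S} [{ev.source}] {ev.summary} (sev {ev.severity})")
```

Run stand-alone it prints one surfaced case for ws-17 (a cloud login, then an encoded PowerShell launch, then a large outbound transfer, all within two minutes) and one suppressed single-event case for ws-42. The scoring and window values are arbitrary choices for the illustration; a real product would also correlate on user, destination and other entities, not only on host.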

Approaches to XDR

Right now, there are two main approaches to XDR: proprietary XDR and open XDR.

Proprietary XDR

Otherwise known as native XDR, proprietary XDR is an approach larger vendors use to unify their own security tools — or ones they’ve acquired from others — into a centralised XDR management platform. 

Because one vendor handles all threat detection and security analytics, this approach means that organisations don’t have to worry about integrations. Examples of proprietary XDR vendors include Palo Alto Networks and Microsoft.

However, for many bigger organisations, which likely use an array of “best-of-breed” solutions, going down the native XDR route might be too big of a cultural change. Not only does proprietary XDR require organisations to rely on a specific vendor, but it can also mean “ripping and replacing” existing security tools.

Open XDR

Open XDR is a vendor-agnostic approach to XDR. It refers to vendors who offer a core XDR product and build partnerships and integrations with other vendors providing compatible solutions. 

Open XDR allows organisations to consolidate best-of-breed security tools from various vendors or solutions they already use into a single platform. Forrester calls this approach “hybrid XDR.” Examples of open XDR vendors include IBM, McAfee, and Crowdstrike. 

XDR Platform Components

According to Gartner, any XDR tool needs to consist of two complementary component types:

  1. Front-end components. Front-end components should include at least three solutions or sensors, like endpoint detection and response (EDR), network detection and response (NDR), network (intrusion detection and prevention systems, firewalls), email security, etc.
  2. Back-end components. Back-end components should include cloud-delivered solutions, centralised data storage, threat intelligence, APIs, advanced analytics, incident investigations, response workflow, automation, and orchestration. 

Why Was XDR Developed?

Siloed security tools and out-of-context alerts are significant problems for most modern security operations centres (SOCs). A security team working at an organisation with 1,000+ employees is likely to see at least 1,000 alerts per day — many of them false positives. Unsurprisingly, many security professionals report experiencing “alert fatigue.”

Learn more: The hidden cost of alert fatigue in cybersecurity.

Each false-positive alert takes 32 minutes to resolve. Most organisations never address all alerts on the day they are issued and rarely get to the root cause of threats. As a result, both productivity and security suffer.  

When security professionals are stuck chasing false positives, they have less time to spend on critical tasks like endpoint hardening, proactive security, or threat investigation. Overwhelmed security professionals have also admitted to ignoring alerts when an alert queue is full. Predictably, the time it takes to identify and contain a breach is increasing. For example, it now takes an organisation 326 days on average to identify and stop a ransomware breach. In contrast, it only takes cybercriminals around two days to penetrate a business’ internal network.   

Cybercriminals can breach the network perimeter of 93% of organisations and gain access to local resources.

There is also a critical cybersecurity skills shortage. Even large enterprises struggle to hire enough security professionals to help plug the gaps in their security postures.

Rather than investigating every alert that comes their way, security professionals need a solution that gives them visibility and control over their entire IT environment. Analysts also need a way to receive relevant, context-rich alerts that are confirmed automatically. XDR was developed to help solve this issue and improve security.

XDR vs Other Detection and Response Tools

Here is a short rundown of how XDR compares to existing security technologies.

Endpoint detection and response (EDR) monitors endpoints (i.e., desktops, laptops, phones, and tablets) to detect and respond to cyber threats. Learn more about the difference between XDR and EDR in our XDR vs EDR blog post.

Network detection and response (NDR) monitors an organisation’s network for abnormal behaviour, providing alerts and response capabilities when such behaviour is detected. Learn about network detection and response tools for remote working.

Security information and event management (SIEM) logs data from multiple sources and supports threat detection, security incident management, and compliance. Learn more about the difference between XDR and SIEM in our XDR vs SIEM blog post.

Security orchestration, automation, and response (SOAR) gathers data from integrated platforms in a single location to enable additional threat investigation. 

Managed detection and response (MDR) is a managed security service that can replace an in-house SOC. It gives organisations access to both security expertise and tools needed to defend their network. 

Extended detection and response (XDR) monitors endpoints, networks, servers, cloud workloads, and more to detect, investigate, and respond to potential threats. According to Forrester analyst Allie Mellen, one of the main differences between XDR and SOAR and SIEM solutions is that XDR executes responses natively rather than relying on playbook integrations. XDR vendors also claim that XDR provides more operational efficiencies “out of the box,” thus reducing the need for excessive customisation.

XDR Benefits

According to XDR vendors, XDR’s ability to consolidate the security ecosystem could provide several security-related benefits. These include:

XDR Limitations

In theory, XDR is a powerful concept. However, as a vendor-provided solution, XDR is still in its early stages. Today’s immature XDR marketplace presents two clear limitations for any organisation that wants to deploy an XDR solution right now.

There is no universal definition of what XDR is

Gartner defines XDR as a:

“SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

Conversely, Forrester makes no mention of XDR being vendor-specific. Instead, it has a definition for both native (vendor-specific) XDR and hybrid (open) XDR. Forrester’s definition for open XDR is:

“An XDR platform that relies on integrations with third parties for the collection of other forms of telemetry and execution of response actions related to that telemetry.” 

Some vendors also provide their own definitions. For instance, one open XDR vendor claims that in contrast to native XDR, open XDR stands not for “extended detection and response” but “everything detection and response, because it must defend against all threats across the entire attack surface.” 

According to ESG senior principal analyst Jon Oltsik, it may not be possible right now for any vendor to place a strict definition on what XDR is or is not.

Comparing the evolution of XDR to the early days of the motor industry, he says, “It’s as if someone decided to define the automobile industry based on the Model T Ford (all cars must be black, mass-produced, offer a 4-cylinder engine, etc.).” It will take time before the industry can agree on what XDR is, let alone on its different flavours (open vs native).

This confusing jargon makes it difficult for any organisation interested in XDR to understand the next step they should take to consolidate their security toolstacks. 

There is no standard XDR offering

Organisations may wonder, “Is XDR an improved EDR? Does it consist of EDR, SIEM, and SOAR?” More often than not, the answer depends on which XDR vendor you ask and what is in their existing product catalogue. For instance, if a provider sells an email security solution, they are likely to include it as part of their XDR solution. 

Some vendors may also be rebranding existing solutions as XDR without improving their capabilities. According to Forrester analyst Allie Mellen, several SIEM providers are now repositioning themselves as XDR without necessarily offering additional features. This unfortunate trend is only going to get worse as time goes on. By Gartner’s estimates, by 2023, 30% or more of EDR and SIEM providers will assert that they sell XDR even though their offering is likely to lack core XDR functionality.

As a result, some security professionals see the current state of XDR as just another marketing ploy based on an impressive list of features rather than a real-world offering. Most technical professionals are still unsure of the difference between EDR, MDR, and XDR, despite the many guides written on this topic in the last few years.

To quote computer security specialist and former Research VP and Analyst at Gartner Anton Chuvakin: “I don’t know what XDR is today. I know many people who think they do — and most of them don’t agree with each other.”

Like XDR But Better

Unlike XDR, SenseOn offers a present-day solution that removes the need for complex security stacks.

Allowing a truly revolutionary approach to security, SenseOn simplifies threat detection and response by allowing:

Consolidated toolstack: Built from the ground up to natively link endpoint and network telemetry and metadata from investigator microservices, SenseOn consolidates EDR, NDR, NGAV, IDS, SIEM, and SOAR with a single Universal Sensor. 

Unparalleled visibility: Our proprietary, low-impact software collects and correlates data from across a company’s technology environment (endpoints, networks, cloud infrastructure, and investigator microservices) to give organisations complete visibility into their entire digital estate through one console. SenseOn’s advanced telemetry and deep packet inspection provide a real-time window into network traffic.

Simplified threat detection and triage: SenseOn uses a technology known as “AI Triangulation” to mimic how a human analyst thinks and acts. This means that rather than flagging alerts when something remotely suspicious happens, SenseOn analyses data across the environment to see if it can link together events across tools and contrasts them to real-world hypotheses using Machine Reasoning and Expert Reasoning frameworks. 

If an event doesn’t match malicious activity, it is treated as a false positive. False positives are logged but are not surfaced for security analysts’ attention. 

However, when SenseOn finds a link between two or more events, a threat “Case” is built and is represented visually to show the relationship between events and devices. Cases are also charted against the MITRE ATT&CK framework and are prioritised based on the available information (this can change as more information becomes available). 

Efficient threat hunting: Through rich telemetry collected by SenseOn across the corporate network and endpoints, together with learned data, threat hunters can better understand what unusual events happened within their environments. Teams can carry out narrow and broad searches and take advantage of pre-built SQL queries as well as write their own.

Get XDR Benefits Today with SenseOn

Analysts and security leaders everywhere are fed up with solutions that bombard them with false alerts or strain resources to breaking point. Unfortunately, there is little evidence that products sold as “XDR” right now solve these problems. 

Gartner describes XDR as “an evolution, not a revolution.” Instead of waiting for the evolution to happen, SenseOn allows organisations to achieve a connected, effective and automated security posture today.

Contact us to learn more.
