What Is Extended Detection and Response (XDR)?
Extended detection and response, better known as XDR, is a security technology that combines multiple point solutions, including but not limited to endpoint protection and endpoint security tools, into a unified incident detection and response platform.
First described in 2018 by Palo Alto Networks' CTO Nir Zuk, XDR collects, correlates, and contextualises alerts from different solutions across endpoints, servers, networks, applications, and cloud workloads. SaaS-based, cloud-native XDR products use deep analytics and automation to detect, analyse, and remediate potential threats.
XDR is designed to:
Reduce product sprawl and security tooling integration challenges.
Show data from different environments in a centralised management hub.
Identify complex patterns and techniques used by cybercriminals faster.
Produce high-fidelity alerts based on artificial intelligence and machine learning technologies to analyse abnormal behaviours across systems.
Carry out threat investigations more efficiently.
Fully automate response tasks to basic incidents and investigation and basic response tasks to complex incidents.
Improve the speed with which security analysts can detect and respond to threats.
However, XDR is still an emerging technology, lacking a universally agreed-upon definition. For this reason, organisations interested in XDR should also consider other tools, like SenseOn’s cyber defence platform, to improve their detection and response capabilities.
How Does an XDR Platform Work
After connecting to an organisation's IT systems, an XDR security tool works through three core processes:
Data centralisation and correlation
XDR aggregates and normalises data from across various security layers, including endpoints (e.g., laptops, phones, workstations), networks (e.g., firewalls, routers), cloud resources (e.g., G-suite, AWS), servers (e.g., web, database), and other sources.
Data correlation
XDR then leverages machine learning (ML) and artificial intelligence (AI) to correlate data and identify deviations from "normal" behaviour.
Incident response
Grouping alerts together, XDR creates "attack stories" and prioritises events for analysts' attention through a management interface. This means that security teams can more effectively analyse and triage incidents using threat intelligence. XDR can also automatically remediate some threats like malware and update security policies to prevent similar attacks through its remediation capabilities.
Approaches to XDR
Right now, there are two main approaches to XDR: proprietary XDR and open XDR.
Proprietary XDR
Otherwise known as native XDR, proprietary XDR is an approach larger vendors use to unify their own security tools — or ones they've acquired from others — into a centralised XDR management platform.
Because one vendor handles all threat detection and security analytics, this approach means that organisations don't have to worry about integrations. Examples of proprietary XDR vendors include Palo Alto Networks and Microsoft.
However, for many bigger organisations, which likely use an array of "best-of-breed" solutions, going down the native XDR route might be too big of a cultural change. Not only does proprietary XDR require organisations to rely on a specific vendor, but it can also mean "ripping and replacing" existing security tools.
Open XDR
Open XDR is a vendor-agnostic approach to XDR. It refers to vendors who offer a core XDR product and build partnerships and integrations with other vendors providing compatible solutions.
Open XDR allows organisations to consolidate best-of-breed security tools from various vendors or solutions they already use into a single platform. Forrester calls this approach "hybrid XDR." Examples of open XDR vendors include IBM, McAfee, and Crowdstrike.
XDR Platform Components
According to Gartner, any XDR tool needs to consist of two complementary components types: front-end components and back-end components.
Front-end components should include at least three solutions or sensors, like endpoint detection and response (EDR), network detection and response (NDR), network (intrusion detection and prevention systems, firewalls), email security, etc.
Back-end components should include cloud-delivered solutions, centralised data storage, threat intelligence, APIs, advanced analytics, incident investigations, response workflow, automation, and orchestration.
Why Was XDR Developed?
Siloed security tools and out-of-context alerts are significant problems for most modern security operations centres (SOC). A security team working at an organisation with 1,000+ employees is likely to see at least 1,000 alerts per day — many of them false positives. Unsurprisingly, many security professionals report experiencing "alert fatigue."
Most organisations never address all alerts on the day they are issued and rarely get to the root cause of threats. As a result, both productivity and security suffer.
When security professionals are stuck chasing false positives, they have less time to spend on critical tasks like endpoint hardening, proactive security, or threat investigation. Overwhelmed security professionals have also admitted to ignoring alerts when an alert queue is full. Predictably, the time it takes to identify and contain a breach is slowly increasing and is now at 287 days on average. In contrast, it only takes cybercriminals around two days to penetrate a business' internal network.
Cybercriminals can breach 93% of organisation networks' perimeter and access local resources.
There is also a critical cybersecurity skills shortage. Even large enterprises struggle to hire enough security professionals to help plug the gaps in their security postures.
Cyber attacks are getting worse and more frequent. It doesn't help that cybercriminals employ more complex tactics and techniques to slip through the cracks. Cybercrime Magazine predicts that by 2025, cybercrime will cost the world a whopping $10.5 trillion annually.
Rather than investigating every alert that comes their way, security professionals need a solution that gives them visibility and control over their entire IT environment. Analysts also need a way to receive relevant, context-rich alerts that are confirmed automatically. XDR was developed to help solve this issue and improve security.
XDR vs Other Detection and Response Technologies
Here is a short rundown of how XDR compares to existing security technologies.
Endpoint detection and response (EDR) monitors endpoints (i.e., desktops, laptops, phones, and tablets) to detect and respond to cyber threats.
Network detection and response (NDR) monitors an organisation's network for abnormal behaviour, providing alerts and response capabilities when such behaviour is detected.
Security information and event management (SIEM) logs data from multiple sources and supports threat detection, security incident management, and compliance.
Security orchestration, automation, and response (SOAR) gathers data from integrated platforms in a single location to enable additional threat investigation.
Managed detection and response (MDR) is a managed security service that can replace an in-house SOC. It gives organisations access to both security expertise and tools needed to defend their network.
Extended detection and response (XDR) monitors endpoints, networks, servers, cloud workloads, and more to detect, investigate, and respond to potential threats. According to Forrester analyst Allie Mellen, one of the main differences between XDR and SOAR and SIEM solutions is that XDR executes responses natively rather than relying on playbook integrations. XDR vendors also claim that XDR provides more operational efficiencies "out of the box," thus reducing the need for excessive customisation.
XDR Benefits
According to XDR vendors, XDR’s ability to consolidate the security ecosystem could provide several security-related benefits. These include:
Increased visibility: XDR provides granular visibility into an IT environment, making it easier for defenders to detect and respond to threats. To solve the problem of analysts having to stitch together information from point solutions manually, XDR is designed to show the entire kill chain of staged attacks in one central console.
Improved productivity: By correlating, validating, and prioritising alerts, XDR solutions can reduce the number of false positives that analysts have to sift through daily. Similarly, XDR's automation capabilities may allow security professionals to automate some routine security tasks.
Deeper incident analysis: XDR technology can reconstruct the timeline and path of a cyber attack. This capability allows analysts to carry out deeper investigations. It also enables security teams to better understand the full scope of a particular threat, including where the threat originated.
More efficient threat hunting: Through XDR, threat hunters can hunt for threats across their entire tool stack from a single place. Furthermore, XDR's correlation capabilities allow threat hunters to confirm their hypotheses quicker.
Faster detection and response: Siloed security tools can't correlate events across multiple vectors. For example, an event that may seem harmless to an EDR may not be so innocuous when taken in context with what is happening in the rest of the network or connected cloud assets. Combining multiple sources of data and linking lower-confidence activities into a single contextualised event, XDR enables security analysts to improve their Mean Time to Detection (MTTD) and Mean Time to Respond (MTTR).
XDR Limitations
In theory, XDR is a powerful concept. However, as a vendor-provided solution, XDR is still in its early stages. Today's immature XDR marketplace presents two clear limitations for any organisation that wants to deploy an XDR solution right now.
There is no universal definition of what XDR is
Gartner defines XDR as "a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components."
Conversely, Forrester makes no mention of XDR being vendor-specific. Instead, it has a definition for both native (vendor-specific) XDR and hybrid (open) XDR. Forrester's definition for open XDR is: "An XDR platform that relies on integrations with third parties for the collection of other forms of telemetry and execution of response actions related to that telemetry."
Some vendors also provide their own definitions. For instance, one open XDR vendor claims that in contrast to native XDR, open XDR stands not for "extended detection and response" but "everything detection and response, because it must defend against all threats across the entire attack surface."
According to ESG senior principal analyst Jon Oltsik, it may not be possible right now for any vendor to place a strict definition on what XDR is or is not. Comparing the evolution of XDR to the early days of the motor industry, he says, "It's as if someone decided to define the automobile industry based on the Model T Ford (all cars must be black, mass-produced, offer a 4-cylinder engine, etc.)." It will take time before the industry can agree on what XDR, let alone its different flavours (open vs native).
This confusing jargon makes it difficult for any organisation interested in XDR to understand the next step they should take to consolidate their security toolstacks.
There is no standard XDR offering
Organisations may wonder, "Is XDR an improved EDR? Does it consist of EDR, SIEM, and SOAR?" More often than not, the answer depends on which XDR vendor you ask and what is in their existing product catalogue. For instance, if a provider sells an email security solution, they are likely to include it as part of their XDR solution.
Some vendors may also be rebranding existing solutions as XDR without improving their capabilities. According to Forrester analyst Allie Mellen, several SIEM providers are now repositioning themselves as XDR without necessarily offering additional features. This unfortunate trend is only going to get worse as time goes on. By Gartner's estimates, by 2023, 30% and more of EDR and SIEM providers will assert that they sell XDR even though their offering is likely to lack core XDR functionality.
As a result, some security professionals see the current state of XDR as just another marketing ploy based on an impressive list of features rather than a real-world offering. Most technical professionals are still unsure of the difference between EDR, MDR, and XDR, despite the many guides written on this topic in the last few years.
To quote computer security specialist and former Research VP and Analyst at Gartner Anton Chuvakin, "I don't know what XDR is today. I know many people who think they do — and most of them don't agree with each other."
Unified Security with SenseOn
The rise of XDR shows that defenders urgently need a way to unify their threat detection and response capabilities and stop advanced threats. Unlike XDR, SenseOn offers a present-day solution that removes the need for complex security stacks.
Allowing a truly revolutionary approach to security, SenseOn simplifies threat detection and response by allowing:
Consolidated toolstack: Built from the ground up to natively link endpoint and network telemetry and metadata from investigator microservices, SenseOn consolidates EDR, NDR, NGAV, IDS, SIEM, and SOAR with a single Universal Sensor.
Unparalleled visibility: Our proprietary, low-impact software collects and correlates data from across a company’s technology environment (endpoints, networks, cloud infrastructure, and investigator microservices) to give organisations complete visibility into their entire digital estate through one console. SenseOn’s advanced telemetry and deep packet inspection provides a real-time window into network traffic.
Simplified threat detection and triage: SenseOn uses a technology known as "AI Triangulation" to mimic how a human analyst thinks and acts. This means that rather than flagging alerts when something remotely suspicious happens, SenseOn analyses data across the environment to see if it can link togethReasoning er events across tools and contrasts them to real-world hypotheses using Machine and Expert Reasoning frameworks.
If an event doesn't match malicious activity, it is treated as a false positive. False positives are logged but are not surfaced for security analysts' attention.
However, when SenseOn finds a link between two or more events, a threat "Case" is built and is represented visually to show the relationship between events and devices. Cases are also charted against the MITRE ATT&CK framework and are prioritised based on the available information (this can change as more information becomes available).
Efficient threat hunting: Through rich telemetry collected by SenseOn across the corporate network and endpoints and learned data, threat hunters can better understand what unusual events happened within their environments. Teams can carry out narrow and broad searches and take advantage of pre-built SQL queries as well as write their own.
Don't Wait for XDR
Analysts and security leaders everywhere are fed up with solutions that bombard them with false alerts or strain resources to breaking point. Unfortunately, there is little evidence that products sold as "XDR" right now solve these problems.
Gartner describes XDR as "an evolution, not a revolution." Instead of waiting for the evolution to happen, SenseOn allows organisations to achieve a connected, effective and automated security posture today.