Meet XDR, one security platform to manage them all

Johannesburg, 13 Sep 2021
Milad Aslaner, Senior Director: Cyber Defence Strategy & Public Affairs, SentinelOne.

Security today seems overrun by buzzwords and new concepts. This can be said for other aspects of digital technology as well, resulting from the rapidly evolving cloud-and-connectivity nexus that transforms how we work and engage with digital services. But security is often at the front of the pack out of necessity – the complexity resulting from the cloud era stokes innovation for new suitable solutions.

To put it more bluntly, we can no longer afford to rely only on legacy anti-virus, intrusion detection systems (IDS) or firewall solutions. Today's security is far more sophisticated and needs new ideas to stay effective.

Hence what seems to be a continual march of new concepts and acronyms: Security information and event management (SIEM); security orchestration, automation and response (SOAR); endpoint detection and response (EDR); and network detection and response (NDR) are the most relevant examples.

Now there is another one: Extended detection and response, or XDR.

What is XDR?

Finding a definition for XDR can be maddening. Analysts disagree on how to define it, some people question if it's anything other than a different type of SIEM, and the worst critics call it little more than marketing bluster. But if looked at practically, XDR represents a new level and significant consolidation of security capabilities.

"I think we're at an early stage where a lot of people have different perspectives about what XDR really is," says Milad Aslaner, Senior Director of Cyber Defence Strategy & Public Affairs at SentinelOne. "From my perspective, XDR is about unifying and extending detection and response capabilities across an organisation’s security layers to provide a holistic view across all threats in the enterprise landscape."

As an elevator pitch, XDR overcomes the typical fracturing of security environments by connecting those elements through integration, aggregating their telemetry and logs for analysis, then using automation to shorten analysis and response times.

"XDR can help increase efficiency and reduce the operational cost of an organisation's security team. Rather than organisations trying on their own to interconnect various security tools and data streams, the XDR solution can be an organisation's centralised security and data platform."

Aslaner says an XDR solution should solve three problems for organisations, packaged into a cloud platform:

  • Centralise security data and normalise data from different institutions and vendor products.
  • Apply data analytics at scale to correlate and identify previously unseen patterns when looking at the attack chain.
  • Provide a centralised incident response mechanism that enables SOC analysts to be more effective.

Hence the debate around XDR's definition: each of the above elements can, in isolation, come from a different security solution. SIEM, in particular, deals with security analytics and is often compared to XDR. Yet there is growing consensus that XDR represents the next generation of security platforms. It places a much greater emphasis on consolidating different vendor products under one roof and on offering fast response actions, which is also why XDR is often compared to EDR.

Why adopt XDR?

But for argument's sake, what separates XDR from other security solutions? Aslaner says it relates to the way XDR uses data and how it focuses its efforts: "When you look into legacy solutions that are providing detection and response capabilities, they are often in-point solutions for specific areas like identity, email, endpoint or application. The responsibility for correlating and making sense of the big picture was with customers. As a result, organisations started to utilise their existing legacy SIEM or Data Lake technologies to correlate and analyse their security data. The problem is that these legacy technologies can no longer provide the required scale to be effective."

Additionally, when looking at an average enterprise and their vendor products, they rarely use the same data structures, making it tough to analyse and correlate.
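The three capabilities listed above (centralise and normalise, correlate at scale, respond centrally) and the field-mismatch problem in the previous sentence, as an added example that is not SentinelOne's code nor any real XDR platform's API: three hypothetical vendor feeds, each with its own field names and timestamp formats, are mapped through per-source adapters into one common schema, and an ordered correlation rule then stitches a phishing link click, an encoded PowerShell launch and a subsequent sign-in into a single incident for one user within a time window. The feed formats, field names and sample events are all constructed for illustration.

```python
"""Normalise events from differently shaped vendor feeds into one schema and
correlate them into a cross-source attack chain keyed on user and time window.

Added example, not SentinelOne's or any vendor's code. The three feed formats
and the sample events below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass(frozen=True)
class Event:
    """Common schema every adapter maps into."""
    ts: datetime      # timezone-aware UTC
    source: str       # email | endpoint | identity
    user: str         # bare username, lower-cased, no domain or realm
    host: str         # device name where known, else ""
    action: str
    detail: str


# One small adapter per (hypothetical) vendor feed. Adding a source means
# adding an adapter; the correlation logic never sees vendor field names.
def from_email_gateway(raw: dict) -> Event:
    return Event(ts=datetime.fromisoformat(raw["received"]), source="email",
                 user=raw["recipient"].split("@")[0].lower(), host="",
                 action="link_click" if raw["verdict"] == "clicked" else "delivered",
                 detail=raw["url"])


def from_endpoint_agent(raw: dict) -> Event:
    return Event(ts=datetime.fromtimestamp(raw["event_time_ms"] / 1000, tz=timezone.utc),
                 source="endpoint",
                 user=raw["user_name"].split("\\")[-1].lower(),  # DOMAIN\user -> user
                 host=raw["device"].lower(), action="process_start",
                 detail=raw["cmdline"])


def from_identity_provider(raw: dict) -> Event:
    ts = datetime.strptime(raw["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts=ts, source="identity", user=raw["principal"].split("@")[0].lower(),
                 host="", action="login_" + raw["result"], detail=raw["ip"])


ADAPTERS: dict[str, Callable[[dict], Event]] = {
    "email": from_email_gateway,
    "endpoint": from_endpoint_agent,
    "identity": from_identity_provider,
}


def normalise(batches: dict[str, list[dict]]) -> list[Event]:
    """Run every raw record through its source adapter; return a single timeline."""
    events = [ADAPTERS[src](raw) for src, raws in batches.items() for raw in raws]
    return sorted(events, key=lambda e: e.ts)


# Ordered stages of one attack chain; all must occur for the same user, in
# order, within `window` of the first stage.
CHAIN = [("email", "link_click"), ("endpoint", "process_start"), ("identity", "login_success")]


def correlate(events: list[Event], window: timedelta = timedelta(hours=1)) -> list[list[Event]]:
    """Return one incident (list of matched events) per user whose timeline completes CHAIN.
    Simplification: the first stage-1 match anchors the window; no restart on expiry."""
    by_user: dict[str, list[Event]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    incidents = []
    for evs in by_user.values():
        stage, matched = 0, []
        for e in evs:
            if stage and e.ts - matched[0].ts > window:
                break
            if (e.source, e.action) == CHAIN[stage]:
                matched.append(e)
                stage += 1
                if stage == len(CHAIN):
                    incidents.append(matched)
                    break
    return incidents


SAMPLE = {  # constructed sample feeds; IPs are documentation ranges
    "email": [
        {"received": "2021-09-13T08:00:00+00:00", "recipient": "J.Doe@example.test",
         "verdict": "clicked", "url": "http://invoice-portal.example.test/login"},
        {"received": "2021-09-13T08:05:00+00:00", "recipient": "A.Smith@example.test",
         "verdict": "delivered", "url": "http://invoice-portal.example.test/login"},
    ],
    "endpoint": [
        {"event_time_ms": 1631520300000, "user_name": "CORP\\j.doe",  # 08:05:00Z
         "device": "LAPTOP-17", "cmdline": "powershell -enc SQBFAFgA..."},
    ],
    "identity": [
        {"time": "2021-09-13T08:20:00Z", "principal": "j.doe@example.test",
         "result": "success", "ip": "203.0.113.9"},
        {"time": "2021-09-13T09:00:00Z", "principal": "a.smith@example.test",
         "result": "success", "ip": "198.51.100.4"},
    ],
}

if __name__ == "__main__":
    for incident in correlate(normalise(SAMPLE)):
        print(incident[0].user, [(e.source, e.action, e.ts.isoformat()) for e in incident])
```

The point of the adapters is that the correlation rule is written once against the common schema; the same rule fires whether the endpoint telemetry or the identity log comes from one vendor or another. Shrinking the window (for example to ten minutes on the sample above) drops the incident, which is the kind of tuning an analyst would do against real data.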

"XDR focuses on detection and response capabilities. It's agnostic to the connected data sources. Previously siloed solutions can be interconnected through the XDR platform and benefit from extended detection and response capabilities."

XDR solutions aim to consolidate the tooling an organisation already runs rather than force one vendor's entire product line onto its security environment. "XDR is about helping organisations maximise their investments by being their underlying security and data platform."

This cloud platform approach makes XDR particularly worthwhile for security operations centres (SOCs) and managed security service providers (MSSPs). In both cases, XDR can serve as the organisation's security and data platform, letting security teams connect their existing products through integrations from a marketplace or via robust APIs, and ultimately work more effectively.
