XDR: What Does Extended Detection and Response Really Mean?
If you do a search for “extended detection and response,” you will find several different definitions. In general, Extended Detection and Response (XDR) focuses on either a single vendor being utilized to cover all the different areas of security or an open model that incorporates multiple vendors. However, by looking at analyst definitions and finding the commonalities, you can get a better sense of what XDR really means.
How do the analysts define XDR?
The first stop for industry definitions is the analysts. They often create terms and define them.
Gartner’s definition of XDR lends itself to the open model:
Extended detection and response describes a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components.
Meanwhile, according to Forrester:
XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation. XDR’s value is driven by its security analytics capabilities, third-party integrations, and response actions.
Additionally, Forrester defines two types of XDR:
- Hybrid XDR: platform that relies on integrations with third parties for the collection of other forms of telemetry and execution of response actions related to that telemetry.
- Native XDR: suite that integrates with other security tools from their portfolio for the collection of other forms of telemetry and execution of response actions related to that telemetry.
Finally, KuppingerCole includes this sentence in a 2020 blog post:
Endpoint Detection & Response (EDR), Network Detection & Response (NDR), or their union, XDR.
Taking apart XDR definitions
With three different analysts offering three different definitions, you may be confused about what the “right” definition is. However, underlying all these definitions are some similarities.
With organizations adopting cloud services, the need to bring all security information into a single location is logical. As organizations expand their digital footprints, managing security across multiple vendor-supplied tools becomes overwhelming. A unified location that makes all security information accessible in a single cloud-based platform creates a more robust approach to analyzing and correlating data by normalizing data from sources that often have different formats.
Detection and response
The next similarity across these definitions is detection and response. The word “and” in this requirement is the most important one. Security analysts need solutions that detect potential threats and let them use that alert to start the investigation, all in one location.
According to the 2020 State of Security Operations report, analysts receive over 11,000 alerts per day, spending nearly 70% of their time on investigating, triaging, or responding to these alerts. Organizations that want to reduce important security key performance indicators like mean time to contain (MTTC) and mean time to respond (MTTR) need focused alerts that correlate events from across the organization’s IT stack.
The more a solution can help triage the alerts, the less time security analysts spend researching false positives. Additionally, detection and threat hunting capabilities need to be in a single location. Security analysts need solutions that enable them to take an alert and move directly into the investigation phase for a more efficient, streamlined approach to detection and response.
Endpoints and networks
The final similarity between the definitions is that they incorporate the whole of an organization’s IT stack. While Gartner uses the term “multiple proprietary security components,” Forrester gives a long list of locations, and KuppingerCole simply argues that XDR is the union of endpoint and network detection and response.
As organizations expand their infrastructure, their XDR also needs to support this expanded footprint. In recent years, organizations invested in Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) cloud services and onboarded Software-as-a-Service (SaaS) applications. Additionally, organizations maintain on-premises applications and data centers.
Finally, all of these new locations also have users and devices connecting to them. Workstations, printers, smartphones, tablets, cameras, and network devices all generate security data.
To detect threats efficiently and effectively, organizations need to access all these different data points, correlate them, and analyze them. This is, again, where words like “unified” and “and” matter. A true XDR solution is a single location where security analysts have access to all endpoint and network detection and response.
Where current definitions of XDR fail
The problem with the current definitions of XDR is that they all rely on a single platform to do all the collecting, aggregating, correlating, and analyzing.
No one technology can collect and store all the information that security analysts need. Storage costs alone often make XDR cost-prohibitive. The problem with this approach is that organizations need to decide which data to collect before an incident occurs. This creates three problems:
- Alert quality: By making decisions about the information you need before an incident occurs, the XDR approach will no longer be poised to successfully “unify,” and you may not be choosing the right information as threat actors change their methodologies.
- Investigation speed: By collecting information that you think might be useful, you may be missing out on data points that would enable threat hunters to locate the source of the problem faster.
- Lack of unification: By making data trade-offs, organizations undermine the purpose of XDR, ultimately setting themselves up to fail.
By aggregating and storing all the information in one place, organizations often make traditional choices around the data that they collect, correlate, and analyze. However, threat actors know the information organizations use to detect them in systems and networks. This means that they know how to go around even the most sophisticated XDR tool, which means organizations are spending a lot of money and may not get the outcome they want.
Creating a connective layer to enable XDR
To recap, XDR is about unifying data stores and security to gain insights into the relationships of data and activity between sources and, ultimately, empower security teams to readily manage the incident response lifecycle. For those that follow the NIST framework, that’s to prepare, identify, contain, eradicate, recover, and learn lessons (PICERL).
That’s a tall order for one product, because its success relies on access to enterprise data in environments that are increasingly distributed and decentralized across many supporting technologies. Enabling any of these XDR models will require a connective layer that facilitates data access across all of the enterprise data silos, without requiring companies to duplicate or centralize the data in an XDR solution.
Instead, the XDR-enabling connective layer serves as a data hub that provides direct access to the data where it lives, helps SOC teams understand the relationships, and enables the team to initiate response actions. This is exactly what the Query.AI platform provides.
Query.AI provides a security investigations control plane to deliver a virtual data layer through a browser for data access, investigation, and response. And it provides the critical connective layer to enable XDR solutions in cloud-first and hybrid infrastructures. Security teams need the ability to access information, swiftly investigate, and respond to incidents. What XDR lacks in connecting the data across a distributed world, Query.AI brings to life.
Palo Alto Networks. The 2020 State of Security Operations: Assessing Analyst Burnout.