The security industry is often an alphabet soup of confusing acronyms—SIEM, SOAR, SASE—and the latest acronym du jour is XDR. At first glance, you may conflate it with terms such as NDR (network detection and response) or EDR (endpoint detection and response). In reality, XDR is not a radically different value proposition. Organizations need to have solutions that work together, but there are a few different ways to approach it.
What is XDR?
For a broadly defined view of what constitutes XDR, one can refer to Gartner’s definition:
“Extended detection and response describes a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components. … XDRs are similar in function to security information and event management (SIEM) and security orchestration, automation and response (SOAR) tools; however, XDRs are differentiated by the level of integration of their products at deployment, and the focus on threat detection and incident response use cases.”
This high-level definition provides a scaffold that can be used to understand XDR in a more general market context. In the single-vendor approach, XDR consists of two or more of that vendor's own log sources, most often EDR and firewall, with some kind of Active Directory log integration for additional context and enrichment. In some cases, machine learning engines are built on top of these data sets to provide anomaly detection or user behavior analytics. If the data from the EDR, firewall and other sources isn't already in a common format or schema, it has to be parsed and normalized before analysis, which requires specialized skills and adds compute cycles.
Once these log sources are aggregated, the XDR platform will help support security operations by correlating alerts into attack campaigns to provide a single interface from which to investigate and respond to security alerts. In this way, XDR can be thought of as a vendor-specific security orchestration, automation and response (SOAR) platform with customized cross-product playbooks and vendor-specific ML engines.
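To make the normalize-then-correlate step concrete, here is an added example that is not code from the original post or from any XDR vendor. It takes two constructed alerts in different shapes (an EDR alert as JSON and a firewall alert as a key=value syslog line), maps them onto one common schema, enriches the firewall source IP with a hypothetical asset inventory, and groups the result into campaigns by host and time window. The field names, the asset map and the severity ranking are assumptions chosen for the example.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample alerts, not real vendor output. The EDR alert is JSON; the
# firewall alert is a syslog-style line whose timestamp carries no year.
EDR_EVENT = ('{"ts":"2024-03-05T10:02:11Z","hostname":"WS-042","severity":"high",'
             '"rule":"credential_dumping","user":"jdoe"}')
FW_EVENT = ('Mar  5 10:03:40 fw01 threat: src=10.1.4.42 dst=198.51.100.7 '
            'dport=443 sig="c2-beacon" sev=medium')
FW_EVENT_LATE = ('Mar  5 14:20:05 fw01 threat: src=10.1.4.42 dst=203.0.113.9 '
                 'dport=8443 sig="c2-beacon" sev=medium')

# Hypothetical asset inventory used for enrichment; a real deployment would pull
# this from AD, a CMDB or DHCP logs rather than a hard-coded dict.
ASSET_BY_IP = {"10.1.4.42": "ws-042"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

FW_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                   r"\S+ threat: (?P<kv>.*)$")


def normalize_edr(raw):
    """Map a JSON EDR alert onto the common schema."""
    ev = json.loads(raw)
    ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": ev["hostname"].lower(), "source": "edr",
            "name": ev["rule"], "severity": ev["severity"].lower(), "user": ev.get("user")}


def normalize_fw(raw, year=2024):
    """Map a key=value syslog firewall alert onto the common schema.

    Syslog timestamps omit the year, so the caller must supply it; getting this
    wrong silently breaks time-window correlation across a year boundary."""
    m = FW_RE.match(raw)
    if not m:
        raise ValueError("unrecognized firewall line")
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m["kv"])}
    ts = datetime.strptime(f'{year} {m["mon"]} {m["day"]} {m["time"]}',
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    # Enrich: resolve the source IP to a hostname so it can be joined with EDR data.
    host = ASSET_BY_IP.get(kv["src"], kv["src"])
    return {"ts": ts, "host": host, "source": "firewall",
            "name": kv["sig"], "severity": kv["sev"].lower(), "user": None}


def correlate(events, window=timedelta(minutes=10)):
    """Group normalized events into campaigns.

    Events from the same host join the open campaign for that host if they fall
    within `window` of the campaign's most recent event; otherwise a new
    campaign is opened. Campaign severity is the highest of its events."""
    campaigns = []
    open_by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        c = open_by_host.get(ev["host"])
        if c is None or ev["ts"] - c["last_ts"] > window:
            c = {"host": ev["host"], "events": [], "sources": set(),
                 "severity": "low", "last_ts": ev["ts"]}
            campaigns.append(c)
            open_by_host[ev["host"]] = c
        c["events"].append(ev)
        c["sources"].add(ev["source"])
        c["last_ts"] = ev["ts"]
        if SEVERITY_RANK[ev["severity"]] > SEVERITY_RANK[c["severity"]]:
            c["severity"] = ev["severity"]
    return campaigns


def build_campaigns():
    """Normalize the constructed sample alerts and correlate them."""
    events = [normalize_edr(EDR_EVENT), normalize_fw(FW_EVENT), normalize_fw(FW_EVENT_LATE)]
    return correlate(events)


if __name__ == "__main__":
    for c in build_campaigns():
        names = ", ".join(f'{e["source"]}:{e["name"]}' for e in c["events"])
        print(f'{c["host"]} [{c["severity"]}] {names}')
```

The two alerts within ten minutes of each other collapse into one campaign spanning both sources, while the later firewall hit on the same host opens a second one. Note how much of the work is the unglamorous part: parsing two unrelated formats, agreeing on a schema, and bringing in a third data set just to join the endpoint and network views on a common key.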
Sounds like a fairly compelling “one-stop-shop” for your enterprise security needs, right? Not so fast.
XDR is a Wolf in Sheep’s Clothing
While XDR offers benefits to those looking to improve their security posture, there are significant drawbacks to a singular platform approach that security analysts need to be aware of. In today’s security landscape, vendors often specialize in specific security tools such as endpoint detection and response or next-generation firewalls. But for the single-platform XDR approach to provide broad-based benefits, XDR vendors are often building additional security capabilities that are outside their core competencies. The result is often a flawed toolkit, lacking important feature functionality and table-stakes detection capabilities.
Beyond “watered down” capabilities, the premise of a “one-stop-shop” is flawed on its face. Silver bullet solutions are often nothing more than an attempt by vendors to consolidate the market, lock customers in and earn more dollars. According to Gartner: “XDR products have significant promise, but also carry risks such as vendor lock-in. The XDR market is immature and capabilities vary widely across products from different vendors.”
Best-of-Breed Creates Stronger Enterprise Security
In security, you can’t afford to sacrifice or cut corners; the stakes are too high. Often when one tool tries to do too many things, you lose the ability to do anything well. At face value it may seem as though an XDR tool would make sense, but evaluation teams need to dig deeper. In reality, working with a mix of best-of-breed security tools that are optimized for your specific use cases and well-integrated through APIs will ensure you are able to maximize the benefits for each requirement you have. Accepting a sub-par data set or tool as a free add-on is tempting, but more often it leads to false positives or negatives, impacts your security staff’s productivity and can eventually end up in costly breaches.
What’s more, vendor lock-in and market consolidation have profound consequences for the entire security industry. Diversity and innovation in the market are among the strongest defenses organizations have. If every organization uses the same consolidated set of security tools from the same vendors, then once threat actors find a way past one of those tools, they have the keys to a vast number of organizations. Bottom line: Enterprises benefit from a diverse security ecosystem.
The Road Ahead
XDR’s goal of providing a unified analysis that helps security teams understand the broader picture of what’s happening across different data sources is a good one, but trying to achieve that through a single vendor is a fool’s errand.
XDR has the potential to deliver a solution that empowers security analysts with one-touch analysis and forensics interfaces, but only when XDR vendors work to provide open interfaces and enable integrations with best-of-breed tools to enhance a vendor’s native detection and response capabilities.