Anton and The Great XDR Debate, Part 1

I know you may hate me for this, but I‘ve been finally tempted into the Great XDR Debate.

Here, if you want TL;DR, my position on XDR today is “wait and see” (boring, huh?). Unlike some of my esteemed former colleagues, I don’t really have a horse in the race.

First, a very brief bit of history. The origin of the term XDR (Extended Detection and Response) is disputed. Wikipedia (entry, reviewed 8/6/2021) has us believe that Palo Alto invented the term “in 2018.” Josh Zelonis points out that he in fact invented the term. My Googling for its earliest use didn’t yield any revelations.

Today, I see several visions of XDR that are somewhat conflicting. So, let me outline them the way I understand them.

  • “XDR as improved EDR” or “EDR+” vision; on the analyst side, we have Forrester with illustrious Allie Mellen (example, FAQ) and on the vendor side we have many EDR vendors (example, example). This is definitely a defensible view of XDR as EDR with more data collection outside of the endpoint. Thus defined, XDR can nicely coexist with SIEM, but may also collide with it later on.
  • “XDR as ‘UTM’ for D&R” view considers XDR to be a combo toolset (likely from a single vendor); Gartner, for example, says XDR is “vendor-specific” and “natively integrates multiple security products into a cohesive security operations system.” This is also a defensible view of XDR as “bundled D&R toolset.” Here, we have XDR on a rapid collision course with SIEM. Smart SIEM vendors are coopting it.
  • “XDR as EDR + NDR” with some SOAR added and SIEM not added (example). This view is also defensible, and it seeks to dethrone SIEM from its central spot in many SOCs. This vision of XDR can nicely coexist with SIEM, but may also collide with it as SIEMs collect more endpoint and network data.
  • “XDR = SIEM” line of thinking considers XDR to be essentially a SIEM 3.0; it avoids the debate of XDR vs SIEM by stating that XDR is in fact SIEM rebranded.
  • Some other combination of security technologies in this area (XDR = SIEM + EDR example, find others on your own…). This is all over place and, frankly, does not deserve my analysis.
  • “XDR as a senseless marketing term” (example) or “random security technology rebranded”; no comment, make your own conclusions.

So, some points of agreement:

  • XDR is cloud-native. There is no on-premises XDR, and if you think you have one, sorry, you were lied to…
  • XDR is about detection. There is some debate over how much response needs to be there, and what it even means (workflow? investigations? action? playbooks?), but detection is there for sure.
  • XDR may be related to EDR, but the nature of the relation is under debate.
  • XDR may collide with SIEM, and these technologies may merge (just like SIEM and UEBA did)

As a minor aside, somehow I never got to get myself to care deeply about “open” vs “native” XDR. If we don’t agree on what XDR is, this is not the time to debate variations and subspecies of it…

And here is my favorite (Really?! No, not really…) list of XDR vs SIEM comparisons, just for fun:

There you have it! Not bad for a Friday afternoon? 🙂

Related blog posts:

Anton and The Great XDR Debate, Part 1 was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: