Extended Detection and Response (XDR) has generated a lot of buzz recently with press, analysts, and even customers. There’s no denying that, at face value, its promise of reduced complexity and cost while increasing detection and response is alluring. As security teams look to modernize their security tooling, they’re also looking for solutions to some of their largest challenges. Is XDR the answer? What is XDR, exactly, and how do you determine if it’s right for your organization? Let’s explore.
Endpoint Detection and Response (EDR) has been the gold standard for the better part of a decade. It began as an evolution of antivirus technology to counter threats that bypassed traditional file- and heuristic-based malware detection. The new reality that "you will be breached" drove the need and demand for EDR. With its novel use of machine learning and behavior analysis, EDR gave security analysts better visibility and detection on the endpoint, let them conduct real-time forensic investigations, and let them respond to threats more quickly and effectively. But as threats have grown in sophistication, EDR's narrow focus on the endpoint has become a limit on its effectiveness: an endpoint alert on its own rarely tells you where the activity came from, where it went next, or whether the indicators are already known. Contextual data from network detection, threat intelligence and other security tools is needed to improve detection and speed up response. Enter Extended Detection and Response (XDR).
It's clear that XDR grew out of EDR. What's not so clear is a generally agreed-upon set of requirements that define an XDR solution. Open. Closed. Native. Hybrid. While there are many approaches, the common theme is that XDR synthesizes endpoint, cloud, network, email, threat intelligence, and other data sources and controls in one place to improve threat detection, investigation, and response. For those of you who are familiar with Splunk, that sounds a lot like what we've been doing for a long time. We've led the security operations market for years with our Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solutions. So what's the difference between XDR and SIEM/SOAR solutions, you might ask?
XDR is great for enhanced detection and response across a limited set of use cases using a limited set of data sources. What happens, though, when threats evolve beyond the scope of that set of use cases and data sources? Splunk delivers the same benefits as XDR without the limitations on use cases and data sources, and without the need to deploy more products, portals and data models into your crowded technology stack. In addition to threat detection, investigation and response (TDIR), you can index and search across all your data. We bring together security data sources as well as your IT Ops, DevOps, and any other data source you can imagine, so that you can achieve the best visibility possible. This level of visibility is critical to discovering the root cause of today's most complex attacks. In short, Splunk gives enterprises the flexibility they need to solve the challenges of today while remaining agile enough to adapt to the threats and challenges of tomorrow.
Moreover, we believe that comparing XDR to SIEM and SOAR is misaligned. Our view is that XDR is a data source and control point that integrates with these tools, just like EDR. In fact, we have customers who have already integrated their XDR solution with Splunk today. XDR helps eliminate some of the noise analysts typically face, and Splunk gives teams the ability to solve for use cases beyond the endpoint. It's a win-win.
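To make the "XDR as a data source" idea concrete, here is an added example (not Splunk's code, and not any vendor's real alert schema) of what a SIEM does with such a feed: it normalizes a vendor alert into a common schema, then corroborates it against network (proxy) events from the same host and a threat-intelligence indicator set, raising the severity only when independent sources agree. The alert JSON, the proxy log lines, the indicator list and the field names are all constructed for the example; the time window and upload threshold are arbitrary tuning knobs.

```python
"""Cross-source correlation of an endpoint (XDR/EDR) alert with proxy logs
and threat intelligence. All inputs below are constructed sample data."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed sample alert in a hypothetical XDR vendor format.
XDR_ALERT = json.dumps({
    "event_time": "2021-06-01T14:02:11Z",
    "hostname": "ws-042",
    "user": "jdoe",
    "process": "powershell.exe",
    "severity": "medium",
})

# Constructed sample proxy log: time,host,dest_ip,dest_host,bytes_out
PROXY_LOGS = """\
2021-06-01T14:01:50Z,ws-042,203.0.113.10,cdn.example.net,1200
2021-06-01T14:02:25Z,ws-042,198.51.100.7,update-check.example,540000
2021-06-01T14:30:00Z,ws-017,203.0.113.10,cdn.example.net,800
"""

# Constructed threat-intelligence indicator set (documentation-range IP).
TI_BAD_IPS: Set[str] = {"198.51.100.7"}

SEVERITY_LEVELS = ["low", "medium", "high", "critical"]


@dataclass
class NormalizedAlert:
    """The common schema the SIEM correlates on, independent of vendor."""
    time: datetime
    host: str
    user: str
    process: str
    severity: str
    context: List[str] = field(default_factory=list)


def _parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize_xdr_alert(raw_json: str) -> NormalizedAlert:
    """Map the vendor-specific alert onto the common schema."""
    a = json.loads(raw_json)
    return NormalizedAlert(
        time=_parse_time(a["event_time"]),
        host=a["hostname"],
        user=a["user"],
        process=a["process"],
        severity=a["severity"],
    )


def parse_proxy(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        t, host, dest_ip, dest_host, bytes_out = line.split(",")
        events.append({"time": _parse_time(t), "host": host, "dest_ip": dest_ip,
                       "dest_host": dest_host, "bytes_out": int(bytes_out)})
    return events


def bump(severity: str) -> str:
    """Raise severity one level, capped at the top level."""
    idx = SEVERITY_LEVELS.index(severity)
    return SEVERITY_LEVELS[min(idx + 1, len(SEVERITY_LEVELS) - 1)]


def correlate(alert: NormalizedAlert, proxy_events: Iterable[Dict], bad_ips: Set[str],
              window: timedelta = timedelta(minutes=5),
              exfil_bytes: int = 100_000) -> NormalizedAlert:
    """Escalate the endpoint alert only when network events from the same
    host, close in time, corroborate it (TI match or a large upload)."""
    for ev in proxy_events:
        if ev["host"] != alert.host or abs(ev["time"] - alert.time) > window:
            continue  # different host or outside the correlation window
        if ev["dest_ip"] in bad_ips:
            alert.context.append(f"proxy: {ev['dest_ip']} matches threat intel")
            alert.severity = bump(alert.severity)
        if ev["bytes_out"] >= exfil_bytes:
            alert.context.append(f"proxy: {ev['bytes_out']} bytes out to {ev['dest_host']}")
            alert.severity = bump(alert.severity)
    return alert


def run_example() -> NormalizedAlert:
    alert = normalize_xdr_alert(XDR_ALERT)
    return correlate(alert, parse_proxy(PROXY_LOGS), TI_BAD_IPS)


if __name__ == "__main__":
    result = run_example()
    print(result.host, result.severity, result.context)
```

The point of the example is the `correlate` step: the XDR alert enters as one normalized record among many, and the escalation decision is driven by data the endpoint product never sees. The same join can be extended to identity, email or cloud audit sources by adding further corroboration rules rather than a new portal.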
In the end, you don't really want more product categories and more tools to learn and integrate. You want relief from tool proliferation and integration debt. You have portal fatigue, and you're watching a team of highly trained people lose productivity to data janitor work.
That's why we recently announced Splunk Security Cloud, the security operations platform for the agile enterprise. The formula for modern security operations is to centralize all data, deliver advanced analytics on top of it, streamline operations through automation and orchestration, and collaborate tightly with a thriving and diverse set of ecosystem partners.
Our north star here at Splunk is improving analyst productivity. We do this by streamlining workflows across the SOC: threat detection, investigation, response, hunting, intelligence sharing, and beyond. We are open to your preferred endpoint, cloud, network, email, and any other tool you want to use, including XDR.