
DATA INSIDER

What Is XDR?

Extended detection and response (XDR) is an approach to endpoint-based threat detection that provides holistic protection across enterprise IT environments.

XDR, or XDR security, is an evolution of endpoint detection and response (EDR) — the industry standard for finding and stopping endpoint-based security threats. EDR was originally developed to combat threats capable of evading traditional file-signature and heuristic-based malware detection on endpoint devices. The solution represented an improvement over previous endpoint protection platform (EPP) solutions by offering additional threat-hunting tools, which enabled real-time forensic investigations.

However, the recent evolution of endpoints, such as Internet of Things (IoT) devices and serverless application technology, reduces the footprint that EDR agents (the primary collection and enforcement technology of EDR platforms) require to detect and respond to attacks. Additionally, to address an increasingly crowded and competitive market, EDR vendors looked for ways to improve detection accuracy and differentiate themselves from their competitors, thus giving rise to XDR solutions.

XDR technology builds on EDR by collecting telemetry from endpoints and combining it with logs from other, non-endpoint security solutions, such as network, cloud and software-as-a-service (SaaS) workloads and email security. Among other things, this approach validates and improves the accuracy of endpoint detections, detects threats beyond the endpoint and coordinates multiple response actions. Early XDR solutions were integrations of existing security solutions within a single vendor portfolio (called “closed” or “native” XDR), with the aim of providing deeper visibility and greater context into advanced threats, allowing organizations to find and remediate security events and reduce their scope and severity.

In the following sections, we’ll look at how XDR solutions work, where they can provide benefits, what their limitations are and how they compare to other security solutions.


How does XDR work?

XDR products are designed to assist with endpoint threat detection, investigation and response by providing a single platform for an analyst to perform these functions. Specifically, they streamline the steps analysts typically perform during triage, validation and response for security threats.

To that end, an XDR solution, or XDR platform, ingests data from integrated security solutions, executes threat analysis and performs coordinated threat response actions back through the security solutions. Using data from a mixture of endpoint, network, cloud, email and identity sources, an XDR product can detect corroborating evidence and funnel it into a single incident to create high-accuracy alerts. This approach can save analysts from using multiple consoles and solutions to triage an alert before deciding what to do.

XDR tools rely on integrations to provide threat response capabilities as well. Pre-configured responses based on credible threats correlate data and initiate coordinated responses across the solutions falling under the XDR umbrella, allowing analysts to conduct a complete end-to-end triage, verification and response.
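The correlation and coordinated-response steps described above, as an added illustration that is not code from this page or from any XDR vendor's product: events from four constructed sources (email, endpoint, network, identity) that share a host within a time window are funnelled into one incident, confidence rises with each corroborating source, only multi-source incidents above a threshold become alerts, and a response is planned back through each tool that saw the activity. The event fields, sample timestamps, hosts, users, thresholds and response mappings are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    source: str        # "email", "endpoint", "network" or "identity"
    ts: datetime
    host: str          # pivot key the correlation joins on
    user: str
    signal: str        # what the originating tool flagged
    severity: int      # 1..10, as scored by the originating tool


@dataclass
class Incident:
    host: str
    events: list = field(default_factory=list)

    @property
    def sources(self):
        return sorted({e.source for e in self.events})

    @property
    def confidence(self):
        # Corroboration from each additional source raises confidence
        # above the strongest single detection; capped at 10.
        strongest = max(e.severity for e in self.events)
        return min(10, strongest + 2 * (len(self.sources) - 1))


# Constructed sample telemetry: what four integrated tools might hand an
# XDR platform. Hosts, users, times and signals are made up for the example.
SAMPLE_EVENTS = [
    Event("email",    datetime(2024, 5, 1, 9, 0),   "ws-01", "alice", "macro-enabled attachment delivered", 4),
    Event("endpoint", datetime(2024, 5, 1, 9, 5),   "ws-01", "alice", "winword.exe spawned powershell.exe", 6),
    Event("network",  datetime(2024, 5, 1, 9, 7),   "ws-01", "alice", "periodic HTTPS beacon to newly registered domain", 5),
    Event("identity", datetime(2024, 5, 1, 13, 0),  "ws-07", "bob",   "logon from unfamiliar geography", 5),
    Event("endpoint", datetime(2024, 5, 1, 15, 30), "ws-01", "alice", "unsigned driver load blocked", 3),
]

ALERT_THRESHOLD = 8   # confidence needed before the SOC is paged (assumed)
MIN_SOURCES = 2       # single-tool detections are left to that tool (assumed)

# Coordinated response: one action per integrated tool that saw the activity.
RESPONSE_BY_SOURCE = {
    "endpoint": "isolate host {host} from the network via the EDR agent",
    "identity": "revoke sessions and require re-authentication for {user}",
    "email":    "quarantine the delivered message for {user}",
    "network":  "block the beacon destination at the egress proxy",
}


def correlate(events, window=timedelta(minutes=30)):
    """Funnel events that share a host within `window` into a single incident."""
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        for inc in incidents:
            # events are processed in time order, so the last event is the newest
            if inc.host == ev.host and ev.ts - inc.events[-1].ts <= window:
                inc.events.append(ev)
                break
        else:
            incidents.append(Incident(ev.host, [ev]))
    return incidents


def high_confidence(incidents):
    """Keep only incidents corroborated by several sources and scored above threshold."""
    return [i for i in incidents
            if len(i.sources) >= MIN_SOURCES and i.confidence >= ALERT_THRESHOLD]


def plan_response(incident):
    """One response action per source that contributed evidence, in source order."""
    users = ",".join(sorted({e.user for e in incident.events}))
    return [RESPONSE_BY_SOURCE[src].format(host=incident.host, user=users)
            for src in incident.sources]


def summarize(events=SAMPLE_EVENTS):
    """Return (incident_count, alerted_incidents) for the given telemetry."""
    incidents = correlate(events)
    return len(incidents), high_confidence(incidents)


if __name__ == "__main__":
    total, alerts = summarize()
    print(f"{len(SAMPLE_EVENTS)} events -> {total} incidents, {len(alerts)} high-confidence alert(s)")
    for inc in alerts:
        print(f"\n[{inc.host}] confidence {inc.confidence}/10, sources: {', '.join(inc.sources)}")
        for ev in inc.events:
            print(f"  {ev.ts:%H:%M} {ev.source:<8} {ev.signal}")
        print("  planned response:")
        for action in plan_response(inc):
            print(f"   - {action}")
```

Run as a script, the five sample events collapse into three incidents: the phishing-to-beacon chain on ws-01 is the only one seen by more than one tool and becomes the single alert, while the lone identity event and the later, unrelated endpoint event stay below the alert bar for their own tools to handle. The short window is the simplest way to keep unrelated activity on the same host from being merged; a real platform would pivot on more than the host name and weigh sources differently.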

The primary drawback of XDR solutions is their limited scope: 1) the limited set of integrated solutions they work with and 2) the limited data set they analyze to provide the higher-quality detection and built-in response capabilities. These limits can prevent teams from using existing security solutions or choosing new ones. Security teams may also encounter monitoring blind spots, especially if they’re trying to use an XDR as the primary security operations platform.

What are some XDR use cases?

XDR is used to support specific use cases in the security operations center (SOC), including:

  • Enhancing endpoint detection and response: The endpoint may be the first place that threats are detected, but an attack will leave clues identified by other solutions. XDR can make the endpoint detection and response capabilities more effective in finding and shutting down attacks.
  • Providing high-accuracy telemetry into a SIEM: An XDR tool can perform some of the heavy lifting around enhanced endpoint threat detection and provide high accuracy alerts to a SIEM. This can reduce the number of alerts, helping analysts speed up investigations or find additional threats using the data contained in the XDR’s analysis.
  • Supporting smaller security operations teams: XDR solutions can perform some of the evidence gathering and automated response steps that analysts often perform manually today. By freeing up analysts from these manual tasks, XDR solutions can help security operations teams be more effective in finding and stopping larger, high-priority threats.

How does XDR compare to SIEM?

At first glance, an XDR tool may look similar to a security incident and event management (SIEM) solution. Both take in telemetry (data) from across an organization’s security stack to better detect existing and emerging threats. However, there are a number of notable differences between the two technologies.

The biggest difference is that XDR tools limit the data they can ingest in order to perform their duties, whereas a SIEM solution is designed to take in data from any and all sources. By virtue of their EDR roots, XDR tools ingest data to improve the scope and accuracy of their endpoint threat detections. The technologies integrated into them, such as email, network and cloud workload security, are either endpoints or endpoint-adjacent. Information gathered from these types of solutions is used to determine whether an endpoint threat is credible. SIEM platforms, on the other hand, take in data for threat detection across all parts of the infrastructure.

Another difference from a SIEM platform is that XDR tools are not well suited for investigating emerging and advanced threats or fraud use cases. Investigations tend to span multiple systems and solutions, often with clues lying in unlikely places as attackers become more creative in hiding their activity. Not having access to all forms of data can stymie threat hunters as they follow the trail of an attacker and piece together the story of the attack.

Also, unlike SIEM, XDR solutions lack long-term storage capabilities. Whether due to functionality or performance compromises, XDR tools can’t retain data long-term. Consequently, data needs to be stored elsewhere in order to fulfill compliance and auditing requirements faced by enterprises. Compliance mandates such as PCI DSS, NIST CSF, GDPR, HIPAA, and SOX generally require organizations to reduce the risk of data breaches by implementing various security controls, tracking critical business events, defining a security threat response plan, and keeping detailed records of all security events and how they were handled. SIEM, however, provides continuous monitoring, log management, analysis and visualization and real-time threat detection and alerting that help organizations meet these requirements.

XDR tools do provide threat response capabilities that legacy SIEM platforms do not. XDR tools are also typically much easier to assemble and run than a SIEM platform. Because they have a limited set of integrations, vendors can more easily integrate the solutions, in turn easing XDR logistics and management.

How does XDR compare to EDR?

XDR is an evolution of endpoint detection and response (EDR), as well as managed detection and response (MDR). EDR is a solution deployed to connected devices on an organization’s network, such as PCs, smartphones, servers and IoT devices. EDR detection works by capturing security-related data from endpoints, which is analyzed to detect behavior that signals a potential threat. The potential threat can then be contained and investigated and, if necessary, remediated through actions such as file deletion or network blocking. Because EDR was designed to detect sophisticated threats, such as ransomware, it’s often the last line of defense, allowing human analysts to detect and remediate threats that have slipped through the cracks.

XDR goes beyond the endpoint and integrates other security processes, such as identity and access management (IAM), with EDR to enhance and extend detection across the entire IT environment.

Both XDR and EDR have several similarities, including:

  • Advanced threat capabilities: Both EDR and XDR use threat intelligence and behavioral analysis to detect and respond to sophisticated and stealthy threats, with a focus on endpoints, that go beyond antivirus capabilities.
  • Real-time monitoring: EDR and XDR both continuously collect and analyze data in a single data lake so security analysts can more efficiently monitor, detect and triage security events.
  • Fewer alerts: Because of their proactive and advanced detection capabilities, both EDR and XDR solutions generate fewer false-positive alerts, reducing the occurrence of alert fatigue within security teams and enabling a faster response to threats.
  • Threat hunting: Both EDR and XDR solutions empower security analysts to proactively search for evidence of suspicious or malicious activities in the network that weren’t triggering security alerts.

These similarities have led some vendors to simply rename their EDR solution as “XDR,” even though there’s been no change to the original product. XDR, however, aims to unify detection and response capabilities across multiple telemetry sources, not just endpoints.

Figure: XDR and EDR share a lot of similarities around threat hunting and other detection capabilities

How does XDR compare to SOAR?

XDR tools also have capabilities similar to that of security orchestration, automation and response (SOAR) platforms, with some very notable differences.

SOAR and XDR are similar in that they both aim to integrate a multitude of security tools and allow a coordinated and automated response (threat response can often be manual and repetitive, and thus conducive to automation). Automating manual functions also frees up time for analysts to perform other duties that require critical thinking and problem solving, while also virtually eliminating mistakes and oversights in manual threat response.

Despite these common goals, SOAR and XDR differ in a few important ways. For one, SOAR focuses more on automation, using a playbook-based system to orchestrate and automate incident response procedures. By contrast, XDR usually only automates single actions based on the analysis of incoming data. Also, SOAR is designed to integrate with as many tools and point solutions as possible. XDR solutions, on the other hand, are typically an assemblage of a single vendor’s tools that must be implemented together.


What are the benefits of XDR?

XDR solutions can improve on existing EDR solutions in several distinct ways, including:

  • Better detection and prevention capabilities: The use of machine learning and threat intelligence will optimize protection against a wider range of attacks than existing EDR tools may be able to do on their own. XDR solutions with automated response capabilities can also block a threat as soon as it is detected.
  • Better advanced threat defense: XDR delves deeply into endpoint and network traffic to identify trends and get to the root cause of vulnerabilities, allowing security analysts and other security professionals to identify the complex patterns and techniques in advanced attacks.
  • More effective response: XDR’s deep data collection and analysis allows security teams to trace attack vectors and understand how a threat unfolds, making it easier to locate the attacker in the environment. Integrating with tools beyond the endpoint generates a more comprehensive and coordinated response, with little effort from security professionals.

Figure: XDR offers many benefits, including better detection capabilities, better advanced threat defense and more effective response

What should I consider in an XDR solution?

When evaluating an XDR solution, there are a few key things to consider:

  • Role in your security architecture: You’ll want to determine if the XDR solution is an EDR replacement or engine for threat detection, investigation and remediation work.
  • Ease of use versus comprehensive detection: If you’re thinking of using XDR as your main SOC threat detection and response platform, you need to consider the trade-offs. XDR tools can be easier to use and set up, and their single console for detection, investigation and response can save your SOC analysts time and effort when performing threat detection and response duties. However, because XDR tools are unable to ingest and store data from across the environment, teams will miss threats and lack the investigative capabilities to find new or evolving threats, leading to increased dwell time for threats to incubate undetected. Additionally, it’s possible they would lack critical capabilities around compliance and auditing, fraud detection and threat hunting.
  • Proprietary versus open: There are two primary types of XDR solutions: proprietary and open. Proprietary XDR solutions are assemblages of a vendor’s own network solutions unified through a centralized management platform. These types of solutions work together, but may require you to replace your current tools and become locked in with a single vendor. The alternative is open XDR, which brings together disparate security products in a centralized management interface. It’s important to evaluate your organization’s needs and resources to help determine which option is best for you.
  • Vendor support: Introducing any new technology can cause some hiccups in the short term, but it’s important to know that an XDR vendor will be able to help smooth them out so you can quickly realize the benefits. If your resources are limited, many vendors also offer managed XDR services.

The Bottom Line: XDR improves your security capabilities

Ultimately, organizations are looking for solutions to help them detect, investigate and remediate threats, not just to purchase a tool or technology. Today’s security platforms are a confluence of separate tools such as SIEM, SOAR and UEBA, so it’s not a big stretch to predict that XDR, or at least some of its benefits, will be integrated into the next iteration of security operations platforms. XDR’s machine learning and threat intelligence defend against a wider range of attacks than existing EDR tools, and its deep data analytics can trace attack vectors and provide insight into the root and evolution of advanced threats. As such, the lasting legacy of XDR may very well be its influence on the next generation of security operations platforms.
