Understanding XDR in Cybersecurity Strategy

Anandadip Mandal
3 min read · Dec 28, 2020

In their effort to keep pace with the ever-evolving threat landscape, large organizations often end up with a myriad of security tools. This tool overload, coupled with understaffed and overworked security teams, results in disjointed layers of protection and multiple security strategies working in silos. Well-orchestrated attacks can sneak into the corporate network, lurk between these siloed defenses, and cause irreparable damage to the enterprise.

Motivation behind Extended Detection & Response (XDR)

XDR aims specifically at removing the following problems that are caused by siloed security approaches:

  • Too many disconnected security tools.
  • Data sets from too many vendors and inadequate integration with analysis tools causing “analysis paralysis”.
  • Unwarranted time & effort spent pivoting between various tools to extract the required information.
  • Lack of coordination among the various tools makes security operations complex, resulting in poor incident-response capabilities.
  • Unsatisfactory ROI on existing security investments.

The prime objective of XDR is to enhance threat detection and response by unifying data, automation, and measurement. It breaks down detection silos, improves SOC productivity, and lowers ownership costs. XDR doesn’t replace SIEM, EDR, or any other security platform; rather, it unifies multiple security products into a cohesive incident-response platform.

How XDR works

Gartner defines XDR as “a SaaS-based, vendor-specific, security threat detection, and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

Let’s take a few steps back and revisit the capabilities of existing tools so that this definition can be understood in context.

Corporate cyberspace typically consists of a diverse set of end devices, networks, servers, cloud workloads, and numerous SaaS or cloud services. Historically, organizations have employed varying security measures to safeguard these digital assets. These measures broadly fit into the following categories:

  1. Endpoint-centric: Such as EDR and other endpoint tools.
  2. Log-based: SIEM or UEBA, together with various SaaS application and CASB logs.
  3. Network-based: Such as NTA & NDR solutions.

All these approaches are effective in their respective spaces. EDR solutions protect endpoints, contain breaches at edge devices, and have the ability to investigate and respond to threat incidents. But they don’t provide visibility across networks, servers, and cloud workloads. SIEM tools, on the other hand, focus on detecting threats rather than responding to them: they gather data from different sources, analyze it, and provide actionable signals. NTA and NDR solutions collect and analyze network traffic for potential threats, but they have no endpoint visibility. Threat actors exploit the silos created by these different approaches.

As an example, network analysts or NDR solutions can pick up anomalous behavior within the network and the underlying weakness behind it, but without endpoint visibility they can’t ascertain the source and scale of an attack.

XDR collects and correlates data across multiple security layers, enabling a level of detection and investigation that is impossible to achieve with individual solutions. With the combined context, events that earlier seemed benign become meaningful indicators of compromise. XDR simplifies security operations through centralization and normalization of data. For example, an attack that raises alerts on email, endpoint, and network can be blended into a single incident.

XDR vs SOAR

XDR is the solution that combines human reasoning with machine power to make complex decisions with high fidelity. In comparison to SOAR and SIEM tools, XDR can be thought of as the combination of both — SIEM-like alert integration, normalization, and correlation, plus SOAR-like automated investigation and response, with added security functions that can include antivirus, firewall, EDR, and NDR protection.
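The two preceding passages (blending email, endpoint, and network alerts into one incident, and the SIEM-like normalization plus SOAR-like response that XDR layers on top) are easier to see in code. The following is an added example written for this article, not code from the author or from any XDR product: alerts from three constructed sources, each in its own field naming, are normalized onto one schema, grouped into incidents by shared entities within a time window, and then mapped to containment actions. The source names, field names, hashes, hostnames and IP addresses are all assumed sample values.

```python
"""Added example (not from the article): a minimal XDR-style pipeline.

Step 1 normalizes email, EDR and NDR alerts onto one schema; step 2 correlates
them into incidents by shared entities within a time window; step 3 derives
containment actions from the incident's entities (the SOAR-like part).
Every alert below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample alerts, each in its source's own (differing) field names.
EMAIL_ALERTS = [
    {"ts": "2020-12-28T09:00:00", "recipient": "alice",
     "attachment_sha256": "ab12", "verdict": "suspicious attachment"},
]
EDR_ALERTS = [
    {"time": "2020-12-28T09:04:00", "hostname": "ws-017", "user": "alice",
     "sha256": "ab12", "event": "untrusted process started"},
]
NDR_ALERTS = [
    {"timestamp": "2020-12-28T09:06:30", "src_host": "ws-017",
     "dst": "203.0.113.9", "category": "periodic beaconing"},
    {"timestamp": "2020-12-28T13:00:00", "src_host": "ws-042",
     "dst": "198.51.100.7", "category": "internal port scan"},
]

# Assumed mapping from entity type to a containment action (hypothetical).
ACTIONS = {"host": "isolate endpoint", "hash": "quarantine file",
           "ip": "block outbound connection"}


@dataclass
class Alert:
    source: str
    ts: datetime
    description: str
    entities: Set[str]  # normalized keys such as "user:alice" or "host:ws-017"


@dataclass
class Incident:
    alerts: List[Alert] = field(default_factory=list)
    entities: Set[str] = field(default_factory=set)

    @property
    def sources(self) -> Set[str]:
        return {a.source for a in self.alerts}

    @property
    def last_seen(self) -> datetime:
        return max(a.ts for a in self.alerts)


def normalize(source: str, raw: Dict[str, str]) -> Alert:
    """Map one source-specific alert onto the common schema."""
    if source == "email":
        return Alert(source, datetime.fromisoformat(raw["ts"]), raw["verdict"],
                     {f"user:{raw['recipient']}", f"hash:{raw['attachment_sha256']}"})
    if source == "edr":
        return Alert(source, datetime.fromisoformat(raw["time"]), raw["event"],
                     {f"host:{raw['hostname']}", f"user:{raw['user']}", f"hash:{raw['sha256']}"})
    if source == "ndr":
        return Alert(source, datetime.fromisoformat(raw["timestamp"]), raw["category"],
                     {f"host:{raw['src_host']}", f"ip:{raw['dst']}"})
    raise ValueError(f"unknown source {source}")


def correlate(alerts: List[Alert], window: timedelta = timedelta(hours=1)) -> List[Incident]:
    """Group alerts sharing an entity within `window` into incidents.

    Alerts are walked in time order; one joins the first incident that shares
    at least one entity and whose latest alert is within the window, otherwise
    it opens a new incident. Entities accumulate, so the EDR alert bridges the
    email alert (user + hash) and the NDR alert (host) even though those two
    share nothing directly.
    """
    incidents: List[Incident] = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        for inc in incidents:
            if inc.entities & alert.entities and alert.ts - inc.last_seen <= window:
                inc.alerts.append(alert)
                inc.entities |= alert.entities
                break
        else:
            incidents.append(Incident([alert], set(alert.entities)))
    return incidents


def recommended_actions(inc: Incident) -> List[str]:
    """Derive containment actions from the entity types present in the incident."""
    acts = set()
    for ent in inc.entities:
        kind = ent.split(":", 1)[0]
        if kind in ACTIONS:
            acts.add(f"{ACTIONS[kind]} {ent}")
    return sorted(acts)


def build_incidents() -> List[Incident]:
    alerts = ([normalize("email", r) for r in EMAIL_ALERTS]
              + [normalize("edr", r) for r in EDR_ALERTS]
              + [normalize("ndr", r) for r in NDR_ALERTS])
    return correlate(alerts)


if __name__ == "__main__":
    for n, inc in enumerate(build_incidents(), 1):
        print(f"Incident {n}: sources={sorted(inc.sources)}")
        for a in inc.alerts:
            print(f"  {a.ts.isoformat()} [{a.source}] {a.description}")
        print("  actions:", "; ".join(recommended_actions(inc)))
```

Run stand-alone, the script groups the email, EDR and first NDR alert into one incident (three sources, linked through user, file hash and host) and leaves the afternoon port scan from a different host as a separate single-source incident. The point the article makes is visible here: the email alert and the beaconing alert look unrelated on their own and only become one story once the endpoint telemetry sits between them.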

Conclusion

XDR provides broad-based benefits that improve overall security posture. But it has drawbacks that security analysts should be aware of. Vendors typically specialize in specific security tools such as EDR or next-generation firewalls. Once vendors step outside their core competencies and build additional security products to round out an XDR offering, the result is often an unimpressive toolkit that lacks depth of functionality. In addition, XDR solutions carry a serious vendor lock-in risk.

Anandadip Mandal

Technology evangelist | Building next-generation cloud network security products