Extended Detection and Response (XDR) is the supercharged evolution of Endpoint Detection and Response (EDR), a security solution that combines real-time, continuous monitoring and collection of endpoint data with data analytics to detect threats and automate rules-based responses.
Where EDR is focused on the endpoint, XDR takes a more holistic view: integrating security solutions that monitor endpoints, cloud computing, email and other apps across your entire network infrastructure. It helps security teams become more proactive by providing unified visibility across multiple attack vectors.
Sounds good? It is, but before you dive in you should know that not all XDR platforms are created equal.
Is it really XDR?
The first consideration is whether an XDR solution is really what it says it is. There is some debate about what defines a mature XDR offering, with some cybersecurity experts suggesting that certain solutions are little more than EDR tools with a cloud integration. The difference is that a pseudo-XDR solution integrates with threat intelligence feeds to spot known Indicators of Compromise (IOCs), whereas a mature XDR solution also detects threats based on Indicators of Behaviour (IOBs). Without this capability the solution doesn’t really offer the ‘extended’ detection and response that got you excited about the platform in the first place.
Utilising artificial intelligence (AI) and machine learning (ML), IOBs deliver deeply contextual correlations between telemetry from disparate sources. This detects malicious activity at the earliest stages of an attack, such as the initial intrusion step of a ransomware campaign, and enables you to identify potential attacks earlier and stop them in their tracks.
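To make the IOC-versus-IOB distinction concrete, here is an added example (not code from the original article or any vendor) that runs both styles of detection over a few constructed telemetry events from an email gateway and an endpoint agent; the field names, hashes and thresholds are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry; field names are assumptions, not any vendor's schema.
EVENTS = [
    {"src": "email", "ts": "2024-03-01T09:00:00", "user": "alice",
     "sha256": "1111aaaa", "attachment": "invoice.docm"},
    {"src": "endpoint", "ts": "2024-03-01T09:03:10", "user": "alice",
     "host": "alice-pc", "parent": "winword.exe", "child": "powershell.exe"},
    {"src": "endpoint", "ts": "2024-03-01T11:30:00", "user": "bob",
     "host": "bob-pc", "parent": "explorer.exe", "child": "powershell.exe"},
]

# Threat-intelligence feed of known-bad hashes (constructed); the attachment above is not in it.
KNOWN_BAD_HASHES = {"2222bbbb"}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}


def ioc_alerts(events, bad_hashes):
    """IOC matching (pseudo-XDR): flag only events carrying a hash already in the feed."""
    return [e for e in events if e.get("sha256") in bad_hashes]


def iob_alerts(events, window=timedelta(minutes=10)):
    """IOB correlation across sources: an email attachment delivered to a user,
    followed within `window` by an Office app on that user's host spawning a
    script interpreter. Neither event on its own matches a known indicator."""
    ordered = sorted(events, key=lambda e: e["ts"])
    recent_mail = {}  # user -> (timestamp, most recent attachment event)
    alerts = []
    for e in ordered:
        t = datetime.fromisoformat(e["ts"])
        if e["src"] == "email" and "attachment" in e:
            recent_mail[e["user"]] = (t, e)
        elif (e["src"] == "endpoint" and e["parent"] in OFFICE_APPS
              and e["child"] in SCRIPT_HOSTS):
            mail = recent_mail.get(e["user"])
            if mail and t - mail[0] <= window:
                alerts.append({"user": e["user"], "host": e["host"],
                               "attachment": mail[1]["attachment"],
                               "child": e["child"]})
    return alerts


if __name__ == "__main__":
    print("IOC alerts:", ioc_alerts(EVENTS, KNOWN_BAD_HASHES))  # [] - unknown hash, nothing fires
    print("IOB alerts:", iob_alerts(EVENTS))  # one alert for alice
```

The same attachment that passes a hash lookup is surfaced once the email and endpoint telemetry are correlated per user, which is the ‘extended’ capability the article describes.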
Open XDR vs. Native XDR
XDR solutions come in two varieties: Open XDR, also known as Hybrid XDR, and Native XDR.
Native XDR vendors provide an all-in-one platform which collects all telemetry from that vendor’s security products. It’s effectively a closed ecosystem that handles all analytics and threat detection.
This could be the ideal solution for you if you’ve gone all in with a specific security vendor. However, there’s a danger of vendor lock-in and more limited integration options. For example, if you want to deploy a new cybersecurity tool which the vendor doesn’t offer, it won’t be integrated into your XDR platform.
It also presents a problem if your current security infrastructure includes solutions from other vendors that you don’t want to lose. Either you need to replace like-for-like with the native XDR vendor’s products, or they sit outside of the XDR.
On the plus side, a native XDR platform has been designed to work with the vendor’s other solutions. This can offer pre-built tight integrations between security tools and a more straightforward procurement and deployment process.
The alternative variety of XDR takes a more holistic approach. Open or hybrid XDR solutions are designed to integrate with multi-vendor security tools and telemetry sources, providing a central detection and response platform.
There is some confusion around the term ‘open XDR’. It doesn’t mean open source tools; instead, you’re free to pick and choose the tools you want and use DevOps and API integration functionality to bring everything together.
Open or hybrid XDR platforms do have one drawback. XDR vendors can’t realistically offer integrations with every security tool on the market. If you have a niche product or have bought a tool from a smaller vendor, you may struggle to find an XDR platform with the right integrations.
How to choose the right XDR security solution
The right XDR solution can give you a competitive advantage over hackers and cybercriminals, enabling you to be more proactive and less reactive.
With an XDR solution you can protect your environment by stopping or disrupting the attack before it’s fully executed. This “Defend Forward” approach takes the fight to the adversary rather than waiting for them to strike.
With key differences between XDR solutions, choosing a platform that’s right for you may seem complicated. To shortlist potential providers, use the following criteria to evaluate solutions:
1. Do I need Open XDR or Native XDR?
From the discussion above, you may already have a good idea of whether an open or native XDR is the best fit for you. To explore further, ask vendors the following questions to determine what approach will meet your needs:
- What security solutions does your XDR solution integrate with?
- Will I need to deploy new technology or change my infrastructure to use your XDR solution?
- What data sources are supported by your solution?
2. Do you really provide “extended” threat detection?
As discussed, some XDR solutions are not as advanced as others. To understand whether the vendor’s solution really offers extended detection and response, ask the following:
- What types of threats and malicious activities are detected by your XDR solution?
- Does that include both known and unknown threats?
- What threat intelligence sources do you use?
3. Do you need a Managed XDR?
Depending on your internal security resources you may be looking for a solution that your team can deploy and manage, or alternatively a Managed XDR service. XDR platforms are not “plug and play” solutions, despite what vendors may claim. They require extensive fine-tuning for your IT environment to minimise false positives as well as to ensure you’re identifying genuine threats. Managed XDR services can be provided by the vendor or by specialist third-party providers. When deciding on a Managed XDR provider consider the following:
- Is the XDR platform the only platform under a managed service?
- Might you outsource additional security controls in the future?
- What level of service customisation do you require?
Whatever XDR solution you select, this proactive approach utilising the latest technologies and threat intelligence is designed to cope with today’s increasingly complex and fast-moving threat landscape.
Encompassing traditional endpoints but also including the increased attack surface such as network and cloud, XDR solutions deliver much needed visibility and the ability to act proactively against threats.