In the small circles of Detection & Response specialists, a debate is raging around what the heck really is XDR. We at SEKOIA.IO would like to weigh in this debate by providing a point of view that is unfortunately too often eluded: that of end-users.
In the words of the NIST framework, Detection & Response solutions enable an organisation to Detect fraudulent or malevolent activities on their information system, and provide the adequate Response to prevent any significant impact (Duh…). In other words, D&R is about actively protecting1 a given organisation. No-nonsense required.
Adapted from the NIST Cybersecurity Framework – https://www.nist.gov/cyberframework
However, many have since tried to further segment this field, whether by looking at what is supposed to be detected (malware, spyware, DDoS, Ransomware, APT…) or by the place where this detection is supposed to occur (Network, Endpoint, Mobile etc.). In the end though, all of that does not matter to the end user organisation: what they are interested in is whether they can carry on their business as usual. Let us rephrase this, and let this sink in: customers don’t care about a cybersecurity product, they care about not having to care.
From this very simple observation, it follows that to provide them with this peace of mind requires three inseparable functions. First: know where to look and for what (so as to focus resources); Second: look for it wherever it might lurk (so as to provide coverage); and last: solve as many issues as possible without ringing the bell (because there are still 3M+ unfilled cybersecurity positions open in the world today). This is what XDR really is about, and this is precisely what Allie Mellen describes2 as “the three challenges that XDR looks to address”.
In her recent analyses3, she defines XDR as “the evolution of endpoint detection and response (EDR), which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management (IAM), cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.”
Similarly, Gartner analysts Peter Firstbrook and Craig Lawson define4 XDR as “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed security components. ”
We gladly concur with these views! Indeed, at its core, what does this mean? it means that a) current Detection & Response solutions are not satisfactory when it comes to coverage and performance, simply because there exist assets in most modern infrastructures that EDRs just can’t see; b) Efficient detection & response requires the smart conjugation of various tools (including business telemetry) but not at the cost of complexity to the end user nor at the price of a skyrocketing budget, and c) openness and transparency should enable seamless integrations, up to and beyond automation, either classical (SOAR) or AI-powered.
As a consequence, the very concept XDR was born from the combined need for wider coverage and razor-sharp operational accuracy. Both needs were targeted by previous approaches (SIEM systems were invented to ingest vast amounts of highly-volatile heterogeneous data, while SOAR systems stem from the lack of adequate workforce to properly proceed every alert or incident), however all users could see were mind-bogglingly complex technical stacks and armies of highly-specialized — and highly paid — specialists to operate them and deal with swarms of false positives. XDR is about connecting the dots, not about collecting more dots, leveraging intelligence in order to understand and act proactively instead of “just” detecting and responding.
In other words, you, as a CISO or SOC Manager, unless you are natively a cybersecurity specialist, should rather be able to rely on a high-relevance intelligence to steer your efforts (CTI), on a high-performance consolidated monitoring and analytics platform (SIEM or Security Analysis) that can interface seamlessly with everything you already have at hand (EPP, EDR, AV, FW, NDR, … you name it), and on a highly powerful native automation to spare your scarce resources (SOAR). And if you are that resource-conscious, having these three bundled as a single managed service makes tremendous sense once you look at the bottom line.
Did we at any point need to start with an EDR? Not at all. XDR stands for eXtended Detection and Response, not for eXtended Endpoint Detection and Response, and customers who are desperately looking for better and more efficient ways to protect their infrastructure and operations are not looking for a better horse, to speak in the famed Fordian analogy.
So could we please move past these byzantine debates, and instead do what we should all be doing in the first place: help decision makers make better decisions about their own active protection, and provide them with the most relevant solutions to detect what is actually threatening them & respond in the most efficient way?
To conclude this rant/contribution to the “XDR vs EDR” debate, we at SEKOIA.IO think that although XDR have their historical roots in EDR, the former are way past the sole evolution of the latter and now represent an integrative approach to efficient active protection, no EDR required. EDRs still provide invaluable coverage when endpoints are accessible to IT architects, and we are proud to be partnering with outstanding and innovative EDR vendors when relevant for our customers. What really cuts the line is: in the end, do our customers enjoy a higher security and a lower burden, all the while keeping their budgets under control?1 the NIST framework defines “Protection” as something else, which is much more passive and perimetric (access control, training, cryptography etc.); here we use Protection as the active act of… Detecting and Responding to threats.2 XDR FAQ Frequently Asked Questions about Extended Detection and Response, July ‘213 Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR, Forrester, April ‘214 Innovation Insight for Extended Detection and Response, Gartner, March ‘20
Thanks for reading this article, you can also check out our blog post on: