Extended detection and response (XDR) is a threat detection, investigation and response platform. It simultaneously integrates, correlates and contextualises data and alerts from multiple security layers – email, endpoint, server, cloud workload, and network. Because of this, you gain expanded visibility into security alerts, threats are detected much faster and response times are improved, all resulting in a greater level of protection.
Why is extended detection and response (XDR) important?
XDR offers significant benefits to the mid-market, delivering against the need to enhance protection and detection efficiency. Currently, attacks are increasing in both sophistication and number. On average, a mid-market organisation only has 109 seconds to respond to each alert. Security teams are struggling to meet this demand, and with the current skills shortage the challenge is daunting. Instead, they are turning to improved integration and automation of security tools to offer relief from alert fatigue and break down silos. XDR provides a cost-effective alternative to more complex solutions such as SIEM and security orchestration, automation and response (SOAR). XDR helps address:
- Gaps between point products
- Alert fatigue and overload
- Lack of personnel due to skills shortage
- Slow detection and response times.
XDR unlocks the benefits of an integrated security stack and enhanced detections and response capabilities to organisations. Key XDR benefits include:
- Shared threat intelligence in real-time across security products to efficiently block threats across the whole attack surface
- Ability to leverage externally acquired threat intelligence for use in multiple detection methods, such as network, web, email, cloud and endpoint
- Combine weak signals from multiple components into stronger signals of malicious intent
- Reducing alert overload and missed alerts with autonomous alert response
- Reducing training and skills needed to complete operational tasks with a centralised management and reporting platform.
Evolution of XDR
XDR is the evolution of endpoint detection and response (EDR). As Forrester analyst Allie Mellen explained, “good XDR lives and dies by the foundation of a good EDR.” If you don’t start with the endpoint, there’s nothing for XDR to “extend.” XDR builds on the core functions of EDR, integrating all the data and providing full visibility.
There has been rapid acceptance and adoption of XDR in the market. Although it was originally offered through a single vendor, more vendors are now partnering with third parties to offer a more heterogeneous stack. The goal for the vendors is to supplement their individual offering to their customers – offering an XDR solution whilst mitigating risk and cost.
As XDR evolves, and vendors converge their XDR offerings, the ability to deliver the benefits of XDR without the need to overhaul and replace existing solutions increases. This removes a significant barrier to adoption and avoids tie-in to a single vendor.
How to get started with XDR
Despite XDR first appearing several years ago, it is still in the early phase of adoption. There are both true believers and those who dismiss it as a fad. Forbes states “vendors jumping on the bandwagon to gain strategic advantages in Google search results and to attract more attention” as part of the problem fuelling confusion. Moving beyond the marketing hype, here are the three mistakes to avoid when starting on your XDR journey:
1. Starting from scratch
Make sure to map out potential integrations across your current portfolio first. This means talking to your existing vendors about their integration abilities. Working within your current portfolio can help avoid a costly “rip and replace” project.
However, if your existing products have limited integration capabilities, you need to weigh the cost of excessive work or custom plugins. Being able to take advantage of native integrations often provides more immediate results. Even if that means some compromises on features, the benefits of integration and automation can often outweigh them. Make sure to map out both options and decide which works for you.
2. Focusing on reducing point-products
Reducing point products isn’t everything. The key differentiator for XDR is how well it can perform as a platform – which means integration and automation are key. Enhanced integration and automation capabilities support faster, more accurate detection and response.
Instead of focusing on reducing point products, it’s worth asking two key questions. First, can I share threat detections from one channel, and apply an automated response action across all other channels? Second, does this solution identify policy misconfigurations between channels and against threats to the organisation and notify me?
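The two ideas the page relies on – combining weak signals from several layers into a stronger signal of malicious intent (listed under the key benefits above), and sharing a detection from one channel as an automated response across the others (the first question here) – are easier to judge in a platform once you have seen them in miniature. The following is an added, self-contained Python illustration written for this article; it is not code from any XDR vendor or product. The alerts, hosts, indicator values, per-layer scores, the 15-minute window, the incident threshold and the mapping of indicator types to enforcing channels are all constructed assumptions, chosen only to show the mechanics.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # assumed correlation window
INCIDENT_THRESHOLD = 6           # assumed combined-score threshold
CHANNELS = ("email", "endpoint", "network")


@dataclass(frozen=True)
class Alert:
    source: str      # one of CHANNELS: the layer that raised the alert
    host: str        # asset the alert relates to
    ts: datetime     # time of the alert
    score: int       # weak-signal weight for this layer (assumed)
    indicator: str   # "kind:value", e.g. a sender domain, file hash or destination


def _t(hhmm: str) -> datetime:
    """Helper to build timestamps for the constructed sample data."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return datetime(2024, 1, 1, hour, minute)


# Constructed sample alerts, not real telemetry. On ws-01 three layers fire
# within minutes (phishing mail, suspicious file, outbound connection); on the
# other hosts the alerts are isolated or too far apart to reinforce each other.
SAMPLE_ALERTS = [
    Alert("email",    "ws-01", _t("09:00"), 2, "sender:invoices-example.test"),
    Alert("endpoint", "ws-01", _t("09:04"), 3, "sha256:PLACEHOLDER_HASH_1"),
    Alert("network",  "ws-01", _t("09:09"), 3, "dst:c2-example.test"),
    Alert("email",    "ws-02", _t("10:00"), 2, "sender:newsletter-example.test"),
    Alert("endpoint", "ws-03", _t("11:00"), 3, "sha256:PLACEHOLDER_HASH_2"),
    Alert("network",  "ws-03", _t("14:00"), 3, "dst:cdn-example.test"),
]


def correlate(alerts, window=WINDOW, threshold=INCIDENT_THRESHOLD):
    """Group alerts per host, slide a time window over them, and raise one
    incident per host when alerts from at least two distinct layers fall in
    the window and their combined score reaches the threshold."""
    by_host = {}
    for a in sorted(alerts, key=lambda a: (a.host, a.ts)):
        by_host.setdefault(a.host, []).append(a)

    incidents = []
    for host, host_alerts in by_host.items():
        for i, first in enumerate(host_alerts):
            cluster = [b for b in host_alerts[i:] if b.ts - first.ts <= window]
            sources = {b.source for b in cluster}
            total = sum(b.score for b in cluster)
            if len(sources) >= 2 and total >= threshold:
                incidents.append({
                    "host": host,
                    "score": total,
                    "sources": sorted(sources),
                    "indicators": [b.indicator for b in cluster],
                })
                break  # one incident per host; the analyst triages the cluster
    return incidents


# Assumed mapping: which channels can enforce a block on each indicator type.
# A hash seen by the endpoint agent is also blocked as a mail attachment, and
# a callback domain seen on the network is also blocked in mail links.
ENFORCERS = {
    "sender": ("email",),
    "sha256": ("email", "endpoint"),
    "dst":    ("network", "email"),
}


def response_actions(incident):
    """Turn every indicator from one incident into blocking actions on all
    channels able to enforce it, regardless of which channel raised it, and
    isolate the affected host on the endpoint channel."""
    actions = []
    for ind in incident["indicators"]:
        kind = ind.split(":", 1)[0]
        for channel in ENFORCERS.get(kind, ()):
            actions.append((channel, "block", ind))
    actions.append(("endpoint", "isolate", incident["host"]))
    return actions


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"incident on {inc['host']} score={inc['score']} from {inc['sources']}")
        for channel, action, target in response_actions(inc):
            print(f"  {channel:8s} {action:9s} {target}")
```

Run as written, only ws-01 produces an incident: each of its three alerts is a weak signal on its own, but together they cross the threshold, and the indicators then fan out as blocks on channels that never raised an alert themselves. That fan-out is what the first question above is really testing a platform for; a product that only shows the three alerts side by side on one dashboard would pass the “single pane” test and still fail it.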
3. Ignoring the benefit of simplicity
XDR platforms are supposed to make things easier for security teams. This goes beyond just having a single interface and dashboard. If that one dashboard makes configuration and maintenance complicated, then you aren’t saving time. As soon as your platform is difficult to update, or does not enable simple policy changes, its value decreases.
You also need to beware of Frankenstein platforms – platforms made up of multiple technologies that aren’t natively linked. Your reporting may look the same, but you are effectively still using individual point products, which isn’t XDR. Instead, focus on platforms that include native services and functionalities, without external add-ons.