What Is Extended Detection and Response (XDR)?

---

XDR helps unify data from multiple threat detection and response tools, and can provide more holistic visibility and context to security teams.

       

What is XDR?

XDR, or Extended Detection and Response, is a more advanced and comprehensive approach to security that pulls in data from other security tools that scan endpoints, networks, cloud, applications, and other areas of the enterprise’s digital infrastructure. It offers robust automation and analytical capabilities that can help security teams establish a more complete picture of persistent threats.

       

The benefits of XDR

The best XDR solutions should enable integration and correlation of multiple data streams and help SOCs reduce “chair swivel” between outputs. XDR should also make the security team more efficient and effective, reduce incident response times and employ artificial intelligence (AI) for scale and adaptation.

As a relatively new arrival in the security marketplace, XDR’s capabilities and value can still vary widely from vendor to vendor. There is ongoing debate over what it’s capable of, whether it can replace existing security tools, if it should replace a leg in the SOC Visibility Triad or acts as a complement and container to that structure. Nevertheless, Extended Detection and Response has evolved from a guiding principle into a genuine product with realized potential to improve overall security and spend.

       

XDR capabilities and features

As stated, Extended Detection and Response is a relative newcomer. The term “XDR” was coined by Palo Alto Networks CTO Nir Zuk in 2018. Many security experts consider it to be an evolution of endpoint detection and response (EDR) that provides a more systematic integrative approach with tools that monitor networks (notably network detection and response, or NDR), and log collection and management tools, such as security information and event management (SIEM).

The key to understanding XDR is to focus on the ‘X’. Like tools that preceded it, XDR is meant to help security teams monitor their infrastructure, and respond (reactively or, hopefully, proactively) to cyber threats. The ‘extension’ means that visibility extends across multiple layers of the security stack. An XDR solution should collect and intelligently correlate data from endpoints, servers, networks, cloud, and email, and provide granular visibility into each layer.

XDR should automatically weed out anomalies from the alert streams originated from each of these layers, and surface high-priority threats by leveraging advanced analytics that is pre-built into the tool. The best solutions will have sufficient automation and learning capability to relieve security teams of manual tuning and management of detection rules, thereby generating a significant time and cost savings.

When properly integrated with the rest of the security stack, XDR should enable end-to-end orchestration and response to a cyber threats by correlating threat context and telemetry, indicators of compromise (IOC), and timelines, and should provide SOC teams with a unified pane of glass that makes response workflows less complicated and faster. The solution should be cloud-based to provide data storage sufficient to detect attack patterns typical of stealthy threats, in which the initial intrusion may occur days or weeks before attackers deliver payload or make a lateral movement.

To realize this potential, an XDR solution will need to be flexible while delivering analytical power sufficient to manage multiple data streams. By automatically weeding out many of the alerts that can result in false positives or low-value investigations, it should free up security experts to respond only to the most salient threats, and to undertake a more proactive and simplified threat-hunting approach.

       

How XDR differs from, and complements, other security tools

Security experts are still discussing how Extended Detection and Response fits in with the existing security stack, and whether or not it can replace other tools as well as providing an integrated framework. To provide some insight into these open questions, it can be helpful to compare XDR to some commonly deployed tools, specifically the elements of the SOC Visibility Triad: EDR, NDR, and SIEM.

 

XDR and EDR

Endpoint detection and response, or EDR, provides an in-depth view into actual devices working within the enterprise, including laptops, servers, and workstations. EDR uses agents to monitor and analyze all activity on each endpoint, and provides a central locus at which all endpoint data can be collected. Like most other advanced security tools, it leverages machine learning and behavioral analysis functions to help detect behavior patterns, and often relies on signature-based detection and threat databases to help identify threats in real time.

EDR is known for providing threat detection that is deep—it provides significant insights into user behavior, network connections, external addresses accessed, administrative functions, file creation, among other functions — but restricted only to endpoints to which EDR agents are deployed.

XDR provides security teams with a scope that extends beyond endpoints, and integrates endpoint telemetry with other data streams. As such, XDR helps the SOC visualize a more complete presentation of the enterprise’s attack surface and overall security posture. To put it another way, EDR provides one stream of data that channels into the XDR filter.

 

XDR and NDR

Network detection and response (NDR) provides passive analysis of the enterprise’s network traffic. Using a variety of methods, including packet capture (PCAP) and inspection, machine learning, signature-based and behavioral analysis, it provides constant monitoring of network activity in the cloud, data centers, and Kubernetes clusters, the nodes or platforms on which containerized applications or workloads run. Like EDR, NDR solutions leverage databases to stay current on threat activity.

The best NDR solutions are known for providing deep visibility into network traffic without slowing down workflows, as they do not deploy agents and instead monitor various components, such as physical and virtual TAPs, cloud packet mirrors, and firewalls. Network data is highly valuable to threat hunters, as it provides an immutable record of activity, even when attackers are covering their tracks.

Here too, Extended Detection and Response can provide visibility expansion and filtering. It can harness data flows from other security layers, such as endpoints, email gateways, and cloud platforms, and embedded systems, and synthesize the indispensable network telemetry and alert systems within a broader security framework.

XDR and SIEM

Security information and event management (SIEM) operates on a similar principle to XDR, in that it collects and analyzes logs and event data from a variety of sources, including intrusion detection systems servers, firewalls, and other components. While SIEM plays an important security role, it has other use cases, including data management, forensics and compliance.

SIEM tools leverage signatures, rules, and heuristics to identify potential security issues, and also generate alerts for security teams. Many of the tool’s response actions can be automated via rules setting or scripts, and most can integrate with common security technologies (EDR and NDR most notably).

While it is a legitimate security tool, SIEM often works in conjunction with security optimization, automation and response (SOAR) software tools that are more specific to security use cases. SOAR enables integration between different monitoring tools and response, but lacks the analytical capacity of SIEM platforms.

By contrast, XDR provides more threat- and security-focused use cases than SIEM systems. It can integrate with more technologies, generally deploys more powerful analytics, and enables faster, more orchestrated response by security teams.

Because it is often considered to be an evolutionary advance over SIEM, XDR is sometimes promoted as its replacement in the SOC Visibility Triad. Every organization will need to evaluate this option based on its distinct requirements, but it is important to note that SIEM’s non-security use cases mean that this tool’s functionality cannot be replaced across the board.

       

Factors to consider when selecting XDR

The most important factor to bear in mind is that XDR is still a marketing term as well as a legitimate security product. Some vendors are looking to exploit a trend by repackaging existing tools as “XDR” without really delivering on the full potential of the technology. Some of these products can actually increase, rather than reduce, the complexity and configurations SOCs must contend with; others may result in vendor lock-in and create integration issues with the existing security stack.