The Key Components of XDR and Differences Between Them

Coined by Palo Alto Networks in 2018, extended detection and response is an evolution of endpoint detection and response, but definitions vary significantly. Cybereason predicted that more than two-thirds of companies would invest in XDR over the next year. As market inertia is growing, it’s a great time to review different XDR out there.

Companies have a few options for extended detection and response (XDR) products. But in general, there are primarily two types of XDR —Open and Native, or hybrid and closed. As XDR is still a newborn, breaking out XDR types further would not help but confuse the targeted users.

What is XDR? Everyone Has a Different Answer

As the name hints, XDR tools represent an extension of traditional EDR platforms. Coined by Nir Zuk, Palo Alto Networks CTO, in 2018, XDR aims to break down conventional security silos and deliver detection and response across all data sources. As such, according to Palo Alto Networks:

“XDR provides a far more robust view across networks, cloud workloads, servers, and endpoints. One of the limitations that we see with focusing solely on EDR (endpoints) versus XDR (endpoints, cloud, networks, etc.) is that it requires the security team to do the work manually that XDR automates.”

While its competitor, Checkpoint, said the other. Without mentioning EDR, they defined XDR in a post on its website:

“XDR solutions integrate security visibility across an organization’s entire infrastructure, including endpoints, cloud infrastructure, mobile devices, and more,”

“This single pane of glass visibility and management simplifies security management and enforcement of consistent security policies across the enterprise.”

Interestingly, analytic firms look at XDR from another angle; Gartner described XDR as:

“a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system.”

It seems like none of them has a single definition of the same term XDR, but all of them did say things like “integration,” “visibility,” and “management.” let’s go one step further to look into the definition.

XDR As EDR Extension

One school of XDR said it is an evolution of endpoint detection and response (EDR). It is mostly from security vendors with considerable investments in EDR products and seeking an expansion of the telemetry to maximize visibility in the environment. Examples of this XDR school include:

• Crowdstrike Falcon XDR,
• Palo Alto Networks Cortex XDR, and
• Trend Micro Vision ONE.

EDR digs out security breaches as they happen on workstations and other endpoint devices. With XDR, companies get analytics and telemetry beyond endpoints. SaaS-based XDR collects threat data from the network, cloud, servers, email systems, and other security tools, such as:

• Identity and Access Management (IAM),
• Firewall,
• Intrusion Prevention System (IPS), and
• Cloud Acces Security Broker (CASB).

With all the collected data ingested into a single platform, security teams overlook the threat landscape altogether. In addition, with the help of machine learning (ML) and behavioral analysis, XDR provides automated response capabilities, enabling security teams to respond to threats faster.

XDR As SaaS-based SIEM Upgrade

What happens to all other security vendors that do not have Endpoint products? XDR then becomes another set of tools.

Gartner described XDR as:

“a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system.”

According to Gartner, the four primary functions of an XDR system are:

1. Collection of typical security products that are integrated out-of-the-box
2. Centralization and normalization of data in a central repository for analysis and query
3. Improved detection sensitivity from the assistance of security products working in coordination
4. Correlated incident response capability that can change the state of individual security products as part of the recovery process

The second school of XDR, like SIEM and SOAR solutions, is built to integrate with a wide variety of security and IT tools. Still, XDR is differentiated from SIEM and SOAR products by the level of built-in integrations available at deployment and the focus of threat detection and incident response use cases.

Even though SIEM products have been around for a long time, many organizations have not fully deployed SIEM tools. Or they use SIEM for log storage and compliance purposes only.

Product Examples of this school of XDR include:

• Hunters XDR
• Exabeam Fusion XDR, and
• Stellar Cyber Open XDR.

Many organizations find that using SIEM for threat detection and response is a resource-heavy effort that is impossible to keep up with the emerging threats. Often security teams become overwhelmed by excessive, uncoordinated alerts that too often go unattended. They have difficulty developing detection rules and applying contextual indicators to combine multiple signals or provide full incident response capability.

Thus, some vendors believed they purposely built XDR products to solve this gap. They focus on delivering effective detection and response to targeted and advanced attacks across the attack surface, including native support for UEBA, threat intelligence, and analytics.

In some cases, XDR can provide a cost-effective, agile alternative to SIEM, especially those built on cloud-native modern data lakes. In these cases, an XDR can offer a cost-effective, always-hot data storage coupled with advanced analytics — serving as a complete SIEM replacement option.

Combining Both Schools

Ideally, security teams adopt XDR to improve threat detection, investigation and response. They can be more proactive and less reactive to potential threats with the addition of XDR. No matter company buys XDR as a super EDR or SIEM; it should be able to mitigate:

1. poor detection efficacy
2. high false-positive rates
3. many alerts for the security operations center
4. time spent mitigating threats

Security breach investigations take too long at most companies. Security teams can either respond quickly, or they can react completely, but it is very challenging to do both at the same time.

XDR can solve these problems by consolidating multiple security products into a cohesive security incident detection and response platform, which helps by providing context and visibility to each incident. In addition, it addresses the missing link between detection and response — incident investigation.

This enables a practical approach to automated response through SOAR and remediation playbooks. In addition, some XDR tools offer direct integration with SOAR, increasing the effectiveness of these tools, and some are developing built-in response capabilities.

Open XDR vs. Native XDR

As the XDR market emerges, we’re seeing two different styles of XDR being created — Open XDR and Native XDR. Open XDR focuses on third-party integrations, while Native XDR provides an all-in-one platform.

What’s Open XDR?

Image from maxpixel.net | CC0

Forrester defines hybrid XDR as:

"An XDR platform that relies on integrations with third parties for the collection of other forms of telemetry and execution of response actions related to that telemetry."

Firstly, “Open XDR” does not mean open source tools. That’s why some organizations prefer hybrid XDR rather than Open XDR, and Open XDR products primarily are designed to integrate with other security analytics tools.

Instead of tearing and replacing current security tools, adopters work with a core XDR product that connects with an existing setup and provides a central management plane. Open XDR product examples include:

• VMware,
• Netskope,
• Exabeam Fusion XDR, and
• Stellar Cyber Open XDR.

As clarified by Cybersecurity Insiders, Open XDR works with tools into which organizations have already invested capital and effort, so security teams can continue to leverage those technologies from now on without needing to replace them. Additionally, open XDR can leverage multiple security tools, vendors, and telemetry types, all integrated into a single detection and response platform centralizing behavior analysis.

One downside is that companies need to ensure the Open XDR tool they select has enough integrations. Non-standard security products or products that serve specific needs may get left by the wayside. It’s not feasible for vendors to build links for all products out there.

What’s Native XDR?

Image by Ivan Radic from flickr.com | (CC BY 2.0)

Forrester defines native XDR as:

"An XDR suite that integrates with other security tools from their portfolio for the collection of other forms of telemetry and execution of response actions related to that telemetry."

For native XDR, vendor offerings collect all telemetry. Examples of Native XDR platforms include:

• Microsoft 365 Defender,
• Checkpoint XDR,
• Cisco XDR, and
• Palo Alto Networks Cortex XDR.

Native XDR component integrates with the rest of that vendor’s security products. As a result, security teams don’t have to worry about integrations, as one platform handles all analytics and threat detection. However, implementation of Native XDR can be tricky, as security teams need to configure existing tools in favor of one new and complete platform. In addition, the lack of third-party integration capabilities is also a downside.

A Native XDR platform can’t interact with solutions offered by its provider. This burden is unlikely to motivate organizations to leave their existing security investments and substitute them with the provider’s counterparts as they would lose money in the process.

Final Words — One More XDR Type

In a recent survey by Enterprise Strategy Group (ESG):

• 73% of IT and security professionals said their organizations already have a Managed Detection and Response (MDR) provider or
• are in the process of working to adopt MDR services
• More than half of those respondents articulated the belief that an MDR provider could do a better job at threat detection and response for their organization than they could do on their own.

One step further, it becomes Managed XDR — or MXDR. Ideally, MXDR doesn’t just provide a managed service. It also extends the skills of existing staff members, functionality which helps simplify all security processes and operations while cutting down on manual tasks.

After all, as XDR matures, XDR types will narrow down.

The biggest hurdle for XDR in 2021 is that potential customers don’t understand it or how it helps security teams. Therefore, vendors need to show security teams how XDR differs from EDR, SIEM, and SOAR. With more feedback and use cases adoption, we will finally see a more precise direction of how XDR will become in 2022.

------

Thank you for reading. May InfoSec be with you🖖.

Also Published Here