If you haven’t heard about it yet, there has been a ground swell of activity over the past 12-18 months with security vendors rallying around a new theme: XDR. There have been different interpretations of what the “X” in XDR stands for, but the general concept is built on the success of the endpoint detection and response (EDR) model, now extending that model to aggregate and correlate telemetry from additional security controls, adding network, cloud, email, and more. The promise is that with a broader view of activity across security controls, more automation can be applied to deliver better coverage, insights, and ultimately more automated response actions for today’s sophisticated attacks.
For me, this just makes sense. Frankly, it’s not a new story, but instead, a new approach. Security operations teams have been working with SIEM and SOAR tools to achieve these same results for some time now. There are varying opinions regarding the outcomes of these efforts, but for most, SIEM tools have become the center of the security universe, as an overall aggregation point for telemetry across the many security tools protecting an infrastructure.
So why do we need a new approach to solving this problem? Here are my top-5 reasons why I think XDR is a good idea.
- Alert aggregation into the SIEM is too noisy. And while a ton of effort has been invested in attempting to reduce the amount of noise, SIEMs are an amalgamation of just too much uncorrelated data.
- The data is all too often apples and oranges. Correlating network telemetry with endpoint telemetry is difficult at best. The correlation process across controls is heavy lifting, and while the SIEM vendors work hard to deliver integrations, fidelity gets lost in translation.
- Response often requires action across multiple security controls. When shutting down an attack in progress, security analysts often need to work together with network admins, firewall admins, cloud security teams, and endpoint teams. SOAR tools attempt to automate this process, but again, too much heavy lifting is required to make all this happen.
- The SIEM is too fat. Organizations are paying way too much to house all the data in the SIEM, while a layer of advanced aggregation and correlation could squeeze out more than 50% of the duplicate alerts.
- The entire EDR/SIEM/SOAR stack is too complicated to create and manage. SOC teams are buried with too many tools, too many policy configurations, and too many consoles, and frankly waste an inordinate amount of time managing them all.
Pala Alto Networks and Trend Micro got this party started in 2019 delivering their initial XDR offerings. Endpoint security vendors are now getting on board, with VMware/CarbonBlack, Cybereason, SentinelOne, and Crowdstrike already talking about extending their EDR solutions by enabling the ingestion or integration of other telemetry either natively or through partnerships to enable XDR. Cisco’s SecureX announcements around RSA deliver XDR-like capabilities as well, while Microsoft is heavily focused on solving these problems with its MTP offering. XDR will be somewhat of a packaging and branding exercise for the bigger players like McAfee and Symantec, as they have offered ways to integrate other telemetry for a number of years now.
While still somewhat unproven, I am bullish on the future of XDR. ESG research tells us that detection and response is a top priority for most organizations, with the need for better threat detection and response capabilities leading the list of reasons why organizations have recently switched or have active projects to switch endpoint security vendors. My colleague Jon Oltsik and I will be digging into XDR more with our upcoming research where we will explore how companies are thinking about XDR, what problems they think it will solve, and if they plan on trying it out in the coming year.
Oh, and my interpretation of the “X” in XDR is that it conveys that this is a cross-controls detection and response solution, using the “X” to represent cross-controls.