The term XDR was coined in 2018 by Nir Zuk of Palo Alto Networks.
Since then, vendors seeking to differentiate their products in a crowded security market have latched on to the latest three-letter abbreviation in an effort to brand their own remix of the tools and techniques everyone is already using. It is an effort to birth a marketing baby they have named XDR.
Today's unrelenting threat landscape has produced an industry paradigm in which the common-sense thing to do is to continually evolve and mature security defenses for fear of being caught behind the curve. Security departments are eager to adopt "next-gen" platforms, the detection and response sector is abuzz, and it is all about XDR, or Extended Detection and Response.
But it isn't really next-gen technology, as some claim, and XDR doesn't live up to the hype and marketing buzz that is all over the internet.
What is Extended Detection and Response?
XDR isn't the more evolved and holistic approach that Forbes claims; it is merely a dressed-up package of tools you already use.
To understand where XDR came from, it's important to understand where EDR came from.
In 2013, Anton Chuvakin of Gartner coined the term (originally "endpoint threat detection and response", later shortened to EDR) for a new class of security tools developed to provide better visibility into what is happening on endpoints.
Endpoint Detection and Response, or EDR, came about because traditional anti-virus (AV) and anti-malware products could no longer stop most of the malicious activity occurring on endpoints.
AV works by maintaining a list of known-bad signatures (file hashes and byte patterns) on the endpoint, supplied by the vendor's research team. At its inception this worked well, but over the years efficacy fell: a vendor's researchers cannot keep pace with the rate of new threats, and a trivially modified sample has a new hash the list has never seen.
In the best light, XDR is the response of non-endpoint security tools copying the EDR model: collect large amounts of telemetry for correlation, analysis, and threat hunting.
A more cynical view is that XDR is the rest of the security market responding to customer spending shifting toward EDR tooling.
Vendors are lining up to offer XDR as the next advancement beyond EDR. Some have gone so far as to acquire other companies to create the impression that their brand of XDR is more substantial, but it is smoke and mirrors.
- Apr 24, 2018 – Palo Alto Networks Closes Acquisition of Secdo
- Feb 18, 2021 – CrowdStrike to Acquire Humio and Deliver the Industry's Most Advanced Data Platform for Next-Generation, Index-Free XDR
- Feb 21, 2021 – SentinelOne Acquires Scalyr to Revolutionize XDR and Security Analytics
- Sep 1, 2021 – LogPoint acquires SecBI, to add native SOAR and XDR capabilities
Is there a standard for XDR?
Because one vendor's XDR differs from every other vendor's, comparison shopping is close to impossible: no two versions of XDR are the same. The only consistent definition of XDR tooling is that it collects some set of data for correlation, analysis, search, and hunting.
Each vendor's XDR approach differs. Firewall vendors can say, "Look! Now you can search our dataset too, right from our toolset."
SIEM vendors use XDR to say they compete with the EDR tools.
For EDR vendors, "adding" XDR is pretty much saying, "We already collect all the endpoint data; now we've added the ability to collect everything else too." Our bet is on the EDR tools prevailing.
XDR vs SIEM
Since the term "security information and event management" was coined in 2005, the SIEM has evolved into the tool we use today, with capabilities that address a broad spectrum of problems.
On the surface, the goals of a SIEM and of XDR look similar. A SIEM collects, stores, aggregates, and analyzes large amounts of log data. That broad scope gives it unparalleled breadth of visibility: operating systems, applications, firewalls, and switches all feed into the SIEM as a common collection point.
SIEM, EDR, and network detection and response (NDR) have a natural relationship: EDR and NDR produce the detailed endpoint and network telemetry, and the SIEM is where it is joined with everything else.
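The correlation described above (the one consistent thing XDR tooling does, per the earlier definition, and the common-collection-point role of a SIEM), as an added Python example that is not from the article or any vendor's product. It joins endpoint process-start telemetry to firewall connection logs by host and time window and flags an Office-spawned child that immediately reaches an external address. It also shows the hash-list limitation mentioned earlier: the flagged sample is a rebuilt variant whose hash is not on the denylist, so a signature lookup alone misses it. All events, hashes, hostnames, IPs, the key=value firewall log layout, the asset inventory, and the "Office parent + external connection within 60 seconds" rule are constructed assumptions for this example.

```python
"""Added example (not from the article): joining endpoint telemetry with
firewall logs, the correlation that EDR, SIEM and "XDR" products all sell.
Every event, hash, hostname and IP below is constructed for this example."""
import hashlib
import ipaddress
from datetime import datetime, timedelta, timezone

# Signature-style AV denylist: only samples the vendor has already analysed.
# (Constructed hash; a real list would hold millions.)
KNOWN_BAD_SHA256 = {hashlib.sha256(b"dropper-build-1").hexdigest()}

# RFC 1918 ranges; anything outside them is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# An Office parent spawning a child that immediately talks to the internet is a
# classic maldoc pattern; this rule is an assumption made for the example.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "POWERPNT.EXE"}

# Constructed EDR process-start telemetry. The dropper is a rebuilt variant,
# so its hash is not on the denylist and a hash lookup alone misses it.
EDR_EVENTS = [
    {"ts": "2021-09-01T10:00:00Z", "host": "ws-017", "pid": 4120,
     "image": r"C:\Users\jsmith\AppData\Local\Temp\update.exe",
     "parent": "WINWORD.EXE",
     "sha256": hashlib.sha256(b"dropper-build-2").hexdigest()},
    {"ts": "2021-09-01T10:03:00Z", "host": "ws-017", "pid": 4188,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": "explorer.exe",
     "sha256": hashlib.sha256(b"firefox").hexdigest()},
    {"ts": "2021-09-01T10:05:00Z", "host": "ws-022", "pid": 900,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent": "services.exe",
     "sha256": hashlib.sha256(b"svchost").hexdigest()},
]

# Constructed firewall log in an assumed key=value layout.
FW_LOG = """\
2021-09-01T10:00:20Z fw01 action=allow src=10.20.5.17 dst=203.0.113.45 dport=8443 proto=tcp
2021-09-01T10:03:10Z fw01 action=allow src=10.20.5.17 dst=198.51.100.9 dport=443 proto=tcp
2021-09-01T10:05:30Z fw01 action=allow src=10.20.5.22 dst=10.20.1.5 dport=445 proto=tcp
"""

# Constructed asset inventory: the join key between hostnames (EDR) and IPs (firewall).
ASSET_IPS = {"ws-017": "10.20.5.17", "ws-022": "10.20.5.22"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def av_verdict(sha256):
    """Hash-list check: hits only on an exact match with a previously seen sample."""
    return sha256 in KNOWN_BAD_SHA256


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_fw_line(line):
    """Turn one key=value firewall line into a dict with a parsed timestamp."""
    ts, device, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = parse_ts(ts)
    rec["device"] = device
    return rec


def correlate(edr_events, fw_log, asset_ips, window=timedelta(seconds=60)):
    """Join each process start to outbound connections from the same host
    within `window`, and flag Office-spawned children reaching external IPs."""
    fw = [parse_fw_line(l) for l in fw_log.splitlines() if l.strip()]
    findings = []
    for ev in edr_events:
        start = parse_ts(ev["ts"])
        src = asset_ips.get(ev["host"])
        for conn in fw:
            if conn["src"] != src or not (start <= conn["ts"] <= start + window):
                continue
            if is_internal(conn["dst"]) or ev["parent"].upper() not in OFFICE_PARENTS:
                continue
            findings.append({
                "host": ev["host"], "pid": ev["pid"], "image": ev["image"],
                "parent": ev["parent"], "dst": conn["dst"],
                "dport": int(conn["dport"]), "av_known_bad": av_verdict(ev["sha256"]),
            })
    return findings


if __name__ == "__main__":
    for f in correlate(EDR_EVENTS, FW_LOG, ASSET_IPS):
        print(f)  # one finding: update.exe from WINWORD.EXE -> 203.0.113.45:8443, AV miss
```

Run as a script it prints a single finding: the Temp-directory binary launched by WINWORD.EXE that connected to 203.0.113.45:8443 twenty seconds later, with `av_known_bad` False. The Firefox connection from the same host is not flagged because its parent is explorer.exe, and the svchost connection is not flagged because its destination is internal. The join key (hostname to IP) is the part that usually breaks in practice when DHCP leases and inventory drift, which is why the asset mapping is made explicit here rather than assumed.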
XDR vs EDR vs MDR
EDR and MDR (Managed Detection and Response) both monitor endpoints proactively and detect issues. The difference between the two comes down to who operates the tooling.
EDR looks specifically at endpoint environments to detect threats: the ones that have somehow gotten past the predictive and preventive defenses in your security framework, before they can become a bigger problem for the network.
MDR is a managed service that bolsters the capabilities of EDR with the expertise of security analysts behind the curtain who have eyes on glass. These analysts can tune the EDR tooling to a specific environment and customer scenario to make it as efficient and effective as possible.
XDR is essentially EDR or MDR with a few other data sources thrown in (which ones depends on the marketing) so that it can be branded as XDR.
Is XDR the next generation solution in security?
No. There is nothing truly innovative about XDR. It is not new or cutting-edge technology in the way that Endpoint Detection and Response (EDR) was when it vastly changed security.
XDR is the current buzzword vendors have adopted to market a grouping of security technologies as their XDR-branded product, often acquiring other security brands to enhance the illusion that XDR is better.
But if the goal is to buy the remix, the re-envisioned combination of today’s standard tooling, perhaps XDR is a good way to spend money.