From EDR to XDR: Inside extended detection and response
As the definition of endpoints evolves, so too must the technology to protect them. Enter extended detection and response, or XDR -- one of cybersecurity's hottest acronyms.
XDR, which is short for extended detection and response, is one of the latest acronyms to rock the cybersecurity world. A descendent of endpoint detection and response, or EDR, its relatives include network detection and response, or NDR, and managed detection and response, or MDR, which has subsets of MEDR, MNDR and now MXDR.
If you haven't heard the term yet, you will soon. Coined in 2018 by Palo Alto Networks and with market hype in full swing today, XDR is shaping up to be the next big thing in enterprise security. On one hand, it's already seeing some early adoption, Forrester analyst Allie Mellen said. On the other hand, she added, "Even the early adopters are confused as to what it is."
But, before it can earn its keep, XDR's definition and use cases need to be fleshed out. Enterprise buyers also need to sort out how to evaluate vendors touting XDR products.
From EDR to XDR
"XDR is the next evolution of EDR," Mellen said. "It's taking EDR -- which has been validated by the market as a beneficial tool for detection and response on the endpoint -- and extending that to other types of telemetry." This telemetry includes the cloud, network and specific security tools, such as email security products.
The cloud is a major catalyst behind XDR's growing popularity. Where EDR was once sufficient to protect physical endpoints, the cloud has changed the definition of endpoint. In XDR, Mellen said, the endpoint is no longer a physical device but the end of the communication chain.
Allie MellenAnalyst, Forrester
"Data we used to store locally is now mostly accessible through the cloud. A part of EDR expanding into XDR is about accepting that shift and taking in other data sources that are going to be beneficial," Mellen said. "The end of the communication chain we're using more and more is the cloud."
XDR's benefits extend into the security operations center (SOC). For example, XDR's ability to automate root cause analysis can ease the burden for SOC employees by handling many tedious manual tasks and reducing the high number of false positives inherent to other security systems.
"XDR aims to deliver a simpler, faster and more automated way to respond to these challenges," Mellen said.
XDR vs. SIEM and SOAR
Despite its strong similarities to SIEM and security orchestration, automation and response (SOAR), XDR isn't an extension to these technologies. In fact, XDR siphons many use cases away from the two technologies.
One major benefit of XDR over SIEM and SOAR, Mellen said, is that, while the latter rely on playbook integrations to execute responses, EDR and XDR execute responses natively. And, unlike SIEM or SOAR systems -- which gather data, perform analytics and often end up with a high number of false positives and other security challenges, Mellen said -- XDR completes responses on the endpoints themselves, be it on a physical device, in the cloud or in integrated technologies.
"It's not to say security analytics platforms or SIEMs are bad technologies. They're great for what we have today," Mellen said. But XDR takes the detection and response innovation further than ever possible before, she added.
As XDR matures, Mellen expects it to displace security analytics platforms -- including SIEMs and SOAR -- for everything except compliance, a capability XDR does not offer.
Confusion around buying XDR
Warning: Not all vendors who tout XDR products are truly offering XDR.
"A lot of vendors are saying, 'We enable faster detection, faster response and better integration, so we must be XDR.' But that's not what XDR is," Mellen said.
Offering the same outcomes doesn't mean they're in the same product category, she cautioned.
Some vendors saying they offer XDR are, in reality, selling security analytics platforms that incorporate SIEM. To understand if vendors are truly selling XDR, Mellen advised asking if the vendor sells EDR. If it doesn't, chances are it isn't an XDR vendor either. And just because a vendor integrates with EDR and XDR products doesn't mean it specifically sells XDR, either.
If a customer asks a vendor what its XDR product replaces in the SOC, the answer should always be EDR, never SIEM or SOAR, Mellen added.
XDR is all about the integrations
EDR becomes XDR when integrations come into play, Mellen said. If an XDR platform is integrated with an enterprise email system and an employee falls victim to a phishing attack that deploys a Word doc with malicious macros, for example, XDR could detect what happened on the endpoint and give SOC analytics deep context into the incident.
Email security, cloud security and network security are three of XDR's greatest integration capabilities, Mellen said. These integrations will truly set vendors apart.
Beyond asking if a product is based in the endpoint, Mellen suggested evaluating the product's native and third-party capabilities. For example, companies with large product suites may only integrate with their own security technologies natively. Other third parties may not have native XDR because they are startups or don't have fully baked product suites, she added. (See sidebar for more info on native vs. hybrid XDR.)
Types of XDR
XDR has two categories: native and hybrid, Mellen said.
Forrester defines hybrid XDR, also known as open XDR, as "an XDR platform that relies on integrations with third parties to collect other forms of telemetry and execute response actions related to that telemetry." Hybrid XDR vendors include SentinelOne and McAfee.
"'Open' isn't a great descriptor as it isn't open source. 'Hybrid' is a better adjective because part of the point is that you integrate with other vendors," Mellen noted. The hybrid option gives security teams the ability to choose the best tools from various vendors for their organizations' specific needs, but they need to be aware that some vendors that claim they have integrations may not always offer them.
Forrester defines native XDR, or closed XDR, as "an XDR suite that integrates with other security tools from their portfolio for the collection of other forms of telemetry and execution of response actions related to that telemetry." Native XDR vendors include Microsoft and Palo Alto Networks.
Mellen advised that native XDR may not be suitable for all companies because of vendor lock-in, but "that's not necessarily a bad thing, just a different approach." Smaller security teams, she added, may benefit from such a unified system as it can be easier to deploy and manage.
When it comes to integrations, Mellen sees many vendors claiming to offer hybrid XDR, but that's not always the case. The difference, she said, is in the depth and breadth of the integrations.
"Some vendors are taking a really great approach with it. They may have a store available where you can just plug and play integration," she said. "I think it's an awesome way to go -- it just makes it so easy."
In other cases, vendors may be so new that their integrations are providing an API without enough guidance for the SOCs using them, she said. "Security teams aren't meant to be doing that work," she said. "Whenever somebody says it's plug and play, it isn't necessarily at first."
Despite the challenges -- and the needed product maturity -- Mellen is optimistic about XDR's future. "It's just going to take time. It's still such an emerging technology. There are vendors that are using the term XDR correctly, and there are end users that are using it. Many end users don't know what the name means but are using it because it solves their problems."