XDR for that confident, secure look

XDR- 3 letters which could be the name for a new brand of shampoo. If it was, you can expect to see a long-haired model moving about to show off the transformative effect of some kind of herb or oil in the shampoo. Irresistible. Add this to your shopping list.

The shampoo market in the US, is estimated to be worth $3.3B. It's a competitive market.

Sound familiar? By 2028, the global XDR market is expected to reach $2B in size, growing at ten times the speed. Intense competition in the cyber security market is having a parallel effect.

What is XDR?

Nir Zuk, CTO and founder of Palo Alto Networks, is said to have first used the term Extended Detection and Response (XDR) in 2018.

According to Gartner®, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components”1 as depicted below.2

XDR technology is the latest development in cyber security threat detection and response technologies, but how did we get here?

A brief history of detection and response technology

William Cheswick and Steven Bellovin, wrote the definitive book on firewalls in 1994, and can claim to have one of the first firewalls on the market. 

But firewalls protected the front door into organizations’ networks, leaving the back doors wide open. Prevention alone was insufficient, so organisations started to use the logs of network activity, collected to comply with regulations, to deter inside threats and to understand and respond to external attacks. Around 2005, the security incident and event management system (SIEM) was born. SIEMs can aggregate and analyse data from any device capable of producing logs, but as environments grew more complex and attackers more sophisticated, SIEMs became less effective at detecting cyber threats; the signals in log data were just too weak to detect reliably. 

Endpoint Detection and Response (EDR) systems, which can detect threats by analyzing a rich variety of Operating System data in unencrypted form, have proved much more effective. EDR solutions appeared on the market around 2013. By 2027, the global EDR market size will be $8.1B, growing at 25% per year, comfortably exceeding the SIEM market size of $6.4B, which is growing at around 7% per year. 

Then cloud services came along to ruin the EDR party. 95% of organizations now use cloud services, using 5 different cloud platforms on average. Hybrid, multi-cloud environments cannot be adequately protect by EDR technology alone, giving rise to extended detection and response Extended Detection and Response (XDR) solutions which use additional data sources to eliminate the EDR blindspots. Unlike SIEM solutions, which can take in almost any data but require huge configuration effort to become effective, XDR provides simple integration and native functionality to make use of the select set of data sources that are genuinely useful for detection and investigation.

Last and most importantly, XDR provides response, whereas SIEM is a detection-only technology. Security Orchestration, Automation and Response (SOAR) solutions can be grafted to SIEM systems to improve efficiency and provide a response capability, but it is complicated to set up and manage. XDR solutions provide out-of-the-box integrations that are easier to manage. 

Why would I need an XDR solution?

If you take vendors’ claims at face value, then XDR allows you to:

  • consolidate vendors by replacing security solutions that deal with specific threats with an XDR solution that provides a more comprehensive solution for workspace security, network security or workload security domains.
  • improve security efficacy and security operations productivity by:
  • converting a large stream of alerts into a condensed number of incidents that can be manually investigated efficiently.
  • providing response options that go beyond infrastructure control points (i.e., network and endpoints).
  • improve the productivity of security operations teams that have difficulty managing a best-of-breed solutions portfolio or getting value from a SIEM or SOAR solution.

XDRs today are ideal for less mature organizations that do not have the resources to build a complex matrix of point solutions with a SIEM/SOAR overlay but are looking for solutions that can provide more immediate value with lower operational overhead.

Whether you would benefit from an XDR solution depends on the threats you face and the quality of your security controls.

SIEM solutions are superior at:

  • detecting policy violations and demonstrating compliance: XDR can only do this insofar as rules violations can be detected on the endpoint
  • fulfilling very specific detection needs like internal threats, policy violations and lateral movement, although the alert quality may be low.

XDR solutions are superior at:

  • external threat detection: XDR alert quality is vastly higher for external threats, giving greater coverage of attacker TTPs and generating far fewer false positives
  • Investigation: XDR platforms are optimized for investigative work. The alerts they generate are easier to interpret because they link to an underlying hypothesis about attacker behaviour
  • Containment and remediation actions to minimise business impact. 
  •  

What capabilities does an XDR solution provide?

Authentic XDR providers will have:

  • extensive and cost-effective data storage, analytics and machine learning (ML) capabilities.
  • effective detection that provides fewer, higher-value alerts.
  • integrations, often via API, to enable better response use cases;
  • integrations with IT operations tooling like an ITSM tooling for ticketing workflow.
  •  

What sort of XDR solution would I need?

Each vendor’s XDR approach differs:

  • some firewall vendors accrete to their products a detection and response capability and the means to integrate other data sources and claim that their product is now an XDR product.
  • some SIEM vendors claim that by being able to ingest EDR logs they have an XDR product.
  • some EDR vendors now offer XDR solutions have added the ability to collect logs from other sources to add to the endpoint data they already collect.

Many vendors have jumped onto the XDR wagon. In a report, Gartner defines XDR as 

“a platform that integrates, correlates and contextualizes data and alerts from multiple security prevention, detection and response components”.3

and notes that,

"There has been an inrush of vendors whose offers do not align with the definition of XDR. They have co-opted the definition of XDR in ways aligned to their own world view as well as other ambiguous terms like OpenXDR".3

A cynic, speaking with some truth would say:

"It’s the same thing, you have vanilla, you have chocolate, you have strawberry flavours, but it is still all ice cream. Don’t get confused because it has sprinkles on it. They are not even real sprinkles, you get those already, but you are going to pay a lot more for the same thing."

Feras Tappuni, CEO, SecurityHQ

What we think

  • The real new black arrived 10 years ago with the advent of the EDR solution, in response to the failure of network-based detection approaches to provide good results. Sure, some of the anomalies found on the network may be security incidents, but the complexity of modern enterprise environments means that most are false positives and it’s hard to tell the difference, so alerts aren’t actionable. XDR solutions based on integrating network data with EDR data doesn't feel like progress; the most important network data can be collected from the endpoint anyway. There are less 'Heath Robinson' ways to detect threats. Network data can, however, be useful for investigating after the point of initial detection.
  • In 2022, XDR is the new black: whether or not the old black needs upgrading depends on the threats you face, your IT environment and the quality of your security controls. XDR has the potential to solve security problems that EDR cannot, like threats directed at cloud-native services. Identity data, for example from Azure Active Directory, and Cloud control plane logs such as AWS CloudTrail, give visibility of environments where there simply is no endpoint to install an agent into.  EDR and identity data together are a powerful combination, detecting attacks on endpoints and in the Cloud, as well as those which pivot from one to the other.
  • Choose your solution technology based on the threat you face. If you wish to improve your compliance posture or insider threat detection, a SIEM solution will be more suitable than an XDR solution. If you wish to improve your detection and response controls, XDR is a better bet, as depicted in the table below.
  • Technology is just one of eight capability components that you should consider. Without the right people, policies, organisation, management, training, facilities and support, success will be elusive. Take people for example:, the most effective operators are part offensive thinker, part responder, and part data scientist – not a fresh college grad. Tech without the right capabilities is like putting Mr Bean in the cockpit of your Redbull F1 car and expecting a podium finish. It won’t happen.
  • There is a big gap between what is theoretically possible and what has been demonstrated in practice, so ask for evidence. Gartner* in its report states says that “by 2023, at least 30% of EDR and SIEM providers will claim to provide XDR, despite them lacking core XDR functionality”.
  • XDR provides a means to curb the proliferation of point cloud solutions. According to Gartner4, “by year-end 2027, XDR will be used by up to 40% of end-user organizations to reduce the number of security vendors they have in place, up from less than 5% today”.

Questions you should ask a vendor

 
  1. How will your product improve D&R outcomes for me?
  2. What are the most common threat use cases you cover?
  3. Can you give me examples of your product detecting something that you would not have otherwise detected?
  4. What are the most sophisticated attacks that you have detected and how did you respond to them? 
  5. Can you give me examples of efficiency gains that your product will bring me?
  6. Can I do away with SIEM or IDS/NDS technologies, or reduce the size of my security operations?
  7. What level of expertise do I need to get the most out of your product?
  8. Who is responsible for keeping the detection capability fresh? 
  9. What additional data costs must I budget for (eg storage, threat intelligence)? 
  10. What third-party integrations do you offer that enable better response use cases?
  11. What integrations with IT operations tooling like an ITSM tooling for ticketing workflow, does your product offer?
  12. What are the limitations of your product? 
  13. What other tools do I need?
  14. Who's driving the your product capability roadmap and also, what is in it?

The big question

Like shampoos, there are scores of XDR technology providers. The best selling shampoo is Pureology Nano Works Hydrate Shampoo. It's zero sulfate formula with the exclusive anti-fade complex forms a rich lather while it infuses hair with essential hydration and colour retention.

It is hard to know why and it doesn't much matter. Hairdressers have their own ways of delivering the outcome that clients seek. Good ones retain their clients for years.

And here is a lesson for organisation for whom security matters: are you are confident that you can cut your own hair? If not, find a partner that can deliver the outcome that you seek.

How to find the right partner

Give the same attention to choosing a security partner as lovers would to getting married: a long term relationship that is delightful when it goes well, but can be expensive and painful when it doesn’t. This is especially true if you are selecting a Managed Security Service provider. 

When selecting a company, price and risk should be considered alongside the following criteria:

  • Pick a partner: they will have an intimate knowledge of your business and when things go wrong, you need to be confident that they will respond in the right way.  Your company should be as important to your partner as you are to it. Seek evidence of:
  • An understanding of your company, its business goals and the market in which it operates
  • Long term perspective: are they thinking of your long-term interests as well as their own?
  • Transparency: are they joined up, do they communicate openly?
  • Responsiveness and flexibility, underpinned by meaningful SLAs
  • When things go wrong, lessons are learned and improvement demonstrated
  • Pick a company for whom security and D&R specifically is its core business: their reputation depends on it.
  • Look at their heritage: companies that are stable and live off their profits form deeper, long-term relationships and have more resources to draw on in a crisis. They are less likely to cannibalize the future to meet their immediate needs.
  • How detailed is the roadmap: to what capabilities and business outcomes are they committing to deliver? Would you be consulted and what influence would you have over the roadmap?
  • Verify what the prospective partner tells you: again, you will learn much more about them by talking to their customers.
  • Price transparency: is the price model predictable and within your control?
  • Find out who is delivering the service. Effective D&R depends on a skilled threat hunting team, proven methods and a purpose-built technology platform - in that order.

Lastly, start small: test your compatibility with a modest consulting project or a service trial. Focus on the service experience you have with them as your trusted security partner. If you end up fighting like a bag of ferrets, you will be pleased to be free of each other when the trial ends

To learn more about detecting and responding to cloud threats, the following resources will help:

To learn about testing the effectiveness of your detection and response investment, the approach described in this paper has proved effective:

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 

Paul Brucciani

Head of Product Marketing, Solutions
paul.brucciani@withsecure.com