kras99 -

The differences between open XDR vs. native XDR

With extended detection and response, security teams get improved threat analytics and response capabilities. Here's what they need to know to choose the right type of XDR.

Coined by Palo Alto Networks in 2018, extended detection and response is an evolution of endpoint detection and response. Analyst firm Enterprise Strategy Group, a division of TechTarget, predicted that more than two-thirds of companies will invest in XDR over the next year.

Companies have a few options for extended detection and response (XDR) products. There are primarily two XDR types: open and native, also sometimes referred to as hybrid and closed. As XDR is still new, analysts are divided over whether to break out XDR types further.

What is XDR?

XDR is described as an evolution of endpoint detection and response (EDR). EDR searches for security breaches as they happen on workstations and other endpoint devices. With XDR, companies get analytics beyond endpoints. SaaS-based XDR collects threat data from the network, cloud, servers and email systems. With all of the collected data ingested into one location, security teams have a more complete view of the threat landscape. Through machine learning and behavioral analysis, XDR provides automated response capabilities, enabling security teams to respond to threats quicker.

Confusion remains over what constitutes an XDR product. Ask IT industry analysts, and each one might give you a different answer about XDR.

"At first blush, it can appear that XDR is just EDR taking the opportunity to become a better SIEM," said Forrester Research analyst Allie Mellen. "But the reality is very different."

Security teams adopt XDR to improve threat detection, investigation and response. Security teams can be more proactive and less reactive to potential threats with the addition of XDR.

Mellen said that XDR solves four issues plaguing IT security in companies:

  1. poor detection efficacy
  2. high false positive rates
  3. many alerts for the security operations center
  4. time spent mitigating threats

Security breach investigations take too long at most companies. "Security teams can either respond quickly, or they can respond completely, but it is very challenging to do both at the same time," Mellen said.

Open XDR vs. native XDR

XDR is largely broken out between two types: open and native. Open XDR focuses on third-party integrations, while native XDR provides an all-in-one platform. Some analysts see XDR platforms split even further, with up to five approaches available.

Native XDR

For native XDR, vendor offerings collect all telemetry. Examples of native XDR platforms include Microsoft 365 Defender, Cisco XDR and Palo Alto Networks Cortex XDR. The XDR component integrates with the rest of that vendor's security products. Security teams don't have to worry about integrations, as one platform handles all analytics and threat detection.

Implementation of native XDR tools can be difficult, though, as security teams need to rip out existing tools in favor of one complete platform. The lack of third-party integration capabilities is also a downside. "These vendors need to embrace the notion of third-party integrations and APIs," said Enterprise Strategy Group (ESG) analyst Dave Gruber.

Open XDR

Open XDR does not mean open source tools, so some organizations prefer the term hybrid XDR.

Open XDR products are designed to integrate with other security analytics tools. Instead of ripping and replacing current security tools, adopters work with a core XDR product designed to connect with an existing setup and provide a central management plane. Open XDR product examples include ReliaQuest GreyMatter, Exabeam Fusion XDR and Stellar Cyber Open XDR.

One downside is that companies need to ensure the open XDR tool they select has enough integrations. Niche security products may get left by the wayside. It's not feasible for vendors to engineer connections for all products out there.

Additional XDR types

Industry analysts see the market differentiated by more than just open and native XDR.

ESG's Gruber says three or four XDR types exist: overlay (open), full-stack (native), full-stack modified and ecosystem offerings. Full-stack modified is where full-stack providers offer a tweaked architecture option that integrates more with third-party security products. It creates a middle-ground XDR tool that mixes native with open. Ecosystem providers don't have a complete platform themselves, so they partner with other vendors. Together, they offer something akin to native, but it's not a true full-stack offering.

According to Gartner analyst Peter Firstbrook, customers have five XDR options. Alongside open and native, other XDR types include single product offerings, security orchestration and automated response (SOAR) and SIEM, and managed security service provider (MSSP). Vendors with single base products lack much in the way of integrations today but can add them. Firstbrook included SOAR/SIEM vendors because see their products offering just as much as what XDR promises. XDR is designed for ease of use, meaning integrated out of the box, and SOAR/SIEM don't have that design, but vendors are working to make it possible, he said. Similar to the SOAR/SIEM argument, MSSPs believe what they offer is XDR, too.

As XDR matures, XDR types will narrow down.

The biggest hurdle for XDR in 2021 is that potential customers don't understand it or how it helps security teams. Vendors need to show security teams how XDR differs from EDR, SIEM and SOAR.

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing