Understanding current XDR elements and options

Defining and delivering XDR

Gartner defines XDR as a platform that "integrates, correlates and contextualizes data and alerts from multiple security prevention, detection and response components." ​XDR also aims to reduce product sprawl, alert fatigue, integration challenges and operational expenses.

The three basic elements of XDR are the following:

1. Broad coverage. There is more than one telemetry source.
2. Central depository for analytics. There is visibility into data collection, processes, alerts and workflows.
3. Automation. Workflows result in faster decisions to coordinate responses across multiple tools.

This high-level definition results in extremely broad interpretations of which companies fall into the XDR vendor category. Initially intended to be an evolution of endpoint detection and response (EDR), mature SIEM products also satisfy XDR criteria. As result, a number of vendors claim to offer XDR.

Let's examine the most common current variations of XDR delivery:

1. EDR+ -- endpoint + telemetry/data + endpoint response. Often the path of EDR vendors, this type of XDR brings another telemetry or data source to an existing endpoint. While this approach may be easy because it uses current EDR investments, the challenge is ensuring coverage across the entire IT environment. Coverage may vary significantly based on what additional data sources and telemetry points are used.
2. SIEM+ -- SIEM + logs + analytics. For those with mature security postures, this SIEM-centric option offers flexibility and scalability. SIEM may include response integrations or automated investigation enrichments to satisfy the automation requirement. The challenge can come from lengthy deployments, numerous processes for add-on modules that need to be integrated into existing process and in-house team availability to constantly tune data models to update policies for the environment.
3. Comprehensive -- endpoint + telemetry/data + logs + analytics + intrusion detection system + file integrity monitoring + response (identity, endpoint and firewall/web application firewall). This approach provides visibility across the full IT environment. It combines prevention and detection, tapping into known and unknown challenges. The many tools involved may require organizations to partner with a team that collectively offers expertise and knowledge to manage the environment to generate the best outcomes.

Assessing XDR against outcomes

Let's assess these XDR options against the key XDR outcomes mentioned earlier.

Outcome 1

EDR+ fails to provide complete visibility of IT environment and tooling. It only provides a narrow view that barely meets Gartner's XDR definition. Comprehensive leads on visibility, with SIEM+ not far behind, lacking true insight into network traffic via an intrusion detection system.

Outcomes 2 and 3

These XDR outcomes are directly linked to IT visibility and tooling, which, again, isn't good news for EDR+.

Performing analytics on many data sources is crucial to ensuring visibility into all areas that introduce risk. Mitigations can be applied based on the perceived significance -- and resources available -- of the risk. For example, business-critical assets demand the lowest acceptable level of risk. SIEM+ and Comprehensive XDR systems fare better and are essentially equal here, assuming they include integrations with, or native, exposure assessment analytics.

As for detecting and responding to threats, EDR+ is a good option for endpoint-based threats, but neglects areas like compromised credentials and cloud compromise. SIEM+ does well at identifying a broader range of threats but is overly reliant on logs and lacks response automation. Comprehensive performs analytics of a broad range of sources and connects these with response mechanisms, which enables the speediest disruption or containment responses to threats.

While XDR can be used to describe a range of different approaches to security, XDR products alone do not solve staff expertise shortages or the burden of managing and extracting value from the security stack.

Realizing the value of XDR

When evaluating feature-rich products such as XDR, it's easy to get caught up in the potential security value they provide. XDR is a positive step toward unifying the visibility and management of security data and controls, but it is not a silver bullet and still requires daily operational commitments.

Organizations should be pragmatic in assessing the value they will be able to realize based on the resources, expertise and management they can dedicate to any tooling. Threat research and hunting, 24/7 monitoring, advanced and custom analytics and tuning, alert investigation, log analysis, false positive reduction and actionable insights on remediation are needed to realize the value XDR offers.

About the author
Josh Davies is product manager at Fortra's Alert Logic. Formerly a security analyst and solutions architect, Davies has extensive experience working with midmarket and enterprise organizations. He conducted incident response and threat hunting activities as an analyst before working with organizations to identify appropriate security solutions. Presently, Davies remains close to security operations center and threat intelligence initiatives.