researchHQ’s Key Takeaways:
- Extended Detection and Response (XDR) is a SaaS-based, “vendor-specific security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components”.
- Challenges in delivering XDR include dependency on other vendors and potentially insufficient investigation and validation capabilities.
- Effective XDR solutions collect organization-wide data and accordingly correlate and analyze it to gain high fidelity details about potential incidents.
- High-performing XDR solutions often utilise artificial intelligence to automatically investigate alerts.
- After investigation and validation, an effective XDR solution responds appropriately to mitigate the incident.
Given the volume, sophistication, and potential harm of today’s cyberthreats, it is essential (and unfortunately, also impossible) for security teams to leave no stone unturned in the discovery of potential security attacks and breaches. In an ideal world, this effort would include such tasks as inspecting every URL embedded in every blocked email, every file hosted by every blocked website, every login request allowed or blocked, and so on.
However, the average organization uses a dozen (or more) security tools, often from a variety of vendors. These solutions already generate thousands of alerts each day that need to be reviewed. And most of these tools operate in isolation, which means that chasing down these alerts often involves hand-correlating events between different management consoles. As a result of this complexity, security teams already often respond too slowly to alerts, have time for fewer investigations, and run a greater risk of missing an attack in progress.
So it’s not surprising that nearly half of security leaders report the “complexity of their environment as among the most challenging aspects of security.” Worse, over three-quarters of organizations admit their security architectures are disjointed due to nonintegrated security products. And given the rate that the digital footprint of most organizations is expanding, there are simply not enough hours in the day, nor enough security experts in the industry, to investigate each and every alert.
Capturing the Attention of Cybersecurity Professionals with XDR
One new security concept understandably capturing the attention of cybersecurity professionals is XDR. Gartner defines Extended Detection and Response (XDR) as “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.” The challenge faced by most security solutions is that, while they may be effective within their own sphere, the scope of their capabilities is limited. For example, a firewall may be world-class, but it can only provide a snapshot of traffic moving across a particular point in the network. However, defending against today’s sophisticated threats requires visibility and control that spans the entire distributed network.
XDR represents a new security paradigm in which individual security controls see, share, and correlate data as part of a coordinated security platform to more effectively detect threats and to then deliver a coordinated response that covers the entire attack surface. Simple, right? Actually, it is quite complicated.
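To make the "see, share, and correlate" idea concrete, here is an added illustration (not code from researchHQ or any XDR product) of the core step such a platform performs: alerts from three separate consoles, each with its own field names, are mapped onto one schema and chained into a single incident by the entities they share within a time window. The alert records, field names and 15-minute window are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample alerts, as three isolated consoles might emit them (not real data).
EMAIL_ALERTS = [
    {"ts": "2024-03-01T09:00:05", "recipient": "jdoe",
     "url": "hxxp://bad.example/invoice.doc", "verdict": "blocked"},
]
ENDPOINT_ALERTS = [
    {"time": "2024-03-01T09:03:40", "hostname": "WS-0142", "user": "jdoe",
     "process": "winword.exe -> powershell.exe"},
]
NETWORK_ALERTS = [
    {"timestamp": "2024-03-01T09:04:12", "src_host": "WS-0142", "dst": "203.0.113.9",
     "sig": "outbound beacon to known-bad address"},
    {"timestamp": "2024-03-01T14:20:00", "src_host": "WS-0999", "dst": "198.51.100.4",
     "sig": "port scan"},  # unrelated: different host, hours later
]

def normalize(source, raw):
    """Map each console's own field names onto one shared schema with a set of entity keys."""
    if source == "email":
        return {"source": source, "ts": datetime.fromisoformat(raw["ts"]),
                "entities": {"user:" + raw["recipient"]}, "detail": raw["url"]}
    if source == "endpoint":
        return {"source": source, "ts": datetime.fromisoformat(raw["time"]),
                "entities": {"user:" + raw["user"], "host:" + raw["hostname"]}, "detail": raw["process"]}
    if source == "network":
        return {"source": source, "ts": datetime.fromisoformat(raw["timestamp"]),
                "entities": {"host:" + raw["src_host"]}, "detail": raw["sig"]}
    raise ValueError(f"unknown source {source}")

def correlate(alerts, window=timedelta(minutes=15)):
    """Chain alerts that share an entity within the window into incidents; entities accumulate,
    so the user links email->endpoint and the host then links endpoint->network."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        match = next((inc for inc in incidents
                      if a["ts"] - inc["last_ts"] <= window and a["entities"] & inc["entities"]), None)
        if match is None:
            incidents.append({"alerts": [a], "entities": set(a["entities"]), "last_ts": a["ts"]})
        else:
            match["alerts"].append(a)
            match["entities"] |= a["entities"]
            match["last_ts"] = a["ts"]
    for inc in incidents:
        inc["sources"] = sorted({x["source"] for x in inc["alerts"]})
        inc["fidelity"] = len(inc["sources"])  # independent controls agreeing raises confidence
    return incidents

def build_incidents():
    alerts = [normalize("email", r) for r in EMAIL_ALERTS]
    alerts += [normalize("endpoint", r) for r in ENDPOINT_ALERTS]
    alerts += [normalize("network", r) for r in NETWORK_ALERTS]
    return correlate(alerts)
```

Run stand-alone, `build_incidents()` yields two incidents: one chaining the blocked email, the Office-spawned PowerShell and the outbound beacon (fidelity 3), and one lone port-scan alert (fidelity 1) that an analyst hand-correlating three consoles would have had to triage separately.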
Challenges in Delivering XDR
The idea of enabling different technologies to work together as a single, integrated system provides powerful advantages for the detection of and response to threats—which is why so many vendors are jumping on the XDR train. But most XDR solutions suffer from one of three challenges.
The first is that many vendors only cover one or, at best, a few attack vectors—endpoint, email, network, or cloud. But the promise of XDR is multiple solutions collaborating. The value of such a vendor's XDR solution is therefore entirely dependent on other vendors integrating with its technology, which means the scope of your XDR solution may be limited to only a portion of your organization and its attack surface.
Second, for those vendors that offer a full suite of security solutions, delivering an effective XDR solution may still be a challenge. Just because a company offers multiple products doesn’t necessarily mean that they have invested the resources needed to integrate them. Especially when components were acquired through large acquisitions, the requirements that accompany large install bases can dominate development resources and block substantial changes that are needed for integration. In these cases, XDR functions as a thin overlay to compensate for the fact that these tools don’t really interoperate and that there are significant limitations in the way they can function, which can create serious challenges for IT teams.
Third, almost all vendors seem to focus on extended detection and extended response, skipping over the middle stage of investigation and validation. As a result, human security professionals still have significant effort ahead of them—especially as threat and alert volumes continue to grow.