Extended Detection and Response (XDR) is an emerging technology that provides superior detection and response capabilities while optimising your security program’s risk and resources.

As XDR evolves, one would expect its definition to evolve with it. It’s now clear, however, that defining XDR is anything but straightforward, not least because ‘extended’ is virtually impossible to pin down – which is precisely how it should be. With the global XDR market expected to reach USD 2.06 billion by 2028, expanding at a CAGR of 19.9% from 2021 to 2028 (4), we will undoubtedly see new pure-play XDR vendors entering this market and veteran vendors pivoting existing solutions to offer XDR.
With Forrester (1) defining XDR as the evolution of EDR and Gartner suggesting that XDR should include a combination of at least three security solutions, with EDR potentially being one of them, it’s not surprising that security vendors are taking advantage of this unconstrained definition and pivoting their existing products to offer XDR. Moreover, security vendors are emphasising the core capability of their existing products and shaping the definition of XDR in their favour. Gartner (2) also indicates that XDR could be the coming together of SOAR or SIEM with other point security products, recommending that organisations first evaluate this as a way of filling gaps in current threat detection and incident response capabilities. However, Gartner (3) also defines the primary value of XDR products and identifies that they improve security operations productivity and enhance detection and response capabilities.
Wherever the definition of XDR lands – and whether it ever does – we can all agree on the problems and challenges XDR strives to address, and the benefits organisations could gain by investing in it. It’s therefore critical to understand what outcomes XDR will deliver, its benefits to an organisation’s security program and how it will optimise IT resources when exploring XDR solutions.
We should avoid attributing existing security solution benefits to those provided by XDR. As much as possible, the benefits of XDR should be exclusive to XDR, particularly taking the following into account:

1. The benefits provided by existing point products should not be listed as XDR benefits. XDR must continue to deliver the benefits with or without any other product.
2. Existing solutions have attempted to deliver some of the benefits promised by XDR; however, where many have failed or been confined, XDR must prevail by delivering tangible gains.
Considering the points above, the major benefits of XDR must include:
Whereas SIEM and Security Analytics platforms have left security analysts with alert fatigue by putting out so many alerts that they simply get ignored, XDR lowers the number requiring manual investigation by automating the steps required to triage and investigate events and thus arrive at a conclusive verdict.
Even though this benefit overlaps with that of SIEM, XDR is not required to include SIEM or try to replace SIEM. It could increase detection efficacy using an approach other than event correlation or anomaly detection, on which SIEM depends.
Today, security teams must access multiple tools to implement changes following an incident or when taking proactive measures as part of an advisory. XDR must allow these changes to be implemented from a single interface, at minimum on endpoints and perimeter network defences, including on-premises and cloud choke points.
Much like the benefits offered by SOAR platforms, XDR must, at the very least, provide tight integration between endpoints, network, email and cloud security defences. There should be little to no need for utilising resources to integrate telemetry between these defences.
Forensic analysis and threat hunting are considered tasks that only highly skilled security resources can perform. However, with the scarcity of such resources, XDR must assist organisations by enabling less-skilled resources to perform these tasks.
Types of XDR
Given that the XDR market is new and evolving, there isn’t a single pure-play XDR company leading the market. Security vendors are stepping up development to add capabilities to fill gaps in their existing products to offer XDR. Some of these vendors are better placed than others as they have a larger number of the XDR puzzle pieces in their existing solutions. However, each vendor inevitably lacks one or two major capabilities that are hard to attain. Whereas some vendors will develop these missing capabilities, we are also likely to see others acquire companies that provide point solutions that would help them bridge the XDR gap sooner. Either way, since XDR is an upgrade to existing detection and response capabilities, we can expect the market entry price for acquiring XDR to be greater than the cost of existing solutions like EDR, SIEM and SOAR.
Today’s market offers two types of XDR solutions: Native XDR and Hybrid XDR. However, these are expected to converge as each vendor adds additional capabilities to their solution to meet growing market demands and remain competitive.
The key capabilities we expect from XDR include:
When exploring the capabilities of XDR solutions, also consider the following aspects as they will drive higher value and deliver on the benefits that XDR promises.
The following capabilities truly ‘extend’ XDR:
Can the solution integrate with the wider ecosystem? Can it integrate with any tooling? If not, does it integrate with the current and foreseeable ecosystem? What does integration mean? Is it simply to gather telemetry or to implement response actions as

Does the solution provide additional defences using a completely independent approach to protection, detection, hunting and incident response? For instance, how does it specifically complement EDR and NDR detection capabilities?
The primary reason for threat detection, hunting and incident response solutions is the lack of information to protect organisations from all types of attacks. XDR must bridge the gap between protective controls and detection and response. It must enable organisations to transform detection and response into continuous response, allowing them to implement protective controls dynamically in real-time in line with their risk appetite.
XDR must not only facilitate threat hunting but also automate it. Organisations should not depend on security analysts to drive the hypothesis; rather, the solution should hunt for breaches independently using its own methodology. Furthermore, it should automatically triage and enrich the discovered leads and assign a threat level to each.
XDR should be capable of responding continuously: allowing blocking, exceptions, and any other actions to be taken automatically, based on the level of threat (or lack thereof), data enrichment, and contextualisation using the wider ecosystem.
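The automated triage and continuous-response loop described above, as an added example that is not from this paper or from any XDR product: each constructed lead is enriched with threat intelligence and asset context, scored, assigned a threat level, and then either auto-contained, auto-closed (including via a security exception) or queued for an analyst. Detection names, score weights, thresholds, host names and indicators are all assumptions made for the illustration; the only leads that reach a human are the medium-level ones, which is the reduction in manual investigation the text describes.

```python
"""Automated triage and continuous response for detection leads.

Added illustration (not CyberStash's or any vendor's code). All hosts,
detection names, weights, thresholds and indicators are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed indicators; 203.0.113.0/24 is a documentation range, not a real threat.
KNOWN_BAD_IPS: Set[str] = {"203.0.113.45"}
KNOWN_BAD_HASHES: Set[str] = {"0" * 63 + "1"}  # placeholder, not a real hash

# Constructed asset inventory; criticality raises the score of anything seen there.
ASSET_CONTEXT: Dict[str, Dict[str, str]] = {
    "fin-db-01": {"criticality": "high", "owner": "finance"},
    "hr-laptop-22": {"criticality": "medium", "owner": "hr"},
    "dev-vm-07": {"criticality": "low", "owner": "engineering"},
}
CRITICALITY_BONUS = {"high": 20, "medium": 10, "low": 0}

# Base weight per detection type (assumed values for the example).
DETECTION_WEIGHT = {
    "credential_dumping": 60,
    "outbound_connection": 30,
    "new_executable": 30,
    "scheduled_task_created": 20,
}

# Security exceptions: (host, detection) pairs the organisation has confirmed benign.
EXCEPTIONS: Set[Tuple[str, str]] = {("dev-vm-07", "scheduled_task_created")}


@dataclass
class Lead:
    host: str
    detection: str
    src_ip: Optional[str] = None
    file_hash: Optional[str] = None
    enrichment: Dict[str, object] = field(default_factory=dict)
    score: int = 0
    level: str = "unassigned"
    action: str = "pending"


def enrich(lead: Lead) -> Lead:
    """Attach threat-intel and asset context, then compute a numeric score."""
    asset = ASSET_CONTEXT.get(lead.host, {"criticality": "low", "owner": "unknown"})
    lead.enrichment["asset"] = asset
    lead.enrichment["ip_known_bad"] = lead.src_ip in KNOWN_BAD_IPS
    lead.enrichment["hash_known_bad"] = lead.file_hash in KNOWN_BAD_HASHES
    lead.enrichment["exception"] = (lead.host, lead.detection) in EXCEPTIONS
    if lead.enrichment["exception"]:
        lead.score = 0  # known-good activity never consumes analyst time
        return lead
    score = DETECTION_WEIGHT.get(lead.detection, 10)
    score += 30 if lead.enrichment["ip_known_bad"] else 0
    score += 30 if lead.enrichment["hash_known_bad"] else 0
    score += CRITICALITY_BONUS[asset["criticality"]]
    lead.score = score
    return lead


def assign_level(score: int) -> str:
    """Map the score onto a threat level (thresholds are assumptions)."""
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    if score > 0:
        return "low"
    return "none"


def decide(lead: Lead) -> Lead:
    """Continuous response: only medium-level leads need a human verdict."""
    lead.level = assign_level(lead.score)
    lead.action = {
        "high": "isolate-host",            # automatic containment
        "medium": "escalate-to-analyst",   # manual investigation
        "low": "auto-close",
        "none": "auto-close-exception",
    }[lead.level]
    return lead


def triage(leads: List[Lead]) -> List[Lead]:
    return [decide(enrich(lead)) for lead in leads]


def manual_queue(leads: List[Lead]) -> List[Lead]:
    """Leads that still require an analyst after automated triage."""
    return [lead for lead in leads if lead.action == "escalate-to-analyst"]


# Constructed sample leads, as a detection layer might emit them.
SAMPLE_LEADS = [
    Lead("fin-db-01", "credential_dumping"),
    Lead("hr-laptop-22", "new_executable", file_hash="ab" * 32),
    Lead("dev-vm-07", "scheduled_task_created"),
    Lead("dev-vm-07", "outbound_connection", src_ip="198.51.100.7"),
    Lead("hr-laptop-22", "outbound_connection", src_ip="203.0.113.45"),
]

if __name__ == "__main__":
    results = triage(SAMPLE_LEADS)
    for lead in results:
        print(f"{lead.host:13} {lead.detection:23} score={lead.score:3} "
              f"level={lead.level:6} action={lead.action}")
    print(f"{len(manual_queue(results))} of {len(results)} leads need an analyst")
```

Of the five constructed leads, two are isolated automatically, two are closed automatically (one of them through the exception list), and one reaches the analyst queue. Where a real platform would differ is in the enrichment sources (threat feeds, asset inventory, identity context) and in the response actions wired to each level; the decision structure stays the same.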
Single-click response actions to implement controls at the endpoint or the network edge are considered minimal XDR response capabilities. XDR should, however, extend single-click response to other controls in the wider ecosystem.
Complex security investigation tasks include forensic analysis, reverse engineering, and threat hunting. Does the XDR facilitate these tasks to reduce manual effort and expedite outcomes?
Collecting and preserving forensic evidence following an incident can be a massive undertaking, and most organisations don’t have the skilled resources for it. Moreover, businesses operating from different regions will find it particularly challenging. XDR must, therefore, facilitate the secure collection and preservation of forensic evidence to reduce manual effort and undue dependency on skilled resources.
To reduce the manual effort involved in this task, XDR should extend response actions to restoring a breached system to its pre-breach ‘clean’ state. The response could leverage the Microsoft Windows Volume Shadow Copy service or tap into the restore capabilities offered by enterprise backup software.
An XDR solution will likely include the following core components; however, the important factor is not the components but whether the solution delivers the promised benefits.
When evaluating XDR, avoid comparing the capabilities vendors offer. Instead, try and understand how the solution provides better detection and response capabilities while optimising your security program’s risk and resources.
Here are 10 considerations when evaluating XDR:

1. Map the capabilities to the problems and challenges your security operations face and must solve. Here is a shortlist of problems a security program could be facing that XDR could solve:
   - Business impact because attacks are not detected
   - Concerted effort to investigate security events and incidents
   - Attacks detected too late by existing defences
   - Challenge in differentiating real attacks from the noise
   - Unable to respond effectively to an active attack or a compromise
   - High expenditure on security resources
   - Resource overhead due to context switching between point solutions
2. Look at the truly ‘extended’ capabilities and place a higher value on these as they will deliver additional detection and response capabilities and result in significant risk reduction and resource optimisation.
3. Following on from point 2 (above), avoid paying for capabilities that you already get from existing solutions. To increase ROI, XDR must either replace an existing solution or provide an independent method of detection and response that does not overlap.
4. Look for solutions that take advantage of the advanced features provided by your vendor’s XDR platform natively, which can simplify tasks involving security event investigation and incident response.
5. Ensure threat intelligence from the XDR platform is vendor-agnostic and provides out-of-the-box integrations with open-source and commercial threat feed providers.
6. Look for solutions that automate detection and response natively instead of requiring manual configuration to set up the workflows. Subsequently, look for solutions that depend less on skilled human resources to contain threats and active attacks and require minimal resource overhead to create security exceptions.
7. Ensure you have the necessary resources to help integrate, maintain and use the platform to drive improved detection and response outcomes. If you lack resources, consider MDR vendors who leverage XDR to deliver the outcome.
8. As XDR is an emerging solution, expected to mature only after 3 to 5 years, review the roadmap from each vendor and consider whether your organisation will definitively gain additional value and benefit from the capabilities available in future releases.
9. Consider the total cost of ownership (TCO) for gaining the benefits that the XDR solution can provide. Consider whether delivering the desired outcomes depends on acquiring additional technologies, licenses and skills to integrate and operate – all of which add cost to the bottom line.
10. Avoid falling into the trap of collecting vast amounts of telemetry and integrating it with an increasing number of point solutions. XDR is not about more data or greater integration but superior detection and response. Look for XDR solutions that deliver the benefits your organisation needs without setting up complex integrations and workflows.
eclipse.xdr is an intelligent, proactive security platform from CyberStash. Using automated protection, detection, and incident response, eclipse.xdr safeguards your most critical assets and allows you to establish and maintain trust in your IT environment by stopping attacks in their tracks.
Our advanced vendor-agnostic threat intelligence data, geofencing and infrastructure-blocking significantly reduce your exposure to risk from the emerging sources of the cyber-attacks responsible for most of today’s breaches, no matter how sophisticated the attack may be.
What’s more, eclipse.xdr runs periodic compromise assessments using completely independent, automated forensic-depth analysis techniques that comb through your fleet of endpoints to detect every digital change in your environment and assess the risk each change poses to your business. It also detects In-Memory Living-off-the-Land attacks!
Easy to manage, eclipse.xdr provides automated threat hunting and security orchestration, so there are no expenses for additional skilled resources. Alternatively, the CyberStash security experts can respond to the task on your behalf.
eclipse.mdr | Managed Detection and Response
When delivered as a Managed Detection and Response (MDR) service, our team of experts at CyberStash do all the leg work to hunt for breaches missed by existing controls and thus prevent potential business impact. We constantly monitor, detect, hunt, investigate and respond to cyber threats to keep your business safe.
Talk to us today about eclipse.xdr and get ahead of the business impact.
- (1) Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR (forrester.com)
- (2) Market Guide for Extended Detection and Response (gartner.com)
- (3) Innovation Insight for Extended Detection and Response (gartner.com)
- (4) https://www.businesswire.com/news/home/20211210005447/en/Global-Extended-Detection-And-Response-Market-Size-Share-Trends-Analysis-Report-2021-2028—ResearchAndMarkets.com
- https://www.forrester.com/blogs/introducing-the-forrester-new-tech-extended-detection-and-response-xdr-a-battle-between-precedent-and-innovation/
- https://www.grandviewresearch.com/industry-analysis/extended-detection-response-market-report
- https://www.fortunebusinessinsights.com/extended-detection-and-response-market-105900