XDR 101: What's the Big Deal About Extended Detection and Response?

Extended Detection and Response (XDR) could be the security management technology of your dreams...or not. What makes this technical 'evolution' so interesting to so many companies?

Dark Reading

December 18, 2020


When endpoints become extended, does security necessarily improve? What, as Shakespeare would say, is in a name? And is there enough to make a security professional choose one category of product over another? The terms here are endpoint detection and response (EDR) versus extended detection and response (XDR). The differences -- and their relative importance to your organization -- could have an impact on your security infrastructure for years to come.

What Is XDR?
Just a moment...let's examine EDR first. EDR has become critical for many organizations as threat actors have focused more attention on users and their workstations, whether those devices are desktops, laptops, or handhelds. So what is EDR?

There are two broad pieces to EDR technology. The first is continuous monitoring and threat detection. The second is automated response to threats discovered during monitoring. It should be obvious that an analysis step sits between the two basic pieces, and in many products there is logging and forensic analysis that enhances security analyst work on understanding threats.

The key, though, is that all of this is focused on the endpoint: The technology's laser focus doesn't extend to the network, servers, cloud, or applications.

XDR takes a much broader approach.

XDR provides visibility across all of an organization's endpoints, as well as its network and cloud workloads. It will typically analyze the collected data, act upon the threats, and send unified alerts and action items to security analysts.
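To make the difference concrete, here is an added illustration (not code from the article or from any vendor named in it) of why a single-source endpoint view and a cross-source view reach different conclusions on the same telemetry. The feeds, hosts, timestamps and severity scale are all constructed assumptions; the point is that three individually unremarkable events from endpoint, network and cloud feeds become one unified alert only when they are correlated on a shared key within a time window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    source: str      # "endpoint", "network" or "cloud"
    host: str        # correlation key shared by all feeds (assumption)
    ts: datetime
    detail: str
    severity: int    # constructed scale: 1 (info) .. 5 (critical)

# Constructed sample telemetry: two workstations seen by three feeds.
SAMPLE = [
    Event("endpoint", "ws-17", datetime(2020, 12, 18, 9, 0, 0), "office macro spawned shell", 3),
    Event("network",  "ws-17", datetime(2020, 12, 18, 9, 1, 30), "outbound to rarely seen domain", 2),
    Event("cloud",    "ws-17", datetime(2020, 12, 18, 9, 3, 0), "new access token for host user", 2),
    Event("endpoint", "ws-42", datetime(2020, 12, 18, 9, 5, 0), "installer from unknown publisher", 3),
    Event("network",  "ws-42", datetime(2020, 12, 18, 13, 0, 0), "outbound to rarely seen domain", 2),
]

def edr_alerts(events, threshold=4):
    """Endpoint-only view: alert when one endpoint event is severe on its own."""
    return [e for e in events if e.source == "endpoint" and e.severity >= threshold]

def xdr_alerts(events, window=timedelta(minutes=10), min_sources=2):
    """Cross-source view: group a host's events inside a time window and raise one
    unified alert when at least `min_sources` distinct feeds contribute."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):          # sliding window anchored on each event
            chain = [e for e in evs[i:] if e.ts - first.ts <= window]
            sources = {e.source for e in chain}
            if len(sources) >= min_sources:
                alerts.append({"host": host, "sources": sorted(sources),
                               "score": sum(e.severity for e in chain),
                               "timeline": [e.detail for e in chain]})
                break                            # one unified alert per host, not per event
    return alerts

if __name__ == "__main__":
    print("EDR alerts:", edr_alerts(SAMPLE))     # nothing crosses the single-event bar
    for a in xdr_alerts(SAMPLE):
        print("XDR alert:", a)                   # ws-17 only; ws-42's events are hours apart
```

Run as-is: the endpoint-only pass returns nothing, while the correlated pass raises exactly one alert for ws-17 with all three sources in its timeline, and none for ws-42 because its two events fall outside the window.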

An astute reader is probably now asking, "How is this different from SIEM?"

SIEM pulls data from a variety of sources, performs automated analysis, and then provides alerts and action signals to human security analysts and other parts of the security infrastructure. XDR, on the other hand, actually includes additional security functions within its technology borders -- functions that can include antivirus, firewall, and even EDR protection.

Because of this, some companies position XDR as the next evolution for EDR, while some customers are wary of potential vendor lock-in with a single product that covers so much of the security infrastructure.

The XDR Players
Because XDR contains so much, the vendors providing XDR can come from many different backgrounds. Microsoft and VMware, for example, each touts an XDR service offering among its security arsenal. Hardware companies such as Palo Alto Networks and Cisco have XDR products, and traditional enterprise security companies including FireEye, Trend Micro, and McAfee have added XDR products or services to their overall security platforms.

Each of these companies, and others that are entering the market, provides options that can meet the needs of an enterprise. The choice between them will often come down to whether a company is already engaged with one or more of their products, and the extent to which an enterprise is willing to have a single vendor provide the majority of its security infrastructure.

Why XDR?
There are organizations that prefer the simplicity of a single primary security vendor to the "tool overload" that many security professionals complain about. With EDR already widely accepted as a security tool category, XDR can be an evolutionary step, rather than a massive change in security strategy.

For some organizations, XDR is an opportunity to get ahead of the skills shortage that plagues enterprise cybersecurity. If XDR can provide alert triage, the thinking goes, then the human security analysts can focus their time and energy on the most critical incidents.

In any given organization, the ease of shifting to XDR will depend on a number of factors, including the existing set of security tools, the size and expertise of the in-house security team, and the relationship(s) that exist with current vendors. For those organizations looking for security analysis and management beyond SIEM, though, it could be worth taking a serious look at the possibilities of XDR.
