Extended Detection and Response (XDR) is a security technology that provides extended visibility, analysis, and response across networks and clouds in addition to apps and endpoints. XDR is a more advanced progression of endpoint detection and response (EDR) security.
Where EDR contains and removes threats on endpoints and workloads, XDR extends those capabilities beyond endpoint to multiple security control points (including email, networks, server and cloud) to detect threats faster using data collected across domains.
Detection and response technology employs real-time, continuous monitoring of systems to detect and investigate potential threats. A detection and response system then uses automation to contain and remove those threats.
There are a number of different types of detection and response solutions today, including:
EDR (Endpoint detection and response): EDR monitors and responds to threats on endpoints. It was the first type of detection and response system, and compared to earlier security technologies, it allows better visibility and a faster response to threats. It also boasts improved malware detection that allows it to catch more sophisticated threats, such as fileless malware. However, its scope is limited to endpoint and workload security, which makes it difficult to correlate threats across a complex environment.
NDR (Network detection and response): NDR scans for threats within the network and deploys a response when it detects a threat. This type of detection and response focuses on the internal network, allowing security teams to see threats that have breached it. This technology applies detection and response techniques to networks, allowing organizations to expand their visibility beyond the endpoint.
MDR (Managed detection and response): MDR is run as an outsourced service, where outside professionals perform detection and response on an organization’s systems, often with the use of EDR and NDR tools. This can be a good option for organizations that do not have the in-house expertise or resources to operationalize detection and response tools. Unlike other outsourced security services, such as MSSPs (managed security service providers), MDR services are focused on detecting and responding to the latest threats detected on endpoints, workloads and within the network.
EDR was the first technology to approach security from the standpoint of behavioral analysis and investigation, allowing security teams to quickly detect suspicious behavior even if it did not resemble previous known attacks. Instead of relying on definition-based detection methods, EDR uses machine learning and behavioral analysis to detect zero-day threats before they can damage the network—a major step forward. However, the amount of data collected by EDR and its complexity often defies an organization’s attempts to analyze it, and its sole focus on endpoint protection can leave teams with a blinkered view of activity across systems.
XDR extends the capabilities of EDR across all the security layers in the environment—email, networks, server and cloud. Rather than the single point of view that EDR provides, XDR enables telemetry and behavioral analysis across multiple security layers, allowing security teams to see the big picture.
Bad actors don’t limit their attacks to a single security layer, and security teams can’t afford to limit their view to one layer, either. EDR gives security professionals visibility into endpoints that might be compromised, but this isn’t enough when an attack has moved across the network and into other systems by the time the security team is aware of it. This is where XDR comes in. By providing a holistic view of activity across the system that avoids visibility gaps, XDR allows security teams to understand where a threat comes from and how it’s spreading across the environment—in order to eliminate it. In other words, XDR offers greater analysis and correlation capabilities and a holistic point of view.
XDR is fundamentally a security technology, and it represents a major step forward in enterprise security capabilities. Since XDR has access to raw data collected across the environment, it can detect bad actors that are using legitimate software to gain access to the system (something security information and event management software, or SIEMs, are often unable to do). It performs automated analysis and correlation of activity data, allowing security teams to contain threats more effectively. For example, it can match up a threat detected at the endpoint with the email or workload where it originated to find out what other endpoints the threat might have affected.
Finally, like EDR, XDR responds to the threat in order to contain and remove it—but XDR’s superior data collection and integration with the environment allow it to respond more effectively to the impacted asset. True XDR platforms provide the holistic visibility and context that security analysts need to respond to threats in a manner that is both targeted and effective. This tailored response helps to contain not only the threat itself, but also the impact of the response on systems—for example, reducing downtime on critical servers.
There are three parts to XDR: telemetry and data analysis, detection, and response.
Telemetry and data analysis: XDR monitors and collects data across multiple security layers, including not just endpoints but also network, server and cloud. It then uses data analysis to correlate context from thousands of alerts from across those layers in order to surface a much smaller number of high priority alerts, helping to avoid overwhelming security teams.
Detection: As we’ve seen, XDR’s superior visibility allows it to sift through alerts and report on the ones that require a response. That same visibility allows it to create baselines of normal behavior within an environment to enable the detection of threats that leverage legitimate software, and to investigate the origin of the threat in order to stop it from affecting other parts of the system.
Response: Just like EDR, XDR has the capability to contain and remove threats it detects, as well as update security policies to prevent a similar breach from occurring again. Unlike EDR, however, which performs this function only on endpoints and workloads, XDR goes beyond endpoint protection to respond to threats across all the security control points it touches, from container security to networks and servers.
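The cross-layer correlation described above (matching an endpoint detection to the e-mail that delivered it and to the other hosts it spread to, so that many raw alerts collapse into one incident) can be sketched in code. This is an added illustration, not code from any XDR product; the telemetry records, field names and the pivot rules are all constructed for the example.

```python
from collections import deque

# Constructed sample telemetry (not from any real product): each layer's
# alert carries a pivot key (host, file hash) the correlation stage can join on.
EMAIL = [{"id": "m1", "sender": "billing@invoice.example", "to_host": "ws-01", "sha256": "aa11"}]
ENDPOINT = [
    {"id": "e1", "host": "ws-01", "sha256": "aa11"},
    {"id": "e2", "host": "ws-07", "sha256": "aa11"},
    {"id": "e3", "host": "ws-03", "sha256": "bb22"},   # unrelated alert, must stay out
]
NETWORK = [
    {"id": "n1", "src": "ws-01", "dst": "ws-07"},
    {"id": "n2", "src": "ws-07", "dst": "srv-db-01"},
    {"id": "n3", "src": "ws-03", "dst": "ws-04"},      # unrelated flow, must stay out
]

def correlate(seed_host, email=EMAIL, endpoint=ENDPOINT, network=NETWORK):
    """Expand one endpoint detection into a single cross-layer incident.

    Pivots used (hypothetical rules for this example): a host links to every
    hash executed on it; a hash links to every other host running it and to
    the e-mail that delivered it; a host links to the destinations of its
    outbound flows. Returns the origin e-mail, all touched hosts and the ids
    of every raw alert folded into the incident.
    """
    hosts, pending = {seed_host}, deque([seed_host])
    alerts, origin = set(), None
    while pending:
        h = pending.popleft()
        for hsh in {e["sha256"] for e in endpoint if e["host"] == h}:
            for e in endpoint:                      # same hash elsewhere -> more hosts
                if e["sha256"] == hsh:
                    alerts.add(e["id"])
                    if e["host"] not in hosts:
                        hosts.add(e["host"])
                        pending.append(e["host"])
            for m in email:                         # message that delivered the hash
                if m["sha256"] == hsh:
                    origin = m["id"]
                    alerts.add(m["id"])
        for n in network:                           # outbound flows extend blast radius
            if n["src"] == h:
                alerts.add(n["id"])
                if n["dst"] not in hosts:
                    hosts.add(n["dst"])
                    pending.append(n["dst"])
    return {"origin": origin, "hosts": sorted(hosts), "alerts": sorted(alerts)}

if __name__ == "__main__":
    print(correlate("ws-01"))  # 7 raw alerts -> 1 incident covering 5 of them
```

Seeding from the detection on ws-01 yields one incident that names the originating message, the three hosts involved and the five alerts that belong together, while the unrelated ws-03 activity is left for its own incident.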
XDR’s additional capabilities above and beyond EDR give it several tangible benefits for securing an organization’s IT environment. These benefits include:
XDR is a powerful security technology, but to realize its full benefits, it’s important to choose a solution that makes the most of its capabilities. When choosing a platform, look out for the following problems: