The security industry has been witness to many technological revolutions over the past decades.

Notable recent milestones were the introduction of the web application firewall (WAF), user and entity behavior analytics (UEBA), next-generation antivirus (NGAV), and endpoint detection and response (EDR).

While each of these, and many other technology innovations, helped security teams protect better against emerging threats, they also made the security stack cumbersome and complex to operate. A typical organization now runs a multitude of security tools managed by separate teams, with data locked away in separate silos and no way to assemble a complete picture of the threats facing it.

Extended Detection and Response (XDR) is a newer approach that, instead of adding one more tool, aims to change this security landscape and enable more effective operation of the security stack.

What problem does XDR solve?

Historically, endpoints have been a preferred entry point for attackers. But the definition of “endpoint” has become much broader in recent years, with the advent of containers, IoT devices, mobile devices, and many other types of connected systems. 

Attackers target other layers of the IT environment as well—the corporate network, email servers, cloud systems—and may jump between layers, or hide in the interface between them, avoiding detection. 

In addition to these security challenges, modern security teams are facing operational challenges. According to Gartner, the two main challenges are:

These two problems are in conflict, because the more tools an organization adopts, the more difficult it is to find and train relevant staff. Most SOCs are facing a severe shortage of skilled analysts.

XDR kills two birds with one stone, helping resolve both security and operational challenges. It is a security solution that:

How does XDR differ from SIEM?

Security information and event management (SIEM) is a key element of the modern security operations center (SOC). Log data is pulled from dozens or hundreds of security tools and correlated to generate meaningful alerts.

On the face of it, this sounds similar to XDR. SIEM pulls together data from the entire environment and provides one interface for security analysts. 

However, the downside of SIEM is that it provides only a summarized view of security data. It gathers information from many systems but normalizes it down to the lowest common denominator, the fields every source shares, so much of the source-specific detail is lost.

SIEM cannot request additional information from security tools to further investigate a specific incident. In addition, SIEM has limited ability to process new types of security data from tools like endpoint detection and response (EDR) and endpoint protection platforms (EPP).

Most importantly, traditional SIEMs don’t have built-in response capabilities. SIEM is a detection tool that can identify security incidents, but cannot contain or eradicate threats.

XDR can complement existing SIEMs and add some of its missing features:

How does XDR relate to AWS and other CSPs?

Organizations running workloads on a public cloud like AWS are facing numerous security risks, including misconfiguration, unauthorized access over public networks, unsecured APIs, and a magnified risk of insider threats.

XDR can help in three ways: 


Key features of XDR

Now that we understand the difference between XDR and the more familiar SIEM, let’s look at some of the key capabilities of XDR platforms:

A focus on response

A key element of the XDR promise is faster, more automated responses to security incidents. XDR can automatically identify incidents based on one of the following triggers:

Once an incident is identified, either human analysts or AI determine the appropriate steps to take next. This may include automated responses, or collaboration with other security staff or other parts of the organization—for example, operations or development. 

Responses can include:

Threat hunting with XDR

Another impact XDR will have on the security environment is promoting and enabling threat hunting. Threat hunting is a network security practice that involves actively searching networks, data assets, and infrastructure for advanced threats that have bypassed existing defensive measures.

XDR operates on the assumption that the environment has already been breached and that threats are present within it. With traditional event correlation and aggregation solutions, such threats are extremely difficult to identify; XDR can do this much more effectively. 

XDR solutions can collect data more comprehensively, and analyze it more deeply, on behalf of an analyst conducting threat hunting. This includes deep analysis of log files, access requests, application events and endpoint-related events. 
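The following is an added example, not code from the original article or from Cynet, showing what cross-layer correlation and a hunting query over the correlated result look like in practice, as opposed to the summarized SIEM view discussed earlier. All events are constructed sample telemetry; the field names, the 10-minute window, the home regions, the byte threshold and the hunting hypothesis (remote login, then encoded PowerShell, then a large outbound transfer) are assumptions made for the illustration.

```python
"""Cross-layer correlation of constructed endpoint, network and identity events.

Added example (not Cynet's or any vendor's code). All events are constructed;
field names, the correlation window, HOME_GEOS and thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Constructed telemetry from three layers. Each record keeps its native detail
# (command line, byte count, geolocation) instead of a flattened common schema.
EVENTS = [
    {"ts": "2024-03-01T09:00:05", "source": "idp", "user": "jdoe", "host": None,
     "src_ip": "203.0.113.7", "geo": "RU", "result": "success"},
    {"ts": "2024-03-01T09:03:10", "source": "edr", "user": "jdoe", "host": "WS-042",
     "process": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA..."},
    {"ts": "2024-03-01T09:05:40", "source": "network", "user": None, "host": "WS-042",
     "dst": "198.51.100.9", "dst_port": 443, "bytes_out": 52_000_000},
    {"ts": "2024-03-01T14:20:00", "source": "edr", "user": "asmith", "host": "WS-017",
     "process": "excel.exe", "cmdline": "excel.exe Q1.xlsx"},
]
WINDOW = timedelta(minutes=10)      # assumption: how close linked events must be
HOME_GEOS = {"US", "IL"}            # assumption: where these users normally sign in


def parse_ts(s):
    return datetime.fromisoformat(s)


def summarize(event):
    """Lowest-common-denominator view: only the fields every source shares.
    This mimics the summarized SIEM view; cmdline, geo, bytes_out are dropped."""
    return {"ts": event["ts"], "source": event["source"],
            "entity": event.get("host") or event.get("user")}


def correlate(events, window=WINDOW):
    """Group events into incidents by shared entities within a time window.

    An event joins an incident if it shares a host or user with that incident
    and falls within `window` of the incident's latest event. Host/user links are
    learned from events carrying both (the EDR event ties jdoe to WS-042, which
    then pulls in the network event that only names the host).
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    incidents = []  # each: {"entities": set, "events": list, "last": datetime}
    for ev in events:
        ts = parse_ts(ev["ts"])
        ents = {e for e in (ev.get("host"), ev.get("user")) if e}
        for inc in incidents:
            if ents & inc["entities"] and ts - inc["last"] <= window:
                inc["entities"] |= ents
                inc["events"].append(ev)
                inc["last"] = ts
                break
        else:
            incidents.append({"entities": ents, "events": [ev], "last": ts})
    return incidents


def _first(evs, pred):
    """Timestamp of the earliest event matching pred, or None."""
    hits = [parse_ts(e["ts"]) for e in evs if pred(e)]
    return min(hits) if hits else None


def hunt_remote_login_then_exfil(incident, min_bytes=10_000_000):
    """Hunting hypothesis over one correlated incident (assumed pattern):
    successful IdP login from outside HOME_GEOS, followed by an encoded
    PowerShell launch, followed by a large outbound transfer, in that order."""
    evs = incident["events"]
    t_login = _first(evs, lambda e: e["source"] == "idp"
                     and e.get("result") == "success"
                     and e.get("geo") not in HOME_GEOS)
    t_lolbin = _first(evs, lambda e: e["source"] == "edr"
                      and "powershell" in e.get("process", "")
                      and " -enc " in e.get("cmdline", ""))
    t_exfil = _first(evs, lambda e: e["source"] == "network"
                     and e.get("bytes_out", 0) >= min_bytes)
    return bool(t_login and t_lolbin and t_exfil
                and t_login < t_lolbin < t_exfil)


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        flag = "HUNT HIT" if hunt_remote_login_then_exfil(inc) else "benign"
        print(sorted(inc["entities"]), len(inc["events"]), "events", flag)
        for ev in inc["events"]:
            print("  summarized:", summarize(ev))
```

The hunting function runs against the joined incident, not against any single source: the login has no host, the network flow has no user, and only the EDR event links the two, which is why the summarized view (no cmdline, no geo, no byte count) cannot support the same query.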

XDR facilitates threat hunting by checking three types of inputs.

Based on these inputs, XDR solutions can help analysts find targets for threat hunting faster and more effectively than ever before. 

However, XDR is not enough for successful threat hunting. It must be supported by other security tools and organizational practices:

Considerations for evaluating XDR solutions

Now that we have covered the significant value XDR can have for a security organization, let’s review some key considerations when evaluating and selecting an XDR platform:

I hope this will be valuable in helping your organization consider how XDR can help create a more effective, cohesive and responsive security environment.

About the author

Eyal Gruner is Co-Founder and CEO of Cynet. He is also Co-Founder and former CEO of BugSec, Israel’s leading cyber consultancy, and Versafe, acquired by F5 Networks. Gruner began his career at age 15 by hacking into his bank’s ATM to show the weakness of its security, and has been recognized in Google’s Security Hall of Fame.
