XDR and What Executives Should Know
What does XDR (really) mean?
Coined by Nir Zuk at Palo Alto Networks in 2018, eXtended Detection and Response (XDR) arose in response to the limitations of siloed approaches to security data analysis. Earlier tools focused on a single type of device or area, such as the endpoint, the network, or user behavior, and so missed context and indicators from the other areas that would have revealed the risk. XDR analyzes all of these areas together in a single platform that can understand all of the data involved in an event, and then provides tracking and remediation steps across the entire environment as the SOC responds to malicious or risky activity.
How did XDR originate?
As Palo Alto Networks examined the challenges enterprises kept raising around visibility, and around understanding which significant security events were occurring in their environments, it became clear that there was a gap between the focused, siloed products vendors were shipping and the broad coverage of a unified platform that enterprises needed. XDR was designed to bridge this gap by connecting information from all sides of an enterprise IT infrastructure.
It then became essential to include a machine learning engine that correlates this much larger volume of raw data so that only significant events are brought to an analyst’s attention, rather than drowning the analyst in unactionable or irrelevant alerts. The “X” in XDR is central to this philosophy of extending detection and response to any and every IT operation; to illustrate it, Palo Alto Networks created a vision map of how XDR came about and where they believe it will grow in the future.
Why is XDR important in cybersecurity?
Moving from segregated datasets for endpoints, networks, and threats to a single platform that aggregates all of them, and much more, fundamentally changes how enterprises can understand their entire security operations and IT footprint. A single view of everything reduces missed significant events, reduces false positives and false negatives caused by missing context, and removes skill barriers, manual aggregation, and manual reporting. Analyzing these combined datasets with machine learning has already transformed how businesses cope with the evolution of cybercrime from individual “hacktivists” to criminal businesses in their own right and on to nation-state operators, along with the increasingly complex attacks that this evolution brings.
What is the spin around XDR?
When looking at how the market has reacted to the idea of XDR, we see many vendors begrudgingly adopting the term while trying as hard as they can to pass off their EDR or NDR/NTA products as XDR. Several vendors have redesigned their UI/UX so that all the information is presented as a “unified single source” without changing the underlying application to properly ingest data from all sources; the siloed data streams are merely shown side by side in one view. There has also been a rise of new players who focus on gaining in-depth visibility but lack coverage across all the different types of equipment that make up an IT infrastructure, leaving holes in what they can present at all. Finally, and most egregiously, we see a lack of automation via machine learning, leaving businesses either with a deluge of alerts that cannot be given proper attention or with incomplete data, so that an analyst cannot understand the full chain of events leading to an incident.
Our advice: What should executives consider when adopting XDR?
The concept of XDR rests on two requirements that must be fundamentally intertwined: 1) all data streams need to be brought together and correlated into a single understanding of an event, and 2) a system must exist that automatically determines the severity of an event and whether it constitutes an incident that needs further investigation by an analyst. Neither can be lacking, and they must work in tandem for a business to succeed with today’s cybersecurity defense programs.
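To make these two requirements concrete, and to show how they differ from siloed data streams merely displayed in one console, here is an added illustration in Python. It is not Palo Alto Networks’ code or any vendor’s implementation: the event types, per-source scores, ten-minute correlation window and incident threshold are assumptions chosen for the example, and the telemetry below is constructed. Three weak signals from three separate sensors (identity, endpoint, network) each fall below the incident threshold on their own; correlated on the same host within a short window they form one scored incident with a readable chain of events.

```python
"""Toy cross-source correlation in the spirit of XDR.

Added illustration, not vendor code. Event labels, scores, the time window
and the incident threshold are all assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    source: str     # which sensor produced it: "identity", "endpoint" or "network"
    ts: datetime    # when it was observed
    host: str       # correlation key: the asset involved
    user: str       # the account involved
    kind: str       # coarse event label
    score: int      # per-source severity; deliberately low for each alert alone


# Constructed sample telemetry: three weak signals on one host a few minutes
# apart, plus one unrelated low-value network alert on another host.
SAMPLE_EVENTS = [
    Event("identity", datetime(2024, 5, 1, 9, 0, 0), "ws-17", "alice", "login_new_geo", 2),
    Event("endpoint", datetime(2024, 5, 1, 9, 2, 30), "ws-17", "alice", "office_macro_spawned_powershell", 3),
    Event("network", datetime(2024, 5, 1, 9, 3, 10), "ws-17", "alice", "dns_to_newly_registered_domain", 2),
    Event("network", datetime(2024, 5, 1, 11, 45, 0), "ws-03", "bob", "dns_to_newly_registered_domain", 2),
]

# Assumed threshold: a combined score at or above this value becomes an incident.
INCIDENT_THRESHOLD = 6


def siloed_view(events):
    """What a per-source console shows: every alert judged on its own score."""
    return [(e.source, e.kind, e.score >= INCIDENT_THRESHOLD) for e in events]


def summarize(cluster):
    """Turn one host/time cluster into a single scored understanding of the event."""
    sources = {e.source for e in cluster}
    base = sum(e.score for e in cluster)
    # Assumed scoring rule: independent sensors agreeing on the same host within
    # the same window add context no single sensor has, so each extra source
    # adds a bonus on top of the raw sum.
    bonus = 2 * (len(sources) - 1)
    total = base + bonus
    return {
        "host": cluster[0].host,
        "user": cluster[0].user,
        "sources": sorted(sources),
        "chain": [e.kind for e in cluster],   # already time-ordered by correlate()
        "score": total,
        "incident": total >= INCIDENT_THRESHOLD,
    }


def correlate(events, window=timedelta(minutes=10)):
    """Group events by host, split each host's timeline into clusters no wider
    than `window`, and return one summary per cluster."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    clusters = []
    for evs in by_host.values():
        evs.sort(key=lambda e: e.ts)
        current = [evs[0]]
        for e in evs[1:]:
            if e.ts - current[0].ts <= window:
                current.append(e)
            else:
                clusters.append(current)
                current = [e]
        clusters.append(current)
    return [summarize(c) for c in clusters]


if __name__ == "__main__":
    print("Siloed view (source, event, raised as incident?):")
    for row in siloed_view(SAMPLE_EVENTS):
        print("  ", row)
    print("Correlated view:")
    for summary in correlate(SAMPLE_EVENTS):
        print("  ", summary)
```

Run stand-alone, the siloed view raises nothing, because no single alert reaches the threshold, while the correlated view produces one incident on ws-17 spanning identity, endpoint and network telemetry and one low-scoring non-incident on ws-03. The second requirement from the text, automatic severity determination, is the `score`/`incident` decision in `summarize()`; in a real platform that rule would be a trained model and the correlation keys would go beyond host and time, but the structure of the problem is the same.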