XDR: beyond the buzzword

XDR: beyond the buzzword

No doubt you’ve heard the buzz about eXtended Detection and Response… but do you fully understand what it’s all about, asks Zeki Turedi, CTO of EMEA at CrowdStrike.

Jargon and buzzwords are commonplace in the cybersecurity industry. It can often be challenging to demystify the latest phrase or product category. In fact, these new applications or solutions that have been designed to tackle a new wave of threats and make everyone’s life safer can often do more to confuse clients and end-users than it does to describe anything useful. XDR, or eXtended Detection and Response, is the latest technology being given this treatment. This is why it is vital for IT professionals to fully understand the true meaning of XDR and what is available in the market to ensure they make the correct decision for their business.

Defining XDR

True XDR is the next frontier in threat-centric security prevention. XDR is a holistic approach that combines traditional security solutions into a unified system providing total protection and visibility across an organisation’s network. The crucial criteria of an XDR extension is its ability to both collect and correlate data from all sources, including endpoints, cloud workloads, networks and email. It then analyses and prioritises them and delivers them to security teams in a normalised format through a single console, easing the ever-present security staffing burden.

The core difference between XDR and more established solutions such as Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) is XDR’s ability to extend across the infrastructure to protect networks, cloud workloads, servers, email and endpoints. The key takeaway here is that XDR is not an addition but an extension. Every organisation’s needs are different, but to ensure the highest level of protection across the network architecture and to eliminate silos and gaps that put the organisation at risk, XDR is the way forward.

Unfortunately, not all XDR is equal

The reality is, not every XDR solution has the same capabilities. In order for XDR to deliver on its promise of the highest level of optimised detection, investigation, hunting and response, the platform must offer a number of core components. As XDR is ideally an extension of EDR, in order to achieve true XDR, the endpoint must remain as the foundation and be built upon. The best XDR extension offers improved detection quality in addition to improved reach and ensures that security teams avoid a deluge of false positives, allowing meaningful and efficient investigations. Another core component of XDR is integrated workflows that allow swift and often automated action to mitigate and remediate the threat. Also, IT professionals should ensure that the XDR offers advanced analytics in forms such as AI and ML that are applied to search for previously hidden threats.

Why XDR is a necessity

In most cases, threat detection and cybersecurity solutions focus on one layer of the ecosystem at a time. For instance, EDR solutions only operate on endpoints and network traffic analysis solutions only operate on network traffic. The result? Organisations will purchase numerous security products to build their own multi-layered security, which results in a complex security stack that delivers too many alerts, not enough context, and overloaded and overworked security staff.

XDR addresses the problems created by traditional detection and response technologies. It is designed to work with today’s hybrid infrastructures and cloud workloads, as well as with both on-premises environments and large remote workforces.

One of the main benefits of XDR is its ability to allow visibility by working across multiple layers. This means that detection is faster and responses are better informed. It also enables security teams to track and even reconstruct attack paths. This insight makes it possible to discover where in the infrastructure attackers are currently dwelling and which assets they may have compromised. This information can be used for mitigation, remediation and also to make better decisions about security improvements.

As mentioned above, XDR can replace multiple tools. This means that it is a far more efficient use of resources and significantly lowers the required management time, allowing investigations to be completed more quickly. Not only that, but XDR’s replacement of various tools can also reduce the total cost spent by security teams.

Why XDR can be so effective

The reality is that threat actors are intelligent and will only continue to become more sophisticated. Attackers know how to find gaps in security products. Once they find a way to slip into a network, they can dwell for prolonged periods, move laterally across the network, collect payloads and vital company information and learn more about evading the network’s defences in a future attack.

Luckily, XDR’s streamlined nature allows it to collect data from cross-layer sweeping, feed the results into a data lake, sterilise them, and correlate them to the attack surface they penetrated. The data is centralised, normalised and made accessible through a single pane of glass, resulting in the highest level of visibility, leaving the attackers nowhere to hide.

Weighing it all out

Finding an effective XDR solution can often be tricky. It is vital for companies to carry out their own research and ensure the solution they choose meets the high standard of protection that true XDR offers. Before purchasing, they should ask themselves or the vendor some key questions: How does this specific XDR differ from traditional EDR? Is this XDR solution up to the challenge of collecting, monitoring and analysing the ever-growing volumes of event and log data? Can this XDR capture and correlate data from any log, application or feed to deliver actionable insights and real-time protection?

Understanding and comparing different XDR specifications and solutions is the only way to know whether you’re purchasing a buzzword or a highly effective cybersecurity solution.