Cybersecurity solutions have an intermittent success rate, though not quite as predictable as how well-received Windows editions are. The failure rate is higher.
Certain solutions evolve. Anti-virus grew into endpoint protection and layered in better detection and action, becoming endpoint detection and response (EDR). Managed security service providers spawned, or perhaps caused, the emergence of managed detection and response (MDR), as true security expertise was crystallized into a single service delivering a higher quality of service in a much-needed area.
Help me XDR, you're my only hope
So what of eXtended Detection and Response, XDR? The popular view we read about is that it has evolved from EDR: that EDR vendors are adding more sources to their platform to improve detection and response.
This is a misleading representation of the market. The truth is that the need for broader coverage, earlier detection and faster, targeted response is driving customer demand. But unlike the relatively linear evolution of endpoint-centric protection, nearly all vendors can jump on this bandwagon and create a proposition that seems to tick all the boxes.
"My discussions at both RSA Conference and InfoSecurity Europe made it clear to me that visitors do not understand what XDR is meant to be and many security vendors are not doing anything to resolve that problem."
Dan Pitman, Director of Product and Technical Marketing
There are a number of different ways XDR is being taken to market, including:
- "Next-generation" SIEM platforms re-labelled as XDR
- Completely separate network, log or endpoint detection solutions bundled up as XDR
- Traditional SIEM and average SOAR products mashed together
Don't get cocky
Unfortunately, all of these approaches risk damaging the reputation and restricting the amazing potential of XDR. There are some clear facets of XDR which must be present:
- Business-focused coverage - this means not just endpoint and network but other sources of detection and context, such as productivity applications and identity.
- A shared detection layer with built-in detections - separate products do not make a solution. Many companies are putting the onus on their customers to integrate products using process and other platforms for incident management.
- Built-in response - XDR must provide security teams with response capabilities, ranging from automated responses (like blocking malicious network connections) to recommended one-click manual responses, like machine isolation or user credential reset.
- An integrated experience for the analysts - more coverage, more detections and more information are useless if they increase the work for the security teams proportionally. XDR must include these shared layers and an integrated analyst experience, or it is just more of the same.
Depending on your needs you might also have other requirements, different integrations or other technology facets of the solution, but the list above contains the solution components which can make a real difference to the security of your organization and the effectiveness of your security team.
Prefixes are easily startled, but they'll soon be back, and in greater numbers
So where do prefixes come into it? If we look to industry definitions, we see that XDR is gaining a variety of prefixes applied to it: native, comprehensive, open, hybrid. All of these can be found on product pages, websites and blogs.
A prefix is dangerous: it causes confusion for customers and is a clear indicator of a fragmented market. Cybersecurity is already significantly fragmented and complex to navigate when searching for a solution.
XDR should have been the chosen one to bring balance between the promise of SIEM and the value of EDR. The fear is that security industry fragmentation will cause XDR to derail itself by not delivering on its promise, damaging the reputation of EDR and MDR in the process.
The end result is that when buying XDR, check under the hood: it might be a SIEM trap after all!
Learn more about GravityZone XDR to reduce risk and improve efficiency for security teams.