Cybersecurity professionals know this drill well all too well. Making sense of lots of information and noise to access what really matters. XDR (Extended Detection & Response) continues to be a technical acronym thrown around in the cybersecurity industry with many notations and promises. Every vendor offering cybersecurity has an XDR song to sing. Interestingly, some either miss a beat or require tuning since it’s still quite an emerging market. This can be intriguing and nagging for cybersecurity professionals who are heads down defending against the persistent adversaries. The intent of this blog is to clarify XDR and remove the noise and hype into relevant and purposeful cybersecurity conversations with actions. And observe the need for a proactive approach.
Let’s begin with what does XDR refer to and its evolution. As noted earlier, XDR stands for Extended Detection and Response. “extended” is going beyond the endpoint to network and cloud infrastructure. You will find this cross-infrastructure or cross-domain capability is the common denominator for XDR. XDR is the next evolution of a solid Endpoint Detection and Response (EDR). Ironically it was a term introduced by a network security vendor with aspirations to enter the emerging Security Operations market.
A Look at the Industry Point of Views
Industry experts have weighed in on this XDR capability for cybersecurity and agree it’s still relatively early to market. Gartner’s definition, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.” Gartner notes three primary requirements of an XDR system are; centralization of normalized data primarily focused on the XDR vendors’ ecosystem, correlation of security data and alerts into incidents and centralized incident response capability that can change the state of individual security products as part of incident response or security policy setting. If you want to hear more from Gartner on this topic, check out the report.
ESG defines XDR as an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection and response. In other words, XDR unifies control points, security telemetry, analytics, and operations into one enterprise system. The cross-vector analytics must be enhanced to track advanced multi-stage attacks. In addition, implementation guidance such as reference architecture is needed to assure successful integrated workflows.
Forrester views XDR as the next generation of Endpoint Detection and Response to evolve to by integrating endpoint, network and application telemetry. The integration options are native where the integration is with one vendor’s portfolio or hybrid where the vendor integrates with other security vendors. The key goals include empowering analysts with incident-driven analytics for root cause analysis, offer prescriptive remediation with the ability to orchestrate it and map uses cases MITRE ATT&CK techniques and chain them into complex queries that describe behaviors, instead of individual events.
XDR Themes
The common XDR themes from these XDR discussions are multiple security functions integrated and curated data across the control vectors all working together to achieve better security operational efficiencies while responding to a threat. Cross control points make sense since the adversary movement is erratic. Emphasis is on removing complexity and offering better detection and understanding of the risk in the environment and quickly sorting through a possible response. The range of detect and response capabilities also suggest that it cannot be done by one exclusive vendor. Many advocates an integrated partnership approach to unify defenses and streamline efforts across domains and vectors. It’s a more realistic approach as well since most organizations do not fulfil their entire security function with one vendor. While buying an XDR “suite” from one vendor is easier where most of the security tools come from one vendor, some critical security functions from another vendor should be included to drive a more effective detect and response. This is not a new concept to connect the security disciplines to work together, as matter fact, McAfee Enterprise has been professing and delivering on Together is Power motto for some time.
One more consideration on this unified and integrated security XDR theme, many vendors may proclaim this but look under the hood carefully. They may have a unified view in a single console but has the data from all the separate vectors been automatically assessed, triaged and providing meaningful and actionable next steps?
Another common XDR theme is the promise to accelerate investigation efforts by offering automatic analysis of findings and incidents to get closer to a better assessment. This makes your reactive cycles potentially less frequent.
Integrating security across the enterprise and control points and accelerating investigations are critical functions. Does it address organizational nuances like is this threat a high priority because it is prevalent in my geo and industry and it’s impacting target assets with highly sensitive data. Prioritization should also be an XDR theme but not necessarily noted in these XDR discussions. Encourage you to read this blog on The Art of Ruthless Prioritization and Why It Matters to Sec Ops.
Net Out the Core XDR Functions
After distilling the many point of views and the themes on XDR, it seems the core functions all focus on improving security operations immensely during an attack. So, it’s a reactive function
| XDR Core & Baseline functions | Why? |
| Cross infrastructure—comprehensive vector coverage | Gain comprehensive visibility & control across your entire organization and stop operating in silos
Remove disparate efforts between tools, data and functional areas |
| Distilled data and correlated alerts across the organization | Remove manual discover and make sense of it all |
| Unified management with a common experience | From a common view or starting point removes the jumping between consoles and data pools to assure more timely and accurate responses |
| Security functions automatically exchange and trigger actions | Some security functions need to be automated like detection or response |
| Advanced functions—not noted in many XDR discussions | Why? |
| Actionable intelligence on potentially relevant threats | Allow organizations to proactively harden their environment before the attack |
| Rich context that includes threat intelligence and organizational impact insight | Organizations can prioritize their threat remediation efforts on major impact to the organization |
| Security working together with minimal effort | Simply tie a range of security functions together to create a united front and optimize security investments
|
Key Desired Outcomes
The end game is better security operational efficiencies. This can be expressed in a handy outcome check list perhaps helpful when assessing XDR solutions.
| Visibility | Control |
| More accurate detection | More accurate prevention |
| Adapt to changing technologies & infrastructure | Adapt to changing technologies & infrastructure |
| Less blind spots | Less gaps |
| Faster time to detect (or Mean Time to Detect-MTTD) | Faster time to remediate (or Mean Time to Respond-MTTR) |
| Better views and searchability | Prioritized hardening across portfolio—not isolated efforts |
| Faster & more accurate investigations (less false positive) | Orchestrate the control across the entire IT infrastructure |
A More Proactive Approach is Needed
McAfee Enterprise goes beyond the common XDR capabilities in the recently announced MVISION XDR and offers unmatched proactivity and prioritization producing smarter and better security outcomes. This means your SOC spends less time on error-prone reactive fire drills with weeks of investigation. SOCs will respond and protect what counts a lot quicker. Imagine getting ahead of the adversary before they attack.
Solution or Approach?
Is XDR a solution or product to be bought or an approach an organization’s must rally their security strategy to take? Honestly it can be both. Many vendors are announcing XDR products to buy or XDR capabilities. An XDR approach will shift processes and likely to merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.
Is XDR for everyone?
It depends on the organizations’ current cybersecurity maturity and readiness to embrace the breadth and required processes to obtain the SOC efficiency benefits. With the promise to correlate data across the entire enterprise implies some of the mundane and manual efforts to make sense of data into a better and actionable understanding of a threat are removed. Now this is good for organizations on both spectrums. Less mature organizations who do not have resources or expertise and do not consume data intelligence to shift through will appreciate this correlation and investigation step, but can they continue the pursuit of what does this mean to me. Medium to high mature cybersecurity organizations with expertise will not need to do the manual work to make sense of data. The difference with mature organizations comes with the next steps to further investigate and to decide on the remediation steps. Less mature organizations will not have the expertise to accomplish this. So, the real make a difference moment is for the more mature organization who can move more quickly to a response mode on the potential threat or threat in progress.
Your XDR Journey
If you are a medium to high mature cybersecurity organization, the question comes how and when. Most organizations using an Endpoint Detection and Response (EDR) solution are likely quite ready to embrace the XDR capabilities since their efforts are already investigating and resolving endpoint threats. It’s time to expand this effort gaining better understanding of the adversary’s movement across the entire infrastructure. If you are using MVISION EDR you are already using a solution with XDR capabilities since it digests SIEM data from McAfee Enterprise ESM or Splunk (which means it goes beyond the endpoint, a key XDR requirement.) Check out the latest award MVISION XDR received amongst the many recognitions.
Hope this blog removed the jargon and fog around XDR and offers actionable considerations for your organization to boost their SOC efforts. Start your XDR journey here.