What is xdr? is the security impact real or hyped?

Blog

What is XDR? Is the security impact real or hyped?

Dave Frampton
Table of contents

What is XDR?

With so many overlapping and self-serving definitions of XDR (Extended Detection and Response), embracing the innovations in technology first require that we parse the alphabet soup. We agree with several industry analysts covering the space that XDR is a vendor push with no real customer demand, but the problem spaces within XDR are of significant customer interest.

Consensus has emerged on a few XDR elements such as: cloud-native/SaaS, improved detection, and improved response. From there, the definitions vary. To help you wrap your head around which definition makes the most sense, let’s first unpack the alphabet soup of all these acronyms.

XDR vs EDR vs SIEM vs SOAR vs UEBA vs NDA vs NTA

We define XDR as a cybersecurity tool promoted by endpoint detection and response (EDR) vendors to aggregate and analyze disparate data and security sources, with the goal of improving threat detection and remediation operations. EDR monitors, detects, and responds to attacks on endpoint devices and is largely known for being able to respond to sophisticated threats like file-less malware.

Security information event management (SIEM) combines two other acronyms because why not turn this into a nested doll of letters? Security information management (SIM) and security event management (SEM) combine to create SIEM, which centralizes log data to analyze, collect, and monitor security-related information and events to improve the incident response process. SIEM analyzes security threats and alerts generated by network hardware, applications, and endpoints in real time.

Security orchestration, automation and response (SOAR) leverages machine learning and automation to accelerate incident response time and improve SecOps efficiency. In news that shouldn’t surprise anyone at this point of the acronym jargon puzzle, SOAR combines three other markets: security orchestration and automation (SOA), threat intelligence platforms (TIP) and security incident response platforms (SIRP). 

User and entity behavior and analytics (UEBA) tracks users (and entities because it’s in the name) to detect insider threats, targeted attacks and fraud. By looking at patterns in human or entity behavior, UEBA can detect anomalies that could indicate potential threats. 

Network detection and response (NDR) and network traffic analysis (NTA) aren’t just confusing because of their contribution to this endless list of acronyms, but also because people will often use them interchangeably. NTA is the process of collecting and analyzing the network traffic for potential threats, whereas NDR goes a step further by adding historical metadata for investigations and automated response using SOAR technology.

Why don’t other XDR definitions work?

You’ve probably seen a range of XDR definitions from various sources and vendors. Here’s what we’ve seen, and why we don’t think they work.

  • Is it a single-vendor EDR, SIEM, SOAR, UEBA, and NDR solution with tighter integration than SIEM (for just that single vendor) with out-of-the-box detection and response? This definition is too narrow and promotes self-serving vendor lock-in. It also ignores obvious, inevitable component swap-out options.

  • Is it an open ecosystem that connects EDR, SIEM, SOAR, UEBA, and NTA that does better out-of-the-box detection and response? Who knows? Although integrations across these categories already exist with SIEM as a central hub, how can an organization know that their XDR truly has “deeper integrations” and how would they even measure what “better detection” is?

  • Does it combine single product/solution next-gen SIEM/SOAR and next-gen EDR to do better out-of-the-box detection and response? Not yet! Both spaces are immensely complex and fundamentally centered on different data sets (endpoint telemetry vs. logs/events), even though they address the same aggregate value proposition.

  • Is it next-gen EDR extended into the edges of the SIEM/SOAR space by addressing a subset of SIEM/SOAR use cases that may meet the initial needs of SecOps teams early in their maturity development (e.g. adds incident response to EDR, direct integration to email and cloud workload protection context, etc.)? Yes! This is probably the closest definition we’ve seen that we can agree with.

It’s easy to see why so many disagree, given the obvious self-interest of all parties. Also, in smaller shops, the definitions and overlap get muddier, especially when customers are just at the decision point on adding SIEM or Managed Detection and Response (MDR) and/or Managed Security Service Provider (MSSP) equivalent.

XDR and next-gen SIEM better together? We think so

In most current defenses, EDR serves as a feeder network of “mini-SIEMs” which develop alerts based on endpoint telemetry, prioritize them, and send them to SIEMs which then add additional context, apply analytics and rule logic, and then further enrich the highest priority alerts for investigation. The net of this workflow is a two-stage distillation process that improves signal-to-noise compared to having an EDR alone.

XDR expands the role of the endpoint from a use case standpoint with additional detection context and automated remediation/response, creating overlap around some use cases of SIEM/SOAR; however, customers need the best of both systems to cover the entire use case landscape:

  • SIEM/SOAR strengths – security data lake for logs/compliance/search, 360 view, sophisticated configurable detection logic, increasingly rich set of orchestration and automation, central hub in SOC “nervous system”

  • XDR strengths – endpoint raw data for detection and investigation, sophisticated threat analytics, native automated response, deep integrations within a portfolio or preferred partner systems

If you don’t have a SIEM and think XDR can expand to cover your next phase of security maturity, you should check use case coverage, compliance, and log management capabilities compared to either MDR/MSSP or entry-level security analytics/SIEM. Consider use cases around application security and DevOps where EDR/XDR solutions lack visibility. Sumo Logic’s cloud security analytics solution can help!

Modern Cloud SIEMs and SOARs have already evolved to cover many of the typical use cases associated with XDR, here is a small subset:

  • Enriched alerts with cross-product context that streamline operations

  • Faster outbreak control with improved coverage and automation of MITRE ATT&CK mitigations

  • Detect and remediate ransomware activity

  • Detect compromised credentials and act on it

  • Detect risky data exfiltration

  • Monitor abnormal authentication and access and determine solution

  • Cross-reference IOCs from multiple data sources to quickly identify, pinpoint and neutralize a threats

Where do you go from here?

EDR vendors may say XDR eats the SIEM market, but many SIEM players will wildly re-position to co-opt XDR market energy. As a leader in the Cloud SIEM space, here is some practical advice for you and your security team to consider as your expand your security operations and consider an ideal XDR solution:

  • Embrace XDR as a welcome product evolution of EDR with improved detection, threat hunting, investigation, and response capabilities, but be skeptical of self-interested marketing hype on all sides (EDR, SIEM, NTA, UEBA, etc.).

  • Get deeper than labels into use cases – many use cases being discussed are already done in SIEM, EDR, or both. Push XDR vendors/solutions for the net new.

  • Push hard for an “Open XDR” approach and your flexibility to make the best choices for your environment across and within changing product categories. Avoid the dark side of closed vendor lock-in systems, preferred ecosystems that exclude any competitive elements, and the hoarding of data to capture monopoly rents or erode customer choice.

  • Position to take advantage of the “best of both” SIEM and XDR, but also think through new or expanding requirements from digital transformation and cloud migration. Yes, endpoint telemetry becomes more important for cloud workloads, but so does application layer defense and integration with ITSM/AIOPs, which often require much greater log and metric fluency. 

Aside from your XDR, you’ll want to ensure your SIEM can cover its end of the bargain to complement XDR. If it can’t, consider these advantages of Sumo Logic’s modern Cloud SIEM as an alternative:

  • Integrate event data (as well as normal alert data) from EDR. Many SIEMs struggle with the volume of the data and cannot make it effective at scale.

  • Integrate and correlate inventory and context data

  • Response capabilities – Manual, expert system-guided, and automated actions can be taken to both deepen investigation and remediation. Expect your SIEM automation and orchestration capabilities to be a strong superset of your XDR

  • If you have existing SIEM and EDR systems, as most enterprises do, push your technology providers to work with each other for your interest in sorting the right way to evolve use case coverage.

  • Prepare ahead for the hype cycle – these are early days in a very complex space with technology provider consolidation/insecurity creating temptations for over-promise cycles.

Learn more about Sumo Logic’s cloud-native security solutions.

Dave Frampton
Vice President and General Manager, Cloud SIEM & Security Analytics, Sumo Logic

People who read this also enjoyed

The truth you can’t afford to miss: Listen as your logs spill the tea

Meta RapidMTTRMonitor Blog 1200x628 1

Solve your MTTR mysteries faster with Sumo Logic

Top five metrics to monitor in IIS Logs