With so many overlapping and self-serving definitions of XDR (Extended Detection and Response), we thought we would provide a perspective from some of us on the front lines of trying to embrace technology innovation while filtering vendor marketing noise. We agree with several industry analysts covering the space that XDR is a vendor push with no real customer demand, but the problem spaces within XDR are of significant customer interest.
Everyone seems to agree on a few XDR elements: for example cloud-native/SaaS, improved detection (wider context!), and improved response (more automated workflow/remediation!), but from there the definitions fragment. Here is Sumo Logic’s parse of some current XDR definitions and our take:
A single vendor Endpoint Detection Response (EDR), Security Information Event Management (SIEM), Security Orchestration and Automation Response (SOAR), User and Entity Behavior and Analytics (UEBA), and/or Network Detection and Response (NDR) solution with tighter integration than SIEM (for just that single vendor) with out-of-the-box detection and response - too narrow and promotes self-serving vendor lock-in and ignores obvious, inevitable component swap out options.
Open ecosystem which connects EDR, SIEM, SOAR, UEBA, Network Traffic Analysis (NTA) that does better out-of-the-box detection and response - no, integrations across these categories already exist with SIEM as a central hub and the assertion that somehow XDR has “deeper integration” across the breadth of the ecosystem lacks evidence.
Combined single product/solution Next-Gen SIEM/SOAR + Next-Gen EDR that does better out-of-the-box detection and response - not for a long time, both spaces are immensely complex and fundamentally centered on different data sets (endpoint telemetry vs. logs/events) even though they address the same aggregate value proposition.
Next-Gen EDR extended into the edges of the SIEM/SOAR space by addressing a subset of SIEM/SOAR use cases that may meet the initial needs of SecOps teams early in their maturity development (e.g. adds incident response to EDR, direct integration to email and cloud workload protection context, etc.) - yes, closest to the pin parse of the noisy claim clutter.
It’s easy to see why so many disagree given the obvious self-interest of all of the parties. Also, in smaller shops the definitions and overlap get muddier, especially when customers are just at the decision point on adding SIEM or Managed Detection and Response (MDR) and/or Managed Security Service Provider (MSSP) equivalent.
XDR + Next-Gen SIEM Better Together? We think so ...
In most current defenses EDR serves as a feeder network of “mini-SIEMs” which develop alerts based on endpoint telemetry, prioritize them, and send them to SIEMs which then add additional context, apply analytics and rule logic, and then further enrich the highest priority alerts for investigation. The net of this workflow is a two-stage distillation process which improves signal to noise compared to having an EDR alone.
XDR expands the role of the endpoint from a use case standpoint with additional detection context and automated remediation/response, creating overlap around some use cases of SIEM/SOAR; however, customers need the best of both systems to cover the entire use case landscape:
SIEM/SOAR strengths - security data lake for logs/compliance/search, 360 view, sophisticated configurable detection logic, increasingly rich set of orchestration and automation, central hub in SOC “nervous system”
XDR strengths - endpoint raw data for detection and investigation, sophisticated threat analytics, native automated response, deep integrations within portfolio or preferred partner systems
If you don’t have a SIEM and think XDR can expand to cover your next phase of security maturity, you should check use case coverage, compliance, and log management capabilities compared to either MDR/MSSP or entry-level security analytics/SIEM. Consider use cases around application security and DevOps where EDR/XDR solutions lack visibility. Sumo Logic’s cloud security analytics solution can help!
Modern Cloud SIEMs/SOARs have already evolved to cover many of the typical use cases associated with XDR, here is a small subset:
Enriched alerts with cross-product context that streamline operations
Faster outbreak control with improved coverage of, and automated, MITRE ATT&CK mitigations
Detect and remediate ransomware activity
Detect compromised credentials and act on it
Detect risky data exfiltration
Monitor abnormal authentication and access and determine solution
Cross-reference IOCs from multiple data sources to quickly identify, pinpoint and neutralize a threats
NetNet: What to Do?
EDR vendors may say XDR eats the SIEM market, many SIEM players will wildly re-position to co-opt XDR market energy. As a leader in the Cloud SIEM space, here is some practical advice from Sumo Logic based on our customer dialogues and experience in the space:
Embrace XDR as a welcome product evolution of EDR with improved detection, hunting, investigation, and response capabilities, but be skeptical of self-interested marketing hype on all sides (EDR, SIEM, NTA, UEBA, etc.).
Get deeper than labels into use cases - many use cases being discussed are already done in SIEM, EDR, or both. Push XDR vendors/solutions for the net new.
Push hard for an “Open XDR” approach and your flexibility to make the best choices for your environment across and within changing product categories. Avoid the dark side of closed vendor lock-in systems, preferred ecosystems that exclude any competitive elements, and the hoarding of data to capture monopoly rents or erode customer choice.
As noted above position to take advantage of the “best of both” SIEM and XDR, but in addition think through new/expanding requirements from digital transformation and cloud migration - yes endpoint telemetry becomes more important for cloud workloads, but so too does application layer defense and synergy with ITSM/AIOPs which often require much greater log and metric fluency - you’ll likely need both Next-Gen EDR = XDR and Next-Gen SIEM to keep pace.
Make sure your SIEM can cover its end of the bargain to complement XDR, and if it can’t consider these and all the other advantages of a modern Cloud SIEM as an alternative:
Integrate Event data (as well as normal alert data) from EDR. Many SIEMs struggle with the volume of the data and cannot make it effective at scale.
Integrate and correlate inventory and context data
Response Capabilities - Manual, expert system guided, and automated actions can be taken to both deepen investigation and remediation - expect your SIEM automation and orchestration capabilities to be a strong superset of your XDR
If you have existing SIEM and EDR systems as most enterprises do, push your technology providers to work with each other for your interest in sorting the right way to evolve use case coverage.
Prepare ahead for the hype cycle - these are early days in a very complex space with technology provider consolidation/insecurity creating temptations for over promise cycles.
Learn more about Sumo Logic’s cloud-native security solutions including SIEM, SOAR and compliance.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.