2023-09-21

Extended Detection and Response (XDR) is an approach to integrating a constantly evolving range of detective technologies with similar evolution in analytics and response. Threat detection, investigation and response (TDIR), of which XDR is an aspect, is also one of the most active areas of investment in integrating AI generally – and generative AI in particular – with security technology and practice.

XDR provides threat detection and response capabilities that extend beyond the approach of single threat vector solutions such as EDR and NDR. It also expands what is possible through traditional approaches such as logging alone. XDR aggregates telemetry across the security stack, adding analytics and intelligence to interpret and correlate data and detect threats potentially across the entire IT ecosystem.

With the usual caveats that categorization is seldom a clean-cut exercise and that some overlap is bound to occur, there’s still a benefit to offering a segmentation of XDR offerings.

Vendors offering XDR are classified in two distinct categories: product-centric vendors and services-centric vendors. The product-centric vendors are further segmented as ‘telemetry-focused’ or ‘analytics-focused.’

Types of XDR Vendors

Product-Centric, Telemetry-Focused

Favored by established security vendors, a product-centric, telemetry-focused approach seeks to unify different products and services from the same vendor into a single XDR ‘platform,’ sometimes complementing this with external data pulled via APIs.

The typical offering in this space will use the vendor’s existing telemetry sources (endpoint, network, etc.), which are then complemented by a ‘central analytics’ capability of some sort to provide the user interface, integrations and more. This often means bringing in external data via APIs, with user identity data gathered from an identity provider being a common use case.

Sometimes, the central analytic capability of telemetry-focused plays is provided by third parties. In other cases, telemetry-centric vendors may build it organically – but acquisition has been a popular route to bringing this functionality in-house for many.

Product-Centric, Analytics-Focused

The other product-centric approach is to focus on the ‘analytics’ side of the equation. Here, what the vendor is bringing to the table is its core ‘central analytics’ capability, which can then integrate with the existing security architecture and tools an organization has in place. This approach is more popular with established security analytics vendors that don’t own a significant stake in telemetry sources. Newer entrants in security analytics that don’t yet have a widely deployed customer base may also choose instead to count on integration with multiple data sources. As the market evolves, this is the approach that is more likely to be favored by existing security information and event management (SIEM) vendors that choose to align themselves closer to XDR.

Analytics-focused XDR vendors tend to offer a broad catalog of pre-built, bi-directional integrations, providing security teams with visibility across a diverse set of security technologies and data sources and enabling automation that spans across tools from different vendors and platforms, often including cloud, identity, endpoint and network as key areas to support. In many cases, vendors are highlighting how their analytics capabilities include large amounts of machine learning (ML), scoring, threat intelligence and so on. As recent buzz surrounding generative AI might suggest, the incorporation of AI in streamlining processes for security operations teams continually overwhelmed by data volume and variety is an area of active investigation in this space.

Services-Centric

A services-focused XDR approach can seem a bit like an oxymoron. There is often limited to no experience with new or emerging approaches to threat detection telemetry within a given security organization, so XDR requires teams to make significant investments in advanced security talent to cover 24/7 threat detection, investigation and response. A few vendors are promoting managed XDR as a new approach; however, Managed Detection and Response (MDR) providers have offered XDR capabilities for several years, wrapped with managed services to help organizations scale and fill expertise gaps. Like XDR vendors, MDR providers often take a product-centric or a telemetry-focused approach to their platform offerings.

A notable trend among MDR providers is the offering of their own core MDR platform without managed services, competing directly with emerging XDR technology providers. This may prove to be a competitive advantage for MDR providers in the XDR space. Offering an array of optional managed service levels to fit the unique needs of each organization, this strategy enables security teams to take an adaptive approach to threat detection and response. To counter this move by MDR providers, XDR vendors are increasingly partnering with MSSPs to deliver XDR as a managed service.

What are the benefits of Extended Detection and Response (XDR)?

Expertise and Skills Shortages

Two of the most significant barriers to any security initiative are the lack of specialized expertise and the lack of available skilled resources. XDR aims to help organizations address both challenges.

By delivering data aggregation, automation, visibility, analytics and intelligence, XDR can be a force multiplier for security teams. Event triage, typically handled by tier one SOC analysts, tends to be one of the first areas to realize the benefits of implementing XDR, benefiting from alert consolidation, contextualization and data enrichment. Streamlining and scaling up these activities can empower tier one analysts to keep pace with a growing volume of data while at the same time taking on more investigative activities typically handled by tier two and three analysts.
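As an added illustration (not code from the article or from any vendor's product), the sketch below shows the consolidation step described above: constructed EDR and NDR alerts that share a host within a short window are merged, enriched with identity context from an IdP feed, and ranked by a simple risk score. All hosts, users, role weights and timestamps are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; every host, user and timestamp below is made up.
EDR_ALERTS = [
    {"ts": "2023-09-21T10:02:00", "host": "ws-114", "detail": "suspicious powershell", "sev": 3},
    {"ts": "2023-09-21T14:30:00", "host": "ws-207", "detail": "unsigned driver load", "sev": 2},
]
NDR_ALERTS = [
    {"ts": "2023-09-21T10:04:30", "host": "ws-114", "detail": "beaconing to rare domain", "sev": 3},
]
IDP_SESSIONS = [  # identity-provider context pulled via API: who was logged on where
    {"ts": "2023-09-21T09:55:00", "host": "ws-114", "user": "jdoe", "role": "finance-admin"},
    {"ts": "2023-09-21T14:00:00", "host": "ws-207", "user": "asmith", "role": "intern"},
]
ROLE_WEIGHT = {"finance-admin": 2, "intern": 0}  # constructed enrichment table

def _t(s):
    return datetime.fromisoformat(s)

def _windows(alerts, window):
    """Split time-sorted alerts into groups whose span does not exceed `window`."""
    groups = []
    for a in alerts:
        if groups and _t(a["ts"]) - _t(groups[-1][0]["ts"]) <= window:
            groups[-1].append(a)
        else:
            groups.append([a])
    return groups

def correlate(edr, ndr, idp, window=timedelta(minutes=15)):
    """Consolidate per-tool alerts by host and time, enrich with IdP user, score risk."""
    by_host = defaultdict(list)
    for source, alerts in (("edr", edr), ("ndr", ndr)):
        for a in alerts:
            by_host[a["host"]].append(dict(a, source=source))
    incidents = []
    for host, alerts in by_host.items():
        alerts.sort(key=lambda a: _t(a["ts"]))
        for group in _windows(alerts, window):
            first = _t(group[0]["ts"])
            # Enrichment: latest IdP session on this host that began before the first alert
            sessions = [s for s in idp if s["host"] == host and _t(s["ts"]) <= first]
            user = max(sessions, key=lambda s: _t(s["ts"]), default=None)
            sources = {a["source"] for a in group}
            score = sum(a["sev"] for a in group) + 2 * (len(sources) - 1)  # corroboration bonus
            if user: score += ROLE_WEIGHT.get(user["role"], 1)  # unknown roles get a modest weight
            incidents.append({"host": host, "user": user["user"] if user else None,
                              "sources": sorted(sources), "alerts": len(group), "score": score})
    return sorted(incidents, key=lambda i: -i["score"])  # analyst sees highest risk first
```

Two alerts from different tools on the same host within the window become one incident that outranks a lone, lower-severity alert elsewhere; alerts on one host more than 15 minutes apart stay separate.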

Automation and Orchestration

Although many XDR solutions only offer limited automation and orchestration capabilities or require security teams to integrate with third-party security automation and orchestration platforms, automation is a key benefit for XDR that is expanding and becoming increasingly native to XDR platforms. Automation enables security teams to perform at high velocity and with maximum efficiency amid an ever-expanding and complex IT ecosystem and an evolving threat landscape.

The automation and orchestration capabilities of XDR platforms hold the potential to optimize a large portion of security operations, including monitoring, management, detection, analysis, data enrichment, correlation and response. Providing end-to-end automation capabilities that span tools, processes and workflows, security platforms help alleviate the time needed to conduct mundane, repeatable tasks so more time can be focused on strategic and value-add initiatives. However, product-centric XDR providers may provide limited automation capabilities outside of their own technology stack. The benefits of automation may be further dependent on a number of factors for success, such as the maturity of security operations and the amenability of content and processes to repeatable automation. Automation may, however, also serve as a driver toward greater maturity, by implementing the discipline necessary for process repeatability and reliability.

Integrations

XDR can also alleviate the need for security teams to build and maintain integrations and connectors with security tools and data sources. Although most XDR providers offer an extensive set of APIs, most organizations lack the bandwidth and expertise to develop their own connectors, preferring vendors that offer out-of-the-box, bi-directional integrations. However, since no XDR platform natively integrates with every security tool available in the market, some custom integration will likely be required. Organizations will find that analytics- and services-focused XDR providers tend to integrate with a broad set of third-party security technologies while telemetry-centric XDR providers tightly integrate with their own proprietary security technologies, only offering limited integrations (typically only data ingestion) to third-party tools and data sources.

Today’s Evolution: The impact of machine learning and AI

The sheer volume and variety of security-relevant data in any enterprise suggests the potential that machine learning (ML) and artificial intelligence (AI) hold for XDR to enable security teams to scale operations and discover threats that would otherwise go undetected. Contextualized, telemetry-based ML analytics can help reduce false positives, prioritize alerts based on risk, and enable security teams to respond to threats faster and more efficiently. Many participants in XDR-related segments have leveraged ML in their platforms and operations to greater or lesser degrees – but the messaging surrounding the value of ML/AI in this area has increased substantially over the last year following the high-profile appearance of generative AI on the scene. Indeed, one of the most visible manifestations of generative AI in security technology has been its integration with security operations technology. Technology leaders with a strong stake in AI as well as security have debuted their integrations of generative AI with threat detection, investigation and response in recent months. If the concerns and risks of generative AI – risks of which security professionals are increasingly aware – can be overcome, generative AI could be poised to have a dramatic impact not only on the trajectory of XDR, but on the security technology and services markets more generally.

Guidance and Recommendations

In addition to notifying security analysts of threats and indicators of compromise, many XDR platforms deliver prescriptive analysis, including guidance and recommendations for further investigation and response. While this analysis and guidance can help security teams contextualize threats and prioritize response efforts, it can be particularly valuable for lean security teams that may lack the in-depth expertise to determine the corrective actions needed to respond to events quickly and decisively.

What are the drawbacks of Extended Detection and Response (XDR)?

As with any security approach or technology, XDR has several risks, limitations and shortcomings that organizations should consider before committing to this strategy.

Today, most XDR providers tend to focus only on two or three domains and are often limited to detecting threats in certain environments (e.g., on-premises) and primarily from their own proprietary technologies (e.g., endpoint agents). In addition, XDR often requires organizations to make investments in other capabilities such as automation and orchestration, threat intelligence, SIEM, reporting, and developing integrations with workflow systems and security technologies not natively supported by the solution. This variability between XDR providers can make comparing and selecting the right platform difficult, forcing security teams to compromise and choose a specialized solution that may deliver the specific outcomes they are seeking.

When organizations have limited to no relevant expertise, XDR requires organizations to make significant investments in advanced security talent to cover 24/7 threat detection, investigation and response. Although XDR can be a force multiplier for organizations without a SOC or only staffing a lean security team, effective detection and response requires human insight and specialized expertise that many organizations lack.

XDR platforms often provide out-of-the-box use cases delivering pre-configured playbooks for response, preconfigured reports, and facilities to conduct threat hunting. However, many organizations may find that, due to available expertise, they are unable to effectively expand beyond the limited predefined capabilities of the XDR platform, reducing their ability to achieve the full capabilities the organization envisions for its security program. Considering the prevalence of product-centric XDR approaches, vendor lock-in is a strong possibility.

In its early days, one of the distinguishing features of XDR was its emphasis on new approaches to telemetry. Today, that influence is being eclipsed by the potential impact of AI – and generative AI in particular – in security operations. This is reflected in a tendency, among vendors and practitioners alike, to emphasize the broad scope of threat detection, investigation and response, rather than what may seem to be a more telemetry-centric focus on XDR. Regardless, the security operations teams that must implement threat detection and response will be forced to keep up with both telemetry evolution and AI at the center of XDR, given that they will find both increasingly shaping the technologies as well as the practices on which they depend.

For more insights, subscribe to our Next in Tech podcast or read more about our 451 Research solution.
