A Brief History of XDR
Coined in 2018 by Nir Zuk, CTO of Palo Alto Networks, “extended detection and response” (XDR) is a term that often incites great debate over the specifics of its definition. This debate has only led to confusion for potential clients who don’t have the time to fuss over the definition of a security solution they are not sure they completely understand. Although there are many definitions of XDR, one thing the majority of the cybersecurity community can agree on is its origin.
Born from “endpoint detection and response” (EDR), XDR expanded on the core concept of EDR, whose detection and response capabilities allow security analysts to detect threats and respond to them in real time. While EDR provides effective endpoint detection, effective detection requires more telemetry than endpoints alone. As a result, many security teams have matched security data from other parts of their environment against endpoint telemetry. The issue is that doing so raises the number of false positives and creates enormous data volumes.
A Better Definition of XDR
According to Forrester, XDR is defined as “the evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real-time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity, and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.” To create this definition, Forrester brought together interviews and survey results from over 40 security vendors, various XDR end-users, and the Forrester team, to form an unbiased definition of the solution.
Open XDR vs. Native XDR
Most XDR solutions can be broken down into two categories: open and native XDR. The main difference is that open XDR relies on third-party integrations to collect telemetry and execute a response, while native XDR is an all-in-one platform that integrates security tools from a single vendor to collect telemetry and execute responses.
For a native XDR solution, the vendor’s own offerings collect all telemetry in one streamlined solution. This option is best suited to organizations that don’t have other existing security tools, as native XDR would force security teams to stop using existing tools in order to adopt the complete platform. The benefit of native XDR is that these solutions handle the collection of telemetry and threat detection themselves, so security teams won’t need to worry about integrations. On the flip side, this can also be perceived as a drawback, as there is no capability to integrate with third parties if the solution’s telemetry collection has gaps.
Open XDR solutions are designed to integrate with the security tools an organization already has. They are more flexible and best suited to those who don’t wish to replace the tools already in place. The benefit here is that open XDR solutions allow organizations to keep current tools or pick “cream of the crop” tools to collect their telemetry data. One downside to open XDR solutions is that organizations must select a provider who can integrate all their current tools, as some niche tools may not be supported.
XDR vs. SIEM
As you learn more about XDR, you may think its capabilities sound similar to those of SIEM solutions, but there is a crucial difference between them. Although both XDR and SIEM collect, correlate, and analyze data for better threat awareness, SIEM solutions can’t automatically orchestrate real-time responses to network and endpoint threats. Simply put, XDR’s level of visibility across a whole network makes it the more effective approach.
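To make the correlation described above concrete (endpoint detections stitched to identity and network telemetry, with an automated response only when a detection is corroborated), here is an added illustrative example that is not part of the original post and not AgileBlue’s code. All telemetry records, field names and signal labels are constructed for the example; the ten-minute correlation window and the “corroborated detections trigger host isolation, lone detections go to an analyst” triage rule are assumptions, not a vendor’s actual logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources (not real data).
ENDPOINT_DETECTIONS = [
    {"ts": "2024-03-01T10:00:05", "host": "ws-17", "user": "alice", "signal": "suspicious_powershell"},
    {"ts": "2024-03-01T11:30:00", "host": "ws-22", "user": "bob", "signal": "suspicious_powershell"},
]
IDENTITY_EVENTS = [
    {"ts": "2024-03-01T09:58:40", "user": "alice", "signal": "mfa_push_denied_then_accepted"},
    {"ts": "2024-03-01T08:00:00", "user": "bob", "signal": "login_success"},
]
NETWORK_EVENTS = [
    {"ts": "2024-03-01T10:01:10", "host": "ws-17", "signal": "new_external_destination"},
]

WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def correlate(endpoint, identity, network, window=WINDOW):
    """Attach identity events (matched by user) and network events (matched by
    host) that fall within `window` of each endpoint detection."""
    by_user, by_host = defaultdict(list), defaultdict(list)
    for ev in identity:
        by_user[ev["user"]].append(ev)
    for ev in network:
        by_host[ev["host"]].append(ev)
    incidents = []
    for det in endpoint:
        t = parse_ts(det["ts"])
        candidates = by_user[det["user"]] + by_host[det["host"]]
        corroboration = [ev["signal"] for ev in candidates
                         if abs(parse_ts(ev["ts"]) - t) <= window]
        incidents.append({**det, "corroboration": corroboration})
    return incidents


def triage(incidents, min_corroboration=1):
    """Assumed response policy: isolate a host only when the endpoint detection is
    corroborated by other telemetry; otherwise queue it for analyst review."""
    return [("isolate_host" if len(inc["corroboration"]) >= min_corroboration
             else "analyst_review", inc["host"]) for inc in incidents]


if __name__ == "__main__":
    for inc in correlate(ENDPOINT_DETECTIONS, IDENTITY_EVENTS, NETWORK_EVENTS):
        print(inc)
    print(triage(correlate(ENDPOINT_DETECTIONS, IDENTITY_EVENTS, NETWORK_EVENTS)))
```

Bob’s login at 08:00 falls outside the window of his 11:30 detection, so that detection is not corroborated and is routed to an analyst rather than triggering an automated response.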
AgileBlue’s SOC|XDR Platform
The AgileBlue SOC and XDR platform correlates, stitches, and integrates every layer of a technology stack to detect indicators of cyber-attack.
Our unique and innovative Silencer Technology reduces false positives by 95%. We do this by automating response (EDR) together with advanced threat detection, using our anomaly-based machine learning, user behavior analytics, and vulnerability detection to maintain a complete view of an IT infrastructure. Alerts are then analyzed and reviewed by AgileBlue’s 24/7 SOC team, helping to mitigate a cyber-attack.