XDR Have You Confused? We’re Here to Help.

woman explaining hands

A Brief History of XDR

Coined in 2018 by Nir Zuk, Palo Alto Network’s CTO, “extended detection and response” (XDR) is a term that often incites great debate on the specifics of its definition. This debate has only led to confusion for potential clients who don’t have the time to fuss over the definition of a security solution that they are not sure they completely understand. Although there are many definitions for XDR, one thing the majority of the cybersecurity community can agree on is its origin. 

Born from “endpoint detection and response” (EDR), XDR expanded on the core concept of EDR, from which detection and response capabilities could allow security analysts to detect threats and respond to them in real-time. While EDR provides effective endpoint detection, it requires more telemetry than just endpoints. As a result, many security teams have used security data from other parts of their environment to match with endpoint telemetry. The issue is that it raises the number of false positives and creates enormous data volumes. 

 

 

A Better Definition of XDR 

According to Forrester, XDR is defined as “the evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real-time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity, and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.” To create this definition, Forrester brought together interviews and survey results from over 40 security vendors, various XDR end-users, and the Forrester team, to form an unbiased definition of the solution.

 

 

Open XDR vs. Native XDR

Most XDR solutions can be broken down into two categories– open and native XDR. The main difference being open XDR focuses on third-party integrations to collect telemetry and execute a response, while native XDR is an all-in-one platform integrating security tools from one single vendor to collect telemetry and execute responses. 

For a Native XDR solution, the vendor offerings collect all telemetry in an all-in-one streamlined solution. This option is best suited for organizations that don’t have other existing security tools, as native XDR would force security teams to stop using existing tools to use this complete platform. The benefit of native XDR is that these solutions handle the collection of telemetry and threat detection so that security teams won’t need to worry about integrations. On the flip side, this can also be perceived as a downfall, as there are no capabilities of integrating with third-parties if the solution’s telemetry collection has gaps.

Open XDR solutions are designed to integrate with existing security tools within an organization. Open XDR solutions are more flexible and best suited for those who don’t wish to replace security tools already in place. The benefit here is that open XDR solutions allow organizations to keep current tools or pick “cream of the crop” tools to collect their telemetry data. One downside to Open XDR solutions is that organizations must select a provider who can integrate all their current tools, as some niche tools may not be usable. 

 

 

XDR vs. SIEM

As you learn more about XDR, you may think its capabilities sound similar to those of SIEM solutions, but there is a crucial difference between them. Although both XDR and SIEM collect, correlate, and analyze data for better threat awareness, SIEM solutions can’t automatically orchestrate real-time responses to network and endpoint threats. Simply put– XDR’s level of visibility across a whole network makes it the more effective approach. 

 

 

AgileBlue’s SOC|XDR Platform

The AgileBlue SOC and XDR platform correlates, stitches, and integrates every layer of a technology stack to detect indicators of cyber-attack.

Our unique and innovative Silencer Technology reduces false positives by 95%. We do this by automating response (EDR) with advanced threat detection using our anomalous machine learning, user behavior analytics, and vulnerability detection to maintain a complete view of an IT infrastructure. Alerts are then analyzed and reviewed by AgileBlue’s 24/7 SOC team, helping to mitigate a cyber-attack. 

Written by Peter Burg

Peter Burg is Director of Business Development at AgileBlue, partnering with organizations who are looking for ways to make IT and cybersecurity work. Peter currently resides in Minnesota and is a big baseball fan.

October 21, 2022

You May Also Like…

What is SOAR?

What is SOAR?

Already stretched thin, security teams often need help with the overwhelming volume of alerts and incidents they must manage daily. This level of data can lead to slower response times, missed...

read more

Request a Demo

AgileBlue is a software company with an innovative SOC-as-a-Service for 24X7 network monitoring, cloud security, data privacy and compliance.

Our modern SOC-as-a-Service is built on innovative machine learning and autonomous execution. If you would like to discuss our SOC-as-a-Service, Partner Program or schedule a brief demo please give us a little info and we will contact you immediately.