What is XDR?
Extended detection and response (XDR) is a cybersecurity technology that ingests data from multiple security layers, including servers, endpoints, cloud workloads, networks, email, and users.
Its main advantage is breaking down silos created by individual security solutions, which can lead to gaps in visibility. By pooling, correlating, and analyzing data from separate security tools, XDR enhances visibility, reduces attack response time, and supports security activities like threat hunting and forensic investigation of incidents.
XDR platforms are frequently supplied as SaaS applications. They are also available as on-premises and cloud-based solutions. This technology can be combined with services for delivery as managed XDR (MXDR).
A short history
XDR is the latest iteration of endpoint security, which began in the 1980s with antivirus software.
- Antivirus vendors added features like host firewall and disk encryption, and these solutions evolved into endpoint protection platforms (EPPs).
- Meanwhile, a new category of tools emerged to detect and stop endpoint attacks: endpoint detection and response (EDR).
- The rise of cloud, IoT, and unmanaged devices presented new security challenges that EDR could not solve.
- Point products like cloud detection and response (CDR), network detection and response (NDR), and user and entity behavior analytics (UEBA) emerged to target these new, individual threats.
- The resulting siloed solutions produced a flood of alerts that overwhelmed security teams and underscored the need for an integrated solution.
XDR Definition
The name “extended detection and response” was coined by Nir Zuk, CTO of Palo Alto Networks, in 2018. XDR is called “extended” because it expands the scope of EDR beyond just endpoints to include multiple attack vectors. XDR is also referred to as “cross-layered” detection and response.
XDR has become a recognized market, which Gartner describes in these terms: “delivers security incident detection and automated response capabilities for security infrastructure.”
The XDR market is forecast to grow by double digits from about $1.7 billion last year to $8.8 billion in 2028. This robust growth is being fueled by the transition to XDR from EDR. That shift, in turn, is affected by increases in the number and complexity of cyberattacks and the trend towards integration of security solutions.
How XDR Works
XDR uses artificial intelligence, machine learning, automation, and analytics to collect and analyze data from otherwise siloed attack surfaces across the IT environment. An XDR solution continuously performs these functions:
- Collection: Ingest, clean, organize, and standardize data from multiple streams.
- Analysis and correlation: Automatically analyze and correlate data to identify unusual patterns and behaviors, detect incidents, and optimize alerting. The goal is to connect related incidents and provide context for security analysts.
- Response: Prioritize the threat or incident by severity or potential impact to help security staff quickly perform triage and respond manually. Alternatively, the XDR system can respond automatically, such as by quarantining devices or blocking IP addresses.
Some XDR systems also provide detailed threat information pertaining to the organization’s environment, including attacker tactics, techniques, and procedures (TTPs) and recommended actions for addressing them.
Benefits of XDR Security
The signature advantage of XDR is its ability to consolidate data from multiple standalone security tools to provide a complete, unified view of the security environment. This cross-layer capability contrasts with detection and response point products such as EDR, which focuses on endpoints.
In addition to 360-degree visibility, XDR provides crucial context about threats to help security teams accelerate evaluation and response. An XDR solution can supply details such as how an incident occurred, the attackers’ entry point, what TTPs were used, any related attacks and incidents, and more.
XDR also provides operational benefits:
- Faster incident detection and response: Automation removes manual steps from threat detection and response, helping to speed up these processes. Plus, AI and machine learning enable XDR solutions to learn and improve over time so they can identify and handle new, emerging threats.
- Higher efficiency: XDR helps security teams reduce fatigue from dealing with thousands of alerts generated by individual security tools. Data analysis and correlation capabilities enable XDR to group related alerts across the MITRE ATT&CK framework, prioritize them by severity, and flag the most important ones. Similarly, XDR supplies a holistic picture of threats across the entire environment, which helps security teams avoid the time-consuming task of evaluating separate data streams using multiple tools.
- Lower costs: Adopting a single detection and response solution vs. multiple point products can reduce capital costs and administration. Taking things one step further, a managed XDR solution can save money on staffing, training, and infrastructure.
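The collection, correlation, and prioritization steps listed under "How XDR Works", and the alert grouping and severity ranking mentioned under "Higher efficiency", can be made concrete with a small pipeline. The Python below is an added example written for this page, not code from any XDR product: the endpoint, network, and identity records, their field names, the 30-minute correlation window, the event-to-ATT&CK mapping, and the scoring rule are all constructed assumptions (the technique IDs themselves are real ATT&CK identifiers). It normalizes three differently shaped feeds into one schema, chains events that share a host or user into incidents, and ranks incidents so that weak signals corroborated across several layers outrank a single loud alert.

```python
"""Toy cross-layer correlation pipeline in the spirit of XDR (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# --- Collection input: three layers, each with its own raw schema (constructed) ---
EDR_EVENTS = [{"ts": "2024-05-01T09:01:00", "hostname": "ws-17", "user": "alice",
               "event": "suspicious_powershell"}]
NDR_EVENTS = [{"time": "2024-05-01T09:03:30", "src_host": "ws-17",
               "detail": "beacon_to_rare_domain"}]
ITDR_EVENTS = [{"timestamp": "2024-05-01T08:58:10", "account": "alice",
                "kind": "impossible_travel_login"},
               {"timestamp": "2024-05-01T11:40:00", "account": "bob",
                "kind": "password_spray_target"}]

# Assumed mapping: normalized event type -> (ATT&CK technique, severity 1..5)
TECHNIQUE_MAP = {
    "suspicious_powershell": ("T1059", 4),
    "beacon_to_rare_domain": ("T1071", 4),
    "impossible_travel_login": ("T1078", 3),
    "password_spray_target": ("T1110", 2),
}
WINDOW = timedelta(minutes=30)  # assumed correlation window


@dataclass
class Event:
    time: datetime
    layer: str
    host: Optional[str]
    user: Optional[str]
    event_type: str
    technique: str
    severity: int


def _make(ts, layer, host, user, event_type):
    technique, severity = TECHNIQUE_MAP.get(event_type, ("unmapped", 1))
    return Event(datetime.fromisoformat(ts), layer, host, user, event_type, technique, severity)


def normalize(edr, ndr, itdr):
    """Collection step: map each layer's raw records onto one common schema."""
    out = [_make(r["ts"], "endpoint", r["hostname"], r["user"], r["event"]) for r in edr]
    out += [_make(r["time"], "network", r["src_host"], None, r["detail"]) for r in ndr]
    out += [_make(r["timestamp"], "identity", None, r["account"], r["kind"]) for r in itdr]
    return sorted(out, key=lambda e: e.time)


class Incident:
    def __init__(self, first):
        self.events, self.entities, self.last_seen = [], set(), first.time
        self.absorb(first)

    def absorb(self, ev):
        self.events.append(ev)
        self.entities |= {x for x in (ev.host, ev.user) if x}
        self.last_seen = ev.time

    def layers(self):
        return sorted({e.layer for e in self.events})

    def techniques(self):
        return sorted({e.technique for e in self.events})

    def score(self):
        # Highest single severity plus a bonus for every extra layer that
        # corroborates the activity: three modest signals across endpoint,
        # network and identity outweigh one loud signal in a single layer.
        return max(e.severity for e in self.events) + 2 * (len(self.layers()) - 1)


def correlate(events, window=WINDOW):
    """Analysis step: chain events sharing a host or user within the window.
    (A production engine would also merge incidents that later turn out to
    overlap; this sketch only attaches each event to the first match.)"""
    incidents = []
    for ev in events:
        ents = {x for x in (ev.host, ev.user) if x}
        for inc in incidents:
            if inc.entities & ents and ev.time - inc.last_seen <= window:
                inc.absorb(ev)
                break
        else:
            incidents.append(Incident(ev))
    return incidents


def suggest_action(inc):
    """Containment suggestion for an analyst to confirm; nothing is executed here."""
    if "endpoint" in inc.layers() and "network" in inc.layers():
        return "isolate host(s) and disable affected account(s)"
    if "identity" in inc.layers():
        return "force password reset and revoke sessions"
    return "monitor"


def prioritize(incidents, flag_threshold=6):
    """Response step: rank by score and flag incidents needing immediate triage."""
    ranked = sorted(incidents, key=lambda i: i.score(), reverse=True)
    return [{"entities": sorted(i.entities), "layers": i.layers(),
             "techniques": i.techniques(), "score": i.score(),
             "flagged": i.score() >= flag_threshold, "action": suggest_action(i)}
            for i in ranked]


def run_pipeline():
    return prioritize(correlate(normalize(EDR_EVENTS, NDR_EVENTS, ITDR_EVENTS)))


if __name__ == "__main__":
    for incident in run_pipeline():
        print(incident)
```

Run as a script, the pipeline yields two incidents: the alice/ws-17 chain (identity, endpoint and network signals within a few minutes, score 8, flagged) and the isolated password-spray observation on bob (score 2, not flagged). Seen through any one of the three tools alone, the first chain would be three unrelated medium-severity alerts; the cross-layer grouping is what surfaces it as one high-priority incident.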
Differences Between XDR and Other Detection and Response Technologies
A number of detection and response solutions are available. The most obvious difference between them and XDR is specialization. XDR consolidates data from all security layers, while other tools focus on specific areas of the environment.
- Endpoint detection and response: EDR, the original detection and response solution, monitors and responds to malware and other threats on endpoints and workloads.
- Managed detection and response: This service combines technology and human skills to detect, investigate, and mitigate security incidents.
- Network detection and response: NDR solutions scan network traffic across on-premises, cloud, and hybrid environments, and deploy a response when a threat is detected.
- Cloud detection and response: Tailored to the unique requirements of cloud security, CDR solutions use AI, threat intelligence, and automation for monitoring and visualization of cloud assets and automated remediation.
- Identity threat detection and response: As identity has become a leading attack vector, ITDR solutions have emerged. They focus on monitoring attack surfaces to protect user identities and identity-based systems against cyberthreats.