Every three to five years a new cybersecurity technology term gets hyped. In 2021 it’s eXtended Detection and Response (XDR). I’m old enough to remember way back in 2017 when endpoint detection and response (EDR) was considered the ‘Holy Grail’ of cyber defense.
All of our cybersecurity challenges were supposed to be addressed by EDR. Early adopters could see the potential, but also experienced the shortcomings common to a new solution category. EDR suffered especially from accuracy and other performance issues, resulting (in many cases) in a deluge of incident alerts for unprepared and understaffed security operations teams to deal with.
As time passed, so did much of the hype; EDR matured and has now proven its value. Today, EDR is a key component of a solid security architecture and is critical, especially when fighting targeted and complex attacks. The experience with EDR, though, demonstrated that it has not made prevention efforts obsolete as initially claimed. In fact, it has highlighted the need for a greater focus on prevention to reduce the number of security incidents detected by EDR. The first generation of EDR solutions has also shown its limits in applying security event correlation beyond the boundaries of a single endpoint. This limitation leaves the weight of reconstructing the puzzle of complex attacks on the shoulders of the same understaffed IT and security operations teams.
eXtended Detection and Response holds the promise of making things better through two key additions on top of what we currently have with EDR:
- Event correlation at the organizational level to reduce the fragmented view of complex security incidents
- Adding more telemetry sources besides endpoints like network or identity to create a larger picture of attacks
While in theory this looks great and sounds simple, in practice these enhancements are not easy to execute, especially at the same time. Early XDR adopters and industry analysts alike are acknowledging the significant promise of eXtended Detection and Response but are also raising warnings about it. Most concerns relate to solution immaturity, the lack of industry standards in terms of features, and the fear of being tied to a single security vendor for a long time (lock-in). All of these are risks to be expected for a category of solutions that is still emerging.
Also, what hasn’t really been part of the debate so far is the extent to which XDR solutions can be effectively used by organizations that do not have significant security operations teams (which is especially true for mid-sized and smaller businesses). With extended detection and response vendors having various core capabilities (network security, endpoint security, SIEM) and serving organizations of different sizes, it is still unclear how much and what type of staff is required to effectively operate the new solutions.
So, there is a pragmatic question worth asking: Is there a way to leverage the concepts of XDR in a more digestible manner? How can one grow from EDR to XDR without adding more dedicated security staff or burdening the staff already in place? XEDR represents a great option to start with.
What is XEDR (eXtended Endpoint Detection and Response)?
eXtended Endpoint Detection and Response (XEDR) incorporates XDR capabilities, such as security analytics and security event correlation at the organizational level, natively into EDR. XEDR expands the boundaries of security analytics beyond the endpoint itself and correlates events from all endpoints in the organization’s infrastructure. It doesn’t look at the enterprise infrastructure as a sum of endpoints as EDR would do; instead, it takes a holistic perspective and considers the infrastructure as a single entity composed of multiple elements (endpoints).
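To make the difference between per-endpoint and organization-level correlation concrete, here is an added example (not Bitdefender's code or the logic of any XEDR product). It runs two views over the same constructed endpoint telemetry: an EDR-style view that judges each host alone, and a cross-endpoint view that links the same unsigned binary appearing on several hosts with the remote logons between them into a single incident. Hostnames, timestamps, the hash values and the two detection rules are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): an unsigned binary runs on
# ws-01, then on ws-02 and srv-01 after remote logons hop between them.
# A second unsigned binary on ws-03 is unrelated noise.
EVENTS = [
    {"ts": "2021-06-01T09:00:00", "host": "ws-01", "kind": "process", "sha256": "hash-A", "signed": False},
    {"ts": "2021-06-01T09:04:00", "host": "ws-01", "kind": "remote_logon", "dst": "ws-02"},
    {"ts": "2021-06-01T09:05:00", "host": "ws-02", "kind": "process", "sha256": "hash-A", "signed": False},
    {"ts": "2021-06-01T09:10:00", "host": "ws-02", "kind": "remote_logon", "dst": "srv-01"},
    {"ts": "2021-06-01T09:11:00", "host": "srv-01", "kind": "process", "sha256": "hash-A", "signed": False},
    {"ts": "2021-06-01T11:00:00", "host": "ws-03", "kind": "process", "sha256": "hash-B", "signed": False},
]


def endpoint_view(events):
    """EDR-style: each host is judged on its own, so every sighting of an
    unsigned binary is a separate low-severity alert on that host."""
    alerts = defaultdict(list)
    for e in events:
        if e["kind"] == "process" and not e["signed"]:
            alerts[e["host"]].append(("low", "unsigned binary", e["sha256"]))
    return dict(alerts)


def organization_view(events, window=timedelta(hours=1), min_hosts=2):
    """XEDR-style: treat the fleet as one entity. The same unsigned hash seen on
    at least min_hosts hosts inside the window becomes one incident; remote
    logons between consecutive affected hosts are recorded as the lateral path."""
    sightings = defaultdict(list)
    for e in events:
        if e["kind"] == "process" and not e["signed"]:
            sightings[e["sha256"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    logons = {(e["host"], e["dst"]) for e in events if e["kind"] == "remote_logon"}
    incidents = []
    for sha, seen in sightings.items():
        seen.sort()
        hosts = list(dict.fromkeys(host for _, host in seen))  # first-seen order, no repeats
        if len(hosts) < min_hosts or seen[-1][0] - seen[0][0] > window:
            continue
        path = [(a, b) for a, b in zip(hosts, hosts[1:]) if (a, b) in logons]
        incidents.append({"sha256": sha, "hosts": hosts, "lateral_path": path,
                          "severity": "high" if path else "medium"})
    return incidents
```

The endpoint view yields four unrelated low-severity alerts that an analyst must stitch together by hand; the organization view yields one high-severity incident listing all three affected hosts and the hops between them, and leaves the isolated ws-03 sighting out.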
The eXtended EDR route offers three important advantages:
- Delivers XDR benefits focused on where they matter the most: on the endpoints. Why do endpoints matter the most? Because here is where data sits (servers/containers) and here is where the user interaction takes place (workstations). Endpoints are exposed to a far higher risk compared to other infrastructure elements.
- It enables a stepwise integration of other (non-endpoint) telemetry sources over time to enhance threat detection and visibility capabilities. This reduces the technological risk common in a new solution category and supports the integration of new sources (broader perspective) without losing what EDR does very well: depth of perspective.
- It maintains (and might even lower) the requirements in terms of skills and staff numbers, allowing most organizations to enhance their cyber-resilience with no additional operating costs.
Looking back on the experience with EDR, XDR will reach full maturity over time, and it likely will not do everything it is hoped it will do. But if the current risks of adopting XDR can be mitigated for most organizations with XEDR in the first phase, then this is the more pragmatic approach that can solve the problem of detecting and managing complex cyber incidents better and faster.
We will be analyzing the capabilities and benefits of XEDR in much more detail during a discussion with one of XEDR’s key champions: Razvan Cobzaru, Sr. Product Manager at Bitdefender. If you’re interested in learning more, be sure to watch the on-demand webinar.