Extended Detection and Response (XDR) has become a widely used term in security, but the technology itself is still not well understood.
In this blog, we explain what XDR is, how it differs from EDR, NDR and MDR, and outline some key factors to consider when deciding where to invest your organisation’s security budget.
What is XDR?
XDR is a security technology designed to help organisations achieve the level of visibility required to detect and respond to the latest cyber threats. XDR security platforms collect and correlate data across multiple security layers, such as networks, endpoints, email and cloud environments, to enable threats to be detected more swiftly and empower security professionals to improve incident investigation and automation.
In summary, XDR is designed to help security teams:
- Unify threat visibility across networks, endpoints and cloud environments
- Achieve greater insight into the kill chain of attacks
- Investigate and triage threats more effectively and efficiently
- Improve speed of detection and response
How does XDR work?
XDR security tools help detection teams obtain unified visibility of cyber threats across endpoints, networks and cloud workloads. They achieve this by ingesting security telemetry and intelligence from a broad range of sources and leveraging artificial intelligence, machine learning and automation to identify and disrupt threats.
Hybrid XDR vs Native XDR
Forrester Research has defined two types of XDR: Hybrid XDR and Native XDR.
Hybrid (or open) XDR platforms are designed to integrate with a range of detection tools from multiple vendors and centralise the telemetry that these technologies collect into a single solution.
Native XDR platforms, on the other hand, are typically standalone and do not integrate with other detection tools. This means that all data ingested into a Native XDR platform is collected by the solution itself.
What’s behind the rise of XDR?
A cyber security strategy based around prevention alone is no longer considered sufficient to minimise cyber risks – even organisations with robust defences are still in danger of being breached by skilled and persistent attackers.
Comprehensive visibility across networks, endpoints and cloud environments is now required to identify threats that bypass the security perimeter and traditional controls. XDR supports the need for organisations to proactively identify threats and minimise blind spots by unifying visibility and better identifying attacks that move between silos.
By enabling security analysts to view and investigate security events in a single pane of glass, XDR helps them to focus on the most important incidents, reduces alert fatigue and avoids the need to pivot between multiple disparate detection technologies.
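The two points above (how XDR ingests telemetry from several layers, and how correlating across silos reduces alert fatigue and surfaces attacks that move between them) can be illustrated with a small correlation routine. The code below is an added example, not code from the original post or from Redscan/Kroll; the sample alerts are constructed, and the 60-minute correlation window and the scoring rule (highest severity plus a bonus for each additional source) are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set

# Constructed sample telemetry (not real data): one alert from each security
# layer, all tied to the same workstation and user, plus one unrelated
# low-severity network alert on a different host.
SAMPLE_ALERTS = [
    {"source": "email", "time": "2024-05-01T09:00:00", "host": "WS-0412", "user": "j.doe",
     "severity": 3, "title": "Attachment with macro delivered"},
    {"source": "endpoint", "time": "2024-05-01T09:04:30", "host": "WS-0412", "user": "j.doe",
     "severity": 6, "title": "Office process spawned powershell.exe"},
    {"source": "network", "time": "2024-05-01T09:06:10", "host": "WS-0412", "user": "",
     "severity": 5, "title": "Outbound connection to newly registered domain"},
    {"source": "cloud", "time": "2024-05-01T09:40:00", "host": "", "user": "j.doe",
     "severity": 4, "title": "Mailbox forwarding rule created"},
    {"source": "network", "time": "2024-05-01T13:00:00", "host": "SRV-DB01", "user": "",
     "severity": 2, "title": "Port scan from internal host"},
]

CORRELATION_WINDOW = timedelta(minutes=60)  # assumed tuning value


def _parse_time(alert: dict) -> datetime:
    return datetime.fromisoformat(alert["time"])


def _entities(alert: dict) -> Set[str]:
    """Entity keys used to link alerts across layers; empty fields are ignored."""
    keys = set()
    if alert.get("host"):
        keys.add("host:" + alert["host"])
    if alert.get("user"):
        keys.add("user:" + alert["user"])
    return keys


@dataclass
class Incident:
    """A group of alerts sharing at least one entity within the time window."""
    alerts: List[dict] = field(default_factory=list)
    entities: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)
    last_seen: datetime = datetime.min

    def add(self, alert: dict, entities: Set[str]) -> None:
        self.alerts.append(alert)
        self.entities |= entities
        self.sources.add(alert["source"])
        self.last_seen = max(self.last_seen, _parse_time(alert))

    @property
    def score(self) -> int:
        # Highest single-alert severity, plus a bonus for every additional
        # security layer that observed the same activity (cross-silo signal).
        return max(a["severity"] for a in self.alerts) + 2 * (len(self.sources) - 1)

    @property
    def cross_silo(self) -> bool:
        return len(self.sources) > 1


def correlate(alerts: List[dict]) -> List[Incident]:
    """Group alerts into incidents by shared entity and time proximity,
    returning incidents sorted by descending score for triage."""
    incidents: List[Incident] = []
    for alert in sorted(alerts, key=_parse_time):
        ents = _entities(alert)
        when = _parse_time(alert)
        match = next(
            (inc for inc in incidents
             if inc.entities & ents and when - inc.last_seen <= CORRELATION_WINDOW),
            None,
        )
        if match is None:
            match = Incident()
            incidents.append(match)
        match.add(alert, ents)
    return sorted(incidents, key=lambda inc: inc.score, reverse=True)


def summarise(incidents: List[Incident]) -> List[str]:
    """One triage line per incident, highest priority first."""
    lines = []
    for inc in incidents:
        flag = "CROSS-SILO" if inc.cross_silo else "single-source"
        lines.append(f"score={inc.score:>2} {flag:13} alerts={len(inc.alerts)} "
                     f"sources={','.join(sorted(inc.sources))} "
                     f"entities={','.join(sorted(inc.entities))}")
    return lines


if __name__ == "__main__":
    for line in summarise(correlate(SAMPLE_ALERTS)):
        print(line)
```

Run stand-alone, the five raw alerts collapse into two incidents: the email, endpoint, network and cloud alerts chain together through the shared host and user (the network alert carries no user and the cloud alert no host, so neither would have matched on its own source alone), while the unrelated port-scan alert stays a separate low-score item. Stretching the window or adding entity types (source IP, mailbox, cloud account) is the kind of tuning the later section on long-term management refers to.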
XDR vs EDR – what’s the difference?
XDR is sometimes referred to as the next step on from EDR (Endpoint Detection and Response). EDR platforms are specifically focused on helping organisations to achieve threat visibility across endpoint devices such as servers and workstations.
XDR platforms ingest the same type of telemetry used by EDR tools, but also integrate and analyse data from other areas of an organisation’s environment.
XDR vs NDR
NDR (Network Detection & Response) platforms leverage behavioural analytics to identify threats within internal networks and are often used to complement the log aggregation capabilities of Security Information and Event Management (SIEM) tools.
While XDR platforms include much of the functionality of NDR tools, they analyse a broader range of data. The AI, machine learning and response capabilities of XDR and NDR platforms can also vary significantly between vendors.
XDR vs MDR
While XDR, EDR and NDR describe technologies, MDR (Managed Detection and Response) is a type of turnkey security service that helps organisations to quickly scale up their security monitoring capabilities.
The latest MDR services include and leverage XDR, EDR and NDR technologies to obtain broad visibility across client environments. Crucially, MDR services also include the supplementary threat intelligence as well as the people required to analyse, investigate and respond to alerts 24/7/365.
Key things to consider before deciding if XDR is right for you
XDR is not a silver bullet. Like many security technologies, knowing how to get the most out of it is key.
Without the right expertise behind them, XDR security solutions can take time to install. Organisations can also find it challenging to collect and correlate detections and other activity across many different security layers.
Long-term management requirements
XDR platforms are not plug-and-play solutions and need to be managed long-term. To continually detect the latest threats, platforms must be ‘fed’ the right telemetry and intelligence. Efforts must also be taken to ensure that the detection policies and processes are constantly reviewed and optimised.
While XDR provides a technical solution, it does not provide the people required to monitor, analyse and investigate alerts 24/7. This means that organisations need to ensure that they have the right level of resources and expertise in place to support the technology.
Even when fully configured, an XDR platform may identify the security problem, but it won’t necessarily tell you how to respond or which alerts to prioritise. Too much information being generated creates a monitoring burden, which can lead to alert fatigue. A robust incident response plan should be in place, with experts on hand to analyse, isolate and eliminate threats as quickly as possible.
When organisations choose a native XDR solution, they must accept being locked into a single platform that covers all their IT infrastructure. This could create issues if the technology fails to keep up with the capabilities of standalone EDR and NDR tools, and becomes less effective over time.
Investment in a Hybrid XDR solution is a better option for organisations with existing solutions in place, but could require additional investment to plug gaps in detection if they are not included as standard.
EDR, XDR or MDR – which is better for you?
Identifying the best solution for your organisation requires careful consideration of a number of key aspects, including:
- Risk appetite – Making the most effective choice depends on your risk tolerance and understanding of which of your assets need to be protected.
- Visibility – Consider how much visibility you need across your estate. For organisations seeking a more comprehensive view, XDR could be the better solution.
- Cost – The cost of EDR, NDR and XDR solutions can vary significantly, but they are all likely to follow a similar pricing model which scales with the size of your environment.
- In-house expertise – If you have an in-house team, they may not be familiar with particular technologies or be able to monitor them 24/7.
How we leverage XDR at Redscan
Kroll Responder MDR, our managed detection and response service with built-in XDR, enables organisations to achieve broad visibility across their cloud and on-premises environments in order to quickly detect and respond to the latest threats.
The Redscan Platform, the threat management interface included as part of Kroll Responder, enables us to take a hybrid approach to XDR by supporting a range of detection technologies, including the latest EDR and NDR tools.
Being able to select the best detection technologies and unify them via a single pane of glass, with the security specialists required to monitor them 24/7/365, enables us to deliver the most effective security outcomes for our clients.