
XDR: A better mousetrap or just more hype?

rickj

XDR stands for eXtended Detection and Response. What it is depends on who is explaining it. XDR evolved very quickly from Network Detection and Response (NDR) and Endpoint Detection and Response (EDR) because everyone realized that neither alone could solve the enterprise security problem. In loose terms, XDR is similar to the old concept of a layered security strategy.

With XDR, the goal is to bring many different, best-of-breed security solutions together using open APIs and integrations so that events that are detected in one solution can be easily enriched and correlated with events or data points from other solutions. If you were to replace APIs and integrations with syslog messages, XDR would look remarkably like what SIEM solutions have been trying to accomplish over the past 5+ years.

Best-of-breed or tightly integrated?

Currently there are two schools of thought when it comes to XDR: “open” XDR, where the enterprise assembles the platform itself from multiple vendors' products, versus a single-vendor XDR platform built only from that vendor's own security product portfolio.

Building an “open” XDR system yourself is difficult. While obtaining the best-of-breed solutions only requires sufficient budget, it is up to you to manage the different vendors and make sure their open APIs are available in a timely manner. Then you need an XDR platform that can take advantage of the various vendors’ open APIs to collect the events and perform enrichment, correlation, alerting, and reporting. The XDR platform needs an investigation module for incident response tracking and collaboration. It also needs to provide containment/remediation workflows and automation. Doesn’t this sort of sound like a Security Orchestration, Automation and Response (SOAR) platform?
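The collect-enrich-correlate-alert loop just described is easy to state and surprisingly fiddly to build. The following is an added illustration, not code from Plixer or from any vendor's XDR product: two constructed event feeds (one shaped like an EDR API response, one like an NDR API response, both hypothetical schemas), a constructed asset inventory for enrichment, and a correlation rule that raises an alert only when an endpoint detection and a network detection land on the same host within a time window. Every field name, IP address and signature name here is made up for the example.

```python
"""Toy XDR-style pipeline: normalize events from two sources, enrich them with
asset context, and correlate them per host within a time window.
All events, the asset inventory and the field names are constructed for this
example; they are not any vendor's real API schema."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed asset inventory used for enrichment (stands in for a CMDB export).
ASSETS = {
    "10.0.1.20": {"hostname": "fin-ws-07", "owner": "finance", "criticality": "high"},
    "10.0.1.31": {"hostname": "dev-ws-12", "owner": "engineering", "criticality": "low"},
}

# Constructed EDR events, shaped the way an endpoint vendor's API might return them.
EDR_EVENTS = [
    {"ts": "2024-05-01T09:00:05Z", "host_ip": "10.0.1.20",
     "detection": "suspicious_script_interpreter", "sev": 5},
    {"ts": "2024-05-01T11:30:00Z", "host_ip": "10.0.1.31",
     "detection": "unsigned_driver_load", "sev": 4},
]

# Constructed NDR events, shaped the way a network vendor's API might return them.
NDR_EVENTS = [
    {"timestamp": "2024-05-01T09:02:40Z", "src": "10.0.1.20", "dst": "203.0.113.9",
     "signature": "beaconing_interval", "score": 70},
    {"timestamp": "2024-05-01T15:10:00Z", "src": "10.0.1.31", "dst": "198.51.100.4",
     "signature": "dns_tunnel_suspect", "score": 60},
]


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps both feeds use into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_edr(ev):
    """Map a vendor-specific EDR record onto the common schema (severity 0-100)."""
    return {"time": parse_ts(ev["ts"]), "host_ip": ev["host_ip"], "source": "edr",
            "name": ev["detection"], "severity": ev["sev"] * 20}  # 1-5 scale -> 0-100


def normalize_ndr(ev):
    """Map a vendor-specific NDR record onto the same common schema."""
    return {"time": parse_ts(ev["timestamp"]), "host_ip": ev["src"], "source": "ndr",
            "name": ev["signature"], "severity": ev["score"]}


def enrich(ev, assets=ASSETS):
    """Attach asset context so analysts see owner and criticality, not just an IP."""
    unknown = {"hostname": "unknown", "owner": "unknown", "criticality": "unknown"}
    return {**ev, **assets.get(ev["host_ip"], unknown)}


def correlate(events, window_seconds=600):
    """Group events per host and raise one alert for each endpoint/network pair
    that falls within `window_seconds` of each other. Single-source events on
    their own produce nothing, which is the point of cross-layer correlation."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host_ip"]].append(ev)
    alerts = []
    for host_ip, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if (b["time"] - a["time"]).total_seconds() > window_seconds:
                    break  # sorted, so nothing later can be inside the window
                if a["source"] != b["source"]:
                    sev = max(a["severity"], b["severity"]) + 10  # two layers agree
                    if a["criticality"] == "high":
                        sev += 10  # enrichment drives the priority bump
                    alerts.append({"host_ip": host_ip, "hostname": a["hostname"],
                                   "owner": a["owner"], "severity": min(sev, 100),
                                   "evidence": [a["name"], b["name"]]})
    return alerts


def run_pipeline():
    """Collect -> normalize -> enrich -> correlate, over the constructed feeds."""
    events = ([enrich(normalize_edr(e)) for e in EDR_EVENTS]
              + [enrich(normalize_ndr(e)) for e in NDR_EVENTS])
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Run as-is, the pipeline produces exactly one alert: the finance workstation has an endpoint detection and a beaconing signature 155 seconds apart, while the engineering workstation's two detections are hours apart and stay as separate, lower-priority events. The normalize functions are where the "open API" work actually lives; every vendor added to a build-it-yourself XDR means another one of those, plus keeping it current as the vendor's schema changes.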

To large security vendors, however, XDR means using their XDR platform that integrates with all their other security solutions. They claim that this is a superior solution because they can control the roadmap and ensure tight integrations. But isn’t this just a ploy to get vendor lock-in? Most large security vendors have entirely separate product management and development teams producing releases, so coordinating a unified roadmap for XDR integrations while managing existing customer feature commitments will prove to be a very challenging and lengthy process. And what if you, the customer, already have an EDR solution that you are happy with? Does that mean you have to throw it away and start over to enjoy the full benefits of this large vendor’s XDR solution? Furthermore, since it is well known that large vendors acquire startups to fill gaps in their portfolios, the result isn’t necessarily “best-of-breed”; following that pattern is closer to a worst practice.

Layered security for maximum protection

One thing hasn’t changed: the layered security strategy concept. In the old days, this strategy was about putting layers of protection on the enterprise perimeter. By layering security and overlapping capabilities—what is often referred to as the Swiss cheese approach—you reduce the reliance on any single security device, making it more difficult for your network to be compromised. Extending this strategy into the XDR vision means adding some additional layers, like EDR and NDR, as the endpoints and the network provide valuable detection capabilities in stopping attackers from infiltrating the network. 

Plixer has a deep history of using network metadata to solve problems, and we continue to do so with our NDR platform. Either way, the XDR vision is the evolution of SIEM/SOAR, but will it really be the better mousetrap? Or will it be the next failure in the ever-evolving security market? Personally, I think the concept is sound, but the hype is overrated. The reality is that as a security engineer, you must look at your threat landscape, capabilities, needs, and budget to determine if XDR is right for you, and if so, whether you will settle on the single-vendor XDR approach or the build-it-yourself approach. Or maybe just keep your current workflows, layered security model, and playbooks and augment them with any missing pieces that make sense for your situation.