The term XDR, for extended detection and response, has been bandied about for almost half a decade. I believe I was the first analyst to use it when I authored this post in 2018. When I wrote the post, I had a very specific definition in mind, but like most things in tech, once a term starts to gain traction, more and more vendors bend the definition to meet their needs.
Palo Alto Networks Inc. recently published a paper discussing the myths and misconceptions about this increasingly confusing topic. Although this paper includes a balanced mix of opinions from a host of industry analysts, customers and Palo Alto executives, I thought I would weigh in with my thoughts on some of the more common questions about XDR I get as an analyst.
1. Isn’t XDR just the evolution of EDR? This is, by far, the question I am asked the most about XDR. My original definition was to have “X = everything,” so although EDR, or endpoint detection and response, used endpoint data for detection and response, XDR would use all security data, including endpoint, cloud, network and other sources. XDR is a fundamental rethink of detection and response because it moves the discipline away from a technology that relies on one source of data to one that draws on a much broader set of data.
2. Can a single vendor deliver XDR? This question is a bit like Schrödinger’s Cat as it’s simultaneously true and false, depending on how you look at it. If you look at the question through the lens of data ingestion, a vendor would need to consume all types of security data. In addition to the sources named above, one could also add email, user info, application and more. From that perspective, no vendor could deliver on XDR as there is no single security provider.
However, the more important perspective is looking at XDR through the analytics engine used to find the insights in the data. In this case, an XDR vendor should offer the core components of XDR – cloud, network, endpoint and the like – and then also ingest information from partners to broaden the scope of analytics. So, though no vendor can offer an end-to-end XDR platform alone, a vendor that leverages the right partnerships can.
3. Do I still need a SIEM with XDR? There is much debate about whether with XDR, security information and event management is needed as well. In the Palo Alto Networks report, Eric Parizo, managing principal analyst from Omdia, states, “XDR is not a direct replacement for SIEM, but it can be deployed in lieu of SIEM or alongside SIEM.” He does go on to say, “Omdia sees XDR being deployed increasingly as a SIEM alternative.”
My thoughts are more cut-and-dried. SIEM does not work and likely never will because it gives far too many false positives. Add in the cost and long deployment times and, I believe, security pros are ready for an alternative. SIEM takes a massive amount of data and blindly applies analytics to infer a breach. XDR starts with the breach and then uses data to find where it emanated from. If XDR is done right, businesses can ditch their SIEM.
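To make the contrast concrete, here is an added illustration (not code from the original post or from any vendor) of the "start with the breach" approach described above: a confirmed endpoint alert is the seed, and the analysis pivots across endpoint, network and cloud telemetry over shared entities to find where the activity emanated from. All events, field names and values are constructed for the example.

```python
"""Cross-source pivot: start from a confirmed breach indicator and walk
shared entities (host, user, ip) across endpoint, network and cloud
telemetry to find where the activity emanated from. Constructed sample
data; field names are assumptions, not any vendor's schema."""
from collections import deque

# Constructed events from three telemetry sources (not real logs).
EVENTS = [
    {"id": "c1", "src": "cloud", "ts": 100, "user": "alice", "ip": "203.0.113.9",
     "desc": "console login from new country"},
    {"id": "c2", "src": "cloud", "ts": 110, "user": "alice", "host": "ws-17",
     "desc": "new MFA device enrolled"},
    {"id": "n1", "src": "network", "ts": 120, "host": "ws-17", "ip": "203.0.113.9",
     "desc": "outbound connection to 203.0.113.9"},
    {"id": "e1", "src": "endpoint", "ts": 130, "host": "ws-17", "user": "alice",
     "desc": "credential dumping tool executed"},
    # Unrelated noise: shares no entity with the chain and must stay out.
    {"id": "n2", "src": "network", "ts": 90, "host": "db-02", "ip": "198.51.100.4",
     "desc": "routine backup transfer"},
]

LINK_FIELDS = ("host", "user", "ip")

def linked(a, b):
    """Two events are linked when they share any entity value."""
    return any(f in a and f in b and a[f] == b[f] for f in LINK_FIELDS)

def trace_origin(events, seed_id):
    """Breadth-first walk from the breach alert over shared entities across
    all sources; returns the connected events in time order, earliest first."""
    by_id = {e["id"]: e for e in events}
    seen, queue = {seed_id}, deque([seed_id])
    while queue:
        cur = by_id[queue.popleft()]
        for e in events:
            if e["id"] not in seen and linked(cur, e):
                seen.add(e["id"])
                queue.append(e["id"])
    return sorted((by_id[i] for i in seen), key=lambda e: e["ts"])

def summarize(chain):
    """Origin event id plus the set of telemetry sources the chain spans."""
    return chain[0]["id"], {e["src"] for e in chain}

if __name__ == "__main__":
    for e in trace_origin(EVENTS, "e1"):
        print(e["ts"], e["src"], e["desc"])
```

Seeding from the endpoint alert surfaces the cloud login as the earliest linked event, which is the reverse of applying detection rules blindly to the whole data set and hoping a breach falls out.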
4. Are XDR and Zero-Trust Network Access, or ZTNA, the same thing? These are both buzzwords that one could argue are overused, and because of this, they will overlap at some point, causing confusion. In reality, they are vastly different. ZTNA is an access technology that changes the way users and devices connect to the network. XDR is more about using the data generated by ZTNA and other systems to spot a breach, understand the source and then provide guidance on how to respond.
5. Does XDR only work with cloud security? I understand why this question is asked, since much of the recent innovation in security has been in the cloud. XDR certainly uses cloud-resident security, but it also draws from the massive number of firewalls, IPS systems and other infrastructure on premises. In fact, the amount of on-premises security still dwarfs what’s in the cloud, so limiting the analytics to cloud would limit the effectiveness of the XDR solution.
In data science, there’s an expression that good data leads to good insights, and that’s true. What’s also true is that partial data leads to fragmented insights. XDR requires data from across the attack surface: cloud, endpoint and on premises.