Why extended detection and response (XDR) is seeing enterprise growth


Tighter budgets, shorter timeframes to launch new initiatives and pressure to get more work done with limited staff are pushing CISOs to become more efficient while still excelling at preventing cyberattacks. 

Eliminating overlapping applications helps free up extra budget and can help improve real-time visibility and control beyond endpoints. These are a few of the many problems extended detection and response (XDR) platforms are looking to help solve. 

Defining XDR

Extended detection and response (XDR) platforms are designed to integrate across an organization’s many data sources, relying on APIs and an open architecture to aggregate and analyze telemetry data in real time. Vendors are also architecting their XDR platforms to reduce application sprawl while removing the roadblocks that get in the way of preventing, detecting and responding to cyberattacks. 

Cybersecurity vendors new to the XDR market face a learning curve: they must rely on their platforms’ integration features to consolidate capabilities and so reduce app sprawl. 

However, more established vendors with a solid endpoint detection and response (EDR) platform are already proving adept at aggregating and analyzing telemetry data to extend security beyond endpoints. XDR platforms’ real-time availability of access, endpoint, email, network and Web-based app telemetry data is also improving attack detection. 

XDR platforms also rely on a single, unified data lake, have an analytics engine and support APIs to provide a baseline level of orchestration. 

What makes an XDR platform unique?

Look for XDR vendors to differentiate themselves in selective threat-data aggregation, threat modeling and cross-platform query technologies. The most common use cases include alert vetting, incident investigations, incident response, threat hunting and security monitoring. Getting XDR right depends on how well a given vendor can scale analytics, machine learning and data storage across their global customer base with no degradation in performance, as most XDR platforms are cloud-based. 
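The definition above (native telemetry from several sources normalized into one data lake, correlated, then vetted and prioritized) can be shown end to end in a few dozen lines. The following is an added illustration, not code from the article or from any vendor named in it; the three telemetry records, the 10-minute correlation window and the per-tenant source weights are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Each source uses its own field
# names, which is exactly the sprawl an XDR data lake normalizes away.
EMAIL = [{"ts": "2022-06-01T09:00:05Z", "recipient": "alice", "host": "WS-ALICE",
          "verdict": "suspicious attachment"}]
ENDPOINT = [{"time": "2022-06-01T09:02:11Z", "hostname": "WS-ALICE", "user": "alice",
             "detail": "winword.exe spawned powershell.exe"},
            {"time": "2022-06-01T11:30:00Z", "hostname": "WS-BOB", "user": "bob",
             "detail": "unsigned driver load"}]
NETWORK = [{"timestamp": "2022-06-01T09:02:40Z", "src_host": "WS-ALICE",
            "detail": "first-seen external destination 198.51.100.23:443"}]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize():
    """Map each source's native fields onto one shared schema (the unified data lake)."""
    lake = [{"ts": parse_ts(e["ts"]), "source": "email", "host": e["host"], "detail": e["verdict"]} for e in EMAIL]
    lake += [{"ts": parse_ts(e["time"]), "source": "endpoint", "host": e["hostname"], "detail": e["detail"]} for e in ENDPOINT]
    lake += [{"ts": parse_ts(e["timestamp"]), "source": "network", "host": e["src_host"], "detail": e["detail"]} for e in NETWORK]
    return sorted(lake, key=lambda r: r["ts"])   # time-ordered so windows are easy to apply

def correlate(lake, window=timedelta(minutes=10)):
    """Group events on the same host that fall within `window` of the previous one into incidents."""
    incidents = []
    for rec in lake:
        for inc in incidents:
            if inc["host"] == rec["host"] and rec["ts"] - inc["last"] <= window:
                inc["events"].append(rec)
                inc["last"] = rec["ts"]
                break
        else:  # no open incident matched: start a new one
            incidents.append({"host": rec["host"], "last": rec["ts"], "events": [rec]})
    return incidents

def prioritize(incidents, source_weights):
    """Alert vetting: an incident seen by several independent sources outranks repeated
    alerts from one source. source_weights is per-tenant tuning (an MDR's per-client profile)."""
    for inc in incidents:
        sources = {e["source"] for e in inc["events"]}
        inc["score"] = sum(source_weights.get(s, 1) for s in sources) * len(sources)
    return sorted(incidents, key=lambda i: i["score"], reverse=True)

DEFAULT_WEIGHTS = {"email": 1, "endpoint": 2, "network": 1}  # assumed defaults

if __name__ == "__main__":
    for inc in prioritize(correlate(normalize()), DEFAULT_WEIGHTS):
        print(inc["host"], inc["score"], [e["source"] for e in inc["events"]])
```

With the sample data, the three WS-ALICE records collapse into one cross-source incident that outranks the lone endpoint alert on WS-BOB; changing the weights passed to `prioritize` is the per-client customization the article mentions.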

Look for market leaders to pursue the product strategy of providing threat hunting that capitalizes on artificial intelligence (AI) and machine learning (ML) to identify potential indicators of attack (IOA) using third-party data, then automating alerts to security analysts in the security operations center (SOC). 

Leading vendors providing XDR platforms include CrowdStrike, Microsoft, Palo Alto Networks, TEHTRIS, Trend Micro and others. XDR is seeing such strong interest that most EDR vendors have planned it on their roadmaps or have already launched a solution. 

In addition, look for the M&A market to heat up as larger vendors with gaps in XDR platforms look to buy their way into the market. IBM acquiring Randori last month, as well as CrowdStrike acquiring Humio, Elastic acquiring Endgame and SentinelOne acquiring Scalyr reflect how active M&A is going to be in XDR.

An XDR platform aims to unify detection and response across an enterprise security stack and deliver a single command console for unified detection and response. Architecting an XDR enables security analysts to investigate, threat hunt and respond intuitively. Source: CrowdStrike.

XDR is becoming a platform for managed detection and response services 

Managed Detection and Response (MDR) service providers often differentiate themselves by providing services that combine the strengths of expert threat hunters, supported by advanced analytics, AI, ML, and endpoint security apps and platforms. 

The state of managed security services reflects how much MDR and MSS providers depend on equipping their teams with the telemetry data and the detection and response technologies they need to protect their clients’ infrastructure on a 24/7 basis. 

VentureBeat’s recent interview with Pondurance’s Ron Pelletier, founder and chief customer officer, and Lyndon Brown, chief strategy officer, provides insights into how XDR’s strengths can be an enabling technology for MDR and MSS service providers.

MDRs that deliver the most value to their clients using an XDR platform already have a strong endpoint security practice and expertise with EDR apps and platforms. They rely on an XDR platform to protect their clients beyond their endpoints. 

In addition, MDR service providers rely on XDR platforms’ detection and response technologies to create, launch and grow additional services. An example is how Pondurance combines human expertise and AI to stop cyberattacks on its clients. 

Like enterprises, MDRs are also looking to streamline their tech stacks while relying on real-time telemetry data to increase their visibility and control across every client’s infrastructure, network and endpoints. 

Also, like an enterprise, MDRs want to view every client’s network using a common interface. At the same time, MDRs must provide 24/7 coverage at scale for multiple clients simultaneously while delivering the contextually intelligent alerts that every client expects today. 

All MDRs offer service level agreements (SLAs) that guarantee the prioritization of security incidents and response times. XDR supports event prioritization and can be customized to reflect the unique requirements of a given business, which is ideal for MDRs looking to provide customized security for every client. 

Choosing an MDR instead of implementing an XDR platform needs to be based on a solid business case. MDRs have the advantage of a trained staff of security specialists and threat hunters who have, in some cases, decades of experience and are well down the learning curve on an XDR platform. 

An MDR’s strategy for combining the strengths of experienced security analysts with the technologies available in an XDR platform should be considered versus developing the expertise in-house. More MDRs are looking at how they can capitalize on the latest XDR advances to build new services while investing in the expertise of their employees. 

Benchmarking leading XDR vendors 

Enterprises’ interest in XDR is swaying the direction of dozens of product and service roadmaps across the industry today. Knowing which XDR vendors have the most proven, reliable and scalable platforms can be challenging. The following are the leading XDR providers’ strengths and weaknesses, based on crowdsourced ratings from TrustRadius: 

  • CrowdStrike Falcon – Consistently ranked as one of the best XDR platforms by its users, CrowdStrike Falcon is entirely cloud-based and known for its ease of use. Users say its greatest strengths include EDR, centralized management, infection remediation, integrated threat intelligence with threat severity assessment, visibility of USB device usage, malware mitigation, threat intelligence, threat hunting, vulnerability management, extensive API support and sandbox detonation. The weaknesses users most often cited are that device control could be more comprehensive, more legacy operating system support and more options for customizing alerts.  
  • Microsoft Defender XDR – What differentiates Microsoft’s XDR solution is how well the platform performs behavioral analysis using ML techniques and its intuitive interface. Users also say Defender XDR is solid regarding endpoint security and integrates well with other Microsoft applications. Weaknesses include the time it takes to get support from Microsoft, a common complaint among XDR users. Additional weaknesses include the need for better log file support and more advanced configuration options.  
  • Palo Alto Networks Cortex XDR – According to users actively using Cortex XDR, Palo Alto Networks has successfully built on its EDR core strengths with Cortex XDR. Users say its best features are malware prevention, exploit prevention, ransomware protection, disk encryption (with BitLocker and FileVault), analytics, incident management, forensics, network traffic analysis and user entity behavior analysis. Its greatest weaknesses, according to users, are inventory management and web controls, both of which could be improved.
  • TEHTRIS XDR – Users say TEHTRIS XDR is easy to deploy and customize across global operations. Users also say it’s a full-functioning XDR that provides visibility across every endpoint, network and server and has been successfully used to stop attacks. In addition, users say the platform is efficient at detecting and blocking malware and other threats. Integration, service and support are excellent according to users as well. Weaknesses include the need for a more streamlined user interface, improved query and alert options, and more options for configuring advanced XDR features. 
  • Trend Micro XDR – Trend Micro users say the XDR is a great platform for managing all the alerts and data generated from multiple Trend Micro apps in their tech stack. It’s well-integrated across the entire Trend Micro suite of products, according to users actively using XDR today. Users also say Trend Micro XDR is useful in investigations because it provides a single panel to view the threats from across their companies, including endpoints, networks and servers. It’s also useful for identifying the linkage and source of the threats and quickly identifying the systems affected by any breach attempt. However, users would like to see broader API support and greater log-file-level integration with more SIEM platforms. Users also say setup and configuration of reporting could be more intuitive, and the more advanced XDR features must be streamlined.

Where XDR is going 

XDR is finding traction with IT and security departments that don’t have the time or resources to integrate diverse applications that can extend beyond endpoints while gaining real-time visibility and control using telemetry data. 

Existing security stacks aren’t purpose-built to store log files long term, one of CISOs’ most common complaints during interviews with VentureBeat. CrowdStrike’s acquisition of Humio is a step in the right direction and is prescient regarding the future direction of XDR. 

Closing the prevention, detection and response gaps in security stacks for high-growth smaller organizations and the divisions of larger enterprises is where XDR is gaining adoption today. Expect to see more XDR sales in the future in industries with internal and external compliance requirements requiring that event and security logs be stored long term. 

Gartner’s search analytics show that clients from the banking, finance, insurance, government and services industries dominate search queries for the term “XDR.” One of XDR’s most valuable latent attributes is its effectiveness in streamlining regulatory audits while reducing app sprawl, which would be considered a win by any CISO in those five industries.

Originally appeared on: TheSpuzz