Extended Detection and Response (XDR) has received a great deal of attention in 2020. In fact, in September Gartner awarded XDR the number one spot in their Top 9 Security and Risk Trends for 2020, to go along with third place on their Top 10 Security Projects for 2020-2021 (behind only “Securing your remote workforce” and “Risk-based vulnerability management”).
Going back a little further, in March of this year Gartner published an Innovation Insight for Extended Detection and Response. And Gartner isn’t alone in giving attention to XDR: for instance, in June CSO Online published 10 things you should know about XDR.
All of these articles and examinations do a pretty good job of describing what XDR is—but they fall short when it comes to relating XDR to other security options like Managed Detection and Response (MDR). And that isn’t just speculation on our part: in recent months we’ve had many customers and prospects ask us what XDR is and how it fits into the broader world of cybersecurity.
What is XDR?
The Gartner Top 10 list cited above describes XDR as, “a unified security and incident response platform that collects and correlates data from multiple proprietary components.” The description goes on to specify that, “The platform-level integration occurs at the point of deployment rather than being added in later. This consolidates multiple security products into one and may help provide better overall security outcomes.”
Gartner’s Top 9 list explains further that XDR solutions, “improve threat detection and provide an incident response capability.”
Now we know what an XDR solution does, and we can decompose the description into some required components:
- Centralization/aggregation of normalized data from multiple security products (likely proprietary components) spanning different parts of the threat surface (e.g., cloud environments, endpoints, logs, networks)
- Correlation of security data and alerts to provide cross-signal threat detection
- A centralized response capability that can implement actions and change security policies
Critically, XDR is intended as a platform that you as a customer would purchase and manage yourself. So a necessary part of how security outcomes are delivered falls on your team’s ability to effectively configure, manage, maintain and—ultimately—use the platform.
A familiar pattern: the latest super-platform
Based upon the accepted understanding of what an XDR does and how it does it, an XDR platform sounds a lot like a SIEM that also includes response capabilities. Indeed, there are already several examples in the market of SIEM and Security Orchestration, Automation and Response (SOAR) vendors experimenting with the XDR label to cash in on the hype.
But the history of cybersecurity is full of “the next big thing” that will finally consolidate security signals, apply automatic intelligent analysis, and trigger or enable effective responses. What makes XDR different? When you peel back the covers, the answer is “not much.” The underlying technologies have evolved since the heady days of SIEM, for instance, but many of the same potential shortcomings remain.
In fact, this pattern is familiar, because the same thing played out with SIEM:
- Each SIEM generation strengthens these core functions
- The same problems refuse to disappear
- SIEM vendors promise that the next generation will finally deliver what’s needed
- And all the while, digital transformation means that the threat surface expands and highly motivated threat actors relentlessly innovate
The same problems that have plagued SIEM will also impact XDR. These include:
- It’s very challenging and time-consuming to install, configure and (where applicable) customize a security platform—even when the jobs are being performed by experts; as with many security technologies, only the largest enterprises have the resources (financial and skillset) to succeed
- It’s very hard to show quantitative—or even qualitative—results
- It’s tremendously difficult to tune the platform to catch real security events while simultaneously limiting false positives and avoiding completely overwhelming the analysts who must examine the alerts; in fact, incident analysis of many high-profile breaches reveals that alerts were generated, but these important signals were missed in a sea of noise
- Even if a platform is perfectly configured and is generating actionable alerts, it doesn’t tell you how to respond to the threat; that is, you still need domain knowledge, security runbooks and other resources
And of course, all of these localized problems exist against the backdrop that simply recruiting, retaining and sufficiently resourcing cybersecurity professionals is extraordinarily challenging due to a worldwide shortage of such specialists. Even a perfect XDR platform can’t solve that problem for you.
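The three components listed under “What is XDR?” (normalizing data from several products, correlating it across signals, and a central response step) and the tuning problem in the list above are concrete enough to sketch in code. The following Python is an added example, not code from eSentire’s Atlas or from any XDR product; the sensors, schemas, alert names, hosts, time window, score thresholds and the “isolate_host” / “open_investigation” action names are all constructed assumptions. It shows the one mechanism that makes cross-signal correlation worth the integration cost: a host is escalated only when independent products agree within a time window, so repeated alerts from a single product, the sea of noise described above, are held rather than paged out as incidents.

```python
"""Added example (not eSentire, Atlas or Gartner code): a minimal cross-signal
correlation pipeline of the kind an XDR platform is built around.
All sensors, schemas, hosts, alert names and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Signal:
    """Common schema every product's alert is normalized into."""
    ts: datetime
    host: str
    source: str    # which product raised it: endpoint / network / identity
    detector: str  # the product's own rule or signature name
    severity: int  # vendor-independent 1..5 scale


# Constructed raw alerts, each in its producing product's own (assumed) schema.
RAW_ENDPOINT = [
    {"time": "2020-10-05T09:00:00", "hostname": "WS-17", "rule": "script_host_spawned_by_office", "sev": 3},
    {"time": "2020-10-05T10:00:00", "hostname": "SRV-01", "rule": "new_service_installed", "sev": 2},
]
RAW_NETWORK = [
    {"@timestamp": "2020-10-05T09:04:00", "src_host": "ws-17", "signature": "dns_newly_registered_domain", "priority": "medium"},
    {"@timestamp": "2020-10-05T09:00:00", "src_host": "ws-42", "signature": "internal_port_sweep", "priority": "low"},
    {"@timestamp": "2020-10-05T09:30:00", "src_host": "ws-42", "signature": "internal_port_sweep", "priority": "low"},
    {"@timestamp": "2020-10-05T10:30:00", "src_host": "srv-01", "signature": "smb_lateral_attempt", "priority": "high"},
]
RAW_IDENTITY = [
    {"eventTime": "2020-10-05T09:06:00", "device": "ws-17", "activity": "mfa_push_denied"},
]

PRIORITY_TO_SEV = {"low": 1, "medium": 3, "high": 5}


def normalize(raw_endpoint, raw_network, raw_identity):
    """Map each product's schema onto the shared Signal schema (hostnames lower-cased
    so the same machine seen by different sensors correlates)."""
    out = []
    for r in raw_endpoint:
        out.append(Signal(datetime.fromisoformat(r["time"]), r["hostname"].lower(),
                          "endpoint", r["rule"], r["sev"]))
    for r in raw_network:
        out.append(Signal(datetime.fromisoformat(r["@timestamp"]), r["src_host"].lower(),
                          "network", r["signature"], PRIORITY_TO_SEV[r["priority"]]))
    for r in raw_identity:
        out.append(Signal(datetime.fromisoformat(r["eventTime"]), r["device"].lower(),
                          "identity", r["activity"], 2))
    return out


def correlate(signals, window=timedelta(minutes=10), min_sources=2):
    """Per host, open an incident only when alerts from at least `min_sources`
    distinct products fall within `window` of each other.  Repeated alerts from
    a single product never open an incident on their own (the noise-reduction
    step); they are returned separately as 'held' signals for later review."""
    by_host = defaultdict(list)
    for s in signals:
        by_host[s.host].append(s)
    incidents, held = [], []
    for host, sigs in sorted(by_host.items()):
        sigs.sort(key=lambda s: s.ts)
        opened = False
        for i, first in enumerate(sigs):
            cluster = [s for s in sigs[i:] if s.ts - first.ts <= window]
            sources = sorted({s.source for s in cluster})
            if len(sources) >= min_sources:
                incidents.append({
                    "host": host,
                    "start": first.ts,
                    "sources": sources,
                    "detectors": [s.detector for s in cluster],
                    "score": sum(s.severity for s in cluster),
                })
                opened = True
                break  # one incident per host is enough for this sketch
        if not opened:
            held.extend(sigs)
    return incidents, held


def plan_response(incident, isolate_at=8):
    """Central response step: choose an action from the correlated score.
    Threshold and action names are assumptions made for this example."""
    action = "isolate_host" if incident["score"] >= isolate_at else "open_investigation"
    return {"host": incident["host"], "action": action, "reason": incident["detectors"]}


def run_example():
    signals = normalize(RAW_ENDPOINT, RAW_NETWORK, RAW_IDENTITY)
    incidents, held = correlate(signals)
    return incidents, held, [plan_response(i) for i in incidents]


if __name__ == "__main__":
    incidents, held, actions = run_example()
    for inc in incidents:
        print(f"INCIDENT {inc['host']} score={inc['score']} sources={inc['sources']}")
    print(f"{len(held)} single-source signals held without escalation")
    for a in actions:
        print(a)
```

Run as-is, only ws-17 becomes an incident, because three different products flagged it within six minutes; ws-42’s repeated port-sweep alerts and srv-01’s two alerts thirty minutes apart stay held. The `window` and `min_sources` knobs are exactly the tuning the list above describes: widen them and more incidents open (and more noise with them); tighten them and a real multi-stage intrusion whose signals arrive slowly is held instead of escalated.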
The major difference between MDR and XDR: who does the work?
The primary difference between MDR and XDR is who is responsible for managing the security platform and delivering the detection and response.
With XDR, these functions are left to you, the customer. With MDR, the operational heavy lifting is taken care of for you by the managed security provider.
The “manage-it-myself” approach may work for Fortune 100 enterprises and other very large, very well-resourced organizations. But for everyone else—the vast majority of organizations, in fact—this strategy just won’t work. And that’s not an indictment of effort or ability, it’s simply an honest appreciation of the resourcing reality.
In contrast, with eSentire's MDR service our team—sales engineers, SOC analysts, threat hunters and others—takes on the responsibilities of installing, configuring, and managing the security solutions, as well as detecting and responding to threats.
Moreover, our experts do what technology and the vast majority of security teams (even within Fortune 100s) can't do, including hunting and investigating threats, proactively researching to develop detectors and authoring reliable runbooks to enable fast and effective response.
This managed approach is one reason why the time-to-value with MDR is so fast—often on the order of days or weeks—versus the months that are the best-case scenario for a solution as complex as XDR.
eSentire Atlas: an innovative twist on XDR
At eSentire, we agree with much of what Gartner and others have to say about XDR from a functional and outcome-oriented perspective. In fact, Gartner’s description of XDR is remarkably consistent with our own Atlas platform: a "cohesive security incident and response platform" that includes "alert and incident correlation, as well as built-in automation," within "a unified whole that offers multiple streams of telemetry, presenting options for multiple forms of detection and concurrently enabling multiple methods of response."
We think of Atlas as a cloud-native XDR that applies across all our deployments, rather than being applied to only a single organization. One extremely important advantage of this approach is that Atlas has visibility into eSentire's entire customer base, for a rising-tide effect that enables proactive prevention measures to better protect each and every client before a particular threat appears in their environment. That is, we have expansive visibility into threats around the globe, whereas even the largest XDR client only has direct exposure to threats that they have encountered directly.
Plus, while Gartner and others envision XDR platforms only working with a single vendor’s proprietary security components (e.g., their endpoint agent, their log aggregator, their network probe, etc.), Atlas allows eSentire customers to choose from a growing list of security partners. This choice is just another way Atlas provides the benefits of XDR without the limitations.
XDR or MDR: which is right for you?
Done right, and in the right organization, XDR could be an important development in cybersecurity. But “done right” and “in the right organization” are two deceptively strict qualifications.
“Done right” means that the platform actually delivers what it promises; needless to say, that will be a challenge. But even if this technical and functional challenge is met, it’s still unlikely to be enough for the vast majority of organizations because of resource limitations—and these same resource limitations are why MDR is likely a much better choice for the vast majority of organizations.
Where XDR describes technology—a collection of functionality and capabilities which Gartner believes is required to create positive security outcomes—MDR represents the synthesis of people and technology through efficient and effective processes.
In other words, where XDR provides a platform, MDR offers a solution.