Extended Detection and Response (XDR) has received a great deal of attention in 2020. In fact, in September Gartner awarded XDR the number one spot in their Top 9 Security and Risk Trends for 2020, to go along with third place on their Top 10 Security Projects for 2020-2021 (behind only “Securing your remote workforce” and “Risk-based vulnerability management”).
Going back a little further, in March of this year Gartner published an Innovation Insight for Extended Detection and Response. And Gartner isn’t alone in giving attention to XDR: for instance, in June CSO Online published 10 things you should know about XDR.
All of these articles and examinations do a pretty good job of describing what XDR is—but they fall short when it comes to relating XDR to other security options like Managed Detection and Response (MDR). And that isn’t just speculation on our part: in recent months we’ve had many customers and prospects ask us what XDR is and how it fits into the broader world of cybersecurity.
The Gartner Top 10 list cited above describes XDR as, “a unified security and incident response platform that collects and correlates data from multiple proprietary components.” The description goes on to specify that, “The platform-level integration occurs at the point of deployment rather than being added in later. This consolidates multiple security products into one and may help provide better overall security outcomes.”
Gartner’s Top 9 list explains further that XDR solutions, “improve threat detection and provide an incident response capability.”
Now we know what an XDR solution does, and we can decompose the description into some required components:
Critically, XDR is intended as a platform that you as a customer would purchase and manage yourself. So, a necessary part of the “how” security outcomes are delivered falls on your team’s ability to effectively configure, manage, maintain and—ultimately—use the platform.
Based upon the accepted understanding of what an XDR does and how it does it, an XDR platform sounds a lot like a SIEM that also includes response capabilities. Indeed, there are already several examples in the market of SIEM and Security Orchestration, Automation and Response (SOAR) vendors experimenting with the XDR label to cash in on the hype.
But the history of cybersecurity is full of “the next big thing” that will finally consolidate security signals, apply automatic intelligent analysis, and trigger or enable effective responses. What makes XDR different? When you peel back the covers, the answer is “not much.” The underlying technologies have evolved since the heady days of SIEM, for instance, but many of the same potential shortcomings remain.
In fact, this pattern is familiar, because the same thing played out with SIEM:
The same problems that have plagued SIEM will also impact XDR. These include:
And of course, all of these localized problems exist against the backdrop that simply recruiting, retaining and sufficiently resourcing cybersecurity professionals is extraordinarily challenging due to a worldwide shortage of such specialists. Even a perfect XDR platform can’t solve that problem for you.
The primary difference between MDR and XDR is who is responsible for managing the security platform and delivering the detection and response.
With XDR, these functions are left to you, the customer. With MDR, the operational heavy lifting is taken care of for you by the managed security provider.
The “manage-it-myself” approach may work for Fortune 100 enterprises and other very large, very well-resourced organizations. But for everyone else—the vast majority of organizations, in fact—this strategy just won’t work. And that’s not an indictment of effort or ability, it’s simply an honest appreciation of the resourcing reality.
In contrast, with eSentire's MDR service our team—sales engineers, SOC analysts, threat hunters and others—takes on the responsibilities of installing, configuring, and managing the security solutions, as well as detecting and responding to threats.
Moreover, our experts do what technology and the vast majority of security teams (even within Fortune 100s) can't do, including hunting and investigating threats, proactively researching to develop detectors and authoring reliable runbooks to enable fast and effective response.
This managed approach is one reason why the time-to-value with MDR is so fast—often on the order of days or weeks—versus the months that are the best-case scenario for a solution as complex as XDR.
At eSentire, we agree with much of what Gartner and others have to say about XDR from a functional and outcome-oriented perspective. In fact, Gartner’s description of XDR is remarkably consistent with our own Atlas platform: a "cohesive security incident and response platform," that includes "alert and incident correlation, as well as built-in automation," within "a unified whole that offers multiple streams of telemetry, presenting options for multiple forms of detection and concurrently enabling multiple methods of response."
We think of Atlas as a cloud-native XDR that applies across all our deployments, rather than being applied to only a single organization. One extremely important advantage of this approach is that Atlas has visibility into eSentire's entire customer base, for a rising-tide effect that enables proactive prevention measures to better protect each and every client before a particular threat appears in their environment. That is, we have expansive visibility into threats around the globe, whereas even the largest XDR client only has direct exposure to threats that they have encountered directly.
Plus, while Gartner and others envision XDR platforms only working with a single vendor’s proprietary security components (e.g., their endpoint agent, their log aggregator, their network probe, etc.), Atlas allows eSentire customers to choose from a growing list of security partners. This choice is just another way Atlas provides the benefits of XDR without the limitations.
Done right, and in the right organization, XDR could be an important development in cybersecurity. But “done right” and “in the right organization” are two deceptively strict qualifications.
“Done right” means that the platform actually delivers what it promises; needless to say, that will be a challenge. But even if this technical and functional challenge is met, it’s still unlikely to be enough for the vast majority of organizations because of resource limitations—and these same resource limitations are why MDR is likely a much better choice for the vast majority of organizations.
Where XDR describes technology—a collection of functionality and capabilities which Gartner believes is required to create positive security outcomes—MDR represents the synthesis of people and technology through efficient and effective processes.
In other words, where XDR provides a platform, MDR offers a solution.
As eSentire's Director of Product Marketing, Wes oversees market intelligence, competitive research and go-to-market strategies. His multi-faceted technology experience spans over a decade with market leaders such as Hewlett-Packard and Dell SecureWorks.