XDR
Extended Detection and Response

Anne Aarness - September 30, 2021

What is XDR?

Extended Detection and Response (XDR) is the next frontier in threat-centric security prevention. XDR is a holistic approach that streamlines security data ingestion, analysis and workflows across an organization’s entire security stack to enhance visibility around hidden and advanced threats, and to unify the response. XDR collects and correlates data from endpoints, cloud workloads, networks and email, analyzes and prioritizes them, and delivers them to security teams in a normalized format through a single console.

XDR coordinates and extends the value of siloed security tools, unifying and streamlining security analysis, investigation and remediation into one consolidated console. As a result, XDR dramatically improves threat visibility, accelerates security operations, reduces TCO and eases the ever-present security staffing burden.

XDR vs EDR vs MDR

Endpoint detection and response (EDR) solutions monitor end-user devices — desktops, laptops, tablets and phones — for threats that antivirus software can’t detect. These advanced persistent threats (APTs) often use malware-free techniques to gain access to a network. An EDR solution uses software agents installed on endpoints to capture information, which it sends to a centralized repository for analysis. The stored data include queries, behaviors and events, which the security team uses to detect and investigate anomalous activity. EDR is also helpful in finding the root cause of an event.

But that still takes a lot of man-hours and there aren’t enough cybersecurity professionals available to hire, even if an organization has the budget for headcount. Managed detection and response (MDR) emerged to fill the gap.

MDR is essentially EDR purchased as a service. But the difference is important: MDR providers usually assist in mitigating, eliminating and remediating threats, and the MDR’s security team will be highly experienced in these activities. MDRs also provide continuous monitoring to aid rapid detection.

Different MDR providers use different arrays of tools, and their array will determine the scope of the attacks they can detect and how well they can execute a response. A typical MDR’s array will consist of a SIEM, a network traffic analysis (NTA) solution, an endpoint protection platform (EPP) and an intrusion detection system (IDS).

XDR protects more than just endpoints. It “extends” across the infrastructure so it can protect networks, cloud workloads, servers, email, etc., as well as endpoints. XDR relies on automation and artificial intelligence to ingest and understand vast amounts of data, and then normalizes the data and makes it available through a single console. When purchased as a managed solution, XDR should provide access to experienced experts in threat hunting, threat intelligence and analytics.

Core Tenets of XDR

In order for XDR to deliver on its promise of better, optimized detection, investigation, hunting and response, the platform must offer:

1. Native endpoint visibility and protection

XDR gives security teams an easier way to stop breaches by extending visibility, detection and response beyond the endpoint. XDR is an extension of EDR; in order to achieve true XDR, the endpoint must remain as the foundation and be built upon.

2. Threat-focused event analysis and management

The x-factor in XDR is its threat-centric orientation. This is what unifies the data and streamlines the response.

3. Diverse, multi-domain telemetry

The value of XDR comes from the contextualized insights that additional IT and security telemetry can provide. Inclusion or exclusion of specific technologies doesn’t determine whether the tool is providing true XDR. More important is that a broad, diverse set of systems and applications are incorporated for more comprehensive contextualization and correlation. These may include network analysis and visibility (NAV), NGFW, email security, identity and access management (IAM), cloud workload protection platform (CWPP), CASB/SW, DLP and more.

4. Purpose-built ontologies for efficient data ingestion, correlation and searching

Well-defined schemas for data exchanges with additional IT security systems are critical to ensure enrichment and correlation take place in a consistent and comprehensive fashion with key objectives and outcomes in mind.

5. Detection model prioritizing data fidelity

Security teams are already overloaded with data, and XDR has the potential to bring in orders of magnitude more. With an emphasis on fidelity and detection quality, security teams avoid a deluge of false-positives and ensure XDR events and investigations are meaningful and efficient.

6. Multi-tool orchestration, mitigation and response

Once threats are detected, XDR provides security teams with integrated workflows to take swift, and often automated, action to mitigate and remediate the threat.

7. AI and machine learning that continuously searches for new unknowns

Advanced analytics in forms such as AI and ML are applied to search for previously hidden threats, often through aggregation and understanding of multiple, disparate weaker signals from different domains.
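Tenets 4, 5 and 7 above describe one pipeline: map every source into a common schema, join records on shared entities, and raise an alert only when the combined evidence is strong enough that it is worth an analyst's time. The following Python is an added example and is not the author's or CrowdStrike's code. Three constructed telemetry records in hypothetical formats (an EDR process event, a mail-gateway verdict and a firewall log line) are normalized into one schema, grouped on the shared user and host within a ten-minute window, and their weights summed, so three signals that are each too weak to alert on alone become one alert while an unrelated benign process start on another host is kept out of the queue. The signal names, weights, window and threshold are assumptions chosen for illustration.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed raw telemetry in three hypothetical formats (not any vendor's).
EDR_JSON = ('{"ts": "2021-09-30T14:02:10Z", "hostname": "ws-042", "user": "jdoe", '
            '"image": "powershell.exe", "cmdline": "-enc SQBFAFgA", "sev": 3}')
EDR_BENIGN_JSON = ('{"ts": "2021-09-30T14:02:30Z", "hostname": "ws-007", "user": "asmith", '
                   '"image": "excel.exe", "cmdline": "/e report.xlsx", "sev": 1}')
EMAIL_JSON = ('{"received": "2021-09-30T13:58:41Z", "recipient": "jdoe", "subject": "Invoice", '
              '"verdict": "suspicious_attachment", "attachment": "invoice.xlsm"}')
FW_LINE = ('2021-09-30T14:03:05Z src=10.20.30.42 srchost=ws-042 dst=203.0.113.77 '
           'dport=443 action=allow rule=outbound-any')


@dataclass
class Event:
    """Common schema every source is mapped into before correlation (assumed)."""
    source: str                 # edr | email | network
    time: datetime
    host: Optional[str]
    user: Optional[str]
    signal: str                 # normalized signal name
    weight: int                 # stand-alone confidence, 0..100 (assumed scale)
    raw: dict = field(default_factory=dict)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_edr(line: str) -> Event:
    d = json.loads(line)
    encoded = "-enc" in d["cmdline"].split()
    signal = "encoded_powershell" if encoded else "process_start"
    return Event("edr", parse_ts(d["ts"]), d["hostname"], d["user"], signal, 45 if encoded else 5, d)


def normalize_email(line: str) -> Event:
    d = json.loads(line)
    # The mail gateway knows the recipient but not the endpoint; the user is the join key.
    return Event("email", parse_ts(d["received"]), None, d["recipient"], d["verdict"], 30, d)


def normalize_firewall(line: str) -> Event:
    ts, *pairs = line.split()
    d = dict(p.split("=", 1) for p in pairs)
    return Event("network", parse_ts(ts), d.get("srchost"), None, "outbound_allow_" + d["dport"], 10, d)


def correlate(events, window=timedelta(minutes=10), threshold=60):
    """Group events that share a host or user within `window`; a group only
    becomes an alert when its summed weight reaches `threshold`."""
    groups = []  # each entry: [entity set, event list]
    for ev in sorted(events, key=lambda e: e.time):
        ents = {("host", ev.host)} if ev.host else set()
        if ev.user:
            ents.add(("user", ev.user))
        for g_ents, g_evs in groups:
            if ents & g_ents and ev.time - g_evs[-1].time <= window:
                g_ents |= ents          # the group learns the new entity (e.g. the host)
                g_evs.append(ev)
                break
        else:
            groups.append([ents, [ev]])
    alerts = []
    for ents, evs in groups:
        score = min(100, sum(e.weight for e in evs))
        if score >= threshold:          # low-fidelity singletons never reach the analyst
            alerts.append({
                "score": score,
                "entities": sorted(ents),
                "signals": [f"{e.source}:{e.signal}" for e in evs],
                "first_seen": evs[0].time.isoformat(),
                "last_seen": evs[-1].time.isoformat(),
            })
    return alerts


def build_alerts():
    events = [normalize_email(EMAIL_JSON), normalize_edr(EDR_JSON),
              normalize_edr(EDR_BENIGN_JSON), normalize_firewall(FW_LINE)]
    return correlate(events)


if __name__ == "__main__":
    for alert in build_alerts():
        print(json.dumps(alert, indent=2))
```

Run stand-alone, the script prints one alert with a score of 85 built from the email, EDR and network signals; the benign Excel launch on ws-007 forms its own group with a score of 5 and is dropped. The point of the schema is visible in `correlate`: it never inspects source-specific fields, only the normalized entity keys, which is what lets a mail-gateway verdict and a firewall line land in the same investigation.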

Benefits of XDR Security

Previous incarnations of threat detection solutions focus on one layer at a time. For instance, EDR solutions only operate on endpoints and network traffic analysis solutions only operate on network traffic. Organizations end up buying numerous security products to build their own multilayered security, which results in a complex security stack that delivers too many alerts and not enough context.

Organizations can invest heavily only to find their very defenses have worked against them. The more complicated the security silos, the greater the likelihood that a security gap will be created and go unnoticed until there’s a breach. And as more tools become involved, conducting investigations becomes more difficult, which is why the length of time required to identify a breach has increased in step with the adoption of the multilayered security model.

All these tools must be managed, so the security team is not only burdened with handling a greater volume of alerts from their siloed solutions, but also with tracking and implementing regular patches and upgrades on each of the specialized products.

The ramifications of a multilayered defense built on disparate products ripple beyond the security operations center. Buying products to address specific security gaps puts technology first and the business and users last. It is tactical rather than strategic, and therefore ends up costing more money, requiring more specialized expertise, and inhibiting scalability and innovation.

XDR addresses the problems created by traditional detection and response technologies. It is designed to work with today’s hybrid infrastructures and cloud workloads, as well as with on-premises environments and large remote workforces.

XDR improves an organization’s cybersecurity posture by offering:

Faster, high-fidelity detection

Siloed security tools focus on a narrow scope of data. Security analysts are forced to manually compare the data from multiple tools in order to gain an understanding of activities on their infrastructure. This introduces the possibility of human error and doesn’t provide any way to detect attackers using stolen credentials. It also takes a lot of time. Organizations try to integrate their siloed solutions, which is not a trivial effort and doesn’t always work as expected.

XDR delivers granular visibility by working across multiple layers, collecting and correlating data from email, endpoints, servers, cloud workloads and networks. Detection is faster and responses are better informed. Attack paths can be reconstructed, making it possible to discover where in the infrastructure attackers are currently dwelling and which assets they may have compromised. This information can be used for mitigation and remediation, and also to make better decisions about security improvements.
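As an added example of the attack-path reconstruction described above (not code from the original article or from CrowdStrike), the following Python walks a constructed set of already-normalized identity, endpoint and network events forward in time from the first compromised endpoint. It follows a hop only if it happens after the attacker could have reached the hop's source asset, which keeps earlier and unrelated logons by other users off the path, and it reports the asset with the latest attacker-attributable activity as the likely current dwell point. Asset names, field names and the external address (taken from a documentation range) are constructed.

```python
from collections import deque
from datetime import datetime

# Constructed, already-normalized cross-domain events (hypothetical field names).
# Each record is an actor acting from `src` toward `dst`.
EVENTS = [
    {"time": "2021-09-30T14:02:10Z", "source": "edr", "src": "ws-042", "dst": "ws-042",
     "user": "jdoe", "signal": "macro_spawned_shell"},
    {"time": "2021-09-30T14:21:33Z", "source": "identity", "src": "ws-042", "dst": "fs-01",
     "user": "jdoe", "signal": "smb_logon"},
    {"time": "2021-09-30T10:00:00Z", "source": "identity", "src": "fs-01", "dst": "ws-100",
     "user": "asmith", "signal": "smb_logon"},          # predates the compromise of fs-01
    {"time": "2021-09-30T14:40:02Z", "source": "identity", "src": "fs-01", "dst": "db-03",
     "user": "svc_backup", "signal": "rdp_logon"},
    {"time": "2021-09-30T14:45:00Z", "source": "network", "src": "db-03", "dst": "203.0.113.77",
     "user": None, "signal": "large_outbound_transfer"},
    {"time": "2021-09-30T09:10:00Z", "source": "identity", "src": "ws-100", "dst": "fs-01",
     "user": "asmith", "signal": "smb_logon"},          # ws-100 is never on the path
]

# Case start: the endpoint named in the mail-gateway detection and its time (constructed).
ORIGIN = "ws-042"
ORIGIN_TIME = "2021-09-30T13:58:41Z"


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def reconstruct_attack_path(events, origin, origin_time):
    """Breadth-first walk from `origin`, following only hops whose timestamp
    is not earlier than the attacker's earliest possible arrival at the hop's
    source asset. Returns {asset: [hop, ...]} for each asset reached."""
    by_src = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src.setdefault(ev["src"], []).append(ev)
    reached = {origin: (_t(origin_time), [])}      # asset -> (earliest arrival, hops so far)
    queue = deque([origin])
    while queue:
        src = queue.popleft()
        arrived, hops = reached[src]
        for ev in by_src.get(src, []):
            t = _t(ev["time"])
            if ev["dst"] == src or t < arrived:
                continue                              # host-local activity, or too early
            hop = f'{ev["time"]} {ev["source"]}:{ev["signal"]} {src} -> {ev["dst"]} as {ev["user"] or "n/a"}'
            if ev["dst"] not in reached or t < reached[ev["dst"]][0]:
                reached[ev["dst"]] = (t, hops + [hop])
                queue.append(ev["dst"])
    return {asset: hops for asset, (_, hops) in reached.items() if asset != origin}


def current_dwell(events, origin, origin_time):
    """Asset with the most recent attacker-attributable activity: the origin
    plus everything the reconstructed path reaches, after the case start."""
    compromised = {origin, *reconstruct_attack_path(events, origin, origin_time)}
    attacker_events = [ev for ev in events
                       if ev["src"] in compromised and _t(ev["time"]) >= _t(origin_time)]
    return max(attacker_events, key=lambda e: e["time"])["src"]


if __name__ == "__main__":
    for asset, hops in reconstruct_attack_path(EVENTS, ORIGIN, ORIGIN_TIME).items():
        print(asset)
        for hop in hops:
            print("   ", hop)
    print("likely dwell point:", current_dwell(EVENTS, ORIGIN, ORIGIN_TIME))
```

The output lists fs-01, db-03 and the external address with the chain of hops that led to each, and names db-03 as the dwell point; ws-100 never appears, because the only events touching it either predate the compromise of fs-01 or originate from a host the path never reached. The time check is the detail worth keeping in any real implementation: without it, every historical logon to a file server becomes a spurious branch of the attack.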

Streamlined response

Turn insight into orchestrated action. Empower security teams to design and automate multistage, multiplatform response workflows for surgical, full-stack remediation.

Best-of-breed ecosystem

All-in-one models of XDR simply can’t deliver on XDR’s full promise. To achieve true and comprehensive XDR, security teams need insight from a diverse array of IT systems and networks.

More efficient SecOps

XDR combines artificial intelligence with comprehensive analytics to prioritize threats. That means anomalies determined to be insignificant are weeded out of the alert stream before a human analyst ever sees them. The analyst is free to focus on threats that matter, and these prioritized threats are accompanied by context to make human analysis faster and more accurate.

Lower total cost of ownership

In addition to the fact that XDR can replace multiple tools (and therefore, multiple invoices), the more efficient use of SOC resources significantly lowers TCO as management requires less time and investigations can be completed more quickly. And because XDR is an integrated platform, it doesn’t need to be integrated with multiple point solutions.

XDR Use Cases

Use case and how XDR helps:

  • Triage: XDR aggregates data, monitors systems, detects events and alerts security teams.
  • Investigation and incident response (IR): XDR can store the results of analyses and information on events, which can then be used to investigate the events, determine responses and train security teams.
  • Threat hunting: Data collected by the XDR solution can be used as a baseline for threat hunters. It can also be used to create new intelligence that can be employed to strengthen security policies and systems.

How XDR Works

Attackers know where to look for gaps in security silos. Once they find a way to slip into a network between its siloed products, they can dwell for lengthy stretches, moving laterally, collecting payloads and learning more about how to evade the network’s defenses in a future attack.

XDR collects data by sweeping across layers, feeds the results into a data lake, cleans them, and correlates them to the attack surface they penetrated. The data is centralized, normalized and made accessible through a single pane of glass.

Endpoints Are at the Core

XDR is meaningless without the endpoint. Without it, there’s nothing to “extend” from. All XDR processes — including data ingestion, correlation, investigation and remediation — are anchored to the corresponding endpoint events and to how the other telemetry relates to them.

How XDR Protects Endpoints

XDR finds out what happened at an endpoint, where a threat originated and how it traveled. The threat can then be isolated, the processes it launched can be stopped and the files it interfered with can be restored or deleted.

XDR Protects the Entire Security Ecosystem

Extending beyond the endpoint. Core domains to integrate for full-spectrum XDR:

  • Email security
  • Network analysis and visibility (NAV)
  • Identity and access management (IAM)
  • Threat and vulnerability management
  • Cloud security
  • OT and IoT security

How XDR Protects Email

XDR detects email threats and identifies compromised accounts. It can also detect patterns of attack, such as which users are frequently attacked, who made the mistake that gave the attacker access, and who else received the phishing email. XDR can quarantine mail, reset accounts and block senders.

How XDR Protects Networks

XDR can detect troubling behavior anywhere on the network and expose details, such as how the threat communicates and travels. Events can be filtered to make it easier to identify points of vulnerability, while the security team receives intelligence on the source and scope of the attack so they can respond more quickly.

How XDR Protects Cloud Servers and Workloads

XDR can isolate threats designed to compromise servers, containers and cloud workloads, determine a threat’s point of access, investigate how the threat is affecting the workload, and learn how it is propagating through the network. XDR can also stop processes that aid the threat’s propagation, which is important to prevent large data losses or the stoppage of critical operations in a hybrid or cloud environment consisting of multitudes of connection points.

Features of an XDR Platform

When evaluating an XDR solution, look for the following features to get the most value from your investment:

Feature and description:

  • Autonomous analysis: Immediate threat detections across IT environments, including cloud workloads, network and endpoint, to reduce triage time and expedite response
  • Autonomous response: Enhanced investigation and forensics capabilities
  • Autonomous threat hunting: Automated detection of weak threat signals that bypass existing siloed organizational defenses
  • Cloud-based ingestion: Ingestion of logs and events from multiple data sources, including cloud service providers, SaaS applications and firewalls
  • Extraction engine: Extraction of threat signals and alerts in near real time from the volume of security data generated by the existing stack of security products
  • Automatic investigation and scoring: Automatic extraction of features and entities that were involved in a specific suspicious activity and autonomous ML-based scoring
  • Cross-surface correlation: Visualizations of entities and relationships that can be automatically correlated across disparate areas of dense suspicious activity, all across the enterprise
  • Actionable attack summaries: Full attack summaries and outlines with details such as context, path, target and potential impact in easily consumed formats
  • Advanced detection, incident response and threat hunting: Advanced forensic investigation and threat hunting capabilities to reduce triage time

Get to Know the Author

Anne Aarness is a Senior Manager, Product Marketing at CrowdStrike based in Sunnyvale, California.