XDR, SIEM, SOAR, EDR... pretty much every security decision maker finds themselves in an alphabet soup that promises next-gen security, without much clarity on exactly how that's achieved. Back in 2018, Palo Alto Networks cooked up a storm by coining extended detection and response (XDR), a new security category touted to rectify the areas sorely lacking in a traditional SIEM.
Here's what XDR promised: richer detection context, built by collecting telemetry from disparate sources across the environment (endpoints being a major source) and centralizing it for security analytics and forensic investigations.
SOC analysts everywhere were thrilled with this approach. After all, they felt they were dealing with data in silos that weren't being correlated well enough, leading to too many alerts and false positives. XDR's strategy of centralizing the data and integrating enriched threat intel with every aspect of security analytics promised a welcome revolution in telemetry management.
But did XDR actually deliver, or was it just another political promise that failed in the execution? Can adopting XDR help your organization?
To answer these questions, let's look at the XDR delivery models available to organizations and how they address security issues.
The single vendor XDR model: A single vendor provides all security capabilities for threat detection, analytics, and response, and pulls every data silo into its analysis for better context building and correlation. While having all security capabilities from the same vendor can spell easier integration between data sources, you can't assume a single vendor is best in class at every layer of the network (endpoint, network, identity, and so on). Vet the vendor's track record in each capability you depend on so you're not settling for subpar components that won't deliver.
Sometimes XDR technologies are bundled together to form a security portfolio built on a foundation of acquisitions from several vendors. This acquisition model pushes the multiple security solutions under the banner of the single mega vendor that acquired them. Under the hood, however, these capabilities may not be as well integrated as you'd hope: a common logo does not mean a common data schema, console, or alert pipeline, so ask how an event from one acquired product actually reaches the analytics of another.
Hybrid XDR: Hybrid XDR delivers XDR capabilities through third-party integrations, each collecting a specific form of telemetry and executing response actions within that domain. This is the coming together of multiple security point solutions, from multiple vendors, to form an XDR that brings the siloed data together for analytics.
There are good XDR vendors who have actually managed to form connections between the data silos. But if you do opt for an XDR solution, you're going to have to dig deeper to see what's happening under the hood. Be wary of XDR vendors who have rushed to capitalize on the boom, lest you find yourself with a repackaged SIEM or SOAR offering with a few more threat intel sources thrown in and no essential integrations between the data sources. A practical check is to ask for a demonstration in which a single alert is assembled from events in at least two independent sources (say, an endpoint process event and a firewall connection), rather than from one source enriched with a threat feed. While offerings that can't do this may not deliver the contextualization that was promised, they can still offer value to companies wanting more telemetry in the mix.
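To make "integration between data sources" concrete, here is an added example (not code from this page, and not any XDR vendor's product logic) that does the cross-silo correlation the delivery models above are supposed to provide. It takes constructed telemetry from three silos, each in its own made-up vendor schema (the field names, thresholds, and trusted-country list are assumptions for the demo), normalizes them into one event shape, and raises an alert for a host only when weak signals from at least two independent silos line up inside a time window. A lone encoded PowerShell launch on one host stays suppressed, which is the false-positive reduction the page says analysts were hoping for.

```python
"""Cross-silo correlation: the piece a repackaged SIEM often lacks.

Three constructed telemetry feeds (EDR, firewall, identity provider), each
in a different vendor-style schema, are normalized into one event shape
and then correlated per host inside a sliding time window. An alert is
raised only when signals from at least two silos agree.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample telemetry. Field names imitate three unrelated vendor
# schemas; they are illustrative, not real product formats.
EDR_EVENTS = [
    {"Timestamp": "2021-06-01T09:14:02Z", "Hostname": "WS-042", "User": "jdoe",
     "CommandLine": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"Timestamp": "2021-06-01T13:02:10Z", "Hostname": "WS-017", "User": "asmith",
     "CommandLine": "outlook.exe /recycle"},
    # lone weak signal on another host: an admin running encoded PowerShell
    {"Timestamp": "2021-06-01T15:30:00Z", "Hostname": "WS-099", "User": "itadmin",
     "CommandLine": "powershell.exe -enc VwByAGkAdABlAC0ASABvAHMAdAA="},
]
FW_EVENTS = [
    {"time": "2021-06-01 09:14:40", "src_host": "WS-042",
     "dst": "203.0.113.77:443", "bytes_out": 1_850_000},
    {"time": "2021-06-01 13:05:01", "src_host": "WS-017",
     "dst": "198.51.100.9:443", "bytes_out": 1_200},
]
IDP_EVENTS = [
    # epoch 1622538780 == 2021-06-01T09:13:00Z
    {"ts": 1622538780, "subject": "jdoe", "device": "WS-042",
     "result": "SUCCESS", "geo": "RO"},
]

TRUSTED_GEOS = {"US", "GB"}        # assumed normal login countries for the demo
EXFIL_BYTES = 1_000_000            # assumed "large outbound transfer" threshold


def _iso(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize(edr, fw, idp):
    """Map each vendor schema onto one shape and tag each event with a
    per-silo weak signal (on its own, none of these justifies an alert)."""
    events = []
    for e in edr:
        events.append({"time": _iso(e["Timestamp"]), "silo": "edr",
                       "host": e["Hostname"], "user": e["User"],
                       "detail": e["CommandLine"],
                       "signal": " -enc " in f" {e['CommandLine'].lower()} "})
    for f in fw:
        t = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"time": t, "silo": "network", "host": f["src_host"],
                       "user": None, "detail": f"{f['bytes_out']} bytes to {f['dst']}",
                       "signal": f["bytes_out"] > EXFIL_BYTES})
    for i in idp:
        t = datetime.fromtimestamp(i["ts"], tz=timezone.utc)
        events.append({"time": t, "silo": "identity", "host": i["device"],
                       "user": i["subject"], "detail": f"login {i['result']} from {i['geo']}",
                       "signal": i["result"] == "SUCCESS" and i["geo"] not in TRUSTED_GEOS})
    return sorted(events, key=lambda ev: ev["time"])


def correlate(events, window_seconds=600, min_silos=2):
    """Slide a window over each host's weak signals; emit one incident per
    host when at least `min_silos` distinct silos contribute to the window."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["signal"]:
            by_host[ev["host"]].append(ev)   # events arrive time-sorted

    incidents = []
    for host, evs in by_host.items():
        for i, anchor in enumerate(evs):
            cluster = [e for e in evs[i:]
                       if (e["time"] - anchor["time"]).total_seconds() <= window_seconds]
            silos = {e["silo"] for e in cluster}
            if len(silos) >= min_silos:
                incidents.append({"host": host, "silos": silos,
                                  "users": {e["user"] for e in cluster if e["user"]},
                                  "start": cluster[0]["time"], "end": cluster[-1]["time"],
                                  "evidence": [f"[{e['silo']}] {e['detail']}" for e in cluster]})
                break
    return incidents


def suppressed_signals(events, incidents):
    """Weak signals that never made it into a multi-silo incident."""
    alerted = {inc["host"] for inc in incidents}
    return [e for e in events if e["signal"] and e["host"] not in alerted]


if __name__ == "__main__":
    evs = normalize(EDR_EVENTS, FW_EVENTS, IDP_EVENTS)
    for inc in correlate(evs):
        print(f"ALERT {inc['host']} users={sorted(inc['users'])} silos={sorted(inc['silos'])}")
        for line in inc["evidence"]:
            print("   ", line)
    for e in suppressed_signals(evs, correlate(evs)):
        print(f"suppressed single-silo signal on {e['host']}: [{e['silo']}] {e['detail']}")
```

The point to take from the example is that the value is in the join, not the feeds: every one of the four weak signals would be a low-fidelity alert in its own console, and only the host where identity, endpoint, and network agree becomes an incident. When evaluating a vendor, this is the behaviour to ask them to demonstrate on your own data.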
Some security experts like William Mendez, managing director of operations for CyZen, remain skeptical about what XDR has to offer. “I think [XDR is] a marketing term to describe something that was already being done," he told Informa Tech. "If you look at companies with mature security programs, especially those that have implemented a robust monitoring strategy through a security operations center, the key elements of XDR have always been there." XDR tools, according to Mendez and others, have just gone viral due to excessive marketing, but offer nothing new.
Moreover, these tools still don't simplify security data management, especially if you lack experienced technicians to run them. Investing in an XDR solution could eventually necessitate a managed detection and response (MDR) service so you'll have the technical personnel to centralize and integrate the data and run the XDR platform for you. If investing in MDR services seems to stretch your budget thin, you'll want to find an alternative solution. Next-gen SIEM solutions have vastly expanded their ability to digest more telemetry and are also focused on helping you achieve threat detection and incident response outcomes without having to involve managed service providers.
Data centralization has always been the challenge when it comes to security management. And while there are many issues with current XDR solutions, it's still too early to give up on the technology altogether. In fact, we'd say to keep an open mind. While a lot of vendors haven't yet achieved the optimum level of cohesiveness between data silos, they still provide the added advantage of more threat intelligence and more advanced analytics. This has always been the challenge with traditional SIEM systems, and an XDR solution, while perhaps not solving the problem entirely, could improve your security outcomes.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.