
Not all XDR is created equal

With so many XDR solutions available on the market today, organisations need to be careful about which one they choose

Yossi Naar, Chief Visionary Officer and Co-founder, Cybereason

The global Extended Detection and Response (XDR) market is expected to grow considerably over the next decade. World Wide Technology reported that it will grow at a compound annual growth rate of nearly 20 percent between 2021 and 2028, reaching a value of $2.06 billion by that time.

Over this projected period of growth, security vendors that already have an XDR offering will no doubt refine their solutions, and new players will also likely throw their hat into the ring. But all this variety isn’t necessarily a good thing for organisations.

With so many XDR solutions available on the market today, organisations need to be careful about which one they choose. That’s because not all XDR platforms are created equal or deliver the same type of value. Here’s how to sort it all out.

Data filtering: the lowest of the low

It’s important to note that some companies do not have the ability to ingest all available telemetry for their Endpoint Detection and Response (EDR) offerings. As a result, they resort to a technique known as “data filtering.” This is where they eliminate telemetry even though it might be useful for detection. They have no choice; their model involves sending all data to the cloud for analysis before they can return a detection.

This calls into question whether those vendors’ platforms can keep organisations safe. If a platform cannot currently handle all available endpoint telemetry to make detections via EDR, how will it ever effectively ingest even more telemetry from non-endpoint sources?

An effective XDR solution needs to be able to ingest telemetry not just from endpoints, but also from cloud workloads and containers, user identities, an array of business application suites, and so on. So can vendors that filter data deliver effective XDR? No, they can’t; that is simply what their platform capabilities dictate.

Native XDR vs. Open XDR

After data filtering, it’s important to distinguish “native” XDR from “open” XDR. The former performs XDR functionality by integrating with “native” solutions that belong to the same vendor portfolio. This type of offering spares security teams from needing to spend lots of time on configuring their XDR platforms and from needing to go through a complicated buying process for all their different solutions. But the advantages end there.

With native XDR, organisations might find themselves in a state of “vendor lock-in” where they’re stuck with a single company’s solutions that don’t fulfill all their security requirements. Organisations might also need to replace some of their existing technologies to make full use of a native XDR product, thus cutting down on the ROI of their current investments.

These drawbacks don’t apply to open (also known as “hybrid”) XDR. This approach enables organisations to integrate their XDR platforms with whichever best-of-breed solutions work for them. Yes, they’ll need to go through separate buying processes for these tools, and the integrations might not be as tight as they would be under a native XDR platform.

Even so, organisations can use open XDR to work with tools that fulfill their security requirements as they continue to evolve. They also won’t need to replace any of their existing investments (if they’re still working for them) under an open XDR platform.

Traditional XDR vs. Advanced XDR

Beyond native versus open XDR lies the distinction between traditional XDR and Advanced XDR. It concerns how an XDR platform gathers data and, as a result, what types of security incidents it can help to illuminate.

Traditional XDR is straightforward. It integrates with threat intelligence to spot Indicators of Compromise (IOCs) from already-known attacks. The XDR platform then helps security teams respond to those incidents, but analysts must manually triage every relevant alert and then try to correlate the alerts to determine which ones belong to an actual security event, answering the question “are we under attack?” This takes time, giving attackers an opportunity to infiltrate organisations’ systems further.

Advanced XDR takes this approach one step further by automating the time-consuming triage and correlation tasks. Not only does it integrate with threat intelligence, but it also uses artificial intelligence (AI) and machine learning (ML) to deliver context-rich correlations based on telemetry from disparate sources across organisations’ assets.

Advanced XDR therefore provides not only visibility across the kill chain but also automated, predictive response, elevating Tier 1 and Tier 2 analyst capabilities to be on par with Tier 3 skill sets and thereby increasing both efficiency and efficacy.

AI-powered XDR

Fortunately, organisations don’t need to settle for incomplete XDR solutions. There is the option to go with an AI-driven XDR solution that delivers the complete attack story in real-time and extends continuous threat detection and monitoring, along with automated response beyond endpoints to protect applications, identity and access tools, containerised cloud workloads and more.

AI-driven XDR also ingests threat intelligence streams to allow organisations to defend against known attacks and uses AI and machine learning (ML) to automatically correlate telemetry from across these different assets to deliver the complete attack story in real-time. This functionality frees security analysts from needing to triage every generated alert, enabling them to address actual threats faster.

AI-driven XDR also leverages behavioural analytics and Indicators of Behaviour (IOBs) to provide a more in-depth perspective on how attackers conduct their campaigns. This operation-centric approach is far better at detecting attacks earlier, especially highly targeted attacks that employ never-before-seen tools and tactics that evade traditional endpoint security software.

Finding one component of an attack via chains of potentially malicious behaviour allows defenders to see the entire operation from the root cause across every impacted user, device, and application. This is where AI-driven XDR is essential to automatically correlate data at a rate of millions of events per second versus analysts manually querying data to validate individual alerts over several hours or even days.
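To make the contrast between IOC matching (the traditional XDR section above) and entity-linked behaviour correlation from the root cause concrete, here is an added example that is not Cybereason's code or any product's logic: the events, hashes, hosts, users and behaviour rules are all constructed for illustration.

```python
# Added example, not Cybereason's code: IOC-only matching (traditional XDR)
# versus correlating suspicious behaviours across telemetry sources that
# share a user or host, reconstructing the operation from its root cause.
from collections import deque

# Constructed telemetry from endpoint, identity and cloud sources.
# Event ids are in time order; hashes, hosts and users are made up.
EVENTS = [
    {"id": 1, "source": "endpoint", "host": "ws-12", "user": "alice",
     "action": "process_start", "detail": "winword.exe -> powershell.exe", "sha256": "aaaa"},
    {"id": 2, "source": "endpoint", "host": "ws-12", "user": "alice",
     "action": "cred_access", "detail": "lsass memory read", "sha256": "bbbb"},
    {"id": 3, "source": "identity", "host": "dc-01", "user": "alice",
     "action": "logon", "detail": "new device, unusual hour"},
    {"id": 4, "source": "cloud", "host": None, "user": "alice",
     "action": "api_call", "detail": "list storage buckets"},
    {"id": 5, "source": "endpoint", "host": "ws-30", "user": "bob",
     "action": "process_start", "detail": "chrome.exe", "sha256": "cccc"},
]

# Constructed threat-intel feed: only one hash is a known IOC.
KNOWN_BAD_HASHES = {"bbbb"}

# Constructed behaviour rules (IOBs): actions that look suspicious on their own.
SUSPICIOUS = {
    "process_start": lambda e: "powershell" in e["detail"],
    "cred_access": lambda e: True,
    "logon": lambda e: "unusual" in e["detail"],
    "api_call": lambda e: True,
}

def ioc_matches(events):
    """Traditional XDR: flag only events whose hash is a known IOC."""
    return [e["id"] for e in events if e.get("sha256") in KNOWN_BAD_HASHES]

def behaviour_chain(events, seed_id):
    """Starting from one alert, link every suspicious event that shares a user or
    host with an already-linked event; ids return in time order (root cause first)."""
    by_id = {e["id"]: e for e in events}
    flagged = {e["id"] for e in events if SUSPICIOUS.get(e["action"], lambda _: False)(e)}
    linked, queue = {seed_id}, deque([seed_id])
    while queue:
        cur = by_id[queue.popleft()]
        for e in events:
            same_entity = e["user"] == cur["user"] or (e["host"] and e["host"] == cur["host"])
            if e["id"] in flagged and e["id"] not in linked and same_entity:
                linked.add(e["id"])
                queue.append(e["id"])
    return sorted(linked)
```

`ioc_matches(EVENTS)` returns only `[2]`, while `behaviour_chain(EVENTS, 2)` returns `[1, 2, 3, 4]`: the same IOC hit, walked outward over shared user and host, surfaces the Office-spawned PowerShell at the root plus the identity and cloud events that hash matching alone never sees.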

Such visibility enables security teams to respond to an event before it becomes a major security issue and introduce measures designed to increase the burden on attackers going forward.