Extended Detection and Response (XDR) to Overtake the SIEM or Complement Each Other

Ajay Kumar
4 min read · Mar 5, 2021

Endpoint Detection and Response (EDR) technology has been around for some time now; even so, only a few organizations have transitioned from the traditional Endpoint Protection Platform (EPP) and implemented the XDR platform. Over the last few months, I have been assisting a few of our clients who reached out to Accenture to help put together a point of view (POV) on EDR and on how they can plan and deploy the solution to their endpoints, to address the endpoint security challenges caused by COVID-19: being able to detect threats and to perform remote incident response regardless of whether the endpoint is on-prem or remote.

EDR gives the organization the ability to monitor endpoints for suspicious behavior, record every activity and event, and transmit the data to a cloud platform for further processing and correlation, where automated threat response actions are run, such as isolating an infected endpoint from the network in near real time, should an activity be deemed risky to the business.

Innovation in EDR technology is underway, and Extended Detection and Response (XDR) has lately been gaining traction as the future version of EDR. EDR provides a SaaS-based detection and incident response capability that cuts complexity and cost by combining security data from multiple security products into a unified platform. Many vendors have already launched XDR offerings, while others are looking to fill the gaps through acquisitions to quickly build out their portfolio. Interestingly, the traditional EPP vendors who missed the EDR opportunity are now leapfrogging into XDR and offering XDR to stay competitive in the market, or have XDR offerings on their roadmap.

The Capabilities That XDR Provides:

Extended Detection and Response is a new approach designed to deliver new capabilities not only around endpoints but across applications, identities, networks, and cloud, consolidating security events from multiple security products into a cohesive security incident detection and response platform. The primary objective is to improve protection, detection, and response capabilities while improving overall operational productivity and lowering the total cost of ownership.

XDR drastically reduces the number of low-quality and false-positive alerts by processing and analyzing security events from multiple streams, combining them with external threat intel feeds, and adding contextual data, so that both known and zero-day attacks can be detected in real time. In addition, it provides customizable dashboards and reporting to help organizations extract the maximum value from security data and give context on the state of security operations.

XDR Use Case:

The primary use case of XDR is to provide the visibility, context, and searchability needed to improve threat detection and response, and to run analytics that reduce human intervention by automating actions and improving operational productivity. For example, for a phishing email that raised an email alert, the related events from the endpoint and the network can be combined into a single incident with contextual details such as user identity, endpoint details, and network activity, so that a security analyst can make a quick decision and respond faster.

Is XDR Going to Replace SIEM or SOAR in Days to Come?

XDR provides functions similar to those of a Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platform. However, it is differentiated by the type of integrations and deployments, and it is primarily focused on threat detection and automated incident response use cases. The XDR platform aims to solve the challenges of the SIEM tool for effective detection of and response to targeted attacks, and includes behavior analysis, threat intelligence, behavior profiling, and analytics, as opposed to SIEM, which requires a lot of effort to implement rules targeting a specific use case and scope. Another key capability XDR brings compared to SIEM is a cloud-native architecture and services, making it an emerging alternative or complement to existing SIEM tools. However, XDR does not provide log storage and archiving or compliance use cases, which the SIEM tool has long served. In addition, XDR vendor offerings include services such as vulnerability assessment, IT hygiene, sandbox technology to detonate malware or infected files in real time, advanced threat hunting, and remote incident response services.

Evaluating an XDR Platform:

The key capability to evaluate is the ability to integrate the XDR platform with discrete data sources, and the use of machine learning and AI-powered dynamic analysis techniques to provide the combined capabilities of SIEM, UEBA, NTA, and EDR. It needs to ensure that both incident responders and threat hunters have the information they need, with context at their fingertips, to effectively and efficiently pinpoint and address attacker activity using advanced analytics and integrated threat intelligence, as opposed to SIEM tools or a SOAR platform. The primary aim is to perform incident de-duplication and incident enrichment and then take automated response based on a pre-defined workflow or playbook actions.
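As an added illustration (not code from the original article or from any XDR product), a small Python correlator that performs the stitching described in the phishing use case above together with the de-duplication, enrichment and playbook-driven response described here; the event records, user and host names, the TEST-NET address and the threat-intel entry are constructed samples.

```python
from datetime import datetime, timedelta

# Constructed sample events from three sources (email gateway, EDR agent, network sensor).
# Users, hosts and the 203.0.113.7 TEST-NET address are made up for this illustration.
EVENTS = [
    {"source": "email", "ts": "2021-03-05T09:00:00", "user": "alice", "host": "WS-0142",
     "detail": "phishing attachment invoice.docm", "ioc": None},
    {"source": "endpoint", "ts": "2021-03-05T09:02:10", "user": "alice", "host": "WS-0142",
     "detail": "winword.exe spawned powershell.exe", "ioc": None},
    {"source": "endpoint", "ts": "2021-03-05T09:02:10", "user": "alice", "host": "WS-0142",
     "detail": "winword.exe spawned powershell.exe", "ioc": None},   # replayed by the agent
    {"source": "network", "ts": "2021-03-05T09:03:30", "user": "alice", "host": "WS-0142",
     "detail": "outbound TLS to 203.0.113.7:443", "ioc": "203.0.113.7"},
    {"source": "endpoint", "ts": "2021-03-05T15:40:00", "user": "bob", "host": "WS-0201",
     "detail": "scheduled task created", "ioc": None},
]
# Constructed threat-intel feed used for enrichment (hypothetical entry).
THREAT_INTEL = {"203.0.113.7": "sample C2 indicator (constructed)"}
WINDOW = timedelta(minutes=30)
# Playbook rule: isolate the host only when email, endpoint and network all agree
# and at least one event is enriched with a threat-intel hit.
AUTO_ISOLATE_SOURCES = {"email", "endpoint", "network"}

def correlate(events, intel=THREAT_INTEL, window=WINDOW):
    """De-duplicate, enrich and stitch raw events into per-host incidents."""
    seen, incidents = set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["source"], e["ts"], e["host"], e["detail"])
        if key in seen:                       # drop replayed telemetry
            continue
        seen.add(key)
        ts = datetime.fromisoformat(e["ts"])
        e = dict(e, intel=intel.get(e["ioc"]))   # enrichment from the feed
        inc = next((i for i in incidents
                    if i["host"] == e["host"] and ts - i["first_seen"] <= window), None)
        if inc is None:                       # open a new incident for this host
            inc = {"host": e["host"], "user": e["user"], "first_seen": ts,
                   "sources": set(), "events": [], "action": "triage"}
            incidents.append(inc)
        inc["events"].append(e)
        inc["sources"].add(e["source"])
        if inc["sources"] == AUTO_ISOLATE_SOURCES and any(x["intel"] for x in inc["events"]):
            inc["action"] = "isolate_host"    # automated response per playbook
    return incidents

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["host"], inc["user"], sorted(inc["sources"]), len(inc["events"]), inc["action"])
```

Running it yields one incident for WS-0142 (three distinct events, isolation recommended) and a second, unrelated triage-only incident for WS-0201.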

XDR products are in an early stage of development, and there are numerous risks that can derail a security leader's strategy and approach to addressing cybersecurity challenges. There could be many blind spots that need to be carefully identified, and most vendors provide easy integration within their own security products while supporting only a few third-party products, or have such support on their roadmap.

Accenture is helping many of our clients evaluate EDR and XDR products, accelerate the transformation from traditional EPP point products, and harness the value of the massive amount of security event data; our SMEs have developed the strategy, execution plan, and deployment methodology over time.

Ajay Kumar

A leader passionate about learning cybersecurity excellence