
XDR: The Next Generation of Endpoint Security

Jan 18, 2021

The history of endpoint security has gone through many stages. Yet, in 2021, our tools and processes are no longer necessarily appropriate to the threats we face: the environment they were built for has changed. A new generation of tooling is needed to address current threats, and one candidate is XDR, Extended Detection and Response.

It started with signature-based antivirus, continued with endpoint protection platforms (EPP), which added behavioural and heuristic prevention for threats without a known signature, and arrived most recently at endpoint detection and response (EDR), which records endpoint telemetry and gives analysts the tools to identify and immediately respond to breaches on endpoint devices. Each step dramatically improved protection for the endpoint itself.

However, most organizations have moved to a decentralized, cloud-based infrastructure. Employees work remotely and hold video calls at an unprecedented scale. The network perimeter as we knew it no longer exists. Most importantly, there are more cyberattacks, more sophisticated attackers, and a huge variety of advanced attack tool sets.

Tools built to watch a single layer cannot follow an attack that crosses layers. Despite the presence of traditional security tools, ransomware attacks are on the rise, data breaches grow every year, and SOC teams suffer from alert fatigue and staff shortages.

Organizations need a new and more comprehensive approach to detection and response, one that takes into account the growing attack surface and goes beyond endpoints to cover networks and the cloud. eXtended Detection and Response (XDR) is such an approach, and many analysts and CISOs consider it the next generation of endpoint security.

What is XDR?

Historically, endpoints have been an easy entry point for attackers. Antivirus alone was not enough, due to the rise of zero-day and fileless malware and additional attack vectors such as browser and operating system vulnerabilities. EDR offered a more robust answer: agents installed on endpoints record activity as it happens, send the data to a cloud backend for analysis, enable rapid threat detection, and support manual or automated remediation.

However, EDR becomes difficult to manage when there are thousands of endpoints and a growing number of incidents. It also has a blind spot: once an attacker pivots off the endpoint, for example by using stolen credentials to log in to a cloud console, little of the subsequent activity is visible to an endpoint agent. CISOs realized they need to think beyond EDR and antivirus, and extend detection coverage to more than just endpoints.

The X in XDR stands for multiple data sources: not just endpoints but also networks, cloud systems, IoT devices, and more. XDR gives a broader view of the environment by providing visibility into multiple layers of the IT infrastructure. It provides clear, consolidated data about attacks by collecting events from multiple systems and correlating them on the entities those sources share, such as a user name, host, or IP address, which allows faster and more effective security investigations.

How XDR Changes the Game

XDR aims to simplify security visibility across the entire IT ecosystem. This changes the game by providing:

  • True centralized management—one dashboard covering events and incidents across the entire IT environment, with consistent security policies applied across different types of infrastructure.
  • Extended visibility—XDR unifies visibility across silos, so analysts can gain context about an incident without having to learn and use a separate platform for each data source.
  • AI-based analysis—XDR ships with integrated, pre-tuned detection mechanisms based on AI/ML algorithms, which piece together the stages of an attack with far less manual work.
  • Empowering security analysts—with XDR, junior analysts can investigate complex threats without mastering several specialist tools, and need to escalate to higher tiers less often. XDR also reduces the need for training and certification on individual tools.
  • Increased productivity—XDR does not require security teams to switch between tools to triage and investigate incidents. It combines the data and presents it as an easy-to-read attack story, which analysts can act on immediately.
  • Lower cost of ownership—as an integrated platform, XDR reduces the cost of integrating and configuring multiple separate security tools.

What to Look For in a Good XDR Solution?

Integration is the first key to an effective XDR solution. To work seamlessly across the entire security stack, it needs native integrations and powerful APIs. Check the vendor's list of supported sources against the endpoint agents, network sensors and cloud systems you actually run; a platform that only ingests its own agent's telemetry is EDR under a new name. It should also provide state-of-the-art, off-the-shelf cross-stack correlation, prevention and mitigation capabilities, while allowing users to define their own custom rules.
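As an added example (not code from the original post and not any vendor's product), the following Python script shows what cross-stack correlation on shared entities means in practice: events from three constructed sample logs, an endpoint agent, a network sensor and a cloud audit trail, are normalised to one schema and chained by a custom rule into a single attack story. The log formats, host names, user names, IP addresses and the rule itself are all made up for the example.

```python
"""Cross-source correlation, XDR style, over constructed sample logs.
Three sources, three formats; normalise to one Event schema, pivot on the
entities they share (host, user, IP) inside a time window, emit one story."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str          # "edr", "network" or "cloud"
    kind: str            # event type as the source names it
    host: Optional[str]  # cloud audit logs carry no host name
    user: str
    detail: str          # "parent -> image", "ip:port", or source IP


# Constructed sample logs (made up for this example, not real product output).
EDR_LOG = [
    '{"time":"2021-01-18T09:00:05Z","hostname":"WS-0142","user":"alice",'
    '"event":"process_start","image":"powershell.exe","parent":"winword.exe"}',
    '{"time":"2021-01-18T09:00:06Z","hostname":"WS-0142","user":"alice",'
    '"event":"process_start","image":"notepad.exe","parent":"explorer.exe"}',
]
NETWORK_LOG = ["2021-01-18T09:00:09Z WS-0142 alice CONNECT 203.0.113.77:443"]
CLOUD_LOG = [
    '{"eventTime":"2021-01-18T09:03:40Z","userIdentity":{"userName":"alice"},'
    '"eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.77"}',
    '{"eventTime":"2021-01-18T10:30:00Z","userIdentity":{"userName":"bob"},'
    '"eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.5"}',
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_edr(line: str) -> Event:
    r = json.loads(line)
    return Event(_ts(r["time"]), "edr", r["event"], r["hostname"], r["user"],
                 f'{r["parent"]} -> {r["image"]}')


def parse_network(line: str) -> Event:
    ts, host, user, _verb, dst = line.split()
    return Event(_ts(ts), "network", "outbound", host, user, dst)


def parse_cloud(line: str) -> Event:
    r = json.loads(line)
    return Event(_ts(r["eventTime"]), "cloud", r["eventName"], None,
                 r["userIdentity"]["userName"], r["sourceIPAddress"])


def normalise() -> list[Event]:
    """One timeline, one schema, whichever sensor produced the event."""
    events = ([parse_edr(l) for l in EDR_LOG]
              + [parse_network(l) for l in NETWORK_LOG]
              + [parse_cloud(l) for l in CLOUD_LOG])
    return sorted(events, key=lambda e: e.ts)


# Custom rule: an Office app spawns a shell; within WINDOW the same host opens an
# outbound connection; within WINDOW the same user logs in to the cloud console
# from that connection's destination IP. Each stage alone is noise that a
# single-source tool drops or buries; chained, it is a credible story.
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
WINDOW = timedelta(minutes=15)


def correlate(events: list[Event]) -> list[dict]:
    stories = []
    for e in events:
        if e.source != "edr" or e.kind != "process_start":
            continue
        parent, image = (p.strip() for p in e.detail.split("->"))
        if parent not in OFFICE or image not in SHELLS:
            continue
        later = [x for x in events if e.ts < x.ts <= e.ts + WINDOW]
        for conn in (x for x in later if x.source == "network" and x.host == e.host):
            ip = conn.detail.rsplit(":", 1)[0]
            for login in later:
                if (login.source == "cloud" and login.kind == "ConsoleLogin"
                        and login.user == e.user and login.detail == ip):
                    stories.append({"user": e.user, "host": e.host, "ip": ip,
                                    "stages": [e, conn, login]})
    return stories


def render(story: dict) -> str:
    """The attack-story view an analyst reads instead of three separate alerts."""
    out = [f"Suspected account takeover: {story['user']} on {story['host']} via {story['ip']}"]
    out += [f"  {s.ts:%H:%M:%S} [{s.source}] {s.kind}: {s.detail}" for s in story["stages"]]
    return "\n".join(out)


if __name__ == "__main__":
    for story in correlate(normalise()):
        print(render(story))
```

Run as a script it prints one story for alice and nothing for bob, whose login shares no host, process or IP with the endpoint events. The notepad launch on the same host is dropped by the rule even though it sits inside the window, which is the point: the correlation key is the chain of shared entities, not proximity in time alone.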

Automation supported by advanced AI and mature machine learning algorithms is critical. An XDR solution should be able to detect complex attacks with a low false-positive rate, and integrate with other security tools to respond using automated playbooks. Automated response needs a confidence threshold: a playbook that isolates a host on a false positive turns a detection error into an outage, so reserve fully automatic actions for high-confidence detections and have the rest open a case for an analyst.

Lastly, because much of the value of XDR is in improving analyst productivity, solutions should be easy to configure, learn, maintain, and update.

Conclusion

XDR is the future, but organizations should adopt it carefully. Because XDR solutions sit in the critical path of an organization's defenses, CISOs must make sure that teams know how to work with this new type of solution, not only in terms of usability but in terms of coordinating security activities. Many security teams previously operated in isolation. XDR will do to security what DevOps did to development: it will require a new operational culture that breaks down silos and encourages close cooperation.
