We’ve been discussing extended detection and response (XDR) for years now, but a fundamental question remains: Just what the heck are we talking about, anyway?
Alarmingly, this continues to be a pertinent question. According to ESG research, 62 per cent of security professionals claim to be “very familiar” with the term XDR, up from just 24 per cent in 2020. An improvement, but still 29 per cent are only somewhat familiar, not very familiar, or not at all familiar with XDR.
So, despite industry hyperbole, arm waving at the RSA Conference, and a cacophony of XDR talking heads, nearly one in five security professionals haven’t received the message.
No common definition of XDR
Now what do infosec pros think XDR is? Here’s where it gets interesting. A majority (62 per cent) of those claiming to be “very familiar” with XDR say that XDR is an extension of endpoint detection and response (EDR) technology, 21 per cent think XDR is a product suite from a single technology vendor, and 16 per cent claim that XDR is an integrated and heterogeneous security technology architecture.
It is humorous that one per cent of those “very familiar” with XDR responded “don’t know”. This means that “very familiar” is relative; security pros are “very familiar” with the XDR definition they adhere to.
When we examine potential deployment models, the waters get muddier. Of those claiming to be “very familiar” with XDR, 61 per cent believe that XDR will supplement existing security technologies while 37 per cent say that XDR will help consolidate security technologies into a common platform.
When we looked at security professionals who are only “somewhat familiar” with XDR, we see much the same picture: 58 per cent of this group think that XDR will supplement existing security technologies while 37 per cent say that XDR will help consolidate security technologies into a common platform.
One could then conclude that XDR will supplement and consolidate current technologies, but questions remain about which will be supplemented, which will be consolidated, and in what timeframe.
As if XDR wasn’t confusing enough, ESG also found that XDR definitions and opinions also varied as a function of company/organisational size.
When security professionals working at organisations with over 10,000 employees were asked to define XDR, 34 per cent say that XDR is an extension of EDR technology, 24 per cent think XDR is a product suite from a single technology vendor, and 41 per cent claim that XDR is an integrated and heterogeneous security technology architecture.
Perhaps larger firms think of XDR as an architecture because they already have a plethora of tools and technologies and aren’t looking to “rip and replace” existing investments. They want glue, not solvent.
Focus on the security process, not XDR definition
As an industry analyst, allow me to elaborate on this data. In my humble opinion:
There is no rigid definition of XDR: As they said in the 1970s, “different strokes for different folks.” Some XDR offerings collect data from email security technologies, some incorporate cyber-risk telemetry from tools like attack surface management (ASM), some are built around EDR technologies, some are an outgrowth of SIEM.
Despite industry debates and dogma (in which I’ve played a part), it is starting to feel like XDR is anything you say it is or want it to be. Yes, this is confusing and will remain so. As always, security pros must approach XDR by defining their requirements, doing their homework, and following the age-old advice, caveat emptor.
The definition doesn’t really matter: As Bruce Schneier wrote years ago, “Security is a process, not a product.” If you believe this (and I do), arguments around the definition of XDR are counterproductive. Instead of figuring out which box XDR belongs in, let’s talk about the outcomes organisations seek to achieve.
ESG research indicates that 36 per cent want XDR to extend and enhance threat detection across hybrid IT, 33 per cent of organisations want XDR to improve the fidelity and prioritisation of security alerts, 29 per cent want XDR to act as a central security operations hub, and 25 per cent want XDR to help detect unknown threats. XDR conversations should begin and end with how to address these requirements.
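Two of those requirements, better alert fidelity and detection that spans hybrid IT, are easier to evaluate with a concrete picture of what the “X” is supposed to buy. The following is an added illustration, not ESG’s data or any vendor’s product code: alerts from endpoint, email, identity and cloud tools are linked when they touch the same user or host within a time window, and the linked incident is scored above any lone alert. The sample alerts, the entity names and the scoring weights are all constructed for the example.

```python
"""Cross-source alert correlation: a constructed sketch of the outcome XDR buyers ask for."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not from any real product). Each carries its source
# tool, a timestamp, the entities it touches, and the source's own 1-3 severity.
SAMPLE_ALERTS = [
    {"id": "A1", "source": "email", "ts": "2024-03-01T09:00:00", "severity": 2,
     "entities": {"user:alice"}, "title": "Phishing URL clicked"},
    {"id": "A2", "source": "edr", "ts": "2024-03-01T09:04:00", "severity": 3,
     "entities": {"user:alice", "host:LAPTOP-17"}, "title": "Office spawned PowerShell"},
    {"id": "A3", "source": "identity", "ts": "2024-03-01T09:20:00", "severity": 2,
     "entities": {"user:alice"}, "title": "Sign-in from new country"},
    {"id": "A4", "source": "edr", "ts": "2024-03-01T14:00:00", "severity": 3,
     "entities": {"host:BUILD-02"}, "title": "Unsigned driver loaded"},
    {"id": "A5", "source": "cloud", "ts": "2024-03-01T09:25:00", "severity": 1,
     "entities": {"user:alice", "cloud:tenant-prod"}, "title": "Mass mailbox rule creation"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def score(members):
    """Rank a group of linked alerts. Weights are illustrative assumptions:
    start from the highest single severity, add one point per extra source
    tool (capped at three) and one more if the chain has three or more steps."""
    sources = {m["source"] for m in members}
    base = max(m["severity"] for m in members)
    bonus = min(len(sources) - 1, 3) + (1 if len(members) >= 3 else 0)
    entities = set().union(*(m["entities"] for m in members))
    return {
        "alerts": sorted(m["id"] for m in members),
        "sources": sorted(sources),
        "entities": sorted(entities),
        "score": base + bonus,
    }


def correlate(alerts, window=timedelta(hours=1)):
    """Link alerts that share at least one entity and fall within `window` of
    each other, using union-find so chains (A-B, B-C) merge into one incident.
    Because links chain, an incident can span longer than a single window.
    Returns incidents sorted from highest to lowest score."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for i, a in enumerate(alerts):
        for b in alerts[i + 1:]:
            shared = a["entities"] & b["entities"]
            close = abs(_parse(a["ts"]) - _parse(b["ts"])) <= window
            if shared and close:
                union(a["id"], b["id"])

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    incidents = [score(members) for members in groups.values()]
    return sorted(incidents, key=lambda inc: inc["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc["score"], inc["alerts"], inc["sources"], inc["entities"])
```

On the sample data the EDR tool alone would rate A2 and A4 identically (both severity 3). Correlation ranks the phishing-to-PowerShell-to-new-country-to-mailbox-rule chain on alice’s account well above the isolated driver load, which is the “fidelity and prioritisation” outcome in the survey; shrinking the window to five minutes splits that chain into smaller, lower-scored incidents, so the window is a tuning decision rather than a constant.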
XDR exposes a deeper issue: A whopping 85 per cent of organisations plan to increase their spending on threat detection and response technology over the next 12 to 18 months. To me, this means that the tools and technologies we are using today are inadequate.
Maybe they are too difficult to use, maybe they can’t scale, maybe they are too noisy – whatever. XDR will either add to this morass or it will help address the problems. Again, vendors and users should base XDR discussions on this reality.
While the industry remains gaga over XDR, CISOs sing a different tune. When I talk to CISOs about threat detection and response, they steer the conversation to security operations centre (SOC) modernisation. Can XDR play a role here? Yes, if we drop the academic XDR doctrine and figure out how it can add scale, intelligence, analytics, and automation to the SOC.