Understanding XDR, the latest evolution in threat detection and response

A few weeks ago, we published a brief overview of XDR. To summarize, XDR—short for extended detection and response (or sometimes x-product detection and response)—can be defined as:

An approach that unifies information from multiple security products to automate and accelerate threat detection, investigation, and response in ways that isolated point solutions cannot.

With the recent release of our early access program for Sophos XDR, we thought it a good time to take a closer look at how we got here, what exactly XDR is and does, and what we at Sophos are doing to deliver XDR to our customers.

The role of threat detection and response in security

There’s a classic saying in infosec: Prevention is ideal, but detection is a must.

Most in the field are familiar with the saying, but it’s often later in an organization’s security maturation that something gets done about it. Eventually, a CISO or security director or IT leader realizes that preventive controls like endpoint protection and next-gen firewall, while essential, just aren’t enough. The question turns from “What can we block?” to “What are we missing?”

Threat detection and response, to quote my colleagues, is “a methodology that enables security operators to detect attacks and neutralize them before they cause disruption or become a breach.” In other words: What are we missing, and what do we do about it?

Like any technology solution, this methodology has to be underpinned by tools and by people who know how to use them.

Endpoint detection and response

In the past five years, endpoint detection and response (EDR) has emerged as a tool of choice for security teams.

Unlike a SIEM, which collects and attempts to correlate event logs from disparate products, EDR is a purpose-built tool. Its endpoint agent collects exactly the kinds of data that are most helpful in detecting and investigating threats. The console understands the data, enriching it, connecting activities together, enabling response actions (which are executed by the agent), and simplifying investigations.

As powerful as EDR tools are, though, they are limited to detection and response on endpoints. This isn’t entirely a bad thing; if you had to choose one place to focus your detection and response efforts, endpoints would be a good choice. They’re a rich source of data, they’re the primary point of interaction for your users, and they’re an effective control point for stopping threats. Focusing on only endpoints also constrains the data and the user interface, making for a more streamlined tool.

Still, there are things you just can’t do by working with endpoints in isolation. After all, your IT environment is an interconnected web of networks, communication tools, mobile devices, cloud applications, and more. To defend your IT infrastructure more comprehensively, it would help to have an integrated detection and response system. Enter XDR.

Extended detection and response

XDR takes the idea of EDR and, well, extends it. Instead of focusing only on the endpoint, it incorporates data from other security tools, such as firewalls, email gateways, public cloud tools, and mobile threat management products.

Since XDR is still an emerging category, the exact implementation varies from vendor to vendor, but some typical components include:

  • Sensors that provide telemetry from different aspects of the IT infrastructure. These can be existing products, such as endpoint protection or a firewall, or supplemental components, like a virtual appliance you deploy in your datacenter.
  • Enforcement points that allow you to take action, such as quarantining a compromised endpoint, blocking network traffic, or removing malware. Often, the sensors also function as enforcement points.
  • An analytics and management platform, usually cloud-based. Ideally, the platform is powered by automation and data enrichment that streamline detection, investigation, and response.
  • APIs that allow integration into existing systems and workflows.

While all these components could be stitched together manually, a proper XDR solution is designed to work together as a system. The components are aware of each other and interoperate to streamline threat detection and response workflows.
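As an added illustration of the cross-product correlation described above (example code written for this article, not Sophos code), the following joins telemetry from two sensors, an endpoint agent and a firewall, on the same network flow and turns a match into a response plan addressed to each enforcement point. The event fields, category names and sample records are constructed for the example, not a real product schema.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real product data): an endpoint sensor reports
# processes that opened network connections; a firewall sensor reports outbound
# flows it classified. Neither record looks alarming enough on its own.
ENDPOINT_EVENTS = [
    {"ts": "2021-01-20T10:00:05", "host": "ws-17", "src_ip": "10.0.0.17",
     "process": r"C:\Users\alice\AppData\Local\Temp\update.exe", "dst_ip": "203.0.113.9"},
    {"ts": "2021-01-20T10:00:07", "host": "ws-17", "src_ip": "10.0.0.17",
     "process": r"C:\Program Files\Browser\browser.exe", "dst_ip": "198.51.100.4"},
]
FIREWALL_EVENTS = [
    {"ts": "2021-01-20T10:00:06", "src_ip": "10.0.0.17", "dst_ip": "203.0.113.9",
     "category": "newly-registered-domain"},
    {"ts": "2021-01-20T10:00:08", "src_ip": "10.0.0.17", "dst_ip": "198.51.100.4",
     "category": "web-browsing"},
]
# Firewall categories that, combined with endpoint context, warrant a detection.
WATCHED_CATEGORIES = {"newly-registered-domain", "command-and-control"}
WINDOW = timedelta(seconds=10)


def _t(s):
    return datetime.fromisoformat(s)


def correlate(endpoint_events, firewall_events, window=WINDOW):
    """Join endpoint process telemetry with firewall flow telemetry on (src_ip, dst_ip)
    within a time window. A process is flagged only when the firewall saw the same
    flow reach a watched destination category. Returns one detection per match."""
    detections = []
    for ep in endpoint_events:
        for fw in firewall_events:
            if fw["category"] not in WATCHED_CATEGORIES:
                continue
            same_flow = ep["src_ip"] == fw["src_ip"] and ep["dst_ip"] == fw["dst_ip"]
            if same_flow and abs(_t(ep["ts"]) - _t(fw["ts"])) <= window:
                detections.append({
                    "host": ep["host"], "process": ep["process"],
                    "dst_ip": ep["dst_ip"], "category": fw["category"],
                    # Each sensor is also an enforcement point, so the response plan
                    # names the action each one should carry out.
                    "response": [("endpoint", "isolate", ep["host"]),
                                 ("firewall", "block", ep["dst_ip"])],
                })
    return detections


if __name__ == "__main__":
    for d in correlate(ENDPOINT_EVENTS, FIREWALL_EVENTS):
        print(d)
```

Run stand-alone it prints the single detection: the Temp-directory process on ws-17 talking to the newly-registered destination, with an isolate action for the endpoint and a block action for the firewall.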

Ultimately, these workflows will be driven by people. The best XDR systems enhance the effectiveness of any IT or security professional, providing intuitive tools to the novice and granular control to the expert security analyst.

Organizations with the necessary resources—which often include round-the-clock staffing by highly-trained analysts—may choose to do all the operational work themselves. Others will enlist a managed detection and response (MDR) service to supplement or fully outsource their security operations.

Either way, an XDR platform serves as a foundational next-generation tool for enabling organization-wide threat detection and response.

Sophos and XDR

XDR is a new term for an emerging product category, but Sophos has been thinking about this concept for a long time. You can see this reflected in the products we’ve brought to market and the thought leadership we’ve demonstrated over the past several years.

First, there’s Sophos Central, our unified cloud-native management and reporting platform for all our next-gen products. We were one of the first security vendors to recognize the importance of bringing security management together in the cloud, and to this day we offer the broadest portfolio of security products within a single pane of glass.

Then there’s Synchronized Security, which we introduced back in 2015. Anticipating the need for an interconnected system, Sophos enabled two-way communication between products, such as our endpoint protection and our next-gen firewall. The added visibility and automated response enabled by Synchronized Security are steps toward the cross-product analytics and coordinated response required of an XDR solution.

EDR, of course, is also a stepping stone to XDR. Sophos offers a powerful EDR solution built atop the world’s best endpoint protection, Intercept X. Core elements of our EDR, like flexible SQL-based queries and auditable Live Response consoles, are foundational to delivering XDR.

For customers that can use a little (or a lot) of help with security operations, Sophos Managed Threat Response (MTR) delivers XDR as a managed service. MTR offers machine-accelerated human response that leverages our EDR and other Sophos Central products, like XG Firewall and Cloud Optix.

All of this has been building toward our vision of a fully interconnected XDR system. This incorporates all the above elements, but it goes further with a central data repository, cross-product search, adaptive analytics, programmable sensors, coordinated response, and APIs for extensibility.

Our recently-announced early access program for Sophos XDR is a sneak peek into our first manifestation of this. Give it a try to see how we’re preparing to empower our customers, our MTR service, and our managed service provider partners to deliver more effective, accessible, and comprehensive threat detection and response.

XDR and you

If your organization is ready to move beyond basic IT security hygiene, then implementing an XDR-powered detection and response operation—in-house, managed, or hybrid—may be a logical next step to protect you from hidden threats.

If you already have a threat detection and response operation, then you may want to consider an XDR solution to consolidate vendors, improve your efficiency, and increase your organization’s security posture.

To learn more about how Sophos can help you provide comprehensive threat detection and response, please enroll in the Sophos XDR early access program or contact your Sophos partner.
