What is Extended Detection and Response (XDR)? Common questions answered

As ransomware, file-less attacks, and phishing continue to grow, IT and security leaders are turning to a new approach to counter advanced threats: Extended Detection and Response (XDR).

Though there is plenty of buzz from industry leaders, the analyst community, and the vendor ecosystem, XDR is still an evolving concept and, as such, many valid questions arise that can sound surprisingly rudimentary:

  • “What does XDR stand for?”
  • “How is XDR different from technologies and concepts that came before it?”
  • “What are the benefits of XDR?”

Simple but important questions to help understand the concept.

As one of the progenitors of XDR, at Sophos we’re often asked for clarity on the topic. Read on for our breakdown of some of the most common questions about XDR.

And, for the Gartner description of XDR, be sure to download a courtesy copy of their “Innovation Insight for Extended Detection and Response” report.

What does XDR stand for?

There are actually three common interpretations of XDR currently in use.

Analyst firms like Gartner and Forrester describe it as  “Extended Detection and Response.” “Extended” meaning that its scope goes beyond the endpoint to combine security data from multiple sources.

Another interpretation is that the “X” stands for “cross-layered” or “cross-product” detection and response; the point here being that data is combined from multiple products or security layers.

The third interpretation involves looking at “X” as a kind of mathematical variable standing in for whatever data sources you can plug into the equation (e.g., endpoint, network, cloud, messaging, etc.).

What is XDR?

Is XDR a product? A platform? A service? The answer is yes.

XDR can be packaged and delivered as a tool or suite of tools that you and your team deploy, administer, and operate, or as a managed service provided by a team of experts using a proprietary or curated tech stack.

It can even be implemented in a hybrid model in which some functions are managed by an internal security operations center (SOC) while others are supported by an external team of specialists. So, for the sake of simplicity, it’s easiest to think of XDR as an approach that can take many forms.

With that in mind, a simple definition of XDR would be:

An approach that unifies information from multiple security products to automate and accelerate threat detection, investigation, and response in ways that isolated point solutions cannot.

If you’ve followed Sophos for a while, this definition might sound familiar, and for good reason. One of the defining strengths of Sophos products for the past several years has been Synchronized Security: a set of features that enable endpoint, network, mobile, Wi-Fi, email, and encryption products to share information in real time and respond automatically to incidents.

One such example of Synchronized Security is the Security Heartbeat ™, a feature acknowledged in the Gartner 2020 Magic Quadrant for Network Firewalls which allows XG Firewall and endpoints secured by Intercept X to talk with each other to prevent threats from spreading within or beyond a network.​

XDR represents the evolution of Synchronized Security features into the fast-growing market category it is today.

How is XDR different than SIEM or SOAR?

XDR is yet another acronym to add to the veritable alphabet soup of security terminology. The good news is that if you’re already familiar with these terms, it’s not a stretch to see where XDR improves on the formula.

XDR shares many functional similarities with SIEM (security information and event management) and SOAR (security orchestration, automation, and response) tools. Some even refer to XDR as a kind of spiritual successor to SIEM and SOAR.

The core differences, however, come down to the primary intent of SIEM and SOAR tools, and the focus of XDR on threat detection and response. The fundamental property that makes SIEM tools valuable is their ability to collect and analyze staggering volumes of log events and other data across disparate sources.

Again, this is functionally similar to what is achieved through XDR. But whereas SIEM is primarily a search tool – requiring users to ask multiple questions (often in different ways), and assembling the resultant answers to arrive at a conclusion – XDR is capable of automatically responding to threats or, in cases where automated response cannot be performed, accelerating analyst-led threat hunts and investigations to improve response times.

Similarly, while SOAR platforms can add machine assistance to human security operators through the creation of playbooks (i.e., logic flows that can trigger scripted actions when certain conditions are met), they will not create those process or workflows for you.

So, while SOAR can help with alert management, it requires significant up-front investments in implementation as well as ongoing maintenance (tuning) performed by experienced security analysts to build effective case management and incident response playbooks.

Can an XDR approach be achieved through the use of a SIEM or SOAR or some combination of the two? Certainly. But it would require significant investments in tools, people, and process to fill the gaps in functionality.

What is the business impact of XDR?

For security, IT, and risk management leaders, XDR capabilities reduce the complexity of security configuration, threat detection, and response, enabling organizations to prevent successful attacks from advanced adversaries.

Read the free report!

“The primary value propositions of an XDR product are to improve security operations productivity and enhance detection and response capabilities by including more security components into a unified whole that offers multiple streams of telemetry, presenting options for multiple forms of detection and concurrently enabling multiple methods of response.” 

Gartner, “Innovation Insight for Extended Detection and Response” (2020)

Likewise, XDR has quickly earned favor among the C-suite for providing more accurate detection and prevention capabilities at a lower total cost of ownership (TCO).

Without the XDR-like capabilities enabled through Synchronized Security, customers say they would need to double their security headcount to maintain the same level of protection. They also tell us that they experience fewer security incidents and can identify and respond more quickly to issues that do occur.

XDR, delivered either as a product or a managed service, will appeal to security and IT leaders with limited resources who seek to reduce the total cost and complexity of their security program and improve their threat detection and response capabilities.

What’s next for Sophos XDR?

In the coming weeks, we’ll be sharing news on the next stages of Sophos XDR. In the meantime, try out one of the key components of XDR, endpoint detection and response (EDR), with a free trial of Intercept X.

Gartner Innovation Insight for Extended Detection and Response, Peter Firstbrook, Craig Lawson, 19 March 2020.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Latest Posts