XDR Explained: Q&A with Allie Mellen from Forrester Research

It seems like everyone is talking about Extended Detection and Response (XDR), but what exactly is it? In last month’s webcast, XDR Explained: How Extended Detection and Response Can Help Your Organization, Forrester Research guest presenter Allie Mellen joined me to discuss how organizations can improve their security operations by unifying threat detection and response. Below are her responses to some of the questions that surfaced during the presentation.

Webinar Participant: Why XDR? Isn’t EDR enough?

Allie Mellen: EDR has been a market-validated tool for effective endpoint detection and response, but security teams require more telemetry than just the endpoint can provide. IT infrastructure is much more complicated than solely the managed endpoints on the network; thus, incident responders need additional telemetry in order to investigate and respond to attacks faster and more completely.

In an effort to address this, security teams have used security analytics platforms to match endpoint telemetry with telemetry from other parts of the environment to varying success. However, some solutions have suffered from high resource consumption, high rates of false positives, and large data volumes.

Through our research, we have seen that end users continue to invest more into security, while at the same time continuing to struggle with breaches. 59% of global security decision-makers responding to the Forrester Analytics Business Technographics® Security Survey, 2020 say that their firm’s sensitive data was breached at least once in the past year. XDR looks to address this by taking a different approach to detection and response, which continues to be anchored to the endpoint, but correlates endpoint detections with telemetry from other sources to simplify investigation and response.

(EDITOR’S NOTE: Sophos has recently announced the integration of Sophos EDR and XDR into a single offering.)

Webinar Participant: What are the advantages of a native XDR approach?

Allie Mellen: Security vendors bring XDR to market one of two ways: Native XDR or Hybrid XDR. Native XDR focuses on tight alignment with other tools in the vendor’s own portfolio. In contrast, Hybrid XDR focuses on building strong integrations with third parties for additional security telemetry.

Native XDR is often sold as a package deal with other security tools from that same vendor; for example, Native XDR is the core product, which integrates with that same vendor’s NAV offering. Native XDR may be easier to purchase and faster to deploy, which can improve time to value. End users may also benefit from the ease of integration between products in the vendor’s portfolio, and potential cost savings from the bundled nature of the offering.

Webinar Participant: If you could only add one data type beyond endpoint and server what would it be?

Allie Mellen: This is an interesting, complex question. It’s hard to say what one data type would be the best fit for every single environment; generalizations are hard to make in security. However, I must say that one thing that is universal is email; the vast majority of organizations, with very few outliers, use email.

As we know, phishing continues to dominate as the entry point for the delivery of malware. As such, having a combination of email telemetry correlated with endpoint detections can provide powerful, high efficacy detections with insightful automated root cause analysis. An analyst can look at the full scope of the attack from phishing campaign to delivery and execution of malware on the endpoint to identify not only how to respond, but also how to prevent the attack in the future across security tools.
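A toy illustration of the email-to-endpoint correlation described in the answer above, added here as an example; it is not part of the Q&A and not code from any vendor product. All events, hosts, users, hashes and field names are constructed, and the join keys (recipient equals endpoint user, attachment hash equals executed file hash, a 30-minute window) are assumptions.

```python
# Correlate email-gateway telemetry with endpoint process events to build an
# attack chain. Added example, not from the Q&A or any product; all records
# and field names are constructed for this illustration.
from datetime import datetime, timedelta

EMAIL_EVENTS = [
    {"ts": "2021-05-03T09:01:10", "recipient": "jdoe", "sender": "hr@invoice.example",
     "attachment": "Invoice_0423.xlsm", "sha256": "aaaa1111"},
]
ENDPOINT_EVENTS = [
    {"ts": "2021-05-03T09:02:40", "host": "WS-17", "user": "jdoe",
     "process": "EXCEL.EXE", "file_sha256": "aaaa1111", "parent": "OUTLOOK.EXE"},
    {"ts": "2021-05-03T09:03:05", "host": "WS-17", "user": "jdoe",
     "process": "powershell.exe", "file_sha256": None, "parent": "EXCEL.EXE"},
    {"ts": "2021-05-03T11:30:00", "host": "WS-02", "user": "asmith",
     "process": "EXCEL.EXE", "file_sha256": "bbbb2222", "parent": "explorer.exe"},
]

def _t(s):
    return datetime.fromisoformat(s)

def correlate(emails, endpoint_events, window=timedelta(minutes=30)):
    """Return one attack chain per email whose attachment was executed by the
    recipient within `window` of delivery, then follow parent/child process
    links on that host. Emails with no matching execution yield no chain."""
    chains = []
    for mail in emails:
        start = _t(mail["ts"])
        # Step 1: the recipient ran a file carrying the delivered attachment's hash.
        exec_evt = next((e for e in endpoint_events
                         if e["user"] == mail["recipient"]
                         and e["file_sha256"] == mail["sha256"]
                         and start <= _t(e["ts"]) <= start + window), None)
        if exec_evt is None:
            continue
        chain = [f"email: {mail['sender']} -> {mail['recipient']} ({mail['attachment']})",
                 f"exec: {exec_evt['host']} {exec_evt['parent']} -> {exec_evt['process']}"]
        # Step 2: follow descendants spawned on the same host after that execution.
        frontier = {exec_evt["process"]}
        for e in sorted(endpoint_events, key=lambda e: e["ts"]):
            if (e["host"] == exec_evt["host"] and e["parent"] in frontier
                    and _t(e["ts"]) > _t(exec_evt["ts"])):
                chain.append(f"child: {e['parent']} -> {e['process']}")
                frontier.add(e["process"])
        chains.append(chain)
    return chains

if __name__ == "__main__":
    for chain in correlate(EMAIL_EVENTS, ENDPOINT_EVENTS):
        print(" | ".join(chain))
```

Real EDR telemetry keys process lineage on unique process identifiers rather than image names, which avoids the false links a name-based frontier like this one would produce on a busy host.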

Webinar Participant: Can you have XDR without first having EDR?

Allie Mellen: Simply put, EDR serves as the basis for XDR. It is an evolution of existing endpoint detection and response technology. What differentiates XDR from security analytics platforms is its focus on detections in high efficacy telemetry sources; ultimately, XDR defends where the data is.

This is an important distinction, because ultimately, XDR aims to solve three core issues security teams face today: high false positive rates and too many alerts, time-consuming investigation, and time-consuming or incomplete response.

In order to address the high false positive rates and massive number of alerts security teams continue to deal with, XDR promises a different approach to solving the problem. Instead of relying on a security analytics layer to piece together aspects of the attack, XDR continues the vision of EDR providers by focusing detections in particular telemetry sources like endpoint and cloud.

Interested in learning more? Head over to Sophos.com/XDR or download our latest whitepaper, Extended Detection and Response (XDR) – A Beginner’s Guide.
