XDR 101:

What is Extended Detection & Response

Extended Detection and Response (XDR) is by far one of the hottest topics and trends in cybersecurity today. Conduct a Google search on XDR, and you will receive over 40,000,000 results. According to an Enterprise Strategy Group (ESG) survey, 38% of cybersecurity professionals believe XDR can provide a centralized management hub for security operations while 42% of cybersecurity professionals want an XDR solution that can simplify the visualization of complex attacks across the cyber kill chain. Either way, momentum towards XDR is building, and leading security tool manufacturers and managed security services providers alike recognize that this emerging technology is real and brings valuable outcomes to security teams.

Security leaders also undoubtedly recognize the value extended detection and response tools provide as they seek some consolidation in their ecosystem to manage their risk and improve security team productivity. In the November 2021 Gartner Market Guide for Extended Detection and Response, analysts noted that “XDR will be an increasingly critical capability for buyers to evaluate when seeking strategic architectural decisions for their security operations program.” 1

The market guide further stated that:

  • “By year-end 2027, XDR will be used by up to 40% of end-user organizations to reduce the number of security vendors they have in place, up from less than 5% today.1

  • By 2023, at least 30% of EDR and SIEM providers will claim to provide XDR, despite them lacking core XDR functionality.”1

Why is Extended Detection and Response (XDR) important?

The reality is that today’s modern enterprise is under siege. It faces the radical challenge of detecting, investigating and responding to the ever-growing number and sophistication of multi-vector cyber-attacks, including compromised credentials and email, phishing, and cloud misconfiguration. This is compounded by a shortage of security experts, disparate security tools that don’t communicate with each other, and a fragmented IT and security infrastructure. The result is that security teams are missing the attacks sliding through these openings and organizations are experiencing high-impact hits to their brand reputation and devastating financial consequences. The simple truth is that, from the small business to the large enterprise, many lack the security maturity to respond effectively to these attacks. 

Coined by Nir Zuk of Palo Alto Networks in 2018, in a recent blog, Forrester Analyst Allie Mellen stated the definition of Extended Detection and Response as:

“The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real-time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.

Enter the Extended Detection and Response platform. XDR is the new standard that security analysts can use to unify data, including identity, email, cloud platforms, and other networks to tell a story that more clearly identifies threats. XDR, however, is still rooted in endpoint security detections. And while XDR platforms are powerful detection and response tools, they are still highly complex and need the right human expertise to continuously optimize them and read the story they have to tell.

XDR needs Managed Detection and Response (MDR) to read that story and bring together the disparate security tools for unified visibility to help better correlate and identify threats, which leads to accurate decision-making. Managed detection and response service providers have traditionally been the single pane of glass to unify telemetry across SIEM and EDR/EPP tools. Now, they’re going even further by supporting bi-directional integrations with XDR platforms and enhancing their value with the additional human security expertise required. To take advanced cyber threats coming from multiple vectors, you need to be able to look at every alert and the contextual information behind it—exactly the place MDR providers such as CRITICALSTART prefer to live.

Will Extended Detection and Response (XDR) tools replace EDR, SOAR, or SIEM?

Time will tell whether XDR technology is mature enough to replace other security solutions. XDR companies are starting to compete head-to-head with security orchestration, automation, and response (SOAR) tools as they build these specific capabilities into their platform.

XDR companies are also competing with security information event management (SIEM) platforms for threat detection, investigation, response and threat hunting. SIEM vendors have a long history of providing data aggregation to help solve security problems but still lack response capabilities that can help enterprise organizations scale their security operations programs to improve security maturity. Additionally, deployments of SIEM platforms are generally compliance-focused, whereas XDR is threat focused.

According to Allie Mellen, Analyst at Gartner, XDR is on a collision course with security analytics and SOAR and because these platforms have yet to provide incident response capabilities. XDR is filling the void through a different approach. In her report, “Adapt or Die:  XDR is On a Collusion Course With SIEM And SOAR,” she says, “The core difference between XDR and the SIEM is that XDR detections remain anchored in endpoint detections, as opposed to taking the nebulous approach of applying security analytics to a large set of data.”  She also notes that as this category of XDR evolves, definitions of endpoint security will also evolve based on where the attacker’s target is located.

Yonni Shelmerdine, AVP of Product and Head of XDR for SentinelOne, explains that there’s a reason it’s called XDR and not “X-IEM or X-OAR.“ He stated recently that “XDR does seem to be an evolution of Endpoint Detection and Response, obviously with more data sources and with more response actions, and there are some key parts of Endpoint Detection and Response that we recognize are going to be the crux of our approach to XDR. This includes using metrics such as mean-time-to-respond, mean-time-to-investigate and mean-time-to-detect as our beacons to answer: ‘Are we going in the right way?’”

But he expanded on the key differences with the security solutions of the past, as he continued: “We determined that this was going to be about ingesting data, but not necessarily ingesting all of it. We’re not ingesting for the sake of ingesting. We’re ingesting for the sake of reducing mean-time-to-detect. We now facilitate much more automation than we did last year, and we’re going to be facilitating even more in the months to come. We ask ourselves, ‘Does it help reduce the number of screens you need? Does it help reduce the number of analysts you need? Does it help reduce the years of experience they need in order to solve this really complex problem?’ And then we set about deciding what we were going to build (for XDR).”

How to select an XDR partner

An MDR partner brings a certain skillset to XDR to help those using the technology realize its full potential. Some of the expertise in specific areas include:

  • The operating system being used
  • The dependencies of the libraries that will interact with the XDR and how they will all work together
  • How to interpret alerts coming from XDR to understand what is normal versus concerning behavior across the network and all applications used by the organization
  • How to efficiently perform a proper investigation based upon an incident that can contain upwards of 50-60 related alerts and know how to mount the proper response

These are the types of skills that are not going to be hired right out of college. Two full-time employees with skills in the above areas may cost an organization over $120,000 per year plus benefits and yet still would not be able to provide 24×7 security coverage in most cases. Working with an MDR provider makes more financial sense, but more importantly, it enables an XDR platform to tell the story it has been waiting to tell.

How the right MDR team can read the XDR story

If a company is trying to use XDR with their internal team, they may see one of these alerts that’s high or critical and investigate immediately. But the other alerts, which may rank as medium, low, or even just informational, are put off for several hours as the internal team may not have the experience to read the full story that points to an attacker that’s already active and deploying an attack throughout the environment. To use XDR effectively, every alert must be treated equally with the expertise to understand how each can contribute to the picture of an entire security event.

Critical Start uses our Cyber Operations Risk and Response™ platform and the Trusted Behavioral Registry® (TBR) to ensure that actionable visibility is what comes out of XDR, and the process looks like this:

  1. Our platform ingests, normalizes, and aggregates all alerts
  2. It removes alert prioritization
  3. It automatically resolves all known good alerts using the TBR
  4. It escalates any unknown threats to the Risk and Security Operations Center (RSOC) for human-led forensic analysis

That last step is why human knowledge and expertise are critical to ensuring that XDR is performing at its best.

Human Beings will Always be the Cornerstone of Effective Security

Ann Johnson, CVP of Security Compliance and Identity for Microsoft believes human input will be even more important in the years ahead. “People always ask me, ‘let’s see how technology can replace humans,’ she shared. “My response to that is never. Human intel and understanding of the behavior of the attackers and where they’re going to go next, and what they’re going to try to do all need to be part of predictive analytics. That’s why I want to make it easier for customers by just automatically being predictive and blocking stuff that potentially comes into their environment. I think you’ll see a natural convergence of XDR and SIEM into one thing—we just have to make sure that we get it right. We want simplicity of tooling and automation of tooling. The goal is that we want customers running their businesses and not be worried about their security tooling. The point when cybersecurity becomes a mature industry will be when there are no longer cybersecurity departments and when everybody’s problem is cybersecurity. Whether you’re a developer or an operator, you’ll still have a SOC. Cybersecurity needs to be everybody’s job from the first line of code.”

How to find the right MDR team

When it comes to XDR, it’s the human element that can bring the protection factor of this technology up to its full potential. 

Critical Start Managed Detection and Response (MDR) service integration with XDR delivers a comprehensive combination of highly experienced analysts and operational processes that helps your security team quickly detect, investigate and respond to every alert and stop the most advanced attacks while reducing risk, alert fatigue, and analyst burnout.

From tedious IOC Management to optimized rules

A key feature of the MDR service for XDR is IOC management. IOCs are constantly published and updated. The process of publication and application of additional detections can be hard to manage, and a full-time job, so we added this feature to the service for no added cost. The Critical Start Threat Detection and Engineering team enhances out-of-the-box detection capabilities by developing and adding proprietary IOCs and behavioral detections from curated threat intelligence, previous RSOC investigations, and external threat intelligence feeds.

Critical Start can simplify the complexity of these alerts to turn noise into clarity through its own platform and TBR. Working with a customer, good and trusted alerts can be identified and added to the TBR for automatic resolution. By resolving false positives quickly and at scale, an MDR team can focus on unknown alerts for triage and quick resolution.

Through our platform, all alerts, tickets, reports, and full investigation details can be consolidated into one location for complete visibility. With 99 percent of security alerts analyzed and resolved, the remaining average of 0.1 percent (the right alerts) can be escalated for human investigation and response.

Speaking of human intervention, our human-led investigation and response includes 24x7x365 end-to-end managed detection and response services delivered by highly trained and experienced security analysts. Our analysts complete 200 hours of training during onboarding and another 40-80 hours annually—they would be considered L2 and L3 at competitors. Analysts work in a U.S.-based SOC 2 Type 2 certified Risk and Security Operations Centers (RSOCs) to investigate, escalate, contain, and respond to threats.

See farther…with simplicity

We take the complex and make it simple through powerful bi-directional integration between our platform and your tools to centralize your data, providing visibility to you through a “single pane of glass” to fit right into your existing workflows (set up in weeks, not months). Our approach is transparent by design. Unlike other MDR services, we’ve crafted our platform dashboards to enable you to see what our security analysts see. This means you will have complete visibility and access to every alert with full investigative details, including every action taken. The information provided will be detailed enough for auditing and reporting. Beyond visibility into the service, we can help extend your view to include your entire security ecosystem. You can better understand how your security tools are performing and confirm the return on these investments, plus the value of your MDR service.

Now here’s the best part:

Critical Start’s industry-leading MOBILESOC® can put all of this visibility into the palm of your hand. This iOS/Android application enables you to communicate directly with analysts right from your mobile device. Utilize in-app responses and full details around investigations, including data points collected, incidents resolved or escalated, and access to the playbook. You can triage and contain alerts from any time and from anywhere.

Right on the bottom line

Finally, while MDR can definitively bring topline performance out a security tool such as XDR, your choice of vendors matters. Many MDR providers will not commit the value of their approach to hard metrics in writing. That’s why we prove the value of our platform with contractual, 60-minute or less Time to Detect (TTD) and Median Time to Resolution (MTTR) SLAs. With something as important as the security of your business, you should expect nothing less than a partner that’s willing to commit to their performance in writing.

1Gartner®, “Market Guide for Extended Detection and Response”, Craig Lawson, Peter Firstbrook, Paul Webber, 8 November 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.