Whether you are an MDR, Indiana Jones or Monty Python, you have been driven to find the Holy Grail that will bring your practice miraculous powers. Recently, two big EDR players jumped behind the XDR movement. Is XDR the elusive SecOps solution to all MDR woes? Let's dig into the realities.
Author: Jared Hufferd, director of security service providers, Sumo Logic
First, what is XDR?
While some of the early vendors in the market explained that the 'X' in 'XDR' stands for "anything" (as in any source) Detection and Response, Gartner defines eXtended Detection and Response as a "unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components."
We think that XDR is far more than extended EDR. The EDR players with market presence are making it about exactly that: they were missing the data lake needed to bring all the data together, so they purchased one. The NDR/NTA players are trying to stay relevant by expanding into this category and bolting on data lakes. And the SOAR players that haven't been gobbled up yet are looking to be the glue that ties all these technologies together.
Irrespective of the definition of the term, the goals of XDR are to:
Create a holistic view of threats within all resources (Apps, Servers, Endpoints, Networks, Cloud, SaaS)
Reduce noise by correlating alerts across sources and threat stages to determine what is real
Increase productivity of SecOps by automatically prioritizing and categorizing real events
Lower Total Cost of Ownership through intuitive workflows that require fewer resources
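The second and third goals above (correlate alerts across sources and threat stages, then prioritize what is real) are concrete enough to show in code. The following is an added illustration written for this article, not Sumo Logic's engine or any vendor's XDR product. It assumes each source has already mapped its alert to a MITRE ATT&CK tactic, links alerts that share a host or user into one incident, and treats an incident as "real" only when it is seen by more than one source and spans more than one tactic. The alert records, source names and rule names are constructed sample data.

```python
"""Toy cross-source alert correlation (added example, not vendor code)."""
from collections import defaultdict

# MITRE ATT&CK Enterprise tactics in kill-chain order; used to rank and sort.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Constructed sample alerts from three hypothetical sources: an EDR agent,
# a network sensor (NDR) and an identity provider (IdP).
SAMPLE_ALERTS = [
    {"source": "edr", "host": "ws-017", "user": "jdoe", "tactic": "execution", "rule": "office_spawns_powershell"},
    {"source": "edr", "host": "ws-017", "user": "jdoe", "tactic": "persistence", "rule": "run_key_added"},
    {"source": "ndr", "host": "ws-017", "user": None, "tactic": "command-and-control", "rule": "periodic_dns_beacon"},
    {"source": "idp", "host": None, "user": "jdoe", "tactic": "credential-access", "rule": "mfa_fatigue_prompts"},
    {"source": "edr", "host": "ws-042", "user": "asmith", "tactic": "execution", "rule": "office_spawns_powershell"},
    {"source": "ndr", "host": "srv-db1", "user": None, "tactic": "discovery", "rule": "internal_port_scan"},
]


def _entities(alert):
    """Entities an alert is pivoted on: the host and/or the user it names."""
    return [(key, alert[key]) for key in ("host", "user") if alert.get(key)]


def correlate(alerts, min_sources=2, min_tactics=2):
    """Cluster alerts that share a host or user and score each cluster.

    Returns incidents sorted by descending score. An incident is flagged
    "real" when it is corroborated by >= min_sources distinct sources and
    spans >= min_tactics distinct ATT&CK tactics (threat stages).
    """
    # Union-find over entities: an alert naming both a host and a user
    # joins those two entities into the same incident.
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for alert in alerts:
        ents = _entities(alert)
        for other in ents[1:]:
            parent[find(other)] = find(ents[0])

    clusters = defaultdict(list)
    for alert in alerts:
        ents = _entities(alert)
        if ents:  # alerts with no host or user cannot be pivoted on
            clusters[find(ents[0])].append(alert)

    incidents = []
    for group in clusters.values():
        sources = sorted({a["source"] for a in group})
        tactics = sorted({a["tactic"] for a in group}, key=TACTIC_ORDER.index)
        entities = sorted({e for a in group for e in _entities(a)})
        # Breadth across stages and sources dominates; the furthest stage
        # reached breaks ties so a C2-stage cluster outranks a discovery one.
        score = 10 * len(tactics) + 5 * len(sources) + TACTIC_ORDER.index(tactics[-1])
        incidents.append({
            "entities": entities,
            "sources": sources,
            "tactics": tactics,
            "alerts": len(group),
            "score": score,
            "real": len(sources) >= min_sources and len(tactics) >= min_tactics,
        })
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def triage(alerts):
    """Split raw alerts into escalated incidents and the count of alerts suppressed as noise."""
    incidents = correlate(alerts)
    real = [i for i in incidents if i["real"]]
    suppressed = sum(i["alerts"] for i in incidents if not i["real"])
    return real, suppressed


if __name__ == "__main__":
    escalated, noise = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} alerts -> {len(escalated)} incident(s), {noise} suppressed")
    for inc in escalated:
        print(inc["entities"], inc["sources"], inc["tactics"], inc["score"])
```

In the sample data the six alerts collapse to one escalated incident: the workstation and the user are linked by the EDR alerts, so the MFA-fatigue alert from the identity provider and the beaconing alert from the network sensor land in the same cluster, which then spans three sources and four tactics. The lone macro-spawns-PowerShell alert on the second workstation and the single port scan are left as noise, which is the "reduce noise, prioritize what is real" goal in miniature. A real engine would also correlate on time windows, IP addresses and process lineage, and would use weighted rule confidence rather than simple counts.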
What is the REALITY of XDR today?
XDR is a new and emerging category that is still in a nascent stage. Gartner Research's guidance is that XDR is 5-10 years away from mainstream adoption.
As of today, most vendors are trying to create XDR by taking their core technology, acquiring other pieces, and then cobbling together technologies from across the SecOps tool stack:
Log Management/Data Lake
SecOps Analytics Engines
What are the downfalls of XDR Today?
Most vendors are acquiring these different technologies because they are a bargain compared to the best-of-breed technology, or they are taking open source and bolting it on as best they can. Early-stage or generic data lakes lack the ability to ingest any source of human-readable data, to parse all of that data, and to correlate all of it. These data lakes' Achilles' heel is their ability to scale. Throwing more hardware, EC2 instances, S3 buckets and licensing at the problem every time your customers need to expand or burst is a vicious cycle that will always have you trying to keep up.
The biggest downfall of vendor-specific XDR is VENDOR LOCK-IN. The top vendors are creating their own closed ecosystems that will only play nicely with their own technologies. Do all of your customers use only one vendor? Are they willing to forklift out their existing tool stack for the single vendor you require? Are you willing to lock your practice into only one vendor and hope they deliver on all the promises they have made to complete their XDR solution?
XDR is not the future of SecOps. The current approach to XDR is driven by vendors attempting to stay relevant in the broad SecOps landscape by bolting on additional tools to lock in customers. Meanwhile, leading MDRs have found their Holy Grail by using modern, born-in-the-cloud, highly scalable SIEMs that can integrate the most disparate sources of data (endpoint, network, threat intelligence, logs, metrics, traces) from ANY VENDOR, automatically apply the best analytics, map detections to a standard TTP framework (MITRE ATT&CK), and automate the result for the most efficient SOC experience. When this modern tool stack is melded with MDR services, you have XDRaaS.