Navigating the XDR Market: 5 Things to Consider in Finding the Right Partner

Credit: Getty Images

It's no surprise that MSPs are taking on more managed cybersecurity responsibilities including threat detection and incident response. To serve multiple clients with a wide range of size and scope of requirements, the one-size-fits all approach of building a SecOps program around an enterprise SIEM is cost-prohibitive and requires complex configuration and integration.

XDR (eXtended detection and response) platforms offer the promise of wider attack surface coverage, deeper threat detection and faster incident response — all with the ability to consolidate telemetry and simplify deployment.

But, let’s be honest, choosing the right XDR solution has become a hot mess. It’s par for the course in cybersecurity that once a new market category has caught fire, nearly every cybersecurity vendor finds a way to shoehorn their solution into the box. So, how do you separate the real XDR professionals from the pretenders? Here are some tips to get you started in the right direction.

Types of XDR Solutions

Aaron Branson, senior vice president of Marketing, Netsurion
Aaron Branson, senior vice president, Marketing, Netsurion

XDR is an evolution of threat detection and incident response (TDIR) that successfully breaks down the traditional data and environment silos of legacy SecOps platforms to deliver wider attack surface visibility, deeper threat detection — and ultimately, faster incident response. XDR does not necessarily mean other security controls are rendered obsolete. Rather, XDR platforms must ingest, normalize, and correlate telemetry from all sources such as SIEM, EDR, and UEBA to reduce noise, identify true Indicators of Compromise (IoCs), trigger appropriate automated response, and deliver actionable alerts.

Open XDR is a class of XDR that is vendor-agnostic in terms of its protection scope. Open XDR, sometimes called Hybrid XDR, is designed to integrate with other security technologies to avoid ripping and replacing them — thus they are “open” to ingest anything and everything the platform can. The key, however, is to inspect the quantity and quality of data source integrations the Open XDR platform provides.

Native XDR, on the contrary, is typically developed by a large technology vendor aimed at ingesting only telemetry across their portfolio of products — think Palo Alto, Microsoft and Cisco.

Whether open/hybrid or native, also consider whether it is delivered as a SaaS or a managed service. Managed XDR providers are going to bring both a 24x7 SOC to work shoulder-to-shoulder with you along with the XDR technology to get the job done. Unless an MSP has invested in a robust security operations center with all the specialized roles required working around the clock, a Managed XDR is suggested.

Breadth of Attack Surface Coverage

Once you know what type of XDR solution is best for your SecOps program, next is to evaluate which vendors have the wherewithal to protect your clients’ environments. This is a great way to quickly pare down the field of contenders. Look for an online library of data source integrations. Disqualify any platform that doesn’t cover your IT estate, especially vulnerable legacy systems that might not always be fully patched.

Depth of Threat Detection

So, you’ve shortlisted the type of provider and shortlisted those that cover your clients’ assets. Now, it's time to inspect that coverage as not all data source integrations are created equal. Watch out for really weak integrations that may collect data but not really mine intelligence and serve up actionable alerts.

Ask your vendor to explain their Common Indexing Model (CIM) which is what makes it possible for their system to identify Indicators of Compromise (IoCs) across multiple assets. A vendor’s integration is much more than ingesting data. Ask to understand these five (5) elements — parsing rules, correlation rules, alerts, dashboards and reports. A common requirement is in-depth Microsoft 365 integration.

Speed of Incident Response

This is where the rubber meets the road, as they say. Because of the multiple stages and hands-on activity involved, Incident Response requires particular attention. Reality is you and the vendor should accept a shared responsibility (or “shared fate”) mentality to truly have a successful outcome. Ask your XDR partner about how much involvement you have in shaping the SecOps Runbook and IR Playbook. Ask about Automated Response as well as Guided Remediation support.

Both machine and human involvement should be expected. Speaking of humans, throughout the tuning, monitoring, detection and response stages, insist on a full understanding of their SOC’s dedication to your environment and specialized roles in malware analysis, threat intelligence, threat hunting, incident response and customer success management.


Ultimately, can you count on this XDR provider to empower you, the MSP, to quickly and effectively remediate real threats to your clients without bogging you down with false positives. Your partner should optimize your team’s effectiveness. Aside from delivering on their XDR promise, such vendors must be MSP-ready and account for basic operational issues such as multi-tenant management, flexible pricing models for continuous scaling up and down, and simple deployment.

Managed Open XDR for MSPs

Netsurion’s Managed XDR solution combines its 24x7 SOC and our Open XDR platform in a co-managed service that gives partners the ultimate flexibility to adapt and grow while maintaining a secure environment.

Netsurion is a SOC 2 Type 2 Compliant managed security service provider. It meets all five of the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria for internal controls relevant to security, availability, processing integrity, confidentiality and privacy.

Author Aaron Branson is senior vice president of Marketing for Netsurion. Read more Netsurion guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.