What is Extended Detection and Response (XDR)?

Extended detection and response (XDR) is a technology approach that aims to provide holistic protection of endpoints. XDR technology is able to:

• Validate and improve the accuracy of endpoint detections.
• Detect threats beyond the endpoint.
• Coordinate multiple response actions.

In this in-depth article, let’s look at how XDR solutions work and what they help with. We’ll also look at limitations inherent in XDR and how they compare to other security tools, like SIEM and SOAR.

EDR overview

Let’s get our historic bearings. Endpoint Detection and Response (EDR) originated from antivirus technology and endpoint protection platforms (EPPs). These legacy solutions could not handle endpoints threats, those that bypassed traditional file- and heuristic-based malware detection. EDR improved upon these by offering high-fidelity threat detection capabilities and additional threat-hunting and forensic investigation tools.

As cybersecurity attitudes moved from “you’ll be fine” to “you will be breached”, the demand for EDR skyrocketed. EDR allowed security analysts to…

• Have better endpoint visibility and detections.
• Conduct real-time forensic investigations.
• Respond to endpoint threats more quickly and effectively.

This was well and good for endpoints threats for some time. Eventually, however, two factors showed the limitations of EDR: New and emerging types of endpoints — IoT devices, operational technology (OT) and serverless applications — were not supported by EDR. More importantly: the need to extend the scope of security data coverage to include telemetry from other points, like network, cloud and email.

As threats have increased in sophistication, EDR’s narrow focus on the endpoint is a limitation. Contextual data from network detection, threat intelligence and other security tools are needed to improve detection and increase the speed of response.

Enter, Extended Detection and Response (XDR).

How extended detection & response works

XDR products aim to streamline threat detection, investigation and response (TDIR) by providing a single platform for a security analyst to perform these functions, across several security control points. With XDR, we are focusing not solely on endpoints: we can say we’re looking at endpoint-focused and endpoint-adjacent areas, now. To that end, an XDR platform can:

• Ingest data from security tools that successfully integrate.
  
• Apply pre-built detection techniques.
• Execute threat analysis.
• Facilitate threat response actions back through the security tools.

Using data from a variety of sources — endpoint, network, cloud, email, threat intelligence and identity sources — an XDR product can identify corroborating evidence and funnel it into a single incident to create high-accuracy alerts. This approach gets analysts working quicker. Otherwise, they’re using multiple consoles and solutions to triage an alert before deciding what action to take.

XDR tools rely on integrations to provide threat response capabilities as well. Pre-configured responses based on credible threats correlate data and initiate coordinated responses across the solutions falling under the XDR umbrella, allowing analysts to conduct a complete end-to-end triage, verification and response.

Types of XDR

XDR solutions initially integrated EDR and other security offerings within a single-vendor portfolio, known as closed or native XDR. Later, open or hybrid XDR products emerged. These were built on data architecture that leveraged third-party different vendor solutions as data sources. Both types of XDR solutions aim to provide deeper visibility and greater context.

(Read our complete explainer about EDR, XDR & MDR.)

Key functions of XDRs

Both XDR and EDR have several similar functions, including:

• Advanced threat detection capabilities. Both EDR and XDR use proprietary detection techniques and threat intelligence to help security teams detect and respond to sophisticated threats.
• Real-time monitoring. EDR and XDR both continuously collect and analyze data in a single data lake so security analysts can more efficiently monitor, detect and triage security events.
• Fewer alerts. Because of their proactive and advanced detection capabilities, both EDR and XDR solutions generate fewer false-positive alerts, reducing the occurrence of alert fatigue within security teams and enabling a faster response to threats.
• Threat hunting. Both EDR and XDR solutions empower security analysts to proactively search for evidence of suspicious or malicious activities that weren’t triggering security alerts.

Indeed, it is these similarities that have certain vendors to simply rename their EDR solution as XDR — even with little change to the original product. XDR, however, aims to unify detection and response capabilities across multiple telemetry sources, not just endpoints.

XDR benefits, use cases

XDR is used to support specific use cases in the security operations center (SOC), including:

Accurate threat detection

XDR delves deeply into endpoint, network and other telemetry to pinpoint threats and get to their root cause, allowing security analysts to identify the complex patterns and techniques used in advanced attacks.

The endpoint may be the first place where threats are detected, but an attack will leave clues that can be identified by other control points. By correlating endpoint data with network, cloud and other telemetry, XDR can more effectively find and shut down attacks.

Effective threat response

XDR’s deep data collection and analysis allows security teams to trace attack vectors and understand how a threat unfolds, making it easier to locate the attacker in the environment. XDR solutions with automated response capabilities can block a threat as soon as it is detected.

SIEM support: High-accuracy telemetry and alerts into a SIEM

XDR can perform some of the heavy lifting around threat detection and provide high-fidelity alerts to a SIEM. This can help analysts speed up investigations or find additional threats by correlating XDR telemetry and alerts with data from sources not covered by XDR.

Integration with tools beyond the endpoint enables more accurate detections and a more comprehensive and coordinated response, with little effort from security professionals.

Supporting smaller security operations teams

XDR solutions can perform some of the evidence gathering and automated response steps that analysts often perform manually today. By freeing up analysts from these manual tasks, XDR solutions can help security operations teams be more effective in finding and stopping high-priority threats.

Challenges with XDR solutions

XDR solutions have two severe limitations when it comes to overall cyber hygiene:

• The smaller range of integrated solutions they work with.
• The data set they can analyze.

These drawbacks can restrict security teams’ ability to use existing or new security solutions of their choice with an XDR platform. Security teams may also encounter blind spots due to XDR solutions’ limited security data coverage, especially when using XDR as the primary security operations platform.

Comparing XDR with other cybersecurity solutions

XDR is great for enhanced detection and response across a limited set of use cases using a limited set of data sources. What happens, though, when threats evolve beyond the scope of that set of use cases and data sources?

Below, I’ll look at a couple common comparisons. However, at Splunk, we believe that comparing XDR to SIEM and SOAR is misaligned. We see XDR as a data source and control point that integrates with security tools, just like EDR. In fact, many of our customers have already integrated XDR solutions with Splunk. XDR helps to eliminate some noise — and Splunk gives teams the ability to solve for use cases beyond the endpoint. It’s a win win.

(Learn about what Splunk does.)

XDR vs. SIEM

At first glance, an XDR tool may look similar to a security information and event management (SIEM) solution. Both take in telemetry data to better detect existing and emerging threats. However, there are several notable differences.

Data sources. XDR platforms limit the data they can ingest and analyze. A SIEM solution takes in data from any and all sources.

Advanced threat capabilities. XDR tools are not well suited for investigating emerging and advanced threats, forensics and fraud use cases.

As attackers become more creative in hiding their tracks, investigations tend to span across multiple systems and environments, with clues often lying in unlikely places. Not having access to all sources and forms of data can stymie threat hunters as they follow the trail of an attacker and piece together the story of the attack.

Long-term storage. Unlike SIEM, XDR solutions lack long-term storage capabilities. Whether due to functionality or performance compromises, XDR tools can’t retain data long-term. To fulfill compliance and auditing requirements, you’ll need to store this data elsewhere. That’s yet another tool in your tech stack, and that’s more complexity to see into.

Compliance. Certain regulations require organizations to reduce the risk of data breaches by:

• Implementing various security controls.
• Defining a security threat response plan.
• Tracking critical business events.
• Keeping detailed records of all security events and how they were handled.

SIEM provides continuous monitoring, real-time threat detection and alerting, data analysis and visualization and log management and storage capabilities that help organizations more easily meet these requirements.

(Explore our SIEM, Splunk Enterprise Security, and take a free tour.)

XDR vs. SOAR

XDR tools also share some capabilities similar to that of security orchestration, automation and response (SOAR) solutions, yet with some very notable differences.

SOAR and XDR both aim to integrate a multitude of security tools for coordinated and automated response. Automating manual processes also frees up time for analysts to perform other duties that require critical thinking and problem solving, while also virtually eliminating mistakes and oversights in manual threat response.

Despite these common goals, SOAR and XDR differ in a few important ways:

• Automation. SOAR focuses more on automation, using a playbook-based system to orchestrate and automate incident response procedures. By contrast, XDR usually only automates single actions based on the analysis of incoming data.
• Integration. SOAR is designed to integrate with as many tools and point solutions as possible. XDR solutions, on the other hand, are typically an assemblage of a single vendor’s tools implemented together.
• Broader use cases. SOAR can also be used in applications outside of security, e.g., IT operations and software development.

(Learn all about Splunk SOAR and try it for free.)

Reducing cyber risk: don’t stop at XDR

Ultimately, you’re not looking to purchase a tool. You are looking to reduce cyber risk. XDR capabilities help defend against a decent range of attacks.

Still, integrating XDR telemetry and high-fidelity alerts into a SIEM-based SOC platform — where you can correlate all relevant data — can improve your ability to accurately detect and rapidly investigate and respond to threats. A proper cybersecurity program covers the entire attack surface to help reduce cyber risk.

Get the best visibility possible

Splunk delivers the same benefits as XDR technology: our solutions do not limit use cases or data sources. In addition to TDIR, you can index and search across all your data, security and otherwise. This level of visibility is critical to discovering the root cause for today’s most complex attacks.

Splunk provides enterprises with the flexibility they need to solve the challenges of today, while remaining agile to adapt to the threats and challenges of tomorrow. Splunk Security is the security operations platform for the agile enterprise. Centralizing all data, with the intent to deliver advanced analytics, streamlined operations through automation and orchestration, with tight collaboration from a thriving and diverse set of ecosystem partners is the formula for modern security operations.