XDR will converge from different directions: XDR, Open XDR, Native XDR, Hybrid XDR -> XDR

2022 Predictions By Aimei Wei

Initial definitions of XDR envisioned eXtended Detection and Response – a single platform that unified detection and response across the entire security kill chain. According to Rik Turner, who coined the XDR acronym, XDR is “a single, stand-alone solution that offers integrated threat detection and response capabilities.” To meet Omdia’s criteria to be classified as a “comprehensive” XDR solution, a product must offer threat detection and response functionality across endpoints, networks and cloud computing environments.

Gartner’s definition is similar in that it points to features such as alert and incident correlation, built-in automation, multiple streams of telemetry, multiple forms of detections (built in detections), and multiple methods of response. However, Gartner requires XDR to be achieved through consolidating multiple proprietary vendor specific security products.

Open XDR was initially created by Stellar Cyber as with the same features with Gartner except that not all the security products/components have to be from the same vendor, the platform has to be open and integrate with 3rd party security tools. Some components are built in and others are through deep 3rd party integrations.

Open XDR was later on picked up by vendors who purely rely on a wide ecosystem of 3rd party tools for telemetry sources and response without any built-in components.

Forrest’s definition of XDR requires the platform to be anchored around an EDR. It defines Native XDR as EDR integrating with vendor’s own security tools; Hybrid XDR as EDR integrating with 3rd party security tools; SAP (Security Analytics Platform) as a platform without built in EDR, but with built-in NAV and SOAR with 3rd party integrations; and SSA (Standalone Security Analytics) as those purely rely on 3rd party tools for telemetry sources and responses.

We predict that in 2022, XDR will converge from different directions.

  • XDR will trend to be open and integrate with 3rd party security tools, to allow best of breed tools being used and existing investment preserved. Even those that have historically been closed because they realize they can’t deliver the outcomes enterprises need while attempting to own the entire stack.

  • XDR doesn’t have to anchor from EDR as long as high efficacy detections are achieved through integration with EDR products

  • XDR platforms will have some built-in components and others through 3rd party integration. The more built-in components, the more value to get up-front without needing to acquire 3rd party tools. The more out of the box integrations, the more existing investment can be preserved and choices of best of the breed products.

Our definition of XDR is that it’s a unified security incident detection and response platform that:

  • Provides high-efficacy detections across ALL the data sources: endpoint, network, cloud, application, user, assets, email etc. through either built-in EDR, NDR, CDR, TIP or out-of-the-box third-party integration.

  • Includes automatic alert correlation across all the data sources and security tools to speed up the validation and investigation, automation of more advanced workflows with sophisticated attack correlation.

  • Enables automatic responses across different security tools through built-in or out-of-the-box integration with SOAR.

  • Incorporates threat hunting across all the data sources by allowing analysts to visualize and store large volumes of data for long periods of time through a built-in, next-gen SIEM or out-of-the-box integration with third-party SIEMs.

XDR is about automatic detection and response across the entire attack surface, and that means anything less than everything is not enough. XDR ultimately means “Everything Detection and Response.”