Extended Detection and Response (XDR) appears as one of the most prominent new branches of modern cybersecurity. Certainly it continues to grow in both prominence and attention by technology experts. But what is XDR? Why does it matter to enterprise InfoSec policies and execution?
XDR refers to a unified security incident and response platform that automatically collects and correlates data from proprietary security components. In other words, you can think of it as a platform that aggregates the security events collected by SIEM, EDR, and identity management tools; it puts them under a single pane of glass, offering a holistic cybersecurity perspective over the entire network.
Further, XDR can cross environments for its correlation capabilities, and thus it also provides normalization for consistent and reliable analysis. Therefore, XDR enriches data sources and consolidates the information for greater analysis.
The ultimate goal of XDR platforms is to speed up investigation processes and incident response times. To learn more, we spoke to Avi Chesla, Founder and CEO of empow, and David Valovcin, President of empow. They provided a clearer view of XDR technologies and what enterprises should look for in their solutions
What is XDR? Key Requirements
Among the key requirements of XDR solutions, one of the most important is the centralization of normalized data. Under normal circumstances, security event data is siloed by the individual solution. If it generates an alert, that singular alert is enough to trigger an investigation ticket.
However, a single alert from a single solution often isn’t enough to merit a full investigation; this perspective contributes to the overwhelming noise in security operations centers, which can drown out actual threats and increase burnout. XDR bridges the silos under a single pane of glass, creating alerts that stem from multiple platforms and thus have more credence.
According to Mr. Valovcin, “XDR pulls together proprietary sensors. Some might be good on endpoint, others on the network. But because they are siloed, you see them as individuals not as part of a broader event.” He compares it to looking for a disease: you can look at the symptoms individually, but only by looking at all of them can you get a clear picture of what is wrong.
Mr Chesla adds: “The main idea is to find advanced attacks hidden in silos.” He goes on to describe the importance of XDR’s centralized incident response capabilities. These can change the state of individual security products or policy setting as part of an incident response. As he says, XDR answers “who are all the entities involved as part of this attack? What is the relationship between them? What are their roles? Do they carry sensitive information? So it provides an element of contextualization.”
Finally XDR comes with automatic correlation. With so many data sources on the network all at once, it is impossible for any human to keep track of it all. Automation matters now more than ever in cybersecurity.
How to Learn More