What is extended detection and response (XDR)?

With XDR, security solutions that aren’t necessarily designed to work together can interoperate seamlessly on threat prevention, detection, investigation and response.

XDR eliminates visibility gaps between security tools and layers, enabling overburdened security teams to detect and resolve threats faster and more efficiently, and to capture more complete, contextual data for making better security decisions and preventing future cyber attacks.

XDR was first defined in 2018, but the way security professionals and industry analysts talk about XDR has been evolving rapidly ever since. For example, many security experts first describe XDR as endpoint detection and response (EDR) on steroids, extended to span all enterprise security layers. But today experts see XDR’s potential as much more than the sum of the tools and functionalities it integrates, emphasizing benefits such as end-to-end threat visibility, a unified interface, and optimized workflows for threat detection, investigation and response.

Also, analysts and vendors have categorized XDR solutions as either native XDR, which integrates security tools from the solution vendor only, or open XDR, which integrates all of the security tools in an organization’s security ecosystem regardless of vendor. But it has become increasingly clear that enterprise security teams and security operations centers (SOCs) expect even native XDR solutions to be open, providing the flexibility to integrate third-party security tools they use now or may prefer to use in the future.

Today organizations are bombarded by advanced threats (also called advanced persistent threats). These threats sneak past endpoint prevention measures and lurk in the network for weeks or months—moving around, gaining permissions, stealing data, and gathering information from the different layers of the IT infrastructure in preparation for a large-scale attack or data breach. Many of the most damaging and costly cyber attacks and data breaches—ransomware attacks, business email compromise (BEC), distributed denial of service (DDoS) attacks, cyber espionage—are examples of advanced threats.

Organizations have armed themselves with scores of cybersecurity tools and technologies to fight these threats and close off the attack vectors, or methods, that cybercriminals use to launch them. Some of these tools focus on specific infrastructure layers; others collect log data and telemetry across multiple layers.

In most cases these tools are siloed—they don't talk to each other. This leaves security teams to correlate the alerts manually to separate the actual incidents from false positives and triage the incidents according to severity—and coordinate them manually to mitigate and remediate threats. According to IBM's Cyber Resilient Organization Study 2021, 32% of organizations reported using 21 to 30 individual security tools in response to each threat; 13% reported using 31 or more tools.

As a result, advanced threats take too long to identify and contain. IBM's Cost of a Data Breach 2022 report reveals that the average data breach took 277 days to detect and resolve. Based on this average, a breach that occurred January 1 would not be contained until October 4.

By breaking down the siloes between layer-specific point solutions, XDR promises overextended security teams and SOCs the end-to-end visibility and integration they need to identify threats faster, respond to them faster and resolve them faster—and to minimize the damage they cause.

In the relatively short time since its introduction, XDR is making a difference. According Cost of a Data Breach 2022, organizations with XDR deployed shortened their data breach lifecycle by 29 and lowered breach costs 9% on average compared to organizations without XDR.

XDR is typically consumed as a cloud-based or software as a service (SaaS) solution; one industry analyst, Gartner, defines XDR as 'SaaS-based'. It may also be the core technology driving a cloud or security solution provider's managed detection and response (MDR) offering.

XDR security solutions can integrate:

• Individual security tools (or point solutions) such as antivirus, user and entity behavior analytics (UEBA), or firewalls;
  
  
• Layer-specific security solutions such as EDR, endpoint protection platforms (EPPs), network detection and response (NDR) or network traffic analysis (NTA);
  
  
• Solutions that collect data or coordinate workflows across security layers, including security information and event management (SIEM) or security orchestration, automation and response (SOAR).

XDR collects log data and telemetry from all of the integrated security tools, effectively creating a continuously updated record of everything that happens in the infrastructure - log-ins (successful and unsuccessful), network connections and traffic flows, email messages and attachments, files created and saved, application and device processes, configuration and registry changes. XDR also collects specific alerts generated by the various security products.

Open XDR solutions typically collect this data using an open application programming interface, or API. (Native XDR solutions may require a lightweight data collection tool, or agent, installed on devices and applications.) All collected data is normalized and stored in a central cloud-based database or data lake

XDR uses advanced analytics and machine learning algorithms to identify patterns indicating known threats or suspicious activity in real-time, as they unfold.

To do this, XDR correlates data and telemetry across the various infrastructure layers with data from threat intelligence services, which deliver continuously updated information new and recent cyberthreat tactics, vectors and more. Threat intelligence services can be proprietary (operated by the XDR provider), third-party, or community based. Most XDR solutions also map data to MITRE ATT&CK, a freely accessible global knowledge base of hackers' cyberthreat tactics and techniques.

XDR analytics and machine learning algorithms can also do their own sleuthing, comparing real-time data to historical data and established baselines to identify suspicious activity, aberrant end-user behaviors, and anything that might indicate a cybersecurity incident or threat. They also can separate the 'signals,' or legitimate threats, from the 'noise' of false positives, so that security analysts can focus on the incidents that matter. Perhaps most important, the machine learning algorithms continuously learn from the data, to get better at detecting threats over time.

XDR summarizes important data and analytic results in a central management console that also serves as the solution's user interface (UI). From the console, security team members can get full visibility into every security issue, enterprise-wide, and launch investigations, threat responses and remediations anywhere in the extended infrastructure.

Automation is what puts the rapid response in XDR. Based on predefined rules set by the security team—or 'learned' over time by machine learning algorithms—XDR enables automated responses that help speed threat detection and resolution while freeing security analysts to focus on more important work. XDR can automate tasks such as:

• Triaging and prioritization of alerts according to severity;
  
  
• Disconnecting or shutting down impacted devices, logging users off the network, halting system/application/device processes, and taking data sources offline;
  
  
• Launching antivirus/anti-malware software to scan other endpoints on the network for the same threat;
  
  
• Triggering relevant SOAR incident response playbooks (automated workflows that orchestrate multiple security products in response to a specific security incident).

XDR can also automate threat investigation and remediation activities (see the next section). All this automation helps security teams respond to incidents faster and prevent or minimize the damage they cause.

Once a security threat is isolated, XDR platforms provide capabilities that security analysts can use to further investigate the threat. For example, forensic analytics and 'track back' reports help security analysts pinpoint the root cause of a threat, identify the various files it impacted, and identify the vulnerability or vulnerabilities the attacker exploited enter and move around the network, gain access to authentication credentials, or perform other malicious activities.

Armed with this information, analysts can coordinate remediation tools to eliminate the threat. Remediation might involve:

• Destroying malicious files and wiping them off endpoints, servers and network devices;
  
  
• Restoring damaged device and application configurations, registry settings, data and application files;
  
  
• Applying updates or patches to eliminate vulnerabilities that led to the incident;
  
  
• Updating detection rules to prevent a recurrence.

Threat hunting (also called cyberthreat hunting) is a proactive security exercise in which a security analyst searches the network for as-yet unknown threats, or known threats yet to be detected or remediated by the organization’s automated cybersecurity tools.

Again, advanced threats can lurk for months before they're detected, preparing for a large-scale attack or breach. Effective and timely threat hunting can reduce the time it takes to find and remediate these threats, which can limit or prevent damage from the attack.

Threat hunters use a variety of tactics and techniques that rely on the same data sources, analytics and automation capabilities XDR uses for threat detection, response and remediation. For example, a threat hunter might want to search for a particular file, configuration change or other artifact based on forensic analytics, or on MITRE ATT&CK data describing a particular attacker's methods.

To support these efforts, XDR makes its analytics and automation capabilities available to security analysts via UI-driven or programmatic means, so they can perform ad-hoc searches data queries, correlations to threat intelligence, and other investigations. Some XDR solutions include tools created specifically for threat hunting such as simple scripting languages (for automating common tasks) and even natural language querying tools.