10 top XDR tools and how to evaluate them


Little in the modern IT world lends itself to manual or siloed management, and this is doubly true in the security realm. The scale of modern enterprise computing and modern application stack architecture requires security tools that can bring visibility into the security posture of modern IT components and integrate tightly to bring real-time threat detection, possibly even automating aspects of threat mitigation. This need has given rise to extended detection and response (XDR) tools.


What is XDR and what does it do?

XDR is a security tool that combines and builds on the strongest elements of security incident and event management (SIEM), endpoint detection and response (EDR), and even security orchestration and response (SOAR). In fact, some XDR platforms listed here are the fusion of existing tools the vendor has offered for some time.

The primary value in XDR systems lies in their roots in SIEM, which gives the system copious amounts of event data from systems across the enterprise. This security data is further enhanced with the EDR components running on workstations and servers, even observing workloads running in cloud runtimes like serverless functions or containers. XDR systems typically take the data collected from your enterprise and compare it to telemetry from external data sources. When analyzed with machine learning tools, this vast array of data can lead to the proactive identification of threats or active attacks within the network.

Benefits of extended detection and response (XDR)

XDR’s ability to perform real-time analysis of event data provides a foundation to efficiently identify and prioritize threats as they happen. Taken a step further, XDR offers tooling to enable the system to take automated response actions (disabling a user, quarantining an endpoint, initiating a malware scan, or restarting a service). Enabling an XDR to take these actions for you can cut off attacks at the knees, preventing more extensive damage from taking place as an attack gains momentum and impacts more systems.

In addition to early identification of attacks, XDR systems are helpful in threat hunting, root-cause analysis, and incident response. Events are automatically correlated with context such as user or system to track malicious activity as it navigates between systems, escalates privileges, or makes configuration changes. This level of visibility is available nearly instantaneously, without having to manually review and compile event logs or track configuration changes. These same insights can be leveraged to automate initial remediation steps: disabling accounts, marking email messages as spam, or even blacklisting IP addresses. Automation of this sort can help buy time to develop a response plan to fully remediate and re-secure your infrastructure.
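The cross-source correlation and initial-response mapping described above, as an added toy example that is not the article's or any vendor's code: events from an endpoint agent, an identity provider and a cloud audit log are joined on the user they involve, scored with assumed weights, and turned into a prioritized incident that carries the first automated actions. All events and weights are constructed for illustration.

```python
# Added example (not from the article or any vendor): a toy version of the
# cross-source correlation an XDR performs. Events from an endpoint agent,
# an identity provider and a cloud audit log are joined on user, scored, and
# turned into a prioritized incident carrying initial response actions.
from collections import defaultdict

# Per-event-type weight for the risk score (assumed values for illustration).
WEIGHTS = {"login_failed": 1, "login_success_new_geo": 3,
           "privilege_escalation": 5, "config_change": 4, "malware_detected": 6}

# Constructed events from three sources, already normalized to one schema,
# as an XDR ingestion layer would do before correlation.
EVENTS = [
    {"ts": 1, "source": "idp", "user": "alice", "host": "-", "type": "login_failed"},
    {"ts": 2, "source": "idp", "user": "alice", "host": "-", "type": "login_failed"},
    {"ts": 3, "source": "idp", "user": "alice", "host": "ws-17", "type": "login_success_new_geo"},
    {"ts": 4, "source": "edr", "user": "alice", "host": "ws-17", "type": "privilege_escalation"},
    {"ts": 5, "source": "cloud", "user": "alice", "host": "-", "type": "config_change"},
    {"ts": 6, "source": "edr", "user": "bob", "host": "ws-02", "type": "login_failed"},
]

def hosts_of(evs):
    return sorted({e["host"] for e in evs if e["host"] != "-"})

def response_actions(evs):
    """Map observed event types to the initial automated actions the article lists."""
    types = {e["type"] for e in evs}
    actions = []
    if types & {"privilege_escalation", "config_change"}:
        actions.append("disable_account")
    if types & {"privilege_escalation", "malware_detected"}:
        actions += ["quarantine_host:" + h for h in hosts_of(evs)]
    return actions

def correlate(events, threshold=8):
    """Group events by user, score each group and return incidents, highest risk first."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    incidents = []
    for user, evs in by_user.items():
        score = sum(WEIGHTS.get(e["type"], 0) for e in evs)
        if score < threshold:          # isolated failed logins never become an incident
            continue
        # The ordered cross-source timeline is the "attack path" view the article describes.
        timeline = [f'{e["ts"]}:{e["source"]}:{e["type"]}' for e in evs]
        incidents.append({"user": user, "score": score, "hosts": hosts_of(evs),
                          "timeline": timeline, "actions": response_actions(evs)})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)
```

Running `correlate(EVENTS)` yields a single incident for alice (score 14) whose timeline spans all three sources and whose actions are to disable the account and quarantine ws-17; bob's lone failed login stays below the threshold.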

It’s likely no surprise that the major trend with XDR systems revolves around AI and machine learning. Since the foundation of an XDR is a large amount of text-based event data, AI is an easy way to enhance the technology. AI is most frequently used to add context through information gleaned from other business systems, open source or proprietary threat feeds, and current industry trends (such as emerging attack methods or even credential leaks).

What to look for in an XDR tool

Price will always be a key factor for enterprise security systems requiring scale, and XDR systems are no different. They are almost exclusively subscription-based, meaning you’ll have an annual or monthly cost to deal with. Like many security tools, this cost is a tradeoff as the financial risks of a data loss or simply the business impact of a compromise are monumental. The same is true of the manpower that would be required to acquire the same level of protection using existing systems and performing manual correlation of event data.

One of the most important XDR features to focus on is integration with existing hardware, software, and cloud investments, which can impact the effectiveness of the chosen platform as well as the cost and level of effort involved with the initial implementation of the solution. The security team should have a good understanding of what makes up the core of the IT stack (cloud services, infrastructure, business apps, etc.). If the XDR can’t gather intelligence from these components or can’t initiate corrective actions in those systems, that impacts the value of the solution. The same is true if the XDR can interact with these systems but requires copious customization or consultant-level engagement to reach a functional minimum.

The ability to manage policies and rules is also critical, so that your business can tune the XDR’s capabilities to its needs and your IT security staff can respond to threats or incidents more effectively. This functionality can take a variety of forms, from code-heavy rule sets to low-code workflows, or even actions implemented using third-party plugins available from a marketplace. Regardless of the implementation, the tools should be intuitive enough for your staff to manage internally unless you plan to outsource this role.

Finally, ease of use and training (either vendor- or community-based) are important for quickly ramping up and sustaining your investment in an XDR platform.

Below are some contending XDR tools that meet the general requirements to be considered for enterprise use.

Bitdefender GravityZone XDR

Bitdefender’s antimalware tools have long been a favorite of IT pros, so it’s no surprise that the company has endpoint detection well in hand as part of its GravityZone XDR offering. In addition to endpoints, GravityZone monitors network devices, servers, and a wide range of cloud runtimes such as container-based apps, Microsoft 365, Azure, and AWS. GravityZone’s analytics start at the sensor with early context applied, with additional levels of data refinement and normalization applied at the cloud layer using Bitdefender’s security analytics platform. GravityZone offers different ways to visualize incidents, including a timeline view and an incident advisor. Finally, GravityZone has a set of investigation and response tools that allow you to remediate specific endpoints, interact within a remote shell, or collect digital forensics.

CrowdStrike Falcon Insight XDR

CrowdStrike’s XDR offering, Falcon Insight XDR, touts itself as a focal point for securing your infrastructure by eliminating siloed security tools and enabling a cohesive view across security domains. Falcon Insight XDR collects event data from disparate, disconnected systems and aggregates, normalizes, and applies context to produce an enhanced dataset. This wealth of event data is then analyzed to discover threats or active attacks, leveraging machine learning to detect evolving techniques brought to bear by malicious users. Finally, Falcon Insight XDR enables security professionals to respond appropriately by initiating response actions either manually or through automated workflows to immediately shut down active attacks.

CrowdStrike’s endpoint detection capabilities feed Falcon Insight XDR, giving the AI-driven analytics platform a wealth of data from all corners of your IT stack. These analytics float prioritized threats to the top, enabling automated initial response or tasking your security and forensics teams.

Cybereason XDR

Cybereason chose to build its XDR on top of Google Chronicle, which is a Google Cloud-based SIEM and SOAR platform. There is a hefty upside to using Google as the foundation, and that is that Google does data, analytics, and correlation better than maybe any other entity in the world. Cybereason has built its EDR and cloud workload protection as first responders in its XDR, each of which provides early analysis of user and application activity, identifying key telemetry and passing it on to Google Chronicle. Cybereason’s MalOp Detection Engine takes threat data and correlates it into visualized timelines showing a full view of the attack path, enabling your security team to respond accordingly.

Cybereason integrates with major platforms covering the breadth of the IT stack (endpoints, office automation, identity providers, and cloud infrastructure). These integrations allow for instant visibility into malicious activity and present these threats for immediate, actionable response.

Cynet XDR

Cynet’s XDR platform connects with its CLM (centralized log management) solution, touching on all key elements of XDR. Cynet’s platform integrates with endpoints and network devices, as well as IAM solutions and cloud infrastructure. These integrations allow for playbook-based response, either through automated actions or your incident response team.

Elastic Security for XDR

Elastic is best known for its web and application content-delivery systems, but like Google, it is in the business of dealing with vast amounts of data and network traffic. Elastic Security for XDR enables you to leverage existing security tools or build out a full XDR platform using components and capabilities from Elastic’s product catalog. Elastic offers both SIEM and SOAR capabilities, as well as threat detection for both endpoints and cloud workloads, live threat intelligence, and a library of existing threats and mitigations in the form of Elastic Security Labs.

Elastic’s analytics and AI capabilities are second to none, both in terms of performance and depth of analysis. The foundational data product gleaned from this process informs the rest of your security workflow, whether that results in automated remediation steps or your response team being notified.

Microsoft Defender XDR

Microsoft is one of only a handful of vendors that not only offers an XDR solution but also a full stack of services that XDR platforms tend to integrate with. An obvious benefit of using Microsoft Defender XDR is using solutions like Azure, Entra ID, and Microsoft 365, but beyond that most of the IT vendors in the world would be foolish not to leverage Microsoft’s customer base, which makes first-class integrations a given. Adding value to Microsoft Defender is the vast amount of event context available from the billions of workloads running on Microsoft’s infrastructure.

The services under the Defender brand protect customer-facing resources (endpoints, apps, and email) and cloud services (databases, storage, server VMs, containers, and more), while Sentinel provides a robust SIEM foundation from which to view and act on contextualized alerts, hunt threats, and initiate investigations.

Microsoft’s latest ace in the hole is Copilot. In briefest terms, Copilot functions as a UI for performing deep analysis, threat hunting, and incident response. Copilot raises the capability of every member of your incident response team.

Palo Alto Networks Cortex XDR

Palo Alto Networks Cortex XDR integrates with your network devices, endpoints, and cloud infrastructure to identify and shut down attacks. Cortex leverages behavioral analytics and machine learning to detect attacks, aggregating alerts in an efficient, organized way. Palo Alto Networks bills the Cortex XDR agent as a particular strength, leveraging malware detection, host-based firewall, disk encryption, and policy-based USB device management. The triage and investigation process is bolstered with automated root-cause analysis and attack sequence reporting. Incident reports and artifacts are also generated with a detailed breakdown of attack vectors, scope, and impact.

Palo Alto Networks’ AI capabilities dive in at the threat detection step, identifying evolving attack methods that may not match an existing attack profile. Zero-day attacks are identified by comparing key activities to known malicious behavior across a global dataset. Incident response through forensic investigation, root-cause analysis, and remediation can be streamlined or even automated through playbooks and over a thousand integrations with third-party products.

SentinelOne Singularity XDR

SentinelOne Singularity XDR bridges the gaps between cloud, endpoint, and identity to provide full, unified visibility across domains and technology stacks. Singularity’s cross-domain focus begins with data collection and analysis, building context regardless of the source of the event, and continues through remediation, allowing you to take the appropriate actions to resolve threats in a timely manner. Tight integration with a host of third-party tools and services is enabled through the Singularity marketplace, which surfaces curated connectors for AWS, IBM Security, Microsoft, Okta, ServiceNow, Splunk and many others. Singularity’s Storyline technology is leveraged throughout the process to build out a rich, actionable final product that guides you through the incident response phase.

Trellix Helix Connect

Trellix views XDR as the primary tool in keeping ahead of the emerging, evolving threat landscape. With AI-based attacks continually on the rise, XDR and AI-based defenses are the obvious first step in protecting enterprise resources. Trellix Helix Connect facilitates more efficient analysis, quickly distilling event data down to critical detail and those events most likely to impact the business. Once critical events are identified, Trellix quickly transitions into a prioritized response in the form of either automated steps or assigning next steps to an incident response team.

Trend Micro Vision One

Trend Micro has been in the IT software game for decades, and its XDR offering, Vision One, is one of the more widely respected XDR platforms on the market. Vision One checks all the boxes an XDR should, including the ability to ingest data from a variety of inputs and the ability to secure endpoints with EDR. Vision One also supports proactive identification of vulnerabilities both within the boundaries of your corporate network and any that are visible publicly.

Vision One can seamlessly transition from detection and identification of threats into response via investigation and mitigation. Automated and enhanced remediation is implemented using customizable workflows and security playbooks. Vision One is also able to perform additional malware analysis in an isolated sandbox environment.

What to ask your team when deciding on an XDR

The most important thing each business needs to determine when shopping for an XDR is what vendors and systems your XDR is going to need to interact with. An XDR is of no value if it can’t identify risks in your existing systems and then act on them, making this the single most important decision point.

The second critical thing to evaluate with your internal team is the appetite for building out and customizing the XDR so that it behaves in a way that meets your business needs. If this appetite is low, or you simply don’t have the skills internally, you either need to select an XDR with simplified rule building or plan on including some hours of consulting services in your budget.
