Extended detection and response (XDR) has turned into a market label that, in my not so humble opinion, is proving to be as troublesome as the phrases “next gen” or “machine learning” were from 2016 to 2020.
I’ll quote myself from a popular blog post from my time at Gartner:
“The phrase does more to confuse clients and end-users than it does to describe anything useful. It takes longer to try and understand what people are looking for when they say ‘Next-gen XDR’, and more often than not it does not mean what anyone thinks it means.”
Naming aside, the one thing that all InfoSec commentators agree on is that XDR is an evolution of the endpoint-centric approach pioneered by legacy security vendors.
What Does XDR Bring that EDR Does Not? Has the Threat Landscape Changed?

The main objective of adversaries remains owning the endpoint and/or acquiring credentials that grant them access to business-critical data that they can monetize in some way. Usually this is done through ransom demands, but increasingly it occurs through the threat of extortion. So, if the endpoint and the credentials are still the target, you probably wonder: why XDR? Are XDR detections more accurate than EDR? Does XDR lead to faster response than EDR? The answer to both is, “Not necessarily, and definitely not easily.”

As with all things in cybersecurity, there is no one-size-fits-all solution, and this is no “easy button” approach that will solve all your security woes. However, when implemented as part of a modern security operations framework, XDR can bring broader coverage, better context, and boosted confidence, meaning security analysts using the tool can make faster and more accurate decisions in security investigations.

One of the primary benefits that the X in XDR hopes to bring to EDR is that security visibility and control remain constant when applications are moved to the cloud. With the endpoint becoming more akin to a terminal connecting to a mainframe (again), a managed-client approach to security will eventually fail. Often, high-confidence detections can be made without any endpoint data whatsoever, for example using telemetry from a business application such as Microsoft Exchange and an identity provider like Duo or Active Directory. Another benefit, of course, is the additional data and added security context. This extra telemetry brings more fidelity and confidence to detection engineering, helps to reduce false positives by filtering out known-good behavior, and drastically increases the scope and depth of incident response guidance.
While the consensus is that the greatest benefit is derived from writing detections against the correlated security event data from endpoint, CASB, identity, network, and application sources, you still need to ask yourself a question: In an EDR/XDR world, will your organization have the people with the skills and the experience to use the data sources effectively?
“In the past, adding more tools to detect the new threats has been the approach for many. If you don’t have a detect signal for the attack you are concerned about, buy a new tool. This is not sustainable, and even today many clients complain of tool overload, vendor management challenges and integration complexities.”
- “Is Security Operations Ready for XDR?” by Eric Ahlm and Jon Amato, Gartner, 11/3/21

“XDR is not a straightforward convergence of product categories. It’s a convergence of capabilities and components that span multiple products,” says Gartner in its November 2021 XDR research. This aligns with our view that XDR capabilities can provide the basic building blocks of a modern security operations center (SOC):

1. A cloud-based platform that ingests, normalizes, correlates, and enriches security-relevant events from any data or log source.
2. The analytical capability to derive high-confidence detections across any integrated control point or infrastructure: endpoint, cloud, application, and identity.
3. The ability to perform containment and response in real time and at scale.

How Does Arctic Wolf’s Security Operations Cloud Instrument XDR?

Our customers already speak to the benefits of XDR because those same principles are the core of our platform. It’s been almost a decade since the Arctic Wolf Platform was developed to remove the complexity involved in integrating and operating the myriad security tools that organizations use. This vision began with a vendor-agnostic approach to security. With Arctic Wolf, customers are never locked into one set of products or a single vendor ecosystem, and they aren’t forced to rip and replace existing products to get the full value of the Security Operations Cloud. Our universal data pipeline ingests security-relevant data from vendors and products spanning endpoint EDR/AV, Active Directory, authentication, first- and third-party network devices, IDS/IPS, email security, VPN, and UTM; in fact, almost any security source that can ship to syslog is a candidate for ingestion into our platform. We pull telemetry from AWS and Azure infrastructure, from Microsoft 365 applications, Cisco’s Umbrella DNS service, Salesforce, Box, and more. The list of telemetry sources goes on and on.
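The two ideas above, a detection built from application and identity telemetry with no endpoint data at all, and a pipeline that ingests, normalizes, correlates and enriches events from different sources, can be shown end to end in a few dozen lines. The following is an added illustration written for this article, not Arctic Wolf platform code and not a real Duo or Exchange integration. The log lines are constructed; their field names only loosely imitate an identity-provider feed and a mailbox audit feed. The internal mail domain, the 15-minute window and the rule "successful login followed by a new inbox rule forwarding mail outside the organization" are assumptions chosen to make the correlation concrete, and internal forwarding is treated as known-good and suppressed, which is the false-positive filtering the text describes.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry. Field names imitate an identity-provider feed and a
# mailbox audit feed but are simplified stand-ins, not real Duo or Exchange schemas.
# Note that no endpoint agent data is present anywhere in this input.
IDP_LINES = [
    '{"ts": "2024-05-01T08:02:11Z", "event": "auth.success", "username": "Alice", "factor": "push", "ip": "203.0.113.7"}',
    '{"ts": "2024-05-01T08:15:40Z", "event": "auth.failure", "username": "bob", "factor": "push", "ip": "198.51.100.9"}',
    '{"ts": "2024-05-01T09:30:02Z", "event": "auth.success", "username": "carol", "factor": "push", "ip": "192.0.2.55"}',
]
MAIL_LINES = [
    '{"CreationTime": "2024-05-01T08:04:55Z", "Operation": "New-InboxRule", "UserId": "alice@example.test", "ForwardTo": "drop@example.invalid"}',
    '{"CreationTime": "2024-05-01T09:33:10Z", "Operation": "New-InboxRule", "UserId": "carol@example.test", "ForwardTo": "carol.archive@example.test"}',
    '{"CreationTime": "2024-05-01T08:20:00Z", "Operation": "MailItemsAccessed", "UserId": "bob@example.test"}',
]

INTERNAL_DOMAIN = "example.test"   # assumption: the organization's own mail domain
WINDOW = timedelta(minutes=15)     # assumption: maximum gap between login and rule creation


def parse_ts(value):
    """Turn an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize_idp(line):
    """Map an identity-provider record onto the common event schema."""
    raw = json.loads(line)
    return {
        "ts": parse_ts(raw["ts"]),
        "source": "idp",
        "user": raw["username"].lower(),      # normalize case so the two sources join cleanly
        "action": raw["event"],
        "ip": raw.get("ip"),
        "detail": raw.get("factor"),
    }


def normalize_mail(line):
    """Map a mailbox audit record onto the same common schema."""
    raw = json.loads(line)
    return {
        "ts": parse_ts(raw["CreationTime"]),
        "source": "mail",
        "user": raw["UserId"].split("@", 1)[0].lower(),   # strip the domain to get the login name
        "action": raw["Operation"],
        "ip": None,
        "detail": raw.get("ForwardTo"),
    }


def is_external(address):
    """Enrichment step: classify a forwarding target as inside or outside the organization."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def correlate(events):
    """Pair each external-forwarding inbox rule with a successful IdP login for the same
    user inside WINDOW. Internal forwarding is treated as known-good and never raised."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for rule in events:
        if rule["source"] != "mail" or rule["action"] != "New-InboxRule":
            continue
        if not rule["detail"] or not is_external(rule["detail"]):
            continue
        for auth in events:
            if (auth["source"] == "idp" and auth["action"] == "auth.success"
                    and auth["user"] == rule["user"]
                    and timedelta(0) <= rule["ts"] - auth["ts"] <= WINDOW):
                findings.append({
                    "user": rule["user"],
                    "login_ip": auth["ip"],
                    "login_at": auth["ts"].isoformat(),
                    "rule_at": rule["ts"].isoformat(),
                    "forward_to": rule["detail"],
                    "seconds_between": int((rule["ts"] - auth["ts"]).total_seconds()),
                })
    return findings


def run_pipeline(idp_lines=IDP_LINES, mail_lines=MAIL_LINES):
    """Ingest -> normalize -> correlate and enrich, returning the findings."""
    events = [normalize_idp(l) for l in idp_lines] + [normalize_mail(l) for l in mail_lines]
    return correlate(events)


if __name__ == "__main__":
    for finding in run_pipeline():
        print(json.dumps(finding, indent=2))
```

Running it yields a single finding for alice: the login IP, both timestamps and the external forwarding target are carried into the result, which is the context an analyst needs to act without opening two consoles. carol's rule is dropped because the target is internal, and bob never authenticated successfully, so no pairing exists. The point is not the particular rule but the shape of the pipeline: each source gets its own normalizer, everything downstream works on one schema, and the detection logic joins on the normalized user field and a time window rather than on any vendor-specific format.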
The Enterprise Dream: Automated Security Analytics and Detection Engineering

By centralizing additional security telemetry and visibility, as well as automating the analytics and detection pipeline, our customers’ IT and security teams are presented with intelligence, automated investigations, and easy-to-action response and recovery guidance for everything that matters. Automated analytics and analysis capabilities are how we can highlight suspicious and anomalous behaviors at unprecedented scale, while holding true to the no one-size-fits-all philosophy. Arctic Wolf threat research and detection engineering teams use crowdsourced data to build the protection and detection technologies that allow us to deliver our unique personalized protection for each of our customers.

Organizations are no longer forced to continually ramp up investments in SIEM storage subscriptions. They avoid the “security by chance” approach of hoping they have enough coverage in the logs they can afford to consume, and now enjoy the luxury of security choice, and can determine which avenues of cybersecurity they wish to own for themselves. We combine platform capabilities in the cloud with human triage and SOC teams who take trillions of weekly observations before turning them into stories and investigations worth following. This is where many of the legacy endpoint-focused vendors stop and wash their hands of further responsibility for your organization’s security posture.

Concierge: Finally, the Answer to the Decade-Old Industry Promise of “an Extension of Your Security Team”

The past ten years of overinflated AI and ML claims have shown that to deliver a highly effective security program, you need experienced people with hands on keyboards to make good use of technology: analyst augmentation, not analyst replacement.
From the very first iteration of Arctic Wolf’s Security Operations Cloud, we knew that to scale and operate as effectively as threat actors and adversaries, we had to layer in the best human analysts using the best technology, who could properly validate alerts, suppress noise, and remove false positives. While an EDR/XDR vendor’s ability to assist your security posture generally stops once their tool is ready for you to install, Gartner analysts agree with us that XDR is only one part of security operations. Our concierge approach to orchestration, escalation, and response makes ambiguity and alert fatigue a remnant of the past. Our customers are assigned a dedicated team of analysts who are responsible for investigating and triaging all incidents and activities that look suspicious. This ensures that everything our customers’ security teams work on is meaningful and comes complete with full remediation guidance and support.

Tools alone aren’t the answer. There’s no escaping the need for humans in security, and the already well-documented “skills gap” or “talent shortage” means that a security tool like XDR is unlikely to bring the success and security it promises unless it is paired with a dedicated, human-driven security analyst model. Unfortunately, there’s been an uptick in endpoint vendors delivering incomplete managed alerting services. For most organizations, hiring the best humans and buying, deploying, and using the best technology is a stretch too far and involves tradeoffs that lead to “security by chance.” As a result, XDR tools alone do not come close to matching the vendor-agnostic SOC model delivered by Arctic Wolf’s well-established, human-driven, concierge security methodology.

Modern Security Operations Are Essential Today

When Arctic Wolf unveiled its platform and product vision to customers almost a decade ago, the term EDR didn’t even exist, let alone XDR.
As it turns out, our focus on security outcomes then led to early design decisions that solve real-world problems today, like alert fatigue, that are the bane of every IT and security organization. The underlying unification of technology and telemetry is what we’ve believed in and built since our inception, and our vendor-agnostic approach delivers the best of all types: it can be described as an open XDR architecture. As a security leader in today’s climate, your time is best spent getting the best out of the tools and the people you have. Alas, too many organizations spend their time thinking and worrying about buzzwords, or wondering if they should move from vendor A to vendor B. Modern security operations is a human-driven overlay that uses XDR-like outcomes to unify your existing security technologies, no matter which vendor, platform, or location. Arctic Wolf has led the charge to combine the open XDR approach that underpins our Security Operations Cloud with a human-driven triage and concierge security practice. It’s how we are able to deliver the security outcomes that are right for your organization, for every step of your security journey.