Almost all enterprises have many security tools in place already, some of which are still focused on perimeters/DMZs and on hosts, such as servers and endpoints. Endpoint Detection & Response (EDR) tools are becoming more commonplace in enterprises and SMBs. EDR tools depend on agents installed on endpoints to collect and transmit telemetry to the EDR console. EDR agents can be instructed by administrators and programmatically to respond to suspicious and malicious events, taking actions like gathering forensic evidence, terminating processes, removing malware, etc. EDR tools emerged as a second line of defense on endpoints in situations where Endpoint Protection (EPP), formerly known as Next Generation Anti-Virus, may have missed detection and prevention of execution of malware. EPP and EDR vendors have been merging and acquiring one another over the last few years, so a large part of the endpoint security market has essentially become Endpoint Protection, Detection & Response (EPDR).
Many organizations today are also looking for security tools such as Network Detection & Response (NDR) that provide additional visibility and controls at the network layer. NDR tools rely on sensors on the network for gathering data about traffic in a given environment. These sensors generally plug in to taps or SPAN ports on network switches and routers. Most modern enterprises have a mix of on-premises networks and cloud-based resources to cover with NDR solutions. NDR solutions mostly focus on analysis of traffic metadata, although some can do full packet capture and a few products even do packet decryption. Like EDR, the “D” and “R” in NDR emphasize the abilities to detect malicious behavior and respond to it. Examples of NDR actions are collect forensic evidence, terminate sessions, and block traffic by IP/host/domain.
Functional overlaps exist between EPDR, NDR, and Cloud Workload Protection Platforms (CWPPs). CWPPs provide malware scanning, remediation, and configuration management for IaaS instances, containers, and serverless environments.
Security Incident and Event Management (SIEM) systems are centralized repositories that collect security telemetry and log files from many sources around an enterprise. Security Orchestration Automation and Response (SOAR) tools facilitate analysis of information in SIEMs and help orchestrate analyst responses across disparate downstream security tools.
XDR (eXtended Detection & Response) solutions are an emerging category of security tools that are designed to consolidate and replace multiple point solutions such as Endpoint Protection Detection & Response (EPDR), Network Detection & Response (NDR), Cloud Workload Protection Platform (CWPP), Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS).
Our view of XDR
In our definition and view, XDR must encompass endpoint, network, and cloud aspects. This means that XDR solutions must have agents for endpoints, sensors for networks, and agents for cloud instances and containers. As opposed to SIEMs, telemetry is pushed into XDR systems in real-time, not pulled from logs, which allows for real-time correlation and analysis, and therefore a reduction in time-to-detect and time-to-respond metrics. Companies conducting RFPs for XDR expect implementations of advanced Machine Learning (ML) and Deep Learning (DL) detection models and functions to reduce the labor needed for analysis, time-wasting false positives, as well as add value by improving anomaly detection and categorization, leading to an improved overall security posture.
As with SOAR solutions, XDR systems are tools that enhance security operations, and as such have consoles that are designed for deployment within Security Operations Centers (SOCs) at customer sites or Managed Security Service Provider (MSSP) sites. SOAR tools prominently feature “threat hunting” interfaces. With XDR, the emphasis is on automation and continuous threat hunting, making threat hunting less of a manual activity.
XDR and SOAR: evolution or competition?
XDR and SOAR solutions are on a path toward either convergent evolution or competition, depending on the vendor. However, SOARs depend on SIEMs, and XDR solutions should be able to function somewhat independently of SIEMs. XDR systems can export relevant event data to SIEMs.
Though real-time detection is advantageous, we emphasize the response capabilities, because such leading-edge technologies should expand on the automation of mitigation actions. Therefore, the types of response actions available in EPDR and NDR must also be present in XDR.
Advanced XDR use cases and solution capabilities may include active defensive measures, such as the deployment and maintenance of Distributed Deception Platforms (DDPs). DDPs are systems that are designed to simulate a variety of computing assets and environments for the purposes of drawing in would-be attackers to clearly alert IT security teams to the presence of attackers, drawing attackers away from real assets, and allowing IT security teams to study the TTPs of attackers in order to better defend against current and future attacks. DDPs therefore aid IT security teams in discovering anomalous and malicious behavior at various layers across the infrastructure.
Other capabilities that need to contribute to XDR include Vulnerability Management Systems (VMS), Unified Endpoint Management (UEM), User Behavioral Analytics (UBA), and Identity Governance and Administration (IGA). These are distinct products and markets already and will not be subsumed by XDR. However, thorough analysis that facilitates both the detection and response features in XDR must include integration with these categories of tools.
KuppingerCole has research covering many of the constituent product types:
Leadership Brief - Do I Need NDR?