Analyst Chat #88: What (and why) is XDR?

XDR (eXtended Detection & Response) solutions are an emerging category of security tools that are designed to consolidate and replace multiple point solutions. John Tolbert and Alexei Balaganski join Matthias and share their views on this market, the existing offerings, and how it might evolve.
Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm lead advisor and senior analyst at KuppingerCole Analysts. Today I'm joined by two guests, and I'm happy to talk to both of them about an interesting development in the area of cybersecurity. Hi Alexei. Hi John. So first, hi Alexei.
Hello Matthias. Thanks for having me again. Hello John, of course; this will be a really interesting collaboration next time, right? Hi John.
Hello. Nice to be on here with you both.
Great to have you both. And I think you've both had some kind of discussion about that topic recently, so we want to convey and transfer this discussion over to this podcast episode. So it's really a current topic. We want to talk about a lot of acronyms today, four-letter acronyms, three-letter acronyms, but the main topic is XDR. So to start out with a definition, maybe you, John: what is XDR? What is the market segment here?
You know, it's interesting. XDR is something that a lot of security vendors are talking about these days, and you'll find that the security vendors from the EDR and NDR side, which I'll define here in a second, are kind of jumping on this bandwagon. So XDR, the X stands for extended detection and response. We see detection and response for endpoints, that's EDR, and network detection and response, NDR. There's also managed detection and response, if you know, a third-party service running some of those tools on behalf of customers. So there are lots of DR kinds of services and products out there. I think what makes XDR different is we've all become accustomed to EDR in the marketplace and the need for that to look for signs of compromise that may have been missed by other security tools. So it's a tool that allows you to do investigations and threat hunting and things like that within your environment. Network detection and response is being able to detect threats and respond to them
that show up on the network that may pass, you know, you may not see that with your EDR tools. So these typically plug into a network span or tap ports on routers and switches and things like that. And many of them have a cloud component too. They have images that you can run in the infrastructure-as-a-service providers to be able to collect telemetry from various cloud instances. So kind of rolling it all together, XDR we think of as something that should catch all of that. You know, it should have a cloud component, an endpoint component and a network component, and then it also needs to be fed by identity information, whether that's user behavioral analysis and identity governance and administration kinds of tools, you know, audits, access reconciliations, that sort of thing.
Okay, great. So understood. I think that it's really a collection of many technologies combined under one umbrella, but why do we have XDR right now? Why are we moving towards that? And what is the history behind that, Alexei?
I would say it's a much more important question than, like, defining what XDR is: why, and how is it different from the tools you already have? Because if you look at it from a layman's perspective, it's not really that much different from our quote unquote traditional SIEM, or security information and event management, solution, right? Because all it does is basically collecting security-related stuff from everywhere in your IT infrastructure, and then deciding what to do with that. And I remember one person telling me that he believed that an XDR tool is basically a SIEM without a data lake. Although it sounds a little bit counter-intuitive, it actually makes a lot of sense in hindsight, because we have seen SIEM tools for probably close to 30 years now, and the first SIEM tools were basically glorified log management solutions. There's a rules engine where you can configure what string to look for and alert people that something might have happened
if you detect something in the log. It kept evolving over the years. Then we had big data, so you could store lots of logs and lots of other telemetry from different sources. You could dig through it in almost real time. You could probably apply some machine learning to correlate the data across different sources, but in the end, a SIEM is basically a tool to help you know what's going on around your company, or configure some rules and triggers and thresholds to detect if something bad is happening, right? In a way XDR does exactly the same. So what is the difference? And I would argue that XDR is a typical case of this convergent evolution. It has evolved from totally different roots, as John described: it all started with those real-time endpoint detection and response systems, and then probably incorporated the network detection and response. But in my opinion, the biggest difference is that an XDR solution is first of all distributed, so you do not need to keep a huge central database of everything that's going on; it's heterogeneous, so it can reach different types of systems, different types of infrastructure; and of course, it's real time, meaning that you don't actually need to keep, like, a year's worth of history of your security telemetry. You can ingest the signal in real time, analyze it in real time and deliver some insights or even mitigation actions in real time. That's the biggest difference.
Okay. Anything to add or to contradict John?
Well, I would just say let's not forget the R part of XDR. You know, SIEMs in many ways seem pretty passive, so I think it's good to compare it to SIEM or first-generation SEM, but, you know, SOAR products or add-ons for SIEMs, XDR, NDR, EDR all mean response. So being able to act on the information, hopefully autonomously, and take those actions as warranted and not have to wait in many cases for a human analyst interaction: some of the basic things like being able to go out and grab all the related forensic evidence, do the correlation, assemble that into a ticket, you know, make it easy for an analyst to come in and see what's going on. And then if need be, take additional actions on that, and those actions can range from, you know, isolating a host off the network to maybe automatically deleting malicious files on endpoints, automatically deleting phishing emails all around an organization so the users aren't tempted to open them. Those are the kinds of advantages that I think the XDR, and the foregoing EDR and NDR kinds of products, can handle.
Right. So they really solve real-life problems that are occurring right now. So the promise of these products, of this XDR, is keeping an organization safer, more secure, by actively detecting and responding to these threats. Is this the reason why the industry is catching up on that acronym, on that technology, and is really promoting that? Is that the reason for that? Or is there more behind that? Why is the industry moving towards XDR? I don't know who wants to answer. Alex, are you first? Yes.
Well, first of all, I have to say yes, absolutely, I agree with what John said about SIEMs and SOAR. Yes, one would argue that a SIEM without any kind of security orchestration and automation capabilities is basically a useless thing, because you would end up doing a lot of manual research and manual mitigation, and the SOAR solutions have been specifically designed to fill this gap. And XDR is in a way basically a kind of attempt to replace this combination of SIEM and SOAR. The problem with that is, well, if you just see the industry pushing this acronym pretty strongly at the moment, they offer just about the same set of capabilities, again, as the modern next-generation SIEM combined with a SOAR solution. So I guess this is why not many customers actually expressed interest in even learning about XDR solutions, to say nothing about actually deploying them, or replacing the existing SIEMs and SOARs with an XDR tool, right? Because it's a totally new technology, it's based on a different underlying stack of software, but it promises to deliver the same capabilities. So I would ask, why would I replace a maybe slightly outdated but perfectly working solution with a new one which does the same? Maybe I'm missing something. What's your opinion, John?
I would say this is almost entirely vendor driven by their marketing organizations at this point. I mean, I think that there are real use cases that this will solve, but I think it's a bit premature in some cases. I mean, you have vendors on the EDR side that say, you know, we can listen to everything that goes by on the network, you really don't need a network detection and response solution, but, you know, I really don't think that's true, because not every device in an organization can necessarily run an endpoint agent. So there are going to be things happening on different kinds of networks that would not be seen by EDR agents. And I think probably the two biggest examples of that are, you know, what we call OT, operational technology, industrial controls, SCADA, industrial IoT; those kinds of environments don't necessarily run desktops, laptops that can have agents installed on them to watch telemetry that goes by.
So, you know, in that case, it's very advantageous to have a network-layer sensing capability, whether you plug that into a switch or, you know, plug in inline to be able to collect that information. And then the other is medical environments. There are lots of medical devices that, even if they run on standard operating systems like Windows, may be unable to install additional security software. So they can't have EDR agents either. And there have been cases that we've read about where medical devices get infected with malware. And obviously that's a horrible situation we want to prevent. So especially in OT and healthcare environments, I think it's important to be able to have network-layer detection in addition to endpoint. So I see synthesizing the two, you know, endpoint and network, and by network we do include cloud too, since many organizations are hybrid. So you need a way to get information about what's going on in your various cloud instances and factor that into your overall risk posture, and be able to take action on all those environments: shutting down network connections, maybe disabling users in the cloud. You know, however you need to be able to respond to threats in any given environment. I think that's where the value for XDR will come into play.
The way you described these individual components and also the history of where it comes from sounds to me, like you said, heterogeneous, which is the nice word for a zoo of different components we put together under this umbrella term of XDR. Are these products, even if they're coined or named XDR, comparable to each other in functionality? And how do they relate to each other? Are there overlaps, are there gaps in some products? How does the market look?
Well, I guess we have to address this again and again, that the same acronym, the same buzzword, can be used in totally different contexts by different vendors. It was the same with AI. It was the same with the cloud back then. It was the same with zero trust. XDR again, kind of different vendors mean different things. I personally am really interested in this concept of open XDR, which some companies are pushing: the idea that you do not need to deploy a special agent for each system you want to monitor, but instead talk to an existing agent from a totally different product. So if you are an XDR vendor, you might have a technology partnership with an EDR vendor or a network monitoring solution, or the cloud service provider, to talk to the APIs, to talk to the existing agents or clients and collect that real-time telemetry, again, in this heterogeneous and open and flexible way. To me, this is like the only reasonable and future-proof approach. Unfortunately, not many vendors actually implemented it. Most basically developed their original EDR product, they have an agent which can collect something from an endpoint, and then they would continue to add more capabilities to the agent to sniff your network, to watch your cloud traffic and so on. But it's still the same standalone agent, and whether it's actually sustainable in the future, I'm not sure.
You know, that sounds a lot like SOAR in some ways, you know, having a centralized collection point and action point to do the orchestration and response amongst many different kinds of downstream security tools. So I think, you know, you've hit upon something really interesting, and that is, as business requirements sort of consolidate into "we need to be able to take in information from all around all of our assets", I won't say network, and figure out what's going on and respond appropriately, there may be additional convergent evolution, as you were saying, between SOAR and XDR. I think they're both going to develop similar kinds of capabilities. We may come to the point where organizations choose between SOAR or XDR, or we also may see these kind of fold into one another.
Well, in a way, I would say that even now this combination of a reasonably good SIEM tool with a reasonably good SOAR tool is almost equally capable to, again, a reasonably good modern XDR solution in terms of detection, analysis, forensics, and response. There is, however, one more additional business requirement which XDRs are almost completely missing nowadays. It's this whole compliance reporting and audit game, where SIEM has a huge advantage. It has this huge data lake, which can keep all your historical data for a year or even more, as long as you have your storage paid for, so to say. And XDRs traditionally do not rely on such a data lake. They only work in real time, so they don't keep the history of what was happening back then. So it would be really difficult to create compliance reporting like: am I protected? How am I protected this week? Is it any better than last month? What if I want to monitor my kind of security posture trends over the last year? I can absolutely do it with a SIEM. I cannot do it with an XDR.
You know, that's an interesting point too, the real-time analysis nature of XDR versus stored SIEM data being operated upon by SOAR. You know, you think about some of the recent security incidents that have happened, like SolarWinds, you know, that took what, seven or eight months to finally detect; there's real value in being able to go back and look at that. In fact, you know, looking at some of the reports that I'm working on in this space, I think it's important, if you're a security vendor, to be able to offer customers long-term storage, because you want to be able to go back six or nine months, especially when you look at some of the metrics out there about mean time to detect, you know, still 5, 6, 7 months in some cases. So the idea that you can only rely, or you only need to rely, on real-time information from agents, I think is not quite accurate. I think there's always going to be a need for looking at data from the past. And, you know, it could be a rather large amount of storage that's needed for that. You know, some of these SIEM/SOAR solutions will try to make it as efficient as possible by looking at metadata and not, you know, saving every packet, but still, I think there's a storage element that's going to be needed going forward.
Well, if you remember, we had a very similar situation years ago with EDRs. Just when the first EDR solutions appeared, they would just boldly proclaim that they no longer need any signatures or heuristic analysis or whatever quote unquote traditional antivirus things; you just analyze the behavior in real time and you will be able to detect and mitigate all the challenges. It only took a couple of years to realize that it just doesn't work. You cannot cover all the use cases and all the types of attacks with just real-time detection and response. So they had to adapt, they had to incorporate some EPP functionality into those hardcore EDR tools. I believe the same will actually happen with XDR as well, evolving towards SIEM-like capabilities.
Yeah, I think you're right. We've seen that evolution in the market where, just like you said, endpoint protection and EDR are now mostly wrapped together in what we're calling EPDR, endpoint protection detection and response. We see acquisitions in the network detection and response area. I think we will continue to see, you know, conglomerations of those functionalities as larger companies acquire some of the smaller ones that have functionality in those areas that they don't, so they can compete more effectively as a security stack vendor. And then I think too, not just because I'm working on a report on distributed deception platforms right now, but certainly that has informed me that, you know, if you want to do active detection and response, these distributed deception platforms, I think, will roll into XDR in the next three to five years as well, because, you know, it's a good way.
They're very advanced honeypots. I mean, I know a lot of the vendors don't want to call them honeypots, but, you know, because they can simulate not just endpoints or servers, but, you know, full Active Directories and applications, even things on the OT and ICS side. So having a deception environment allows you to detect malicious activity with high fidelity, because anything that's happening in a deception environment, you can more or less be assured that it's malicious, as long as you've properly concealed it. So I think that would make for very excellent information that feeds into an XDR platform in the future.
Right. So from what I understand, what you described is that the marketing machine for XDR is already running quite smoothly. The products are here in a version, or it's older solutions rebranded to being XDR, but the market has to move, has to evolve. You've described that already. Are there any other areas where XDR should move in the future and where it makes sense? As of now, I understand that I still have to architect a security solution that combines these individual components into what I really need. This is not a plug-and-play, off-the-shelf solution that I can just use. I still have to create my proper solution. So XDR misses that promise to just protect you. So it's still, yeah, having a strong security architecture in place and combining all these products. So where can it move to mitigate that problem that I see here? I don't know, Alexei, you start.
Yeah. I think this is actually a great opportunity to mention a blog post that John has recently written about the whole topic of XDR and that interesting kind of Venn diagram, which we should probably bring up in the recording of the podcast. You will see that what the XDR vendors are trying to sell us is just the minimum viable product. It's just EDR, NDR, maybe a little bit of SOAR. It doesn't incorporate all the other things which we have to cover as well: cloud workload protection, the whole part where we proactively scan our infrastructure for vulnerabilities. These are just as important as real-time detection. And of course you have to think about all those technologies which probably do not completely fit into the XDR picture, but at least are tightly related to those, like, for example, this whole user behavior analytics. One would argue it's not really an integral part of EDR, but at least it's closely related to user activities. And of course you have to incorporate user activities into this whole correlation and real-time monitoring. And of course you have to think about this whole identity stuff. This is why, for example, the diagram includes identity governance and administration. So there is a lot of stuff which is still completely missing. And when I'm expected to see any of those capabilities delivered with the XDR label is probably the most important question.
I think there are, yeah, I think there are a couple of vendors that are sort of leading the charge in XDR, and they're doing a good job with, you know, some of these early-phase requirements. And I would imagine they will continue to add on functionality like Alexei is recommending, especially pulling in identity information, but, you know, there's kind of been this gulf between identity and cybersecurity. And I think that needs to be addressed in general, you know, because XDR and SOAR both are good places to unify your approach to identity management as well as overall cybersecurity posture, and both need to be considered in any organization's overall risk management system as well.
Okay. So if we look at this market of XDR, and if it is like we described it, so it's still something that we should keep an eye on, and we expect that to evolve rather rapidly over time. I understand, John, that you've written that blog post, where we've seen the picture from just right now, this Venn diagram, to show where the individual functionalities can be located within this area. So I think a good starting point would be the blog post. Which other reports, which other research are you working on? You've mentioned the work you are currently working on. What else is there?
I'm close to finishing the Leadership Compass, our comparative report, on distributed deception platforms. I'm also writing an update to network detection and response, NDR. At some point in the near future, I'm going to start a Leadership Compass on endpoint protection detection response. And then probably next year I'll be working on a Leadership Compass or a Market Compass on XDR. I think it will be good to survey the vendors then, see what their current capabilities are and see how that compares. And then also I'll be updating the report on SOAR at some point.
And I am currently working on the Leadership Compass on, as they call it, intelligent SIEM platforms. Of course it's like the opposite of XDR, but I think it would be really interesting to compare, like to see what kind of capabilities you should expect XDR tools to deliver, to be at least at the same kind of feature parity as the modern SIEM tool.
Right. Perfect. So I would expect that we will cover that topic in this podcast quite closely in the upcoming time, because I think there will be lots of changes in it. It's been great to talk to two experts here that can provide two different angles, actually agreeing, but, okay. So it's important to see that this is really something that is an evolving market and to continue monitoring that. So we have a starting point for reading more for the audience. And we have given a first insight into an evolving market, not yet a mature market, a lots-of-rebranding market. So thank you very much, John and Alex, for joining me today. Any final recommendations from one of you? What else could the audience look at?
I would say, if there was only one big takeaway from all of today's discussion: don't trust the label. XDR tools aren't all created the same. You have to look behind the label, you have to understand what it is exactly that the vendor is delivering and how difficult it would be to extend it in the future. I believe open XDR is the way, but maybe it will be called differently when you look at a specific product.
And I agree. I think we're in the early days, I think even the definition of XDR will change. I mean, if this convergent evolution takes three to five years to really happen, then there will probably be other kinds of functionality represented by new acronyms that haven't even been born yet that will get rolled into this. So stick with us, we'll continue to follow this, we'll update. And, you know, as definitions and capabilities change, we'll stay on top of it.
Great. Final words. Thank you very much, John. Thank you very much, Alex, for joining me today. Thank you. Goodbye. Bye-bye, see you soon.