While not at quite the same fever pitch as ‘Zero Trust’ or ‘SASE’ (Secure Access Service Edge), the cybersecurity industry conversation around extended detection and response (XDR) has been intense.
When discussing XDR with the many stakeholders in the industry – end-user organizations, vendors, service providers, investment professionals and more – we notice the discussion often turning to the nuances of telemetry sources and analytics, but here’s a thought: are we missing a critical element?
Telemetry sources are essential, of course. We argue that being able to handle endpoint telemetry – usually extracted from endpoint detection-and-response (EDR) products or native capabilities – is all but mandatory for any XDR offering. To us, this doesn’t mean XDR is the ‘evolution’ of EDR in terms of products, just that endpoint support is a critical component of XDR.
Other sources matter – a lot: XDR needs to be able to ingest and understand network telemetry, threat intelligence, email activity, and user identity and activity insights. Vulnerability management can help with contextualization and prioritization. Depending on the remit of the security team, cloud security telemetry should be there too, and more. Sources abound. Vendors whose pedigree is in telemetry sources usually emphasize how XDR is the natural evolution of their existing offerings.
Analytics capabilities then come into play. These generally include taking the telemetry from multiple sources, smartly enriching them where applicable with the kind of contextual information that makes sense (WHOIS records, registrars, IP/domain/file reputation, etc.), then applying different techniques including:
- behavioral modeling
- content rules
- statistical analysis
- the ever-present ‘machine learning’ magic
The result is that XDR analytics helps security teams better contextualize the information they’re receiving, often aggregating multiple instances of separate signals into a cohesive story and then expediting response. Vendors whose pedigree is in analytics will quickly highlight how their existing analytics products already do this.
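To make the enrich-then-correlate pipeline described above concrete, here is an added example (not code from the original post or from any XDR vendor). It takes constructed endpoint, network and identity events, enriches the network event with a stand-in domain-reputation table, applies a few content rules to turn raw events into named signals, and then groups signals that share a host/user pair within a time window into a single scored incident. All field names, rule names, weights and sample values are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources (endpoint, network, identity).
# Field names and values are assumptions for illustration, not any vendor's schema.
EVENTS = [
    {"source": "edr", "ts": "2024-03-01T10:00:05", "host": "wks-17", "user": "alice",
     "detail": "powershell.exe spawned by winword.exe"},
    {"source": "network", "ts": "2024-03-01T10:00:40", "host": "wks-17", "user": "alice",
     "dst_domain": "update-cdn.example", "detail": "outbound HTTPS"},
    {"source": "identity", "ts": "2024-03-01T10:02:10", "host": "wks-17", "user": "alice",
     "detail": "new MFA device registered"},
    {"source": "network", "ts": "2024-03-01T13:30:00", "host": "srv-02", "user": "svc-backup",
     "dst_domain": "backup.example", "detail": "outbound HTTPS"},
]

# Constructed enrichment table standing in for a domain-reputation feed.
DOMAIN_REPUTATION = {
    "update-cdn.example": {"verdict": "suspicious", "registered_days_ago": 3},
    "backup.example": {"verdict": "benign", "registered_days_ago": 2900},
}

# Content rules: how much each named signal raises the incident score (assumed weights).
SIGNAL_WEIGHTS = {
    "office spawn shell": 40,
    "suspicious domain": 30,
    "mfa device added": 20,
}


@dataclass
class Incident:
    key: str                      # host/user pair the signals are tied to
    start: datetime
    end: datetime
    signals: list = field(default_factory=list)
    score: int = 0


def enrich(event):
    """Attach contextual data (here: domain reputation) to a raw event."""
    out = dict(event)
    domain = event.get("dst_domain")
    if domain:
        out["reputation"] = DOMAIN_REPUTATION.get(domain, {"verdict": "unknown"})
    return out


def classify(event):
    """Map an enriched event to a named signal, or None if it is uninteresting."""
    d = event["detail"]
    if event["source"] == "edr" and "winword.exe" in d and "powershell.exe" in d:
        return "office spawn shell"
    if event["source"] == "network" and event.get("reputation", {}).get("verdict") == "suspicious":
        return "suspicious domain"
    if event["source"] == "identity" and "MFA device" in d:
        return "mfa device added"
    return None


def correlate(events, window=timedelta(minutes=15)):
    """Group signals from different sources on the same host/user within a time window.

    Events are processed in time order; a signal joins the open incident for its
    host/user key if it falls within `window` of that incident's last signal,
    otherwise a new incident is opened for that key.
    """
    incidents = []
    open_by_key = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ev = enrich(ev)
        sig = classify(ev)
        if sig is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = f"{ev['host']}/{ev['user']}"
        inc = open_by_key.get(key)
        if inc is None or ts - inc.end > window:
            inc = Incident(key=key, start=ts, end=ts)
            incidents.append(inc)
            open_by_key[key] = inc
        inc.end = ts
        inc.signals.append((ev["source"], sig))
        inc.score += SIGNAL_WEIGHTS[sig]
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"{inc.key}: score={inc.score} window={inc.start}..{inc.end}")
        for source, sig in inc.signals:
            print(f"  [{source}] {sig}")
```

Run as written, the three wks-17/alice events collapse into one incident carrying signals from all three sources, while the benign srv-02 traffic produces nothing. The design choice worth noting is that enrichment happens before classification: the network rule keys off the reputation verdict rather than the raw domain, which is what lets a single rule stay useful as the feed behind it changes.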
The Missing Piece
If there is a unifying idea behind XDR, it is that supporting multiple sources, performing analytics, then addressing response should be easier, and that XDR is but a means to an end. Much like the famed statement from Theodore Levitt – “People don’t want to buy a quarter-inch drill. They want a quarter-inch hole!” – XDR is about quickly and efficiently enabling a security team to better resolve security incidents.
With that in mind, we propose that what both camps (telemetry-centric vendors and analytics-centric vendors) may have been missing in their discussions is a greater focus on security operations user experience.
Telemetry-centric vendors usually have a deep understanding of how security teams use their products, but often face a gap in thinking about broader incident response with additional telemetry sources, particularly from competitors.
Analytics vendors can handle multiple sources but have often optimized ingestion and query support without being ‘opinionated’ about security workflows.
As you assess your options around XDR, consider those that do more than expand an existing installed base or offer unbounded flexibility in parsing and querying sources: look for offerings that can also guide users along more opinionated paths through security operations.
XDR may not be what every user needs – for some even that may be too much; for others, XDR may be too little – but for those for whom XDR is a fit, we suspect a focus on guided user experience will be key.