Ask any Frenchman and they’ll tell you that Champagne Only Comes From Champagne. Everything else is just sparkling wine. In cybersecurity, unfortunately, we don’t have nearly as much clarity on our definitions.
Case in point is XDR, possibly the hottest category in cyber. Vendors across the industry are adopting the XDR label, with Barracuda being the latest shop announcing that they’ve entered the XDR market via acquisition. So what is XDR?
The Current Jumble of Definitions
Oliver Rochford from Securonix recently pointed out that there are multiple definitions for eXtended Detection and Response floating around. Many are conflicting, causing confusion with buyers and eye-rolling with practitioners. Here’s the list that Rochford put together:
The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.
XDR is a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.
Extended detection and response (XDR) is cross-layered detection and response. XDR collects and automatically correlates data across multiple security layers — email, endpoint, server, cloud workloads, and network — so threats are detected faster and security analysts improve investigation and response times.
Extended detection and response (XDR) delivers visibility into data across networks, clouds, endpoints, and applications while applying analytics and automation to detect, analyse, hunt, and remediate today’s and tomorrow’s threats.
What’s not clear from these definitions is how XDR differs from Security Information and Event Management (SIEM). Remember that SIEM has supported threat detection and response across security sources for decades. The grandpappy of SIEM solutions, ArcSight, calls out the following benefits:
- Monitor threats from across your enterprise
- Reduce exposure with faster threat detection
- Automated response saves your analysts’ time
- Maximize the ROI of your existing tools
Sounds familiar? If XDR is just a rebranding of SIEM, it’s bound to fail the same way SIEM failed. The cybersecurity status quo is so bad we have the President of the United States issuing emergency orders- never a good sign.
XDR was born out of frustration with the prevalent approach to threat detection and response (with SIEM at its core) so let’s not miss this opportunity for meaningful change.
The Shortest Definition
The best category definitions are succinct and memorable. Champagne Only Comes From Champagne. For XDR, security practitioners should insist on a meaning that is intrinsic rather than incremental. Any definition based on “faster” detections or “tomorrow’s threats” should be tossed out as marketing fluff. Automatic correlation across everything? No way, in real life it takes dedicated effort to develop detections across new solutions and environments. We must insist on a definition that is clear and positions teams for success.
In that spirit, I’d like to propose the following definition. If nothing else, it qualifies as the world’s shortest definition of eXtended Detection and Response.
An XDR solution provides modular detection and response capabilities that can run on the customer’s data platform of choice.
Fewer than 20 words and minimal buzz.
Why This Definition Matters
Having removed subjective terms like “better scalability” and “improved response times”, this definition goes to the heart of the category’s opportunity. To fix threat detection and response, solutions must separate the security-specific elements (which cybersecurity vendors do well) from the data platform elements.
Big data is a hard problem. That’s why billions are being spent in fierce competition between Snowflake, Google BigQuery, Databricks, Oracle and others. It’s highly unlikely that Trend Micro (with all due respect) is going to develop a better data platform within its XDR product than the Microsoft engineers working on Azure Synapse.
This definition is important because it pushes vendors to focus on added value beyond broad visibility and correlation. With the underlying data platform handling “event management” at scale, XDR vendors will have to deliver better detections, less noise, more automation, and whatever else is going to set them apart from the pack.
Modular threat detection and incident response is what makes Open XDR solutions the “real” XDR and not rebranded SIEM. The economics of cloud data platforms, and their existing role as the home of business data (much of it potentially relevant to security) makes this model inevitable. Let’s define this new category accordingly.