Defining XDR’s Role in the Security Stack
By Steve Garrison, VP Marketing, Stellar Cyber
XDR and Open XDR are two of the latest buzzwords in the cybersecurity tools market, but there are many definitions of XDR and several approaches to delivering it. Let’s clear the air a little.
In general, cybersecurity products use preventive physical and software measures to protect the network and its assets from unauthorized access, modification, destruction, and misuse. These products typically protect specific assets on the network:
- Firewalls: prevent unauthorized users from accessing the network by allowing or denying traffic.
- Anti-Virus/Malware software: protects network endpoints and servers from becoming infected by damaging software that can corrupt files, export sensitive data, or perform other malicious activities.
- Application Security: systems look for vulnerabilities in application software and block attempts to exploit them.
- Network Access Control: systems manage access permissions for authorized users and devices, preventing unauthorized users from gaining access.
- User Behavior Analytics: solutions monitor user activity, baseline normal behavior, and alert on activities that deviate from normal activity.
- Network Traffic Analysis: Network Detection and Response (NTA/NDR) products analyze network traffic, look for abnormal patterns that can indicate attacks, and act based on the results. Network traffic does not lie and contains strategic data for threat detection.
- Cloud Security: solutions protect resources in the cloud.
- Intrusion Prevention Systems (IPS): monitor for and block attacks from outside users or processes that get past the firewall.
- Security Information and Event Management (SIEM): SIEM products collect data from device logs across the network and can monitor it for anomalies. Traffic-based NTA/NDR products complement SIEMs by analyzing network traffic and acting on the results; in fact, NTA/NDR is critical to extending visibility beyond logs.
As you can see, there’s a lot to protect in a network, and a lot of approaches to protecting it. But rather than having a dozen or more point solutions (each with its own interface console) to manage, wouldn’t it be easier, faster, and more efficient to have just one? That’s where XDR / Open XDR comes in.
Definitions of XDR
Initial definitions of XDR – eXtended or Everything Detection and Response – envisioned it as a single platform that unifies detection and response across the entire security kill chain. The idea is that instead of manning a dozen or more separate security consoles to monitor and protect the network, XDR unifies the telemetry from those tools and presents it in a single dashboard. The more advanced products not only unify the data, but also correlate and analyze it automatically to present a prioritized list of threats with recommendations about how to neutralize them.
So how does the market define XDR, specifically? That depends on who you ask. According to Rik Turner, a lead analyst at Omdia who coined the XDR acronym, XDR is “a single, stand-alone solution that offers integrated threat detection and response capabilities.” To meet Omdia’s criteria to be classified as a “comprehensive” XDR solution, a product must offer threat detection and response functionality across endpoints, networks, and cloud computing environments.
Gartner’s definition is similar in that it points to features such as alert and incident correlation, built-in automation, multiple streams of telemetry, multiple forms of detections (built-in detections), and multiple methods of response. However, Gartner requires XDR to be achieved through consolidating multiple proprietary, vendor-specific security products.
Forrester’s definition of XDR requires the platform to be anchored around an EDR. It defines Native XDR as EDR integrating with a vendor’s own security tools; Hybrid XDR as EDR integrating with third-party security tools; a SAP (Security Analytics Platform) as a platform without built-in EDR, but with built-in NAV and SOAR with third-party integrations; and SSA (Standalone Security Analytics) as those platforms that rely solely on third-party tools for telemetry sources and responses.
Open XDR
Open XDR was initially created by Stellar Cyber with the same features Gartner mentions, except that not all the security products/components have to be from the same vendor. Instead, the platform is open and integrates with third-party security tools. Some components are built-in, and others are added through deep third-party integrations.
The Open XDR moniker was later picked up by vendors who purely rely on a wide ecosystem of third-party tools for telemetry sources and response, but who don’t offer any built-in components.
How Open XDR Helps
Open XDR addresses a key reality in organizational cybersecurity infrastructures, which is that companies have already invested heavily in security tools, and they don’t want to have to abandon those investments to adopt XDR. Rather, Open XDR allows companies to leverage these existing investments while making them more valuable by automatically correlating their data with data from other tools and sensors.
In addition, the more advanced Open XDR platforms leverage AI and machine learning to cut down on analysts’ “alert fatigue.” Instead of managing thousands of alerts from a dozen or more tools, XDR combines related alerts into higher-level incidents and automatically dismisses many alerts based on what it “learns” to be normal behavior in any given environment.
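As an added illustration (not code from the original article or from Stellar Cyber’s product), here is a minimal version of the correlation step described above: alerts from several tools are grouped per host into incidents within a time window, (host, signature) pairs from a learned baseline are suppressed, and incidents rank higher when independent sources agree. The tool names, hosts, signatures and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample alerts as an XDR platform might ingest them from an
# EDR agent, an NDR sensor and a SIEM (hypothetical hosts and signatures).
ALERTS = [
    {"ts": "2024-03-01T09:00:05", "src": "EDR",  "host": "ws-42", "sig": "powershell_encoded_cmd", "sev": 5},
    {"ts": "2024-03-01T09:01:10", "src": "NDR",  "host": "ws-42", "sig": "beacon_periodic_dns",    "sev": 6},
    {"ts": "2024-03-01T09:02:30", "src": "SIEM", "host": "ws-42", "sig": "new_local_admin",        "sev": 7},
    {"ts": "2024-03-01T09:03:00", "src": "EDR",  "host": "ws-07", "sig": "backup_agent_scan",      "sev": 3},
    {"ts": "2024-03-01T13:30:00", "src": "NDR",  "host": "ws-42", "sig": "beacon_periodic_dns",    "sev": 6},
]

# (host, signature) pairs the platform has "learned" are routine here,
# e.g. a nightly backup agent that always trips the same EDR rule.
BASELINE = {("ws-07", "backup_agent_scan")}


def correlate(alerts, baseline, window=timedelta(minutes=15)):
    """Fold alerts into per-host incidents: an alert joins the host's open
    incident if it arrives within `window` of that incident's last alert,
    otherwise it starts a new one. Baselined pairs are dropped outright."""
    incidents = []
    open_by_host = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if (a["host"], a["sig"]) in baseline:
            continue  # auto-dismissed as normal behaviour for this host
        t = datetime.fromisoformat(a["ts"])
        inc = open_by_host.get(a["host"])
        if inc is None or t - inc["last"] > window:
            inc = {"host": a["host"], "first": t, "last": t,
                   "alerts": [], "sources": set(), "score": 0}
            incidents.append(inc)
            open_by_host[a["host"]] = inc
        inc["alerts"].append(a)
        inc["sources"].add(a["src"])
        inc["last"] = t
        # Priority: summed severity, multiplied by how many independent
        # telemetry sources corroborate the same host in the same window.
        inc["score"] = sum(x["sev"] for x in inc["alerts"]) * len(inc["sources"])
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate(ALERTS, BASELINE):
        print(inc["host"], inc["score"], sorted(inc["sources"]),
              [a["sig"] for a in inc["alerts"]])
```

With the sample data, five alerts collapse to two incidents: the three corroborated ws-42 alerts become one high-priority incident, the lone afternoon beacon a low one, and the baselined ws-07 alert never reaches the analyst.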
Given the rising tide of cybersecurity attacks affecting every type of organization, combined with a global shortage of cybersecurity analysts and high analyst turnover rates and burnout, any solution that improves protection along with analyst productivity is welcome indeed. That’s the real promise of XDR.
About the Author
Steve can be reached online at [email protected] and at our company website http://stellarcyber.ai.