What is XDR (Extended Detection Response)?

XDR (Extended Detection Response) is defined by Gartner as “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

XDR is designed to improve detection and response capabilities and optimize SOC performance by providing a holistic view of threats across an organization’s entire technology stack. It brings data and insight to bear on detecting and responding to modern attacks by integrating security controls (endpoint, network), data and analytics, and SecOps workflows.

XDR fills a critical need for enterprise security teams, and experts expect adoption to keep rising as a way to counter the increasing frequency and sophistication of cyber-attacks.

  • 70% of security professionals say their organization is already formally investing in XDR or plans to do so within the next 6 months. (ESG Research, October 2020)
  • More than 80% of organizations are planning increased investments in threat detection and response technologies. (ESG, The Impact of XDR in the Modern SOC, November 2020)

What is driving adoption of XDR?

XDR’s combination of threat intelligence, automation and machine learning helps companies optimize SOC performance and strengthen their ability to find and address the worst of the worst threat actors. The growth in adoption of XDR is driven by its ability to help organizations address two critical security challenges:

1. Detecting and responding to threat actors that continuously change tactics and find new ways to bypass traditional controls. Emerging threats are increasingly sophisticated and stealthy, and have become harder for traditional SIEM systems to detect, which creates a greater need for multi-technology detection controls such as XDR.

2. Hiring experienced and knowledgeable security professionals amidst the widespread cyber security skills shortage, particularly in the area of threat hunting and investigative work.

Do companies need to replace existing SIEM systems and SOAR platforms with XDR?

Not all XDR systems are equal. While some single-stack XDR systems are designed to replace existing security solutions with a vendor’s own suite of products, hybrid or open XDR systems are vendor-agnostic and complement existing technologies. Combined with SIEM and SOAR solutions, hybrid XDR gives companies a more robust threat hunting, detection and response capability that performs at scale, helping them maximize their existing security investments.

For example, while SIEM systems and SOAR platforms require lengthy deployments, additional coding and programming by security engineers, and ongoing hands-on maintenance, XDR is typically SaaS-based, so deployment and ongoing management are simplified. Additionally, XDR automatically correlates real-time threat intelligence with security data, relieving engineers of hands-on programming. XDR integrates with third-party security tools and automates responses to every alert, ensuring no event goes undetected and arming security teams with actionable steps to take against malicious incidents.

What are the key elements to look for in an XDR solution?

There are several features to look for in an XDR solution to ensure it supports best-of-breed technologies, performs at scale and contributes to a powerful position of cyber defensiveness:

  • Controls-agnostic – integrates with multiple technologies and doesn’t require vendor lock-in
  • Machine-based correlation and detection capabilities – enables faster analysis of much larger data sets and reduces the number of false positives
  • Pre-built data models – integrates threat intelligence and automates detection and response without the need for software engineers to do programming or create rules
  • Integration with SIEMs, SOARs and case management tools – rather than requiring the replacement of such products, XDR allows companies to maximize the value of their investments
  • Integration with security validation – when XDR and security validation work together, enterprise security teams are continuously made aware of the effectiveness of their security stack, where weak points exist and what steps to take to remediate performance gaps
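The two ideas above that do the real work in an XDR engine, automatic correlation of threat intelligence with security data (from the SIEM/SOAR section) and machine-based correlation across controls that cuts false positives (the second bullet), are easiest to see in miniature. The following is an added illustration written for this page; it is not Mandiant Advantage code, nor any vendor's engine. It assumes a hypothetical event feed from an endpoint sensor (`edr`) and a network sensor (`ndr`), a constructed threat-intel lookup table, and constructed sample events; hostnames, hashes and the `203.0.113.45` address (RFC 5737 documentation range) are all made up. Events are grouped per host inside a time window, each event is enriched against the intel feed, and only clusters that are corroborated by more than one control or by an intel hit are escalated.

```python
"""Cross-control alert correlation in miniature (added example, not Mandiant's code).

Constructed data throughout: the intel feed, the hosts and the events are
invented for this illustration. The point is the shape of the pipeline:
ingest from several controls -> enrich with intel -> cluster per host in a
time window -> escalate only corroborated clusters.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed threat-intel feed: indicator value -> label. In a real XDR this
# would be refreshed continuously from a vendor or community feed.
THREAT_INTEL = {
    "203.0.113.45": "C2 address (constructed intel entry)",
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08":
        "malware hash (constructed intel entry)",
}


@dataclass
class Event:
    source: str        # which control produced it: "edr" or "ndr" (hypothetical names)
    host: str
    ts: datetime
    kind: str          # e.g. "process_start", "outbound_conn", "dns"
    detail: dict       # raw fields from the sensor


@dataclass
class Incident:
    host: str
    events: list = field(default_factory=list)
    intel_hits: list = field(default_factory=list)

    @property
    def sources(self) -> set:
        """Distinct controls that contributed evidence to this incident."""
        return {e.source for e in self.events}

    @property
    def severity(self) -> str:
        """Corroboration by a second control and/or intel raises severity;
        a single-source cluster with no intel hit stays 'low' and is not escalated."""
        corroborated = len(self.sources) >= 2
        if corroborated and self.intel_hits:
            return "high"
        if corroborated or self.intel_hits:
            return "medium"
        return "low"


def enrich(event: Event) -> list:
    """Match every indicator-like field in the event against the intel feed."""
    return [f"{k}={v}: {THREAT_INTEL[v]}"
            for k, v in event.detail.items() if v in THREAT_INTEL]


def correlate(events, window=timedelta(minutes=10)) -> list:
    """Cluster events per host; a gap longer than `window` starts a new incident."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        current = None
        for e in evs:
            if current is None or e.ts - current.events[-1].ts > window:
                current = Incident(host=host)
                incidents.append(current)
            current.events.append(e)
            current.intel_hits.extend(enrich(e))
    return incidents


def triage(incidents, min_severity="medium") -> list:
    """Return only incidents worth an analyst's time; the rest stay as low-priority context."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [i for i in incidents if order[i.severity] >= order[min_severity]]


# Constructed sample feed: ws-01 shows a flagged binary followed by a connection
# to a flagged address; ws-02 and ws-03 produce ordinary, uncorroborated noise.
T0 = datetime(2021, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    Event("edr", "ws-01", T0, "process_start",
          {"image": "C:\\Users\\a\\update.exe",
           "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}),
    Event("ndr", "ws-01", T0 + timedelta(seconds=45), "outbound_conn",
          {"dst_ip": "203.0.113.45", "dst_port": 443}),
    Event("ndr", "ws-02", T0 + timedelta(minutes=1), "dns",
          {"query": "updates.example.com"}),
    Event("edr", "ws-03", T0 + timedelta(minutes=2), "process_start",
          {"image": "C:\\Windows\\System32\\notepad.exe"}),
    Event("edr", "ws-03", T0 + timedelta(hours=2), "process_start",
          {"image": "C:\\Windows\\System32\\calc.exe"}),
]

if __name__ == "__main__":
    for inc in triage(correlate(SAMPLE_EVENTS)):
        print(inc.host, inc.severity, sorted(inc.sources), inc.intel_hits)
```

On the constructed feed, `correlate` produces four per-host clusters (ws-03 splits in two because its events are hours apart), and `triage` escalates only ws-01, where the endpoint and network controls corroborate each other and both indicators hit the intel feed. The single-source, intel-free clusters on ws-02 and ws-03 are exactly the kind of alert a correlation layer keeps off the analyst's queue.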

How is the Mandiant approach different from other XDR offerings?

Mandiant Advantage fulfills many of the investigation and triage capabilities that organizations seek from an XDR, but we do not provide security controls or a SIEM/Data Repository. We work with the solutions you already have to deliver outcomes and ensure that you get the full range of benefits of an XDR engine.