10 things you should know about XDR

There was early chatter about XDR at the RSA Conference last February.  Since then, XDR has gained momentum and will likely become the hot term at next year’s event. 

Despite the energy, XDR is still in an early stage and fraught with hyperbole leading to confusion.  My wicked smart colleague Dave Gruber and I have spent hours on Zoom analyzing our data and debating the value and future of XDR.  Allow me to answer some of the your burning XDR questions (in no particular order).

What the heck is XDR anyway?

ESG defines XDR as an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection and response.  In other words, XDR unifies control points, security telemetry, analytics, and operations into one enterprise system. 

Which security technologies are included in XDR?

Here’s where it gets confusing as each vendor is going to skew XDR to the products they offer.  If you sell email security products/services, it’s likely going to be part of XDR.  If not, it won’t be part of XDR.  While vendors will offer different XDR bundles, ESG research indicates that large organizations really want XDR to include endpoint/server/cloud workload security, network security, coverage of the most common threat vectors (i.e., email/web), file detonation (i.e., sandboxing), threat intelligence, and analytics.  XDR vendors have also added basic security orchestration, automation and response (SOAR) capabilities. 

What are the benefits of XDR?

The promise here is that technology integration and advanced analytics will help organizations greatly accelerate threat detection and response — especially compared to the piecemeal tool-by-tool way they do things today.  XDR should also help detect low-and-slow campaigns and advanced persistent threats (APTs) where analytics can detect attack kill chains rather than discrete signals.  In this way, the XDR vision is to tightly couple security controls with security operations into an integrated solution.

Is there a market for XDR? 

Apparently so.  ESG research indicates that 84% of organizations are actively integrating security technologies so XDR can act as a turnkey security technology integration solution.  Furthermore, 80% of organizations would be willing to spend the majority of their security technology budget with a single enterprise-class security vendor.  XDR vendors will have to convince CISOs that they have the right integration and enterprise chops.  If they can do so, the research points to a goldmine opportunity. 

How will XDR be deployed?

This is the tricky part.  For XDR to succeed, organizations must buy into the vision and be willing to deploy XDR through phases as they replace point tools with XDR components.  CISOs will need to pick a starting point (e.g., endpoint security).  When their network traffic analysis (NTA) technology is fully amortized (or at the end of their subscription) they would then add the XDR component for NTA.  Same story for other control points like cloud workload security, email security, web security, etc.  In theory, XDR delivers incremental value with each additional component—the old 1 plus 1 is greater than 2 story.  Due to this phased approach, XDR vendors will have to convince CISOs that the long-term value of XDR is a superior alternative to any level of integration and value they can achieve by cobbling together best-of-breed tools on their own.

What types of organizations are best suited for XDR?

The most obvious sectors include mid-market companies and small enterprises that don’t have the staff or skills to roll their own integrated architecture.  Some industries come to mind as well:  Higher education, health care, state/local government, etc.  There will likely be regional differences in consumption as well.  This doesn’t mean that XDR won’t appeal to large enterprises, but the deployment path will be more difficult for organizations with a large distributed potpourri of security controls and operations technologies.  Enterprise CISOs will need more proof points and hand holding before jumping into the XDR pool. 

Will XDR compete with EDR and MDR offerings?  

In competitive deals with endpoint detection and response (EDR), XDR vendors will have to convince prospects that EDR is just a piece of a greater, fully integrated solution.  Why buy a cog when you can buy the whole machine?  As for managed detection and response (MDR), XDR vendors will likely compete with managed XDR services.  The pitch here is that customers can get the best technology and tailored managed services. 

Are XDR solutions proprietary?

Yes and no.  Every XDR vendor will try to convince customers to anchor their XDR security infrastructure with their components.  Nevertheless, the security industry is extremely heterogeneous, so XDR vendors will have to support some level of openness.  Support will include open source message bus integration, open APIs, partner ecosystems, industry standards, etc.  Some type of open source XDR solution may evolve a la the ELK stack, but I am unaware of anything like this today.

Will XDR compete with security operations technologies like security information and event management (SIEM), SOAR, and threat intelligence platform (TIP)?

That’s the vision, but none of the XDR solutions I’ve seen thus far have the scale or feature/functionality to play in a large enterprise security operations center (SOC) today.  That’s not to say that they won’t add scale and functionality in the future, but nothing is imminent at this point.  This means that XDR solutions must interoperate with SOC systems for the foreseeable future.  Vendors who can improve the efficacy and efficiency of the SOC with XDR will be most successful.  It’s worth noting that XDR may be a great fit for level 1 SOC analysts for “eyes on glass” security alert triage.  This will be especially true if XDR solutions can deliver on the promise of advanced analytics and simple ease-of-use. 

Which vendors are marketing/selling XDR solutions today?

The roster changes frequently, but my list includes Broadcom (Symantec) Cisco, FireEye, McAfee, Microsoft, Palo Alto Networks, Stellar Cyber, Trend Micro and VMware.  The EDR gang (CrowdStrike, Cybereason, SentinelOne, etc.) will also play over time, pivoting from the endpoint to other controls.  I’d also add Secureworks with its Red Cloak offering. 

Like I said upfront, these are just an initial set of questions. We are also digging into deeper technology and customer questions: Will the complexity of XDR deployment dampen market penetration?  Will XDR be subsumed into the SOC as user and entity behavior analytics (UEBA) was?  Ultimately, will XDR succeed and upend the security technology market? 

Stay tuned! Ol’ Dave Gruber and I will be following the market and answering these questions soon.