What is XDR?
Extended detection and response or XDR is a new approach to threat detection and response that provides holistic protection against cyberattacks, unauthorized access and misuse. Coined by Nir Zuk, Palo Alto Networks CTO, in 2018, XDR breaks down traditional security silos to deliver detection and response across all data sources.
According to analyst firm Gartner, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system.” The definition of XDR from Forrester Research is a bit more expansive: “The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.”
How Does XDR Work?
XDR solutions bring a proactive approach to threat detection and response. They deliver visibility across all data, including endpoint, network and cloud data, while applying analytics and automation to address today's increasingly sophisticated threats. With XDR, cybersecurity teams can:
- Identify hidden, stealthy and sophisticated threats proactively and quickly
- Track threats across any source or location within the organization
- Increase the productivity of the people operating the technology
- Get more out of their security investments
- Conclude investigations more efficiently
From a business perspective, XDR platforms enable organizations to prevent successful cyberattacks as well as simplify and strengthen security processes. This, in turn, lets them better serve users and accelerate digital transformation initiatives – because when users, data and applications are protected, companies can focus on strategic priorities.
- Block known and unknown attacks with endpoint protection: Block malware, exploits, and fileless attacks with integrated AI-driven antivirus and threat intelligence.
- Gain visibility across all your data: Collect and correlate data from any source to detect, triage, investigate, hunt, and respond to threats.
- Automatically detect sophisticated attacks 24/7: Use out-of-the-box analytics and custom rules to detect advanced persistent threats and other covert attacks.
- Avoid alert fatigue: Simplify investigations with automated root cause analysis and a unified incident engine, reducing the number of alerts your team needs to review and lowering the skill required for triage.
- Increase SOC productivity: Consolidate endpoint security policy management and monitoring, investigation, and response across your network, endpoint, and cloud environments in one console, increasing SOC efficiency.
- Root out adversaries without disrupting your users: Stop attacks while avoiding user or system downtime.
- Shut down advanced threats: Protect your network against insider abuse, external attacks, ransomware, fileless and memory-only attacks, and advanced zero-day malware.
- Force multiply your security team: Stop every stage of an attack by detecting indicators of compromise (IOCs) and anomalous behavior as well as prioritizing analysis with incident scoring.
- Restore hosts after a compromise: Quickly recover from an attack by removing malicious files and registry keys, as well as restoring damaged files and registry keys using remediation suggestions.
- Extend detection and response to third-party data sources: Enable behavioral analytics on logs collected from third-party firewalls while integrating third-party alerts into a unified incident view and root cause analysis for faster investigations.
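The cross-source correlation these bullets describe (collect from any source, apply analytics, fold third-party firewall logs and identity events into one incident with a single root cause) is easiest to see in code. The block below is an added example and is not Palo Alto Networks or Cortex XDR code: it normalises three differently formatted feeds into one event schema, stitches events that share a host or a user inside a time window into one incident, and scores each incident by how many independent sources corroborate it. Every log line, field name, the IP-to-hostname map, the 30-minute window and the scoring weights are constructed assumptions, not any product's real schema.

```python
"""Added example of cross-source (XDR-style) correlation; all telemetry,
field names, IP-to-host mapping and weights are constructed assumptions."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str            # "endpoint", "firewall" or "identity"
    host: Optional[str]    # entity keys used for the join; None if unknown
    user: Optional[str]
    detail: str


def parse_endpoint(line: str) -> Event:
    """Endpoint agent line: JSON with ts/host/user/process/cmdline (assumed format)."""
    d = json.loads(line)
    return Event(datetime.fromisoformat(d["ts"]), "endpoint", d["host"],
                 d["user"], f'{d["process"]} -> {d["cmdline"]}')


_FW = re.compile(r"^(?P<ts>\S+) FW src=(?P<src>\S+) dst=(?P<dst>\S+) "
                 r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")


def parse_firewall(line: str, ip_to_host: dict) -> Event:
    """Firewall line: key=value text (assumed format). The source IP is mapped to
    a hostname so it can be joined with endpoint data; unmapped IPs stay None."""
    m = _FW.match(line)
    if m is None:
        raise ValueError(f"unparseable firewall line: {line!r}")
    return Event(datetime.fromisoformat(m["ts"]), "firewall",
                 ip_to_host.get(m["src"]), None,
                 f'{m["action"]} {m["src"]}->{m["dst"]}:{m["dport"]}')


def parse_identity(line: str) -> Event:
    """Identity provider line: ts,user,result,country (assumed CSV format)."""
    ts, user, result, country = line.split(",")
    return Event(datetime.fromisoformat(ts), "identity", None, user,
                 f"logon {result} from {country}")


WINDOW = timedelta(minutes=30)   # assumed: events further apart are not stitched


def correlate(events):
    """Union-find stitching: two events that share a host or a user and fall
    within WINDOW of each other belong to the same incident. An endpoint event
    carries both host and user, so it transitively links a host-only firewall
    event with a user-only identity event."""
    events = sorted(events, key=lambda e: e.ts)
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    by_entity = defaultdict(list)       # ("host", "ws-17") -> [event indexes]
    for i, e in enumerate(events):
        for key in (("host", e.host), ("user", e.user)):
            if key[1] is not None:
                by_entity[key].append(i)
    for idxs in by_entity.values():     # idxs are already time-ordered
        for a, b in zip(idxs, idxs[1:]):
            if events[b].ts - events[a].ts <= WINDOW:
                parent[find(a)] = find(b)

    groups = defaultdict(list)
    for i, e in enumerate(events):
        groups[find(i)].append(e)
    incidents = []
    for evs in groups.values():
        sources = {e.source for e in evs}
        incidents.append({
            "hosts": {e.host for e in evs if e.host},
            "users": {e.user for e in evs if e.user},
            "sources": sources,
            "events": evs,
            # independent corroborating silos weigh far more than raw volume
            "score": 10 * len(sources) + len(evs),
        })
    incidents.sort(key=lambda inc: inc["score"], reverse=True)
    return incidents


# Constructed telemetry: one host/user chain that only looks bad once the three
# silos are joined, plus two unrelated low-signal events that stay separate.
IP_TO_HOST = {"10.0.5.17": "ws-17", "10.0.5.22": "ws-22"}
ENDPOINT_LOGS = [
    '{"ts": "2024-03-01T10:00:00", "host": "ws-17", "user": "alice", '
    '"process": "WINWORD.EXE", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}',
    '{"ts": "2024-03-01T11:00:00", "host": "ws-22", "user": "bob", '
    '"process": "explorer.exe", "cmdline": "notepad.exe"}',
]
FIREWALL_LOGS = [
    "2024-03-01T10:02:10 FW src=10.0.5.17 dst=203.0.113.7 dport=443 action=allow",
    "2024-03-01T12:00:00 FW src=10.0.5.22 dst=198.51.100.9 dport=443 action=allow",
]
IDENTITY_LOGS = ["2024-03-01T10:05:00,alice,success,RO"]


def build_incidents():
    events = ([parse_endpoint(l) for l in ENDPOINT_LOGS]
              + [parse_firewall(l, IP_TO_HOST) for l in FIREWALL_LOGS]
              + [parse_identity(l) for l in IDENTITY_LOGS])
    return correlate(events)


if __name__ == "__main__":
    for inc in build_incidents():
        print(f'score={inc["score"]:>2} sources={sorted(inc["sources"])} '
              f'hosts={sorted(inc["hosts"])} users={sorted(inc["users"])}')
        for e in inc["events"]:
            print(f"   {e.ts.isoformat()} [{e.source}] {e.detail}")
```

Run stand-alone, the script yields three incidents: the Word-spawns-PowerShell event, the outbound 443 connection from the same host two minutes later and the user's logon from a new country five minutes after that collapse into one incident scored 33, while the two benign ws-22 events (more than 30 minutes apart) stay as separate single-source incidents scored 11. Seen from any one silo the ws-17 chain is a low-confidence alert; it is the join across silos that raises it to the top of the queue, which is the point the bullets above make about alert fatigue and unified incident views.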
How does XDR compare to EDR or MDR?
XDR security is an alternative to traditional reactive approaches that each provide visibility into only one layer of an attack, such as endpoint detection and response (EDR), network detection and response (NDR), user behavior analytics (UBA) and security information and event management (SIEM). Layered visibility provides important information, but it can also lead to problems, including:
- Too many alerts that are inaccurate and incomplete. EDR solutions only detect 26 percent of initial attack vectors [1], and because of the high volume of security alerts, 54 percent of security professionals ignore alerts that should be investigated [2].
- Time-consuming, complex investigations that require specialized expertise. With EDR, the mean time to identify a breach has risen to 197 days, and the mean time to contain a breach to 69 days [3].
- Technology-focused tools rather than user- or business-focused protection. EDR focuses on technology gaps rather than the operational needs of users and organizations. With more than 40 tools in use in an average security operations center [4], 23 percent of security teams spend time maintaining and managing security tools rather than performing security investigations [5].
What is EDR Security?
Endpoint detection and response (EDR) refers to a category of tools used to find and investigate threats on endpoint devices. EDR tools typically provide detection, analysis, investigation and response capabilities. Compared with EDR, XDR takes a wider view, integrating data from endpoint, cloud, identity and other sources.
EDR products monitor the events generated by endpoint agents to look for suspicious activity, and the alerts they raise help SecOps analysts identify, investigate and remediate issues. They also collect telemetry on suspicious activity and may enrich it with context from correlated events. However, they lack key capabilities, and that gap slows down incident response: EDR solutions do not offer integrations with other tools and data sources for full visibility, so they cannot provide holistic protection.
What is MDR?
Managed detection and response (MDR) services offer dedicated personnel and technology to improve the effectiveness of security operations in threat identification, investigations and response. These services complement traditional managed security services that focus on broad security alert management and triage.
While various definitions exist, MDR services generally provide the following value:
- Resource augmentation aids SecOps teams in tasks that require specialist skill sets, such as threat hunting, forensic investigations and incident response.
- Increased security maturity provides a mature approach to threat management that is proactive and available 24/7, year-round, paving the way for transformation across other aspects of security operations.
- Faster time to value delivers a curated technology stack, security experts and operational best practices, so that effective detection and response is reached in days, not years.
- Reduced mean time to detect (MTTD) and mean time to respond (MTTR) guarantee faster detection of and response to advanced threats inside a fixed, time-based service level agreement (SLA).
Cortex XDR | Our XDR Product
Cortex XDR is the world’s first extended detection and response platform that natively integrates network, endpoint, cloud and third-party data to stop modern attacks. It unifies prevention, detection, investigation, and response in one platform for unrivaled security and operational efficiency. Cortex XDR accurately detects threats with behavioral analytics and reveals the root cause to speed up investigations.
Tight integration with enforcement points accelerates containment, enabling you to stop attacks before the damage is done. Combined with our Managed Threat Hunting service, our XDR solution gives you round-the-clock protection and industry-leading coverage of MITRE ATT&CK techniques.
For more information on XDR, download one of our resources:
The Essential Guide to XDR eBook
Cortex XDR Customer Success Datasheet
At a Glance: Cortex XDR for the US Government