Skip navigation
Locks lined up with one unlocked Getty Images

What Is — and Who Needs — Extended Detection and Response?

Does your business need XDR? Here's a look at when it's beneficial to implement XDR instead of EDR or SIEM.

Extended detection and response, or XDR, is one of the newest buzzwords in the cybersecurity realm. But does it actually represent something new? Or is it just a novel term for something that businesses have been doing for a while?

Those questions are up for debate. Let's explore them by examining the meaning of XDR, how it's similar to and different from other practices (like EDR), and why businesses may or may not choose to jump on the XDR bandwagon to enhance their cybersecurity strategies.

What Is Extended Detection and Response?

Extended detection and response is a type of cybersecurity solution designed to detect and remediate threats at all layers and across all components of a business's IT estate.

Thus, rather than focusing on just one type of IT resource (like cloud services) or one layer of the hosting stack (like servers), XDR aims to provide holistic, comprehensive threat detection and response.

How Does Extended Detection and Response Work?

To do this, XDR tools collect, correlate, and analyze data from across all IT resources and services that a business manages or uses. Based on this information, XDR solutions can detect threats no matter where they originate. They can also analyze the severity of the threat and determine which resources it places at risk.

The ability to correlate data is a critical component of extended detection and response. XDR is not just about finding threats in individual resources and then compiling a central list of which resources are at risk. Instead, by comparing threat data from multiple resources, XDR makes it possible to determine where threats originated, how they spread (and may be continuing to spread), and how to remediate the root cause of a security issue.

What Are the Benefits of Extended Detection and Response?

XDR solutions offer two main benefits:

  • Centralization: XDR tools centralize security data within a single platform or set of dashboards. Instead of having to juggle different security tools for different types of resources, security teams can manage everything through their XDR solution.
  • Broad visibility: By correlating and comparing security data from across the entire IT estate, XDR solutions provide broad visibility into where threats exist and how they impact the overall IT assets of the business. It would be much harder to achieve this holistic visibility if you use different tools to secure different types of resources.

XDR vs. EDR and SIEM

The term "XDR" was coined in 2018 by a cybersecurity vendor in an effort to differentiate the latest breed of cybersecurity platforms from an older generation.

The older generation of tools was known as endpoint detection and response, or EDR, tools. As the term implies, EDR tools focus on securing endpoints — meaning individual servers, PCs, or other resources that operate on the network as distinct entities.

A limitation of EDR is that it's hard to extend endpoint-centric cybersecurity tools to protect cloud services, scale-out data storage, and other resources that aren't endpoints. XDR solutions aim to solve this challenge by making it possible to secure all types of assets using a single platform.

XDR is similar in some ways to Security Incident Event Management, or SIEM, platforms. SIEM solutions also collect security data from across the enterprise in order to detect threats across any part of the IT estate.

However, proponents of the XDR concept argue that XDR goes beyond SIEM because XDR does more than just detect threats. It also provides advanced threat intelligence and analysis to help teams form response plans.

To be fair, some SIEM tools also provide more than just threat detection, and some platforms billed as EDR solutions can secure more than just endpoints. For these reasons, the line separating XDR from EDR or SIEM is an ambiguous one. Critics could argue — with some reason — that XDR is just a fancy new buzzword that cybersecurity vendors are slapping on end-to-end security platforms that they would have been calling SIEM or EDR solutions until a few years ago.

On the other hand, a lot has changed over the past few years in terms of what businesses need to secure. Widespread adoption not just of the cloud, but of multicloud architectures, has increased the importance of having as broad a view into cyberthreats as possible. At the same time, the ever-increasing complexity and scale of cyberthreats has made it hard for older solutions to keep up. Arguably, XDR prepares businesses for that.

Do You Need Extended Detection and Response?

So, does your business need XDR?

The answer depends in part on how comprehensive and centralized your security tooling is today. If your security analysts are constantly context-switching between different tools and dashboards, XDR may be able to improve outcomes. On the other hand, if your security operations are already efficient and provide holistic visibility, you may not stand to benefit much from XDR.

The answer also depends on what type of infrastructure you have to secure. If you still rely mostly on conventional servers to host your workloads, traditional EDR may be enough to secure those endpoints. But if you make heavy use of cloud services, XDR could bring value, especially if those services span multiple clouds.

About the author

Christopher Tozzi headshotChristopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish