Extended detection and response (XDR) was coined by Nir Zuk at Palo Alto Networks in 2018 to address challenges in siloed approaches to data analysis for security. Previous approaches focused on a single type of device or area, such as endpoint, network, or user behavior, thereby missing context and indicators from other areas that could have identified risk.
XDR analyzes all these focus areas, bringing them into a holistic platform that can understand all the data involved in an event. Then it provides tracking and remediation steps across the entire environment to help the security operations center (SOC) respond to malicious or risky events.
What Is XDR?
Enterprises often raise challenges around visibility and difficulty understanding which security events in their environments are significant. Palo Alto Networks realized there was a gap between the focused, siloed products vendors release and the broad coverage of a unified platform enterprises need. XDR was designed to bridge this gap by connecting information from all sides of an enterprise IT infrastructure.
It is exceptionally important to include a machine learning engine to analyze this massive increase in raw data. Machine learning verifies that only significant events would be brought to an analyst’s attention so that they are not drowned in unactionable or irrelevant alerts.
The “X” in XDR is key to this philosophy of extending detection and response to any and every IT operation. To demonstrate this, Palo Alto Networks created a vision map of how XDR came about and where it is expected to grow in the future.
How Is XDR Important in Cybersecurity?
Moving from segregated datasets for endpoints, networks, and threats into a single platform that aggregates these and other areas creates a fundamental shift in how enterprises can understand their entire security operations and IT landscape. Having a single view for everything reduces missed significant events, false positives, false negatives, skill barriers, and manual aggregation and reporting. Analyzing these combined data sets with machine learning has already transformed how businesses can handle the shift in cybercrime — from individual “hacktivists” to cybercrime businesses to nation-state level operators — and the increasingly complex attacks expected from this evolution.
How Has the Market Responded to XDR?
Many vendors are begrudgingly adopting the term XDR while trying as hard as they can to pass off their endpoint detection and response (EDR), network detection and response (NDR), or network traffic analysis (NTA) products as XDR. Multiple vendors have redesigned their user interface to present all the information as a “unified single source” without changing the underlying application to ingest data from all sources; they’re merely showing their siloed data streams in one view.
There has also been a rise in new players who are focused on gaining in-depth visibility but do not have coverage across all the different types of equipment that make up an IT infrastructure. This leaves holes in the information they can present.
Finally, and most egregiously, other vendors are releasing products without automation through machine learning. This leaves businesses with a deluge of alerts that cannot be given proper attention or incomplete data that prevents analysts from understanding the full chain of events that led to an incident.
What to Look For When Adopting XDR
The concept of XDR focuses on two main topics that must be fundamentally intertwined:
- All data streams need to be brought together and correlated into a single understanding of an event.
- There must be a system to automatically determine the severity of an event and whether the incident needs further investigation by an analyst.
Neither of these can be lacking, and they must work in tandem for a business to achieve success in today’s cybersecurity defense programs. Learn more about how Palo Alto Networks approaches endpoint security.
About the Author
Zachary Malone is a Systems Engineering manager at Palo Alto Networks’ SE Academy. With more than a decade of experience, Zachary is a seasoned security engineer specializing in cyber security, compliance, networking, firewalls, IoT, NGFW, system deployment and orchestration.
