XDR – Do I really need this?

Is XDR (Extended Detection and Response) over-rated? Is it just marketing hype? Do you need it? Not everybody does. You’ve probably heard a lot about Endpoint Protection and Endpoint Detection and Response lately. Now the conversation has moved on to Extended Detection and Response, and even Managed Threat Response. We’re going to try to clear up a little of the confusion, and see whether one of them might be a good option for you. Okay, what’s an endpoint?

Fair question. An endpoint is any device that connects to your network.

Endpoint Protection

Endpoint protection refers to protecting internet-connected devices such as PCs, workstations, servers and smartphones from cyber threats. Endpoints are exposed to a wide range of attacks, so an endpoint protection product is an integrated security agent that detects and blocks threats at the device level. Typically this includes antivirus, anti-malware, data encryption, a host firewall, intrusion prevention and data loss prevention. Traditional endpoint protection is inherently preventative: it blocks what it recognizes, and is otherwise passive.

Endpoint Detection and Response (EDR) certainly has elements of next-gen antivirus, but it offers additional capabilities as well. For example, you can expect real-time anomaly detection and alerting, forensic analysis, and endpoint remediation capabilities such as isolating a compromised machine from the network.

The benefits of proactively searching an organization’s environment for hidden threats, and shutting them down before they cause damage and disruption, are easy to see. For example, it greatly reduces mean time to respond. It is a lot easier to defend your organization when you are constantly uncovering security events and highlighting gaps in threat visibility and coverage.

So what is XDR?

Extended Detection and Response is a natural step in the evolution of EDR (Endpoint Detection and Response), or of SIEM, depending on which side you approach it from. Think of it as an approach that unifies telemetry from multiple security products and then automates and accelerates threat detection, investigation, and response in ways that isolated point solutions cannot. Corporate Armor has several partners that can implement this capability; Sophos, for example, teams firewalls like the XGS 116 and XGS 126 with Intercept X/EDR.

XDR takes a much broader approach than EDR. It provides visibility across all of an organization’s endpoints, the network, and the cloud; correlates the collected data into a single picture; acts on confirmed threats; and sends unified alerts and action items to security analysts. In other words, it’s holistic.
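To make the “unify, correlate, act” idea concrete, here is an added example, not code from this page or from Sophos or Fortinet: a toy correlator in the spirit of what an XDR platform does under the hood. It normalizes events from three constructed sources (an EDR agent, a firewall log and a cloud audit log) into one schema, joins them on hostname within a time window, and raises a single incident with a recommended action only when more than one source agrees. The hostnames, addresses, ports and user names are all made up for the example.

```python
"""Toy cross-telemetry correlator illustrating the XDR idea.

Three products emit events in three different shapes. We normalize them,
join them on the host they concern, and raise ONE incident when at least two
independent sources report suspicious activity within a short window.
All sample telemetry below is constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    source: str      # product that produced it: "edr", "firewall" or "cloud"
    ts: datetime
    host: str        # hostname the event concerns (the join key)
    user: str
    kind: str        # normalized event type
    detail: str


# Constructed sample telemetry, in vendor-specific shapes.
EDR_RAW = [
    {"time": "2024-03-01T09:02:10", "device": "WS-17", "account": "alice",
     "parent": "WINWORD.EXE", "process": "powershell.exe -nop -w hidden -enc aQBlAHgA"},
    {"time": "2024-03-01T11:40:00", "device": "WS-22", "account": "bob",
     "parent": "explorer.exe", "process": "notepad.exe"},
]
FW_RAW = [
    "2024-03-01T09:03:05 src=WS-17 dst=203.0.113.9 dport=4444 action=allow",
    "2024-03-01T09:04:00 src=WS-22 dst=203.0.113.9 dport=443 action=allow",
]
CLOUD_RAW = [
    {"timestamp": "2024-03-01T09:06:30", "user": "alice", "device": "WS-17",
     "operation": "New-InboxRule", "result": "Success"},
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
SUSPICIOUS_PORTS = {4444, 1337, 6667}          # assumed "odd" outbound ports
SUSPICIOUS_KINDS = {"office_spawns_shell", "outbound_odd_port", "inbox_rule_created"}
ACTIONS = {"edr": "isolate endpoint", "firewall": "block destination",
           "cloud": "revoke user sessions"}


def normalize_edr(rec):
    """Office app launching PowerShell is the classic macro-dropper pattern."""
    shell = rec["parent"].upper() in OFFICE_APPS and rec["process"].lower().startswith("powershell")
    kind = "office_spawns_shell" if shell else "process_start"
    return Event("edr", datetime.fromisoformat(rec["time"]), rec["device"],
                 rec["account"], kind, f"{rec['parent']} -> {rec['process']}")


def normalize_fw(line):
    """Firewall lines are 'timestamp key=value ...'; flag odd destination ports."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    kind = "outbound_odd_port" if int(fields["dport"]) in SUSPICIOUS_PORTS else "outbound"
    return Event("firewall", datetime.fromisoformat(ts), fields["src"], "",
                 kind, f"{fields['dst']}:{fields['dport']}")


def normalize_cloud(rec):
    """A new inbox rule right after a compromise is a common persistence step."""
    kind = "inbox_rule_created" if rec["operation"] == "New-InboxRule" else "cloud_op"
    return Event("cloud", datetime.fromisoformat(rec["timestamp"]), rec["device"],
                 rec["user"], kind, rec["operation"])


def correlate(events, window=timedelta(minutes=10)):
    """Return incidents: hosts whose suspicious events come from >= 2 sources
    within `window` of the first suspicious event on that host.
    (Single cluster per host; a real engine would slide the window.)"""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind in SUSPICIOUS_KINDS:
            by_host.setdefault(e.host, []).append(e)
    incidents = []
    for host, evs in by_host.items():
        cluster = [e for e in evs if e.ts - evs[0].ts <= window]
        sources = sorted({e.source for e in cluster})
        if len(sources) >= 2:          # a lone EDR or firewall hit stays an alert, not an incident
            incidents.append({
                "host": host,
                "sources": sources,
                "severity": {2: "high", 3: "critical"}[len(sources)],
                "events": [f"{e.source}:{e.kind} {e.detail}" for e in cluster],
                "actions": [ACTIONS[s] for s in sources],
            })
    return incidents


def run():
    events = ([normalize_edr(r) for r in EDR_RAW]
              + [normalize_fw(l) for l in FW_RAW]
              + [normalize_cloud(r) for r in CLOUD_RAW])
    return correlate(events)


if __name__ == "__main__":
    for inc in run():
        print(inc["severity"], inc["host"], inc["sources"], inc["actions"])
```

The point of the example is the join: none of the three WS-17 events is conclusive on its own, and WS-22 produces nothing at all, but the three together make a critical incident with one action list that a single product could not have produced.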

Extended Detection and Response does a lot, and it involves multiple technologies. As a result, vendors from across the IT spectrum offer XDR services and bundles. But it’s important to note that XDR isn’t necessarily a replacement for EDR, SIEM, SOAR, or anything else, especially if you already have several layers of defense in place and only need to tweak your posture, or if your organization simply isn’t large enough to justify a full XDR set-up.

Who needs this?

There are organizations that prefer the simplicity of a single security vendor to the “tool overload” that many security professionals complain about. EDR is already a widely accepted security tool category, so for them XDR can be an evolutionary step rather than a massive change in security strategy.

Others see XDR as a way to address the skills shortage: if the platform handles the correlation and the routine triage, security analysts can focus their energy on the most critical incidents.

In any event, the ease and practicality of shifting to XDR will depend on several factors, among them the size and skill of your in-house IT staff and whatever security tools are already in place. But if your organization is looking for the all-seeing visibility of a SIEM, plus the means to act on that data, XDR might be worth a look.

So is XDR just marketing hype?

Definitely not. It’s not a cure-all, either. It’s a powerful new category with a ‘target demographic.’ Not everybody needs it.

Some analysts have said that XDR is what SIEM should have been: a holistic, over-all Eye of Sauron to ‘rule them all’ across an entire organization, as it were, providing quick, authoritative responses to threats in real time, and in some cases stopping them before they do damage.

XDR does this with far less of the overhead and cost that a pieced-together SIEM carries, and with a more authoritative source of data: the endpoint itself.

Admittedly, the working definition is rather ambiguous, which makes suspicions that it’s just a marketing ploy understandable. But the idea of a large, geographically spread-out, technologically complex organization having such top-to-bottom visibility was always going to take time to develop. It was also going to happen in evolutionary steps, and XDR is certainly not the last one.

The promise of XDR

The biggest selling point of Extended Detection and Response, and its biggest promise, is its ability to ingest everything and make it easier for human beings to get to the right answer more quickly. But it’s only as good as the team using it and the data it can ingest: any source that isn’t feeding it is a blind spot.

In any event, whether you need XDR comes down to the same factors: the size and skill of your staff, the tools you already run, and how much visibility you are missing today. Corporate Armor is ready to help, so email us, or call 877-449-0458. Thanks for reading!

Learn more about Extended Detection and Response
Sophos Intercept X Advanced with XDR

Fortinet FortiXDR