XDR Explored: The Evolution and Impact of Extended Detection and Response

November 27, 2023
Tim Wade
Deputy Chief Technology Officer
XDR Explored: The Evolution and Impact of Extended Detection and Response

The rise of Extended Detection and Response (XDR) is both a validation and indictment of Security Information and Event Management (SIEM) technology – the incumbent market category associated with performing aggregate threat detection, investigation, and response.

It is a validation because it underscores the central thesis that aggregating multiple signals across the attack lifecycle is fundamentally correct.  But it is an indictment because the emergence of a second market category solving the same problem clues us into the inefficacy of the incumbent approach.  

Clearly the marketplace has signaled keen interest, but how much of the promise of XDR is just hype?  

Buyers who want to know what they’re in for before inviting a partner to the XDR dance will be well served to recognize that nearly every vendor in the XDR space arrived from an adjacent market – and they’ll carry that adjacent market over with them as they plant their XDR flag.  

Buyers should be aware that there are really four primary spaces that XDR vendors are coming from.

SIEM and XDR: Transformation or Cosmetic Change?

There’s a lot of incentive for SIEM vendors to rebrand as XDR vendors.  In the obvious case of smaller players that lack the market share of the big boys, it is an opportunity to pivot into the new hotness and try again.    

But even for dominant players, rebranding from the incumbent solution starts to make a lot of sense when you realize that many SIEM deployments are just expensive log collectors – not threat detectors.  

The failure to live up to promises of correlated threat detection creates something of a reputational albatross and the rise of XDR presents an opportunity for a new lease on life – especially if the vendor has made some material improvements to the underlying technology.

Buyers considering a SIEM-based XDR solution really need to consider if anything has fundamentally changed or if this is just a new coat of paint.  There’s a heavy bias to building rather than buying when going down the XDR path with a SIEM vendor.  

For well-resourced buyers that can afford the extensive soft costs of operationalizing this technology or have bespoke use cases left uncovered by more purpose-built solutions, this may still have merit.

The EDR Influence in XDR: Expansion Beyond Traditional Boundaries

Considering the incentives at play with Endpoint Detection and Response (EDR) vendors and industry analysts, it’s understandable that defining XDR as EDR++ has traction.    

EDR companies themselves continue to need to find growth to appease shareholders and disqualifying competition at the requirements stage makes dividing that new pie easier.  Meanwhile, industry analyst gatekeepers have all those nervous incumbent SIEM vendors to placate and creating an XDR category may be a temporary means of keeping the peace between the EDR and SIEM camps.  

While EDR provides a useful signal for a lot of traditional threat detection, the problem with overweighting EDR in any XDR approach becomes apparent when considering that roughly 70% of enterprise assets and services won’t run an EDR agent.  If a modern hybrid enterprise is facing threats to cloud, identity, SaaS apps, and even OT/IoT networks then pretending that all breaches involve the compromise of an EDR-enabled endpoint is late to the party by about a decade.

Buyers that pursue an EDR-based XDR solution have two things to consider:  The EDR performance itself, and the aggregation and correlation of other signals.  Good EDR performance should be prioritized, but not to the exclusion of a compelling treatment of the full signal ecosystem.  

If the picture that starts to emerge is that an EDR and something resembling a SIEM have just been bolted together, your spider-sense should be tingling and all of the previous guidance to SIEM-based XDR buyers applies.

Services-Based XDR Solutions: The Human Element

These guys looked at the outcomes that XDR proposed to achieve and asserted that if the price is right, whether these outcomes are achieved by technology or people is secondary.    

Frankly, this makes a lot of sense and it’s one of the reasons that for many buyers an XDR solution may be delivered as a managed service.  Where this runs into a little trouble is the execution, not the thesis.  

Many buyers will recall the time when their Managed Security Solution Providers (MSSPs) were incentivized to morph into Managed Detection and Response (MDR) providers overnight without any material improvements to their service quality.

Buyers that pursue a Services-based XDR solution with a competent provider at a compelling cost may have a lot of upside ahead of them – service providers can do things at a scale that aren’t always feasible for an organization to do on their own.  

Unfortunately, finding a competent service-provider isn’t as simple as checking a magic quadrant and some of the buyers that find the capabilities of a service-provider attractive, lack the maturity to effectively measure the quality of the outcomes.  

Buyers here should go on the offense and hold their vendor’s feet to the fire when it comes to clearly defining how risk will be mitigated in quantifiable terms and implement regular no-notice red teams as a cross-check.  

The Network, Identity, and Cloud Approach to XDR

Lastly, there are a class of vendors whose platform portfolios included multiple threat detection signals and recognized that the whole was greater than the sum of its parts.

Network Detection and Response (NDR), Cloud Detection and Response (CDR), Identity Threat Detection and Response (ITDR), and even those legacy Next-Gen Firewall (NGFW) companies running Intrusion Detection System (IDS) tech can all contribute threat detection signals.

This category tends to contrast most sharply with the legacy SIEM-based approach as these vendors tend to have purpose-built threat detection where the underlying data and streaming analytics are tightly coupled.

Buyers that pursue a Network, Identity and Cloud-based XDR solution tend to accrue benefits associated with broad visibility, ease of use, and time-to-value.  

This stands in contrast with the traditional SIEM, but there is a trade-off to consider – while the most common use cases will be covered, there may be bespoke or long-tail use cases that are out of scope.  If that’s you, you may have to roll some of these yourself.  

For some buyers, this means that full SIEM replacement isn’t viable, even if many of the use cases previously pursued in the SIEM can be offloaded into the XDR.  Additionally, there is real differentiation between closed and open ecosystems.  

Buyers should look for cooperative, Open XDR – requiring a vendor’s entire ecosystem along with a second-rate EDR agent to enjoy the benefits of XDR should probably be a deal breaker for anyone.

Conclusion: XDR's Place in the Future of Cybersecurity

While the above may offer some insight into what to expect on an XDR journey, there’s still plenty of ground to cover before the ultimate arbiters – the buyers themselves – drive clarity into the topic.

Nonetheless, despite the potential confusion and disagreement in the interim, there is one point that is a win for everyone who cares about stopping threats – the rise of XDR as a market category indicates an important point of maturity in the pursuit of resilience through cybersecurity.  

It signals that moving past the expensive failures of prevention-focused security has gone mainstream. In the end, that’s something that everyone should be celebrating.

Explore how the Vectra AI platform can revolutionize your XDR strategy. Connect with us to redefine resilience and stay ahead in the cybersecurity game.