5 observations about XDR

It’s safe to say that my esteemed colleague Dave Gruber and I were following XDR before the term XDR existed.  Yup, we were heads down studying the SOC and a security platform we called SOAPA (security operations and analytics platform architecture).  XDR has a different name but a similar history and pedigree. 

Fast forward to today and the security industry is ga-ga over XDR, leading to even more hyperbole, misinformation, and user confusion.  Now, ol’ Dave and I have done ample qualitative and quantitative research, so we believe we have a good perspective of where XDR is today and where it’s going.  Based on this persistent digging, I have a few XDR observations:

1. No one owns the definition of XDR.

With all due respect to my fellow analysts, dogmatic definitions of what XDR is (and is not) are not only misguided but also counterproductive.  What am I talking about?  One analyst firm claims that XDR must be an extension of endpoint detection and response (EDR) while another says that XDR must be an integrated product suite from a single vendor.  There are two fundamental problems with these strict definitions.  First, XDR is still in the early stages of its evolution.  It’s as if someone decided to define the automobile industry based on the Model T ford (all cars must be black, mass produced, offer a 4-cylinder engine, etc.). 

More importantly, XDR is about outcomes—security efficacy and operational efficiency.  Organizations care about the “why,” security technicians care about the “how,” so XDR will be adopted based on its overall benefits, not its technical make up.  Inflexible definitions do everyone a disservice—business executives, CISOs, security professionals, and technology vendors. 

2. XDR solutions will win or lose based on advanced analytics.

Today’s threat detection solutions use a combination of signatures, heuristics, and machine learning for anomaly detection.  The problem is that they do this on a tactical basis by focusing on endpoints, networks, or cloud workloads alone.  XDR solutions will include these tried-and-true detection methods, only in a more correlated way on layers of control points across hybrid IT.  XDR will go further than existing solutions with new uses of artificial intelligence and machine learning (AI/ML).  Think “nested algorithms” a la Russian dolls where there are layered algorithms to analyze aberrant behavior across endpoints, networks, clouds, and threat intelligence. 

Oh, and it kind of doesn’t matter which security telemetry sources XDR vendors use to build these nested algorithms, as long as they produce accurate high-fidelity alerts.  This means that some vendors will anchor XDR to endpoint data, some to network data, some to logs, and so on.  To be clear, this won’t be easy:  Many vendors won’t have the engineering chops to pull this off, leading to some XDR solutions that produce a cacophony of false positive alerts.  Those vendors that can pull this off however will be wildly successful.

3. XDR is all about turnkey automated response.

While XDR may replace a lot of security technologies, it won’t replace security orchestration, automation, and response (SOAR) anytime soon.  Why?  SOAR is designed to automate complex, multi-staged security operations processes that are often unique to each organization.  That said, XDR will do a bit of SOAR “bottom feeding” by automating basic stuff—enriching data, piecing together investigation elements, looking up malicious file hashes, and taking elementary remediation steps like blocking IP addresses, quarantining systems, or stopping malicious files from executing.  The best XDR solutions will let security teams customize and build on these turnkey automated remediation tasks while providing new ones on a regular basis. 

4. The MITRE ATT&CK framework is the lingua franca of XDR.

Security professionals love the MITRE ATT&CK framework, but it’s been used mostly as a reference point for understanding adversary behavior.  XDR has the potential to operationalize MITRE ATT&CK with visualization of adversary tactics, techniques, and procedures (TTPs), collection, processing, and analytics from multiple data sources, and automated response aligned with adversary behavior. 

It’s also my belief that XDR will integrate with security observability, prioritization, and validation (SOPV) tools like risk-based vulnerability management, attack surface management (ASM), security asset management, and breach and attack simulation (BAS).  From a MITRE perspective, this integration will help security analysts gain greater visibility over their attack surface, understand defense gaps, pinpoint remediation actions, and mitigate high priority cyber-risks.

5. “Openness” is critical.

While it’s likely that some companies will buy the whole XDR enchilada from a single vendor, the vast majority of firms will have a heterogeneous mix of control points, data sources, applications, and infrastructure types, requiring integrated XDR solutions.  Leading XDR vendors must do the obvious things here—open APIs, developer support, partner ecosystems, etc. 

What I’d really like to see, however, is for the big guys (i.e., Cisco, Fortinet, Microsoft, Palo Alto Networks, Trend Micro, and others) to work together on open standards—data formats, API standards, protocol standards, etc.).  Some vendors are moving in this direction through the Open Cybersecurity Alliance, but most are going it alone.  An industry-wide XDR effort to define and promote XDR standards would do everyone a world of good.

Dave and I have also learned that XDR must include capabilities to correlate cyber-attacks with identities—especially due to the rise in insider attacks associated with working from home.  In this way, XDR overlaps with UEBA.  XDR must also be integrated with leading SaaS applications like Office365, Salesforce, ServiceNow, etc. to detect things like atypical administrator behavior and data exfiltration.  Finally, XDR will become a community affair with security teams writing and sharing their own detection rules (detections as code)—especially within industries. 

One final observation:  The early hype over XDR reminded me of a similar pattern around UEBA around 7 years ago.  As you may recall, stand-alone UEBA kind of morphed into a feature of SIEM over time.  The same thing could happen to XDR, but I don’t think it will.  As it evolves, XDR will be a security operations game changer.  Meanwhile, the security diaspora must be curious, innovative, and open-minded as XDR progresses.