ThreatConnect recently celebrated its 10th anniversary. We started ThreatConnect because it was easy to see that there was a need to improve the state of protection, detection, response, and recovery.
Some are talking about eXtended Detection and Response (XDR) — the next evolution of analyzing security data and events — as if it is the silver bullet for detection and response.
I’m skeptical — but not of the opportunity XDR creates as a product. In fact, Jon Oltsik, senior principal analyst at research firm ESG, recently wrote that XDR “is not only real but may also disrupt the industry in 2021.” I agree with Jon that XDR can and will be very powerful. However, many XDR vendors are making promises about capabilities that are outside their core competencies, and, just like the previous false silver bullets in the security industry (AV, SIEM, etc.), XDR will not be the answer to all detection and response needs.
What XDR Is & Isn’t
According to Gartner, XDR solutions are emerging that automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability. In general, XDR takes a broader approach to endpoint detection and response (EDR) by providing visibility across all endpoints, the network, and cloud infrastructure.
It simplifies and consolidates comprehensive visibility across the network and host. Because it presumably understands that data better, it can perform end-to-end analytics across networks and hosts at an unprecedented level, allowing defenders to detect and investigate an attack more quickly with enhanced visibility. If you assume it is easier to deploy, easier to use, and more powerful for its users, it is a no-brainer that XDR is going to be powerful.
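To make concrete what “collect and correlate data from multiple security products” looks like in practice, here is an added example that is not ThreatConnect’s code nor any vendor’s XDR logic. It normalizes constructed endpoint (EDR) and network telemetry into one schema and joins them by host within a time window, so that an endpoint signal that is only mildly interesting on its own (an Office application spawning a shell) is escalated when the same host immediately makes an outbound connection. The event fields, host names, the 60-second window and the byte threshold are all assumptions chosen for illustration.

```python
"""Cross-source correlation of the kind XDR products perform: join endpoint
process telemetry with network connection telemetry on host and time window.
Added example; the events below are constructed, not real product output."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry from two hypothetical products (ISO 8601 timestamps).
EDR_EVENTS = [
    {"ts": "2021-03-01T10:00:05", "host": "ws-17", "process": "powershell.exe",
     "parent": "winword.exe", "pid": 4120},
    {"ts": "2021-03-01T10:30:00", "host": "ws-22", "process": "chrome.exe",
     "parent": "explorer.exe", "pid": 2210},
]
NET_EVENTS = [
    {"ts": "2021-03-01T10:00:09", "host": "ws-17", "dst": "203.0.113.9", "dport": 443, "bytes_out": 18000},
    {"ts": "2021-03-01T10:45:00", "host": "ws-22", "dst": "198.51.100.4", "dport": 443, "bytes_out": 900},
    {"ts": "2021-03-01T11:00:00", "host": "ws-17", "dst": "203.0.113.9", "dport": 443, "bytes_out": 500},
]

# Endpoint behaviour worth a second look on its own: an Office app spawning a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

# Assumed analytic parameters: how close in time a connection must follow the
# process launch, and how many bytes out we treat as a possible data transfer.
WINDOW = timedelta(seconds=60)
LARGE_TRANSFER_BYTES = 10_000


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def normalize(edr: List[Dict], net: List[Dict]) -> List[Dict]:
    """Map both sources onto one schema so a single analytic can run over them."""
    out = []
    for e in edr:
        out.append({"ts": parse_ts(e["ts"]), "host": e["host"], "source": "edr", "detail": e})
    for n in net:
        out.append({"ts": parse_ts(n["ts"]), "host": n["host"], "source": "net", "detail": n})
    return sorted(out, key=lambda ev: ev["ts"])


def is_suspicious_launch(detail: Dict) -> bool:
    """Endpoint-only rule: shell spawned by an Office application."""
    return detail["parent"] in OFFICE_PARENTS and detail["process"] in SHELLS


def correlate(events: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Pair each suspicious process launch with outbound connections from the
    same host that occur within `window` after it, producing one incident per
    launch that has at least one such connection."""
    incidents = []
    for ev in events:
        if ev["source"] != "edr" or not is_suspicious_launch(ev["detail"]):
            continue
        related = [
            o["detail"] for o in events
            if o["source"] == "net"
            and o["host"] == ev["host"]
            and ev["ts"] <= o["ts"] <= ev["ts"] + window
        ]
        if related:
            big = any(c["bytes_out"] > LARGE_TRANSFER_BYTES for c in related)
            incidents.append({
                "host": ev["host"],
                "trigger": ev["detail"],
                "connections": related,
                "severity": "high" if big else "medium",
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize(EDR_EVENTS, NET_EVENTS)):
        print(inc["severity"], inc["host"], inc["trigger"]["process"],
              [c["dst"] for c in inc["connections"]])
```

The join keys (host, time), the endpoint rule and the severity logic are what an XDR vendor would own and tune inside its own product; the point of the example is that the value comes from having both data sets in one schema, which is easy when a single vendor controls both sensors.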
XDR will thrive in the market due to its turnkey capabilities and the opportunity to look at host and network data at a level not otherwise possible. But XDR vendors will have no choice other than to create tight couplings between the layers within their own products, and for this reason, they will be limited in terms of the data they consume and analyze and what they can do to manage the response. In other words, XDR detection, intelligence, workflow, and orchestration will be purpose-built around the vendors’ own requirements and will not incorporate external products and processes as some may think.
The best of both worlds is possible but requires the XDR vendor to also integrate into a full SOAR solution. The integrated SOAR allows the XDR vendor to maximize their out-of-the-box capabilities and ability to configure around customer automation needs inside their XDR product, while simultaneously providing a way to integrate with the rest of the security ecosystem and processes through a full SOAR offering.