Is XDR the Silver Bullet We Have Been Waiting For? Spoiler: “No.”

eXtended Detection and Response, XDR

ThreatConnect recently celebrated its 10th anniversary. We started ThreatConnect because it was easy to see that there was a need to improve the state of protection, detection, response, and recovery.

Some are talking about eXtended Detection and Response (XDR) — the next evolution of analyzing security data and events — as if it is the silver bullet for detection and response.

I’m skeptical — but not of the opportunity XDR creates as a product. In fact, Jon Oltsik, senior principal analyst at research firm ESG, recently wrote that XDR “is not only real but may also disrupt the industry in 2021.” I agree with Jon that XDR can and will be very powerful. However, many XDR vendors are making promises about capabilities that lie outside their core competencies, and, just like the previous false silver bullets in the security industry (AV, SIEM, etc.), XDR will not be the answer to all detection and response needs.

What XDR Is & Isn’t

According to Gartner, XDR solutions are emerging that automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability. In general, XDR takes a broader approach to endpoint detection and response (EDR) by providing visibility across all endpoints, the network, and cloud infrastructure.

It simplifies and consolidates comprehensive visibility across the network and host. Because it presumably understands that data better, it can perform end-to-end analytics across networks and hosts at an unprecedented level, giving defenders enhanced visibility and allowing them to detect and investigate an attack more quickly. If you assume it is easier to deploy, easier to use, and more powerful for its users, it is a no-brainer that XDR is going to be powerful.
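To make the "collect and correlate data from multiple security products" idea concrete, here is an added example (not ThreatConnect code and not any XDR product's logic) of the kind of cross-source correlation described above. The three record formats, the host names, and the five-minute window are all constructed assumptions; the example shows that an endpoint event or a network event on its own raises nothing, while the two together on the same host within the window become one incident.

```python
"""Cross-source correlation in the style the passage attributes to XDR.

Constructed example: endpoint (EDR), network and cloud telemetry arrive in
three vendor-specific shapes, are normalised into one Event shape, bucketed
by host, and a simple rule links an endpoint process start to an outbound
connection from the same host inside a short window.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample telemetry; every field name below is an assumption.
RAW_RECORDS = [
    {"product": "edr", "hostname": "ws-042", "time": "2021-03-01T10:00:05Z",
     "event": "process_start", "image": "powershell.exe"},
    {"product": "fw", "src_host": "ws-042", "ts": "2021-03-01T10:00:40Z",
     "action": "allow", "dst": "203.0.113.7", "dport": 443},
    # network-only activity on ws-077: no endpoint context, no incident
    {"product": "fw", "src_host": "ws-077", "ts": "2021-03-01T10:01:00Z",
     "action": "allow", "dst": "198.51.100.9", "dport": 443},
    # ws-101: endpoint and network events exist, but more than 5 min apart
    {"product": "edr", "hostname": "ws-101", "time": "2021-03-01T10:02:00Z",
     "event": "process_start", "image": "notepad.exe"},
    {"product": "fw", "src_host": "ws-101", "ts": "2021-03-01T10:09:30Z",
     "action": "allow", "dst": "203.0.113.20", "dport": 443},
    # cloud audit record with no matching endpoint/network pair
    {"product": "cloud", "resource": "vm-07", "eventTime": "2021-03-01T10:03:00Z",
     "eventName": "CreateAccessKey"},
]

WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    source: str                      # "edr", "network" or "cloud"
    host: str
    ts: datetime
    kind: str                        # e.g. "process_start", "outbound_connection"
    detail: dict = field(default_factory=dict)


def _ts(text: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp; fromisoformat needs '+00:00'."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def normalize(raw: dict) -> Event:
    """Map each product's own record shape onto the common Event shape.

    This per-product mapping is exactly where an XDR vendor's tight coupling
    lives: every new data source needs its own hand-written adapter.
    """
    p = raw["product"]
    if p == "edr":
        return Event("edr", raw["hostname"], _ts(raw["time"]), raw["event"],
                     {"image": raw["image"]})
    if p == "fw":
        return Event("network", raw["src_host"], _ts(raw["ts"]),
                     "outbound_connection", {"dst": raw["dst"], "dport": raw["dport"]})
    if p == "cloud":
        return Event("cloud", raw["resource"], _ts(raw["eventTime"]), raw["eventName"])
    raise ValueError(f"unknown product {p!r}")


def correlate(events: list, window: timedelta = WINDOW) -> list:
    """Raise one incident per host where an EDR process start is followed
    by an outbound connection from the same host within `window`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            if first.source != "edr" or first.kind != "process_start":
                continue
            for later in evs[i + 1:]:
                if later.ts - first.ts > window:
                    break            # sorted by time, nothing later can match
                if later.source == "network" and later.kind == "outbound_connection":
                    incidents.append({
                        "host": host,
                        "start": first.ts,
                        "sources": ["edr", "network"],
                        "process": first.detail["image"],
                        "dest": later.detail["dst"],
                    })
                    break            # one incident per process start
    return incidents


def run(records: list = RAW_RECORDS) -> list:
    """Normalise the raw records and return the correlated incidents."""
    return correlate([normalize(r) for r in records])


if __name__ == "__main__":
    for inc in run():
        print(inc)
```

The `normalize` function is the part worth noticing in light of the argument that follows: each product format needs its own adapter, so a correlation engine only sees the sources someone has taken the time to map into its schema.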

XDR will thrive in the market due to its turnkey capabilities and the opportunity to look at host and network data at a level not otherwise possible. But XDR vendors will have no choice other than to create tight couplings between the layers within their own products, and for this reason, they will be limited in terms of the data they consume and analyze and what they can do to manage the response. In other words, XDR detection, intelligence, workflow, and orchestration will be purpose-built around the vendors’ own requirements and will not incorporate external products and processes as some may think.

The best of both worlds is possible but requires the XDR vendor to also integrate into a full SOAR solution. The integrated SOAR allows the XDR vendor to maximize their out-of-the-box capabilities and ability to configure around customer automation needs inside their XDR product, while simultaneously providing a way to integrate with the rest of the security ecosystem and processes through a full SOAR offering.

About the Author
Adam Vincent

Adam is an information security expert and the former CEO and co-founder of ThreatConnect, Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and detailed expertise in information security. The culmination of this knowledge led to the company’s creation of ThreatConnect, the first-of-its-kind threat intelligence platform. He currently serves as an advisor to multiple security-focused organizations and has provided consultation to numerous businesses ranging from start-ups to governments, Fortune 500 organizations, and top financial institutions. Adam holds an MS in computer science with graduate certifications in computer security and information assurance from George Washington University. Vincent lives in Arlington, VA with his wife, four children, and dog.