One of the biggest buzzwords (or really, buzz acronyms) to pop up in the cybersecurity space in recent years is XDR, or extended detection and response. The term was coined in 2018 by Nir Zuk, CTO and co-founder of Palo Alto Networks. It was posited as a new way to think about security, where data is taken from several platforms and then correlated and analyzed.
There are several ways this positioning could be taken, but in general I think it was meant to be seen as a “vision of the future” where security and threat detection could be pulled from numerous sources.
Interoperability certainly has become important here, but the vagueness of what exactly XDR is has become part of the picture. As part of our look at debunking cybersecurity myths, I wanted to make sure we address the hype around XDR, the myths about what it actually is, and what you should look out for as a security technology buyer.
What the Heck is XDR Anyway?
So, what exactly is XDR? The answer is…it depends on the vendor trying to sell it.
Sometimes it’s a platform that attempts to take a more holistic view than just the endpoint. Sometimes it’s a vendor choosing not to call themselves what they really are, for example a SIEM that believes SIEM is a tired product category. A lot of it is defined relative to Endpoint Detection and Response (EDR), and it makes sense that XDR would be pitched as the next evolution of that.
In my research for this piece, I found the following definitions for XDR among vendors:
- Endpoint technology plus Security Orchestration, Automation and Response (SOAR)
- Endpoint plus logs
- Endpoint plus data management
- Endpoint plus Network Detection and Response (NDR)
- NDR plus EDR
Basically, any two things put together can now be called XDR by everyone who is bum-rushing this category. This also includes MSSPs; I saw several examples of MSSPs claiming to offer XDR by bundling a couple of different security technologies.
Based on all these factors, it’s safe to say that, broadly, XDR is a way of bringing in multiple data sources from a lot of different places, correlating and analyzing that data, prioritizing the anomalies or events it detects, and then conducting incident response and threat investigation. That sounds an awful lot like any of a number of individual security technologies you can already buy, and not just from one vendor.
So, what are we doing here? The truth is, someone coined a very good marketing category, did a great job with it, and now everybody is clamoring to say they do the same thing.
I hear the term XDR come up often in conversations with prospective customers, and when the question is asked, I figure another vendor has already set the expectation in their minds of what XDR is or should be.
As a buyer, you have to be prepared to ask a lot of questions to find out what your vendor is actually talking about. For example, ask about the vendor’s deployment model. If they don’t use agents, then how do they get endpoint data? Don’t architect your very expensive security tooling budget around a vague concept.
Logz.io’s View: We’re a Cloud SIEM
We believe that calling things what they are is helpful to a buyer, and that obfuscating them or relying on nonexistent definitions is not. We don’t want to confuse anybody about what we do. We want to offer the best Cloud SIEM possible and serve our customers as well as we can, by saying plainly what we do.
This means that we need to offer the most sophisticated version of a Cloud SIEM, with these capabilities:
- A custom correlated detection engine
- A dynamic lookups engine
- Threat intelligence out of the box as a data source
- Writing detections on behalf of our customers, so we do the correlation for them
- Researchers to put all that together and deploy it across a SaaS-based SIEM
We’d rather be the best at all these things instead of calling ourselves XDR on an at-best flimsy basis. That’s what we offer customers, and hope you’ll take a look at how we can help your organization.
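To make the multi-source correlation described above concrete (endpoint plus network data, threat intelligence as a data source, and a lookup table used to prioritize the result), here is an added example that is not Logz.io’s code and not from the original post; the hosts, IPs, indicator feed, asset table and the rule itself are constructed assumptions.

```python
# Constructed sample data (not from the original post): two EDR-style endpoint
# events, two NDR-style network flows, a threat-intel indicator set and an
# asset-criticality lookup table. Every host, IP and name is made up.
ENDPOINT_EVENTS = [
    {"source": "edr", "host": "ws-042", "user": "alice",
     "process": "powershell.exe", "dest_ip": "203.0.113.7"},
    {"source": "edr", "host": "ws-042", "user": "alice",
     "process": "outlook.exe", "dest_ip": "198.51.100.20"},
]
NETWORK_FLOWS = [
    {"source": "ndr", "host": "ws-042", "dest_ip": "203.0.113.7", "bytes_out": 8_400_000},
    {"source": "ndr", "host": "ws-042", "dest_ip": "198.51.100.20", "bytes_out": 12_000},
]
THREAT_INTEL = {"203.0.113.7"}           # indicator feed treated as just another data source
ASSET_CRITICALITY = {"ws-042": "high"}   # dynamic lookup consulted at detection time


def correlate(endpoint_events, flows, intel, assets, min_bytes=1_000_000):
    """Cross-source rule: an endpoint process talking to a threat-intel IP,
    corroborated by a network flow from the same host to the same IP, is one
    correlated detection. Severity comes from the asset-criticality lookup."""
    flows_by_key = {(f["host"], f["dest_ip"]): f for f in flows}
    alerts = []
    for ev in endpoint_events:
        if ev["dest_ip"] not in intel:
            continue                       # no indicator match, nothing to correlate
        flow = flows_by_key.get((ev["host"], ev["dest_ip"]))
        if flow is None:
            continue                       # seen by EDR only: no network corroboration
        severity = "critical" if assets.get(ev["host"]) == "high" else "medium"
        alerts.append({
            "host": ev["host"], "process": ev["process"], "dest_ip": ev["dest_ip"],
            "bytes_out": flow["bytes_out"], "severity": severity,
            "large_transfer": flow["bytes_out"] >= min_bytes,
            "evidence": [ev["source"], flow["source"], "threat_intel"],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(ENDPOINT_EVENTS, NETWORK_FLOWS, THREAT_INTEL, ASSET_CRITICALITY):
        print(alert)
```

The point of the example is the shape of the question to ask a vendor: which sources feed the rule, where the corroboration comes from, and what lookup decides the priority.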