Over the past 10 years, our mission at Cisco Secure has been to develop, acquire and integrate a security portfolio that simplifies operations, accelerates team success, and positions organizations to secure their futures. Other vendors have recognized the critical nature of this effort and followed suit in their own manner. The result of these efforts is a set of solutions that bring detection and response tools together into a platform that promises a myriad of benefits. Gartner has recently defined a market category for these offerings: Extended Detection and Response (XDR). As is often true with new security concepts, vendors are quickly adopting this terminology to showcase their products' capabilities.
This is where things get tricky. Some vendors are using it as a marketing strategy for their existing solutions, while others are explicitly naming their products “XDR”. With the same term being used in multiple ways, it can be hard for buyers to understand what it actually means.
• Understand the needs driving XDR adoption
• Explore Gartner’s definition of the category
• Learn how Cisco delivers XDR use cases with our solutions
• Discover ways to start your XDR journey
If you’re like most security teams, strong detection and response is a mission-critical pursuit that often proves elusive. No matter how much you invest, there’s constantly a need for “one more layer” of security. Threats continue to increase in sophistication, the perimeter continues to expand, work habits continue to be challenged, and business resiliency needs to be prioritized more than ever. As the attack surface grows, detection gets harder and dwell times go up, putting businesses at risk.
With the plethora of security tools available today, why isn’t the paradigm shifting? Because all of your security solutions were likely designed and built in isolation, and they don’t natively integrate with one another in any meaningful way. Since effectively defending against modern threats is predicated on gaining a complete-enough picture across all control points, having a patchwork of non-integrated point solutions simply doesn’t make the cut anymore.
Services are usually available to bring multiple different point solutions together, but they’re generally expensive. These siloed technologies prevent streamlined security processes and result in important decisions being made in isolation and with only a fraction of the available data.
In theory, adding a new SIEM (Security Information and Event Management) or SOAR (Security Orchestration, Automation, and Response) tool to a security environment can provide some incremental benefits, including analytics and automation. In practice, however, most security teams don’t have the time, knowledge, or staff on hand to perform the level of calibration required to integrate their detection and response capabilities through these tools. And even when they do, adding a new layer of security to the environment requires an unpredictable amount of recalibration. While valuable in certain contexts, the integration achieved through SIEMs or SOARs isn’t enough to overcome the underlying incompatibilities between your security solutions that are preventing you from detecting threats rapidly and reducing response times.
This translates to teams that are buried in alerts, unable to improve metrics like mean time to detection (MTTD) and mean time to remediation (MTTR), and struggling to make time for other critical tasks like identifying opportunities for automation and fine-tuning critical policies.
XDR solutions were designed to alleviate the challenges of too many vendors, too little integration, too little coordination, and too little time.
Gartner defines Extended Detection and Response (XDR) as a unified incident detection and response platform that automatically collects and correlates data from multiple proprietary security components. This means that XDR solutions operate across various layers of detection and response tools, normalize their different datasets, run high-fidelity analyses, and coordinate actions to make it easier for teams to understand the full scope of security issues and remediate quickly and efficiently.
First, it must centralize collections of historic and real-time event data in common formats and make it available for fast indexed searches over indefinite periods through high-performance and scalable storage resources.
Second, it must use multiple machine learning techniques to analyze huge amounts of telemetry data from multiple products to detect subtle malicious activity.
Lastly, it must offer automation capabilities to take care of routine tasks that accelerate response — or even proactively improve protection and posture.
While similar in function to SIEMs or SOARs, XDRs are differentiated in three ways.
First, the level of turnkey integration is much higher and does not require expensive, labor-intensive calibration.
Second, XDRs are focused solely on threat detection and incident response and have much better detection and analysis labs.
Third, they are generally built on cloud-native architectures and deploy rapidly.
XDR solutions enable more efficient and effective security operations, while lowering the overall total cost of ownership of the solutions they integrate. This makes the promise of these systems highly compelling for any enterprise company.
While a unified detection and response platform is a simple concept to grasp, it is difficult to execute one in practice. According to Gartner, unifying data sets in meaningful ways is the central challenge of building an effective XDR platform. Again, security solutions are often built standalone and generally lack APIs, compatible database structures, and data normalization functions, even when made by the same vendor. While APIs are improving, understanding the different data sets and getting the right syntax in place to offer a single view across your entire environment requires an incredible amount of work.
Bottom line, XDR is not a solution that can be slapped together quickly. Unfortunately, that hasn’t stopped vendors from trying to do just that. Many that sell stand-alone Network Detection and Response (NDR) or Endpoint Detection and Response (EDR) solutions are increasingly forming “partnerships” to make XDR claims. However, due to the loose and non-native integrations between these partnerships, they cannot deliver on the promise of XDR.
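To make the normalization and correlation work described above concrete, here is an added Python example (not Cisco's code or any product's): two constructed record formats, a hypothetical EDR feed keyed by hostname and a hypothetical NDR feed keyed by source IP, are mapped into one common schema and clustered per host within a time window, so that only activity seen by more than one control point is raised as an incident. The field names, asset map and sample records are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:  # common schema every source is mapped into before correlation
    ts: datetime
    host: str
    source: str   # control point that produced it: "edr" or "ndr"
    detail: str


# Constructed asset inventory: NDR only knows IPs, EDR only knows hostnames.
ASSETS = {"10.0.0.5": "ws-finance-01", "10.0.0.9": "ws-hr-02"}


def normalize_edr(rec):
    """Hypothetical EDR record: ISO-8601 timestamp, hostname, process, verdict."""
    return Event(datetime.fromisoformat(rec["timestamp"]).astimezone(timezone.utc),
                 rec["hostname"].lower(), "edr", f'{rec["verdict"]}:{rec["process"]}')


def normalize_ndr(rec):
    """Hypothetical NDR record: epoch seconds, source IP, alert name."""
    return Event(datetime.fromtimestamp(rec["ts"], tz=timezone.utc),
                 ASSETS.get(rec["src_ip"], rec["src_ip"]), "ndr", rec["alert"])


def correlate(events, window=timedelta(minutes=10)):
    """Cluster events per host by time; keep clusters seen by more than one tool."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    incidents = []
    for host, evs in by_host.items():
        cluster = [evs[0]]
        for e in evs[1:] + [None]:       # None acts as an end-of-stream flush
            if e is not None and e.ts - cluster[-1].ts <= window:
                cluster.append(e)
                continue
            if len({c.source for c in cluster}) > 1:
                incidents.append((host, cluster))
            cluster = [e]
    return incidents


def build_incidents():
    # Constructed sample records from both feeds; only ws-finance-01 overlaps.
    edr = [{"timestamp": "2024-03-01T10:02:00+00:00", "hostname": "WS-FINANCE-01",
            "process": "powershell.exe", "verdict": "suspicious"},
           {"timestamp": "2024-03-01T13:00:00+00:00", "hostname": "WS-HR-02",
            "process": "notepad.exe", "verdict": "clean"}]
    ndr = [{"ts": 1709287500, "src_ip": "10.0.0.5", "alert": "dns-tunnel-pattern"},  # 10:05Z
           {"ts": 1709307000, "src_ip": "10.0.0.9", "alert": "port-scan"}]           # 15:30Z
    return correlate([normalize_edr(r) for r in edr] + [normalize_ndr(r) for r in ndr])
```

The asset map is the join key that a single NDR or EDR product never has on its own, which is why the page's "data normalization functions" matter as much as the analytics.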