Extended detection and response (XDR) is no longer a future state in cybersecurity practice — it's a full-fledged reality for some. In fact, it's been a thing for a lot longer than you might think.
Still, XDR is new vocabulary for many security operations center (SOC) teams, and the contours of this wide-ranging term can often feel a little fuzzy.
Sam Adams, VP for Detection and Response at Rapid7, recently sat down with Forrester Analyst Allie Mellen to dig deeper into the conceptual framework behind XDR and unpack how organizations can benefit from this approach.
Allie and her colleagues at Forrester think of XDR "as an extension of endpoint detection and response technology," she told Sam. "It's about taking that philosophy that endpoint detection and response vendors have had for a long time around protecting where the business data is, around protecting the endpoint, and recognizing that, ultimately, that's not enough for a SOC."
The key concept behind XDR is to expand the sources of telemetry that SOC teams have at their disposal in order to widen their capabilities and help them better protect their organizations.
Identifying the right detections
Sam echoed the importance of this shift in mindset. He noted that when Rapid7 first launched InsightIDR as a security information and event management (SIEM) tool, we started out with a more prescriptive mindset: "Let's find attacker behavior we're interested in finding and figure out what sort of data we need to collect that." But that quickly shifted to an approach that opened up the data sources, rather than narrowing them down.
"What we realized really early in our SIEM journey, and in our journey in building a detection and response platform, was that the endpoint data was an incredibly rich source of detections," Sam said.
But at some point, you have to figure out what detections are most important. Allie noted that while SIEM has been an integral tool for SOC teams because it lets them easily bring in new sources of telemetry, endpoint detection and response vendors are introducing tools with much more targeted detections. An XDR vendor's ability to identify threats and author detections for them is a key value-add for many end users.
"One of the reasons that they're drawn to XDR is because a lot of the detection engineering is done for them," Allie said, "and they know that they can trust it because it's backed by this vendor that specializes not only in the technology but also has a whole threat research team dedicated to finding these threats and turning them into detections."
Threat detected — what next?
These capabilities also enhance the "R" in XDR, with dynamic response recommendations that reflect the detections themselves, rather than a predetermined playbook. And given the current cybersecurity talent shortage, it's all the more important for security teams to democratize this skill set so they can act quickly, with better insight.
But as Allie points out, it's the intermediary step between detection and response that often trips teams up.
"The longest part of the incident response life cycle is investigation," she said. This step can be especially difficult when detections are particularly complex.
But while investigation and root cause analysis remain a challenge, the slow-downs in this stage of the detection-and-response life cycle provide an important insight into the gaps that XDR needs to fill.
"While tools are able to provide detections and while we can orchestrate response actions, we're not really giving the analyst everything they need to make a decision up front," Allie said.
3 key outcomes of XDR
With XDR, Allie says, the goal is to better understand what's going on in your environment and what to do about it by bringing in data across telemetry sources beyond just the endpoint. This drives better outcomes in 3 core areas:
- Improving detection efficacy: Whether you're looking to lighten your detection engineer's workload or you simply don't have one on staff, XDR aims to provide the most effective detections on an ongoing basis.
- Making investigation easier: XDR makes analysts' lives easier, too, by expanding the pool of telemetry sources to provide more comprehensive data and insights on threats.
- Enabling faster response: With better, shorter investigations, SOC analysts will know what to do next — and be able to put the gears in motion more quickly.
By bringing these benefits along with proactive use cases like threat hunting, the vision is for XDR to become the go-to tool for everything SOC teams need to do to keep organizations secure.
Want more XDR insights from our conversation with Allie? Check out the full talk.