XDR, Naughty or Nice? Defining True XDR With Our Dummies Guide

Dec 09, 2021

Like it or not, the holiday season has arrived in all of its retail glory, infused with enough pumpkin spice to kick that Elf-on-a-Shelf up to the stratosphere. It’s a time when your inner Scrooge might suddenly appear, unwittingly provoked by one too many exposures to “All I Want for Christmas is You.”

Let’s face it, working in security can leave you a bit on edge, even without the added caffeine or last-minute shopping. Yet the holidays should be a time of reflection and spreading cheer, embracing the values that matter. We set our sights on the horizon of the approaching New Year, making resolutions, determined to improve some aspect of our daily lives.

For security practitioners, this often means staying ahead of the security curve, keeping critical data safe. And a part of that ongoing strategy is to stay up-to-date on the latest industry innovations like Extended Detection and Response, or XDR.

While XDR is gaining acceptance and traction among the analyst community and end-users at large, many companies still rely on EPP/NG-AV. And since “NG-AV” is no longer next generation, how can these companies determine the most appropriate XDR to choose when there are so many flavors of XDR on the market? Some XDR "flavors" may simply be a rebranding of endpoint detection and response (EDR), so it pays to pay attention.

While EDR provides granular visibility and response actions for endpoints, it lacks those capabilities for non-endpoint network telemetry, cloud environments and email behavior. XDR takes prevention capabilities further than NG-AV or EDR, offering the full-scale visibility and powerful analytics that security teams need to fight modern attacks now and in the future.

So, how does one distinguish between the various options available on the market to determine whether a solution is true XDR as opposed to another vendor hopping on the XDR bandwagon? The following specifications (while not exhaustive) can help separate the winners from the wannabes.

A true XDR solution:

  • Stitches key data together automatically, rather than relying on table joins, simple correlation or manual queries.
  • Natively stitches together network, endpoint, identity, and cloud data into a single “story” or integrated log record for cross-data analytics.
  • Applies intelligent, advanced logic to show the complete story of an incident in a single view.
  • Automatically maps evidence and artifacts to the MITRE ATT&CK framework.
  • Provides a built-in capability to perform deep forensic analysis.
  • Is backed by world-class security research and security services teams.

Does the solution take a prevention-first approach?

While XDR is defined as “eXtended detection and response,” its strength lies in the ability to PREVENT attacks: to block, disrupt and contain threats before any damage occurs. For all other activities, XDR provides a deep level of integration with devices to build a complete record of communications and endpoints, and of how users interact with all applications and data, in order to detect attacker TTPs (tactics, techniques and procedures).

Does the solution base detections on identity, endpoint, network and cloud?

Can the solution detect attacks based on identity, cloud and network data, including between unmanaged devices? Some endpoint-only "XDR" vendors will say they see network data when what they really mean is network traffic observed by the endpoint agents, not data from network security devices such as NGFWs. A true XDR will analyze data from at least these sources, correlate it with threat activity, and tag it with MITRE ATT&CK TTPs to provide a more detailed picture of adversary movement.

Does the solution have native investigation and response capabilities? A true XDR:

  • Uses security analytics to automate response recommendations.
  • Allows for native response actions on the endpoint.
  • Can support, but does not require, integrations with other tools such as SOAR for response.
  • Enables response across endpoint, network and cloud enforcement points rather than the endpoint only.
  • Natively supports ad-hoc searching across all third-party data sources using analyst-optimized investigative and hunting methods.
  • Optimizes triage and investigations by surfacing all related malicious artifacts, hosts, users, and correlated alerts, mapped to MITRE ATT&CK.
  • Can provide smart recommendations for targeted response actions, based on MITRE ATT&CK.
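To make the "single story" idea in both lists above concrete, here is an added example (not Cortex XDR code and not from the original post): it stitches constructed identity, endpoint, network and cloud events into one incident story per connected set of shared user/host entities, tags each step with a MITRE ATT&CK technique ID, and lists a response action per enforcement point. The event kinds, the event-to-technique mapping and the response actions are assumptions made for illustration; the technique IDs are real ATT&CK identifiers.

```python
from collections import defaultdict

# Constructed sample telemetry from four sources, listed in time order (not real data).
EVENTS = [
    {"src": "identity", "user": "jdoe", "host": "WS-042", "kind": "mfa_fatigue_login"},
    {"src": "endpoint", "user": "jdoe", "host": "WS-042", "kind": "office_spawns_powershell"},
    {"src": "network", "host": "WS-042", "dst": "198.51.100.7", "kind": "beacon_to_rare_domain"},
    {"src": "cloud", "user": "jdoe", "kind": "bulk_storage_download"},
    {"src": "endpoint", "user": "asmith", "host": "WS-017", "kind": "office_spawns_powershell"},
]
# Illustrative (assumed) mapping of each constructed event kind to a MITRE ATT&CK technique ID.
ATTACK = {
    "mfa_fatigue_login": "T1621",             # MFA Request Generation
    "office_spawns_powershell": "T1059.001",  # Command and Scripting Interpreter: PowerShell
    "beacon_to_rare_domain": "T1071",         # Application Layer Protocol
    "bulk_storage_download": "T1530",         # Data from Cloud Storage
}
# Assumed response action per enforcement point that produced the telemetry.
RESPONSE = {"identity": "revoke sessions", "endpoint": "isolate host",
            "network": "block destination on NGFW", "cloud": "suspend cloud credentials"}


def stitch(events):
    """Group events sharing a user or host entity (union-find) into one story each."""
    parent = list(range(len(events)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    seen = {}  # (entity type, value) -> index of the first event carrying that entity
    for i, ev in enumerate(events):
        for key in ("user", "host"):
            if key in ev:
                ent = (key, ev[key])
                if ent in seen:
                    parent[find(i)] = find(seen[ent])  # link to the earlier event's group
                else:
                    seen[ent] = i
    groups = defaultdict(list)
    for i, ev in enumerate(events):
        groups[find(i)].append(ev)  # input order is preserved within each group
    stories = []
    for evs in groups.values():
        stories.append({
            "sources": sorted({e["src"] for e in evs}),
            "entities": sorted({f"{k}:{e[k]}" for e in evs for k in ("user", "host") if k in e}),
            "techniques": [ATTACK[e["kind"]] for e in evs],  # attack chain in time order
            "actions": sorted({RESPONSE[e["src"]] for e in evs}),
        })
    return sorted(stories, key=lambda s: -len(s["sources"]))  # richest cross-source story first
```

Running `stitch(EVENTS)` yields two stories: the jdoe/WS-042 chain spanning all four sources with four ATT&CK steps and four response actions, and a lone endpoint event on WS-017 that never gains cross-source context.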

The mission of Cortex XDR:

“Empower organizations to know about and stop all attacks by ingesting, integrating, and analyzing every data source to encompass the entire environment, and leveraging multi-layer cross-data analytics for higher fidelity detection, continuous learning for automated investigation and response, and all threat context and insight in one place.”

At Palo Alto Networks, we have a steadfast commitment to providing best-in-class security solutions, and Cortex XDR—as the first XDR product in the industry—continues to lead by example by adding robust new third-generation capabilities such as forensics, identity analytics, and cloud security.

image of XDR for Dummies e-Book

Survive the holiDAZE with some inspirational reading material

For further reading on the subject, our “XDR for Dummies” e-book discusses the current state of detection and response, including threats, limitations, and challenges faced in an enterprise SOC. For teams evaluating XDR solutions, the e-book provides guidance with a chapter devoted to ten key XDR capabilities and features to look for. Join the Cortex XDR Revolution today!
