What is XDR?
Extended detection and response, or XDR, is an approach to threat detection and response that provides holistic protection against cyberattacks, unauthorized access and misuse. The term was coined by Nir Zuk, Palo Alto Networks CTO, in 2018. XDR breaks down traditional security silos to deliver detection and response across all data sources rather than one product's telemetry alone.
According to analyst firm Gartner, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system.” The definition of XDR from Forrester Research is a bit more expansive: “The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.”
How Does XDR Work?
XDR brings a proactive approach to threat detection and response. It delivers visibility into data across networks, clouds and endpoints while applying analytics and automation to address today’s increasingly sophisticated threats. With XDR, security teams can:
- Identify hidden, stealthy and sophisticated threats proactively and quickly
- Track threats across any source or location within the organization
- Increase the productivity of the people operating the technology
- Get more out of their security investments
- Conclude investigations more efficiently
From a business perspective, XDR enables organizations to prevent successful cyberattacks as well as simplify and strengthen security processes. This, in turn, enables them to better serve users and accelerate digital transformation initiatives – because when users, data and applications are protected, companies can focus on strategic priorities.
- Block known and unknown attacks with powerful endpoint protection: Leverage AI-based local analysis and Behavioral Threat Protection to stop malware, exploits, and fileless attacks on the endpoint.
- Gain visibility across network, endpoint, and cloud data: Collect and correlate data from Palo Alto Networks and third-party tools to detect, triage, investigate, hunt, and respond to threats.
- Automatically detect sophisticated attacks 24/7: Use always-on AI-based analytics and custom rules to detect advanced persistent threats and other covert attacks.
- Avoid alert fatigue and personnel turnover: Simplify investigations with automated root cause analysis and a unified incident engine, resulting in a 98% reduction in alerts and lowering the skill required to triage alerts.
- Increase SOC productivity: Consolidate endpoint security policy management and monitoring, investigation, and response across your network, endpoint, and cloud environments in one console, increasing SOC efficiency.
- Eradicate threats without business disruption: Shut down attacks with surgical precision while avoiding user or system downtime with Live Terminal.
- Eliminate advanced threats: Protect your network against malicious insiders, policy violations, external threats, ransomware, fileless and memory-only attacks, and advanced zero-day malware.
- Supercharge your security team: Disrupt every stage of an attack by detecting indicators of compromise (IOCs) and anomalous behavior as well as prioritizing analysis with incident scoring.
- Restore hosts to a clean state: Rapidly recover from an attack by removing malicious files and registry keys, as well as restoring damaged files and registry keys using remediation suggestions.
- Extend detection, investigation, and response to third-party data sources: Enable behavioral analytics on logs collected from third-party firewalls while integrating third-party alerts into a unified incident view and root cause analysis for faster, more effective investigations.
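The bullets above describe three mechanics that are easy to state and hard to picture: correlating alerts from different data sources, folding them into one incident instead of many alerts, and scoring that incident for triage. The following Python sketch is an added illustration, not code from the original page and not Cortex XDR's actual detection logic. All sensor names, field names and alert signatures are constructed for the example; the only point it makes is how cross-source linkage by shared entity (host or user) within a time window turns six alerts from three sensors into two incidents, with the incident corroborated by several independent sensors ranked first.

```python
"""Toy cross-source alert correlation in the spirit of an XDR
"unified incident engine": normalize alerts from several sensors,
link them by shared entity inside a time window, and score the result.
Constructed example for illustration only; not any vendor's real logic.
"""
from datetime import datetime, timedelta

# Constructed raw alerts from three hypothetical sensors. The field
# names (src, ts, host, user, sig, sev) are assumptions for this example.
RAW_ALERTS = [
    {"src": "endpoint", "ts": "2023-05-01T10:00:05", "host": "ws-17",
     "user": "jdoe", "sig": "office_spawns_powershell", "sev": 3},
    {"src": "endpoint", "ts": "2023-05-01T10:00:06", "host": "ws-17",
     "user": "jdoe", "sig": "encoded_powershell_cmdline", "sev": 3},
    {"src": "firewall", "ts": "2023-05-01T10:01:10", "host": "ws-17",
     "user": None, "sig": "dns_to_new_domain", "sev": 2},
    {"src": "firewall", "ts": "2023-05-01T10:01:12", "host": "ws-17",
     "user": None, "sig": "beaconing_interval", "sev": 4},
    {"src": "cloud_iam", "ts": "2023-05-01T10:03:00", "host": None,
     "user": "jdoe", "sig": "console_login_new_country", "sev": 3},
    # Unrelated low-severity noise on another host, hours later.
    {"src": "endpoint", "ts": "2023-05-01T14:30:00", "host": "ws-42",
     "user": "asmith", "sig": "unsigned_driver_load", "sev": 2},
]

WINDOW = timedelta(minutes=10)  # assumed correlation window


def normalize(raw):
    """Map a sensor-specific record onto one common alert shape."""
    return {
        "source": raw["src"],
        "ts": datetime.fromisoformat(raw["ts"]),
        "entities": {e for e in (raw.get("host"), raw.get("user")) if e},
        "signature": raw["sig"],
        "severity": raw["sev"],
    }


def correlate(alerts, window=WINDOW):
    """Group alerts into incidents. An alert joins an open incident if it
    shares an entity (host or user) with it and arrives within `window`
    of that incident's latest alert. Entities accumulate, so the cloud
    login for user jdoe links to the firewall alerts on ws-17 through
    the endpoint alert that observed jdoe on ws-17."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for inc in incidents:
            if a["entities"] & inc["entities"] and a["ts"] - inc["last_ts"] <= window:
                inc["alerts"].append(a)
                inc["entities"] |= a["entities"]
                inc["last_ts"] = a["ts"]
                break
        else:
            incidents.append({"alerts": [a], "entities": set(a["entities"]),
                              "last_ts": a["ts"]})
    return incidents


def score(incident):
    """Severity sum plus a bonus for independent sensors agreeing: one
    alert corroborated by a different data source is worth more than
    several alerts from the same sensor."""
    base = sum(a["severity"] for a in incident["alerts"])
    sources = {a["source"] for a in incident["alerts"]}
    return base + 5 * (len(sources) - 1)


def build_incidents(raw_alerts=RAW_ALERTS):
    """Normalize, correlate and rank; highest-scored incident first."""
    incidents = correlate([normalize(r) for r in raw_alerts])
    for inc in incidents:
        inc["score"] = score(inc)
        inc["sources"] = sorted({a["source"] for a in inc["alerts"]})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    incs = build_incidents()
    print(f"{len(RAW_ALERTS)} alerts -> {len(incs)} incidents")
    for inc in incs:
        print(inc["score"], inc["sources"], sorted(inc["entities"]),
              [a["signature"] for a in inc["alerts"]])
```

Running it collapses the six constructed alerts into two incidents: the ws-17/jdoe chain (endpoint, firewall and cloud identity all agreeing) scores 25, while the lone unsigned-driver alert on ws-42 scores 2. A production engine needs what this sketch omits: entity resolution (the same user appearing as a SAM account name, a UPN and a cloud principal; hosts whose IP changes under DHCP), handling of out-of-order and late-arriving telemetry, and a window tuned per technique, since a slow beacon or a dormant credential will not fit in ten minutes.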
How Does XDR Compare to EDR or MDR?
XDR is an alternative to traditional reactive approaches that provide only layered visibility into attacks, such as endpoint detection and response, or EDR; network traffic analysis, or NTA; and security information and event management, or SIEM. Layered visibility provides important information, but can also lead to problems, including:
- Too many alerts that are incomplete and lack context. EDR detects only 26 percent of initial attack vectors [1], and due to the high volume of security alerts, 54 percent of security professionals ignore alerts that should be investigated [2].
- Time-consuming, complex investigations that require specialized expertise. Even with EDR deployed, the mean time to identify a breach has increased to 197 days, and the mean time to contain a breach to 69 days [3].
- Technology-focused tools rather than user- or business-focused protection. EDR focuses on technology gaps rather than the operational needs of users and organizations. With more than 40 tools used in an average security operations center [4], 23 percent of security teams spend their time maintaining and managing security tools rather than performing security investigations [5].
Endpoint detection and response, or EDR, refers to a category of tools used to detect and investigate threats on endpoint devices. EDR tools typically provide detection, analysis, investigation and response capabilities. Compared to EDR, XDR takes a wider view, integrating security across endpoints, cloud computing, email, and other solutions.
EDR tools monitor events generated by endpoint agents to look for suspicious activity, and the alerts they generate help security operations analysts identify, investigate and remediate issues. EDR tools also collect telemetry on suspicious activity and may enrich it with contextual information from correlated events. Through these functions, EDR is instrumental in shortening response times for incident response teams.
Managed detection and response (MDR) services offer dedicated personnel and technology to improve the effectiveness of security operations in threat identification, investigations and response. These services complement traditional managed security services that focus on broad security alert management and triage.
While various definitions exist, MDR services universally provide the following value:
- Resource augmentation aids security teams in operations that require specialist skill sets, such as threat hunting, forensic investigations and incident response.
- Increased security maturity provides a mature approach to threat management that is proactive and available 24/7, year-round, paving the way for transformation across other aspects of security operations.
- Faster time to value delivers a curated technology stack, security experts and operational best practices, so an organization reaches effective detection and response in days rather than years.
- Reduced mean time to detect (MTTD) and mean time to respond (MTTR), with detection of and response to advanced threats committed to inside a fixed, time-based service level agreement (SLA).
Cortex XDR | Our XDR Product
Cortex XDR is the world’s first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks. It unifies prevention, detection, investigation, and response in one platform for unrivaled security and operational efficiency. Cortex XDR accurately detects threats with behavioral analytics and reveals the root cause to speed up investigations.
Tight integration with enforcement points accelerates containment, enabling you to stop attacks before the damage is done. Combined with our Managed Threat Hunting service, our XDR solution gives you round-the-clock protection and industry-leading coverage of MITRE ATT&CK techniques.
For more information on XDR, see the sources cited above, available as downloadable resources:
1. “Endpoint Protection and Response: A SANS Survey,” SANS Institute, 2018
2. “2017: Security Operations Challenges, Priorities, and Strategies,” ESG, 2017
3. “2018 Cost of a Data Breach Study,” Ponemon Institute, 2018
4. “SANS 2018 Security Operations Center Survey,” SANS Institute, 2018
5. “Investigation or Exasperation? The State of Security Operations,” IDC, 2017