There’s a lot of confusion about the exact definition of an XDR solution, which can obfuscate the important details around what it can specifically do for your security posture. For those looking for value in an XDR solution, there are six critical capabilities that should be considered a must.
1. Integration with everything
This is one of the capabilities that everyone agrees on. Whether you’re looking at it as a single vendor or open best-of-breed solution, the entire point of XDR is to consolidate your security stack into a single, tightly integrated solution. While this immediately disqualifies any solution that doesn’t have strong API-centric integration capabilities, there are other considerations that are also important to address early. XDR needs to do more than just receive a data feed from other solutions, which is effectively what a SIEM already does. The XDR also needs to be able to query any other tool in the stack for additional data and context, as well as initiate response actions without requiring the analyst to login to another tool.
If you’re looking for an XDR solution that will adapt to your requirements rather than being tailored to a single vendor’s portfolio, it’s important to understand how integrations are done. If you’re overly dependent on the vendor to roll out integrations on a release cycle that won’t prioritize your requirements, it can severely limit your ability to add new sources of telemetry to your XDR. Either the vendor needs to commit to rapid development of new integrations, or you need to make sure that the process for adding your own is easy.
2. Intelligent Automation
Based on many of the recent entries into the XDR market, maybe any automation capability is a good starting point. Without automation in some form, you’re really dropping back into the SIEM/Security Analytics concept where the platform is merely a data aggregator that has a minimal impact on operational efficiency. Analysts must manually investigate and respond to threats, which not only drains valuable time and resources, but increases MTTD and MTTR as well.
But simple automation that runs a handful of fixed playbooks or one-off actions isn’t enough. For an XDR to deliver simplified and consolidated processes that deliver better detection and response outcomes, automation needs to be smart. This intelligence needs to not only follow predefined playbook logic, but adapt based on the variables unique to each specific threat so that it can accurately determine risk and automatically respond in the right way. And it needs to be able to do so at scale to help eliminate alert fatigue through automated triage.
3. Artificial Intelligence
While a lot of the discussion around AI (and the source of much skepticism) is focused on its ability to analyze threats like a human, one of the most underappreciated applications of AI is to drive product usability and adoption. That means not just performing calculations to assess threat probability and risk on the fly, but also learning what you need in your specific environment and then telling you what you should do and how to do it.
Embedded AI/ML modules that help your playbooks deliver more effective threat detection and alert triage are incredibly valuable. Yet one of the biggest blockers to solution adoption is not having the time, resources or expertise to determine what to configure and how to do it effectively. When evaluating your XDR options, make sure that you assess not only how well the system can learn and adapt, but also its capacity for delivering unique configuration guidance based on what it learns from your business needs.
4. Deep Analytics and Consolidated, Advanced Threat Detection
This is the aim of any modern security solution, and there are many (SIEM, EDR, NDR, etc.) that provide critical aspects to the overall goal. A successful XDR deployment will consolidate all of that data and analyze it under one lens, identifying and correlating all of the relevant threat data to give a complete assessment of any potential threat. Just as important to the analysis is the ability to quickly distinguish between true threats and false positives, without missing real attacks.
The advantage that XDR delivers is the ability to tie threat data together and automatically apply multiple analytical methodologies to accurately detect, investigate, assess, and verify the validity of the threat, and then immediately respond to it. By looking at every potential threat vector in one place, the XDR platform can assess all of the different Tactics and Techniques being used by an attacker to correlate which are being used in conjunction with one another to deliver rapid, comprehensive, deep threat detection and deliver an appropriate response.
5. Extensible, Affordable Data Layer
No detection and response program works without access to security event data. That should be a given, but with high licensing and operating costs associated with long term retention, many organizations are forced to either limit their data retention or use secondary archives that can be difficult to search or analyze. SIEM solutions have long been the primary repository for data storage, both for near-term and historical analysis, and compliance mandated retention, but legacy architectures designed for rapid analysis come at a high cost.
One of the key reasons SIEM storage is so expensive is that it is largely built on outdated architectures that have trouble separating the near-term data required for rapid threat detection, and older data that is more useful for identifying historical trends and threat hunting. Data that doesn’t need to be analyzed immediately is still stored in an expensive tier, and the volume over time means that the cost continues to grow. An effective XDR can distinguish between the two, using more efficient and lower cost methods to retain historical data and deliverthe required access without the unreasonable expense.
6. Deployment Flexibility
When it comes to deployment requirements and solution form factor preferences, every organization is different. An XDR solution should support on-premise and cloud-based implementations, as well as managed deployments to accommodate organizations that lack the resources to manage them on their own. Cloud-based and managed deployments should have multi-tenancy and operating certifications like SOC 2 to ensure that the operating platform is secure. Over time those preferences/requirements can change. It’s important to be able to adapt, so the ability to quickly migrate between deployment options is important.