Every few years comes a new wave of technology solution marketing that is centered around a common acronym, introducing the latest approach to solving a specific problem, and cyber security technology is no different. This isn’t necessarily a bad thing, as it often reflects critical innovations to make your security operations team more effective, like improving visibility, delivering better analytics, reducing complexity (not always succeeding), and other capabilities that ultimately make your organization more secure.
But along with the new acronyms comes a lot of confusion for anyone tasked with assessing new solutions. First, you have to figure out what it actually means, and whether or not that sort of solution applies to your organization’s needs. Then, once you’ve determined that it’s a potential fit, you have to wade through the muddy waters of every vendor staking a claim on the market, no matter how tenuous their connection.
XDR is the latest technology making the rounds as dozens of vendors have latched onto the term. It promises to both simplify and optimize your security stack by tying everything together to increase threat detection capabilities, consolidate the number of screens your analysts need to work within, and significantly reduce the number of false positives they waste time investigating every day. And unless you've defied the odds and completely insulated yourself from new messaging, you’ve seen potentially dozens of vendors referencing their XDR capabilities.
What do they actually mean when they’re talking about XDR?
Given the amount of white noise obscuring any easy answer, it’s a valid question. So let’s start with the definition(s).
The definition of XDR according to Gartner is eXtended Detection and Response, and it’s a new category of vendor-specific platforms created to provide a better user experience around multiple threat-focused security technologies. In other words, large vendors are making a concerted effort to tie all of their individual point solutions together through integrations and a common UI. But this means if you want the XDR you’re tied to one vendor’s portfolio, potentially requiring a forklift reinvestment in an entirely new technology stack.
The alternative vendor response to this has been the introduction of OpenXDR solutions, which also offer a consolidated approach and a common UI but focus on working with best-of-breed technologies from any vendor rather than just one. The OpenXDR platforms promise to work with your preferred technology stack, integrating everything together while also delivering centralized detection and response capabilities through a single interface.
Interestingly, OpenXDR messaging is also being embraced not just by security software vendors, but by MDR and other service providers. Which makes sense, since the concept is more about data aggregation and operating simplification than a specific delivery method.
But if OpenXDR integrates your security operations stack to more effectively centralize and streamline your detection and response process, then what does SOAR do?
The key difference is that SOAR is an automation driven solution, while XDR (at least at this point) is more concerned with centralized analysis and a single UI for managing your detection and response strategy. (There is a similar question that can be asked about the difference between XDR and SIEM, addressed in this ebook…) The drawback is that there is a larger variation in capabilities for OpenXDR, and if you’re truly looking for something that cuts down on alert fatigue and lowers your MTTD and MTTR, you need to make sure that automation is central to the platform. Which brings us back to SOAR. If that is, in fact, your end goal, then in most cases SOAR-like automation capabilities should be your first stop in the hunt for an OpenXDR platform.
XDR may be a more open-ended term than SOAR, but both were created to solve the same problem. So, what’s the real difference?
The real question is, if the solution you choose solves a significant problem for you, do you care about the acronym? The real importance is that whatever the solution that you choose, the outcome delivers value. You need a solution that will help consolidate your tools, automate workflows, and simplify and accelerate your detection and response capabilities.
How do I determine what’s right for my organization?
Whether it’s SOAR or XDR, these solutions often remain out of reach for smaller organizations with limited resources. Without the in-house expertise to integrate your security stack, build your detection and response content and manage the solution, either option will most likely fail during implementation.
Before you begin any evaluation, make sure to:
Document and rank your solution requirements to narrow down your evaluation criteria
Align your needs to documented product capabilities independently of the specific acronym/category
Check the availability of integrations specific to your environment, as well as ensuring that a process is in place to quickly deliver new integrations
Identify the use cases that you wish to solve and assess the vendor’s ability to address them quickly with existing content and/or rapid playbook development
Create a shortlist based on the solutions that best map to your product requirements
Determine what internal resources you have available to dedicate to implementation and management
Identify what options are available from the vendors you plan to evaluate for helping to implement, configure and manage their platform. You should determine the level of help you need and look at options for deployment and on-demand professional services to fully managed deployments
If you’d like to learn more about how you can cost effectively consolidate your security operations in whatever way works best for your organization, schedule some time with us to discuss your options here.