I often feel for security teams who need to make sense of the alphabet soup of vendor acronyms that look so similar—present company included. At first glance when looking at NDR and XDR you would be forgiven for not knowing the difference.
That said, there are some very marked differences between network detection and response (NDR) and extended detection and response (XDR) that will impact your security operations depending on which approach you choose. This post will clarify the differences between NDR and XDR and leave you better equipped to decide between the two technologies.
What Are NDR and XDR?
Network detection & response (NDR) is a category of security solutions that both complement and go beyond the capabilities of traditional log aggregation and analysis tools (SIEM) and endpoint detection and response (EDR) products.
NDR solutions passively ingest and analyze Layer 2 to Layer 7 network data and monitor north-south and east-west traffic. This category of solution generally applies advanced behavioral analytics coupled with cloud-scale machine learning to rapidly detect, investigate, and respond to threats that would otherwise remain hidden.
XDR vendors define their product as a solution that gathers data from a broad array of sources: endpoints, networks, servers, cloud workloads, email, and more—then analyzes the data to monitor and defend against cybersecurity threats.
How XDR Works
This ambitious definition of XDR does a great job providing a scaffold that can be used to understand XDR in a more general market context.
- For many vendors, XDR consists of two or more vendor-specific log sources, often EDR and firewall, with some kind of Active Directory log integration for additional context and enrichment.
- In some cases there will be ML engines built on top of these data sets to help provide anomaly or user behavior analytics. This ends up introducing data normalization requirements that can add a significant amount of work to getting value from XDR.
- If the data from the EDR, firewall, and other sources aren't already in similar formats or schemas, they'll need to be processed and normalized before analysis, which requires specialized skills, adds compute cycles, and ultimately delays when a security analyst is able to respond to it.
- Once these log sources are aggregated, the XDR platform will help support security operations by correlating alerts into attack campaigns to provide a single interface from which to investigate and respond to security alerts.
In this way XDR can be thought of as a vendor-specific security orchestration, automation, and response platform with customized cross-product playbooks and vendor-specific ML engines.
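The normalization and correlation steps described in the list above, as an added example that is not from the original post or from any vendor's product. The EDR and firewall records, their field names, the IP-to-host asset map, and the five-minute window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records; field names are hypothetical, not a vendor schema.
EDR_EVENTS = [
    {"hostname": "WS-042", "ts": "2024-05-01T10:00:05Z", "alert": "suspicious_script"},
    {"hostname": "WS-077", "ts": "2024-05-01T11:30:00Z", "alert": "macro_exec"},
    {"hostname": "WS-042", "ts": "2024-05-01T12:00:00Z", "alert": "new_service"},
]
FW_EVENTS = [
    {"src_ip": "10.0.0.42", "epoch": 1714557630, "sig": "c2_beacon"},  # 10:00:30Z
    {"src_ip": "10.0.0.99", "epoch": 1714572000, "sig": "port_scan"},  # 14:00:00Z
]
ASSET_MAP = {"10.0.0.42": "ws-042"}  # assumed enrichment source (e.g. directory data)

def normalize_edr(e):
    return {"host": e["hostname"].lower(), "source": "edr", "signal": e["alert"],
            "time": datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))}

def normalize_fw(e):
    # An unmapped IP stays as the key, so it can never join a host's EDR events.
    return {"host": ASSET_MAP.get(e["src_ip"], e["src_ip"]), "source": "firewall",
            "signal": e["sig"], "time": datetime.fromtimestamp(e["epoch"], tz=timezone.utc)}

def correlate(events, window=timedelta(minutes=5)):
    """Cluster each host's events; a gap longer than `window` starts a new cluster."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda ev: ev["time"]):
        by_host[ev["host"]].append(ev)
    clusters = []
    for evs in by_host.values():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["time"] - current[-1]["time"] > window:
                clusters.append(current)
                current = []
            current.append(ev)
        clusters.append(current)
    return clusters

def cross_source(clusters):  # keep clusters corroborated by more than one log source
    return [c for c in clusters if len({ev["source"] for ev in c}) > 1]

def run():
    events = [normalize_edr(e) for e in EDR_EVENTS] + [normalize_fw(e) for e in FW_EVENTS]
    return cross_source(correlate(events))

if __name__ == "__main__":
    print(run())
```

The firewall record for `10.0.0.99` has no asset-map entry, so it stays in its own single-source cluster: a gap in enrichment silently removes that traffic from cross-source correlation.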
Still confused? I don't blame you. Let's dig in a little deeper.
XDR and NDR Comparison
NDR and XDR share the same goal: to help customers detect and respond to threats. The fundamental difference lies in the data source, the analytic approach, and the requirements necessary to benefit from those different data sources.
|NDR|XDR|
|---|---|
|Network tap, traffic mirror, or AWS flow logs (on premises, virtual, hybrid, or public cloud)|Combination of endpoint agents analyzing host process behavior, NGFW appliances analyzing network traffic, and potentially other data sources|
|No agents. Out-of-band in cloud, datacenter, and remote sites|Agents on each endpoint and NGFW appliances both internally and at perimeter for greater visibility|
|Low deployment friction|High deployment friction|
|No negative performance impact|When monitoring east-west traffic, performance may be impacted|
|Best in class: Purpose-built NDR for passive monitoring of L2-L7 network data that leverages ML and is natively integrated with threat intelligence data, EDR, and SIEM to avoid vendor lock-in|Single vendor: XDR platforms are typically vendor-specific, limiting 3rd party integrations to data enrichment such as threat intelligence feeds|
Many vendors build their XDR solutions on top of a core product competency such as EDR or NGFW. This allows investigators to rapidly correlate north-south network traffic with endpoint process data, improving visibility for investigators and allowing them to rapidly determine the source of undesirable north-south traffic. While correlating endpoint, network, and log data is valuable for security operations, the approach taken by many XDR products has big limitations.
Drawbacks of XDR
While XDR does offer benefits to those looking to improve their security posture, there are significant drawbacks to the platform that security analysts need to be aware of. In today's security landscape vendors often specialize in specific security tools such as endpoint detection and response or next generation firewalls.
In order for XDR to provide broad-based benefits, these vendors are often building additional security capabilities that are outside their core competencies. The result is often a flawed tool kit, lacking important feature functionality and table-stakes detection capabilities.
The Benefits of Best-of-Breed Security
Security tool sprawl and shelfware are real problems that CISOs face. In security, you can't afford to sacrifice—the stakes are too high. Often when one tool tries to do too many things you lose the ability to do anything well.
At face value it may seem like an XDR tool would make sense, but evaluation teams need to dig deeper. In reality, working with best-of-breed security tools that are optimized for your use cases will ensure you are able to maximize the benefits for each requirement you have. Accepting a sub-par data set or tool as a free add-on is tempting, but often leads to shelfware and budget woes.
Deployment Friction and Throughput Challenges
As previously mentioned, XDR is generally built on top of a single-vendor combination of EDR and NGFW technologies.
However, both EDR and NGFW technologies suffer from inherent limitations such as throughput, visibility, and supported platforms. These limitations create gaps in both protection and visibility, resulting in blind spots that are difficult to address.
EDR & NGFW Limitations
Endpoint detection and response (EDR) requires an agent on each endpoint and is focused on endpoint file systems, processes, and network traffic to and from the specific endpoint only. There are several best-in-class EDR technologies on the market, yet due to their inability to deploy agents on devices like printers, IP phones, thermostats, security cameras, and more, large organizations often encounter issues achieving full deployment coverage. Further, if a new endpoint is deployed, it is not always done properly and may go unmonitored for a long time.
NGFW technologies are critical to securing the enterprise gateway, blocking inbound and outbound traffic, applying IDPS signature rule sets, and allowing for the enforcement of IP block and allow lists. The feature sets for these appliances are extensive, but due to the high computational overhead of ML and full packet inspection, it's difficult if not impossible for NGFW appliances to fully evaluate network traffic on all potential metrics, let alone perform UEBA or high-fidelity ML against traffic.
NGFW platforms also suffer from traffic throughput issues when activating multiple advanced features, creating a traffic bottleneck that is expensive to overcome. The result is a high-level logging view of traffic allow/block decisions and log data showing which IDPS rules were encountered for a given traffic stream. While this type of analysis certainly serves to improve security posture, it lacks the in-depth analysis provided by purpose-built, out-of-band technologies such as NDR.
While some companies use NGFW technologies to segment important sections of their corporate networks, these appliances are too expensive for the type of zero-trust deployment model required to capture log data for the majority of east-west network traffic.
To Do XDR Right, You Need a Totally Open Architecture
While XDR platforms provide a variety of benefits, vendor lock-in can be a detriment to security practitioners. By leveraging second and third tier tools in order to take advantage of an XDR platform, security practitioners are actually compromising their network's security in exchange for the simplicity XDR claims to provide.
XDR's promises of analyst efficiency seem to make sense on the surface, but there are security risks created by not using best-in-class solutions. An extra burden is placed on analysts who will have to turn to other tools to gain the visibility they need to do their jobs.
Additionally, XDR vendor lock-in creates new hurdles for security teams looking to migrate to best-of-breed tools, forcing customers to consider the inherent costs of widespread toolkit replacement rather than replacing point products. While this might seem cheaper on the surface, security practitioners should be wary of buying into the promises of any XDR platform that prevents the ability to leverage and integrate best-in-class tools.
Looking to the Future
As we look toward the future of the security industry we must keep in mind the trends of the past. The last twenty years of industry evolution have resulted in a shift from tools simply collecting and storing data to high-fidelity, ML-based detection and response capabilities.
EDR is constantly working to build in response and recovery–based automation with in-depth investigative and forensic tools, allowing analysts to do their jobs more efficiently. SIEM and SOAR products allow for broad-based tool integration wrapped around machine learning and playbooks for vendor-agnostic automated response capabilities.
With XDR we see the next generation of the SIEM and SOAR products. They combine vendor-specific log data with vendor-specific machine learning capabilities for higher-fidelity data and log aggregation. The goal of providing a unified analysis that helps security teams understand the broader picture of what's happening across different data sources is a good one, but trying to achieve that through a single vendor is too limiting.
XDR has the potential to deliver a solution that enables the analyst by providing that one-touch analysis and forensics interface, but only when vendors work to provide open interfaces, enabling integrations with best-of-breed tools to enhance a vendor's native detection and response capabilities.
ExtraHop has taken the position for a while now that intelligent integrations are the best option for sophisticated security operations. All-in-one solutions too often function as a jack of all trades but a master of none. Reveal(x) is, in our (admittedly biased) opinion, the best-of-breed network detection and response solution.
NDR is a critical component of security because it provides coverage in ways that are just not possible using any other data source. Detection and response is the future of cybersecurity, and the network is the key data source for that future.