I often feel for security teams who need to make sense of the alphabet soup of vendor acronyms that look so similar—present company included. At first glance when looking at NDR and XDR you would be forgiven for not knowing the difference.
That said, there are some very marked differences between network detection and response (NDR) and extended detection and response (XDR) that will impact your security operations depending on which approach you choose. This post will clarify the differences between NDR and XDR and leave you better equipped to decide between the two technologies.
The Definitions: What Is NDR and What Is XDR?
Network detection & response (NDR) is a new category of security solutions that both complement and go beyond the capabilities of traditional log aggregation and analysis tools (SIEM) and endpoint detection and response (EDR) products.
NDR solutions passively ingest and analyze Layer 2 to Layer 7 network data and monitor north-south and east-west traffic. This category of solution generally applies advanced behavioral analytics coupled with cloud-scale machine learning to rapidly detect, investigate, and respond to threats that would otherwise remain hidden.
For a broadly defined view of what constitutes XDR one can look to Cisco, who defines XDR as follows:
"XDR collects and correlates data across email, endpoints, servers, cloud workloads, and networks, enabling visibility and context into advanced threats. Threats can then be analyzed, prioritized, hunted, and remediated to prevent data loss and security breaches." - Cisco
This ambitious definition of XDR does a great job providing a scaffold that can be used to understand XDR in a more general market context.
- For many vendors, XDR consists of two or more vendor-specific log sources, often EDR and firewall, with some kind of Active Directory log integration for additional context and enrichment.
- In some cases there will be ML engines built on top of these data sets to help provide anomaly or user behavior analytics. This ends up introducing data normalization requirements that can add a significant amount of work to getting value from XDR.
- If the data from the EDR, firewall, and other sources aren't already in similar formats or schemas, they'll need to be processed and normalized before analysis, which requires specialized skills, adds compute cycles, and ultimately delays when a security analyst is able to respond to it.
- Once these log sources are aggregated, the XDR platform will help support security operations by correlating alerts into attack campaigns to provide a single interface from which to investigate and respond to security alerts.
In this way XDR can be thought of as a vendor-specific security orchestration, automation, and response platform with customized cross-product playbooks and vendor-specific ML engines.
Still confused? I don't blame you. Let's dig in a little deeper.
What Are the Similarities and Differences Between NDR and XDR?
NDR and XDR share the same goal: to help customers detect and respond to threats. The fundamental difference lies in the data source, the analytic approach, and the requirements necessary to benefit from those different data sources.
|Data Source||Network tap or traffic mirror (on premises, virtual, hybrid, or public cloud)||Combination of endpoint agents analyzing host process behavior, NGFW appliances analyzing network traffic, and potentially other data sources|
|Deployment Location||No agents. Out-of-band in cloud, datacenter, and remote sites||Agents on each endpoint and NGFW appliances both internally and at perimeter for greater visibility|
|Deployment Model||Low deployment friction||High deployment friction|
|Performance Considerations||No negative performance impact||When monitoring east-west traffic, performance may be constrained|
|Fundamental Approach||Best in class: Purpose-built NDR for passive monitoring of L2-L7 network data that leverages ML and is natively integrated with threat intelligence data, EDR and SIEM to avoid vendor lock-in||Single vendor:XDR platforms are typically vendor-specific, limiting 3rd party integrations to data enrichment such as threat intelligence feeds|
Many vendors build their XDR solutions on top of a core product competency such as EDR or NGFW. This allows investigators to rapidly correlate north-south network traffic with endpoint process data, improving visibility for investigators and allowing them to rapidly determine the source of undesirable north-south traffic. While correlating endpoint, network, and log data is valuable for security operations, the approach taken by many XDR products has limitations that outweigh the benefits.
The Vendor Lock-In Challenge
While XDR does offer benefits to those looking to improve their security posture, there are significant drawbacks to the platform that security analysts need to be aware of. In today's security landscape vendors often specialize in specific security tools such as endpoint detection and response or next generation firewalls.
In order for XDR to provide broad-based benefits, these vendors are often building additional security capabilities that are outside their core competencies. The result is often a flawed tool kit, lacking important feature functionality and table-stakes detection capabilities.
The Benefits of Best-of-Breed
Security tool sprawl and shelfware are real problems that CISOs face. In security, you can't afford to sacrifice—the stakes are too high. Often when one tool tries to do too many things you lose the ability to do anything well.
At face value it may seem like an XDR tool would make sense, but evaluation teams need to dig deeper. In reality, working with best-of-breed security tools that are optimized for your use cases will ensure you are able maximize the benefits for each requirement you have. Accepting a sub-par data set or tool as a free add-on is tempting, but most often leads to shelfware and budget woes.
In the next post in this series on NDR vs. XDR, we'll talk about deployment friction and throughput challenges, and compare the two approaches along those axes.