Ever watch the old '80s cartoon the Smurfs? If you did, you may recall a quirky pattern in Smurf language, where everyday adjectives, verbs, and nouns were replaced by the word smurf: "I smurfed into the smurf for a smurf!" It's a fun word, but without context, the word smurf means everything—which ultimately makes it mean nothing. In cybersecurity, we're doing the same thing with XDR.
With tech acronyms growing exponentially, anytime we use a new acronym in cybersecurity, we should do our best to explain it clearly. We already have EDR, SIEM, SOAR, and NDR, to name a few, and as I walked the RSA Conference floor earlier this year, it looked like the acronym XDR was everywhere. The term is applied to many products and features in a vague, high-level fashion, making it truly hard to understand what it means. I feel really smurfed out thinking about it.
Defining Extended Detection and Response (XDR)
Extended detection and response (XDR) is a security solution built on the concept of correlating and analyzing data from multiple sources, including machine data, log data, and network data, in a single, unified stream.
The concept leans on the Gartner-coined SOC visibility triad, which advocates for the use of SIEM, EDR, and NDR solutions to close visibility gaps and enable effective response times and investigations by using diverse data sources. The SOC visibility triad offers comprehensive security, but can also create data silos, which XDR—at least in theory—aims to solve.
The Reality of How XDR Works
XDR is typically marketed as a single tool that encompasses SIEM, EDR, and NDR capabilities—but this definition hinges on the belief in a perfect security system across all data sources that detects and responds to any threat from anywhere, in any environment.
The reality of XDR typically goes one of two ways: either security organizations scrambling for the top of the security solution food chain repackage any expanded detection capability as XDR to jump on the trend, or a single vendor offers an approach that may include aspects of SIEM, EDR, and NDR but hands all control to that one vendor.
The first pitfall isn't exclusive to XDR. Throughout my career, I have seen vendors chase the latest buzzword. For example, when NDR first hit the scene, a number of products claimed NDR capabilities despite offering nothing more than the top websites visited and basic NetFlow data. Similarly, the offerings under the XDR umbrella vary widely in the depth of their capabilities. The XDR label has allowed even the most basic solutions to try to capitalize on the halo effect of the buzzword du jour without making the product investments necessary to make those claims a reality.
The second pitfall is closer to the promise of XDR, but risks serious shortcomings in other areas. Single-vendor solutions fail by diluting their offerings across the security spectrum. All too often, when a security vendor attempts to build solutions beyond its core competencies, it spreads precious development resources thin, and the end result is underwhelming solutions. There are of course occasional exceptions: Companies that acquire leaders in other security categories for integration into their product framework (such as SIEM and firewall vendors purchasing SOAR solutions) can do so more effectively, but customers can still lose flexibility if they get locked into products with limited integrations.
Rethinking the Value in XDR
The underlying concept of XDR is a solid reminder to look deeper and ask, 'what's out there that could help me be more secure?' The ideology behind XDR is to make siloed tools and systems work together to solve the security challenges of your organization. Separate the concept of XDR from a single product, and it starts to make more sense.
I think of effective XDR as a philosophy or a strategy and not a product or solution. That philosophy is to integrate (when possible) disparate data sources to identify and investigate more threats in a simplified way.
The goal of XDR is to make security teams more effective at securing their organizations. The reality of defending against today's threat landscape requires a massive amount of data from logs, packets, agents, instrumentation, and telemetry. These requirements are outpacing most security organizations' ability to effectively process this massive amount of data. If we subscribe to XDR as a philosophy we can evaluate solutions based on their ability to correlate and help us understand and effectively use massive amounts of data from disparate sources.
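The correlation the triad definition describes, and the "integrate disparate data sources" philosophy above, can be made concrete. The following is an added example written for this article, not any vendor's product: it maps constructed EDR, NDR and SIEM records, each in its own native schema, into one time-ordered stream and reports hosts where all three tools observe activity inside a short window. The hostnames, IP addresses, timestamps and asset inventory are all made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed records from three siloed tools, each in its own native schema.
EDR_EVENTS = [  # endpoint agent: process creation
    {"host": "ws-17", "time": "2024-05-01T09:02:10Z", "process": "powershell.exe", "parent": "winword.exe"},
    {"host": "ws-42", "time": "2024-05-01T11:30:00Z", "process": "chrome.exe", "parent": "explorer.exe"},
]
NDR_FLOWS = [  # network sensor: flow records keyed by IP, not hostname
    {"src_ip": "10.0.5.17", "dst_ip": "203.0.113.9", "dst_port": 443, "start": "2024-05-01T09:02:55Z", "bytes_out": 4800000},
    {"src_ip": "10.0.5.42", "dst_ip": "10.0.1.8", "dst_port": 445, "start": "2024-05-01T11:40:00Z", "bytes_out": 2000},
]
SIEM_AUTH = [  # SIEM: Windows logon events
    {"Computer": "ws-17", "TimeCreated": "2024-05-01T09:01:40Z", "EventID": 4624, "TargetUserName": "jdoe"},
    {"Computer": "ws-42", "TimeCreated": "2024-05-01T11:29:50Z", "EventID": 4624, "TargetUserName": "asmith"},
]
ASSETS = {"10.0.5.17": "ws-17", "10.0.5.42": "ws-42"}  # constructed IP-to-host inventory

@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    source: str  # "edr", "ndr" or "siem"
    summary: str

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def unify():
    """Map every source into one schema and return a single time-ordered stream."""
    stream = [Event(parse_ts(e["time"]), e["host"], "edr", f"{e['parent']} -> {e['process']}")
              for e in EDR_EVENTS]
    stream += [Event(parse_ts(f["start"]), ASSETS.get(f["src_ip"], f["src_ip"]), "ndr",
                     f"{f['dst_ip']}:{f['dst_port']} {f['bytes_out']}B out") for f in NDR_FLOWS]
    stream += [Event(parse_ts(a["TimeCreated"]), a["Computer"], "siem",
                     f"EventID {a['EventID']} {a['TargetUserName']}") for a in SIEM_AUTH]
    return sorted(stream, key=lambda ev: ev.ts)

def correlate(stream, window=timedelta(minutes=5)):
    """Per host, return the first cluster where SIEM, EDR and NDR all report within `window`."""
    by_host, hits = {}, {}
    for ev in stream:
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e.ts - first.ts <= window]
            if {e.source for e in cluster} == {"edr", "ndr", "siem"}:
                hits[host] = cluster  # the logon, the Office-spawned shell and the upload, as one timeline
                break
    return hits
```

Each tool alone sees only a fragment (a logon, a process, a flow); only the unified stream shows that ws-17's three fragments line up within 75 seconds, while ws-42's network activity falls outside the window and is not flagged.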
Evaluating Strategic XDR Solutions
We should be critical but open-minded to the possibilities of purpose-built, turn-key integrations that qualify as strategic XDR. Talk is cheap; anyone can write up a one-pager claiming smurftacular capabilities, but a real-world proof of concept of each XDR competency (firewalls, NDR, SIEM, and EDR), including the fidelity of its purpose-built integrations, will separate the hype from reality. This will allow anyone purchasing an XDR solution to make an informed decision.
The Future of XDR?
If nothing else, XDR should make you look at your framework and systems and ask, 'what can be done better?' The XDR concept can be used as a catalyst to examine and challenge the effectiveness of our current security toolsets: It reminds us to push forward and challenge our current frameworks and beliefs about what is secure. The concept also asks vendors to collaborate more on high-fidelity integrations that support the common goal of stopping advanced threats.
I believe that ultimately the concept of XDR will push the industry forward on new innovations and challenges once competing security vendors work together to offer the integrations security teams need—we just need the hype train to leave Smurf Station and arrive in the world of reality.