Monday, September 20, 2021

Frequently asked questions on Extended Detection and Response

This article will answer some of the more frequently asked questions by those trying to understand the XDR Space.



As is normal with any new market segment or capability, there will be many questions about extended detection and response (XDR). This article answers some of the more frequently asked questions by those trying to figure out this space. 

What is XDR? 

EDR++ is a simplified way to think about XDR. 

A more complex, but accurate way to think about XDR is: 

There are tools available today that use traditional security operations, such as ingesting data from the environment and performing security analysis on top of it. There are a number of tools that offer a new approach to security operations, namely performing detections based upon where the data is. 

This has been the point of view of endpoint detection and response (EDR) vendors since inception — that the location of the data (on the endpoint) can provide the highest efficacy telemetry source for detection and response. It started with the endpoint — thus, EDR was born. However, it must now include other aspects as data moves from being on-premises to cloud. This is the first motion leading EDR vendors to evolve to XDR — to identify and protect where the data moves next. 

There is also a second motion that allows EDR vendors to evolve to XDR. 

EDR is a market-validated tool that allows for effective endpoint detection. However, incident responders need more than just the endpoint. They also need telemetry from the network, email, and other applications. Security teams have used security analysis platforms to match endpoint-telemetry with telemetry coming from other parts to overcome this problem. However, some solutions have had high resource consumption, high false positive rates, large data volumes, and created their own big data challenges. 

XDR addresses this problem by using a different approach to detection. It is anchored to endpoints and other high-efficacy telemetry resources, but correlates endpoint detectors with telemetry coming from other sources to simplify investigation. 

What’s the difference between hybrid XDR and native XDR? 

Native XDR incorporates elements of the vendor’s own suite of tools, while hybrid XDR focuses on integrations with third-party vendors. Both native XDR and hybrid XDR have native EDR capabilities. This is still the most important and defining feature of XDR. 

Native XDR is a vendor’s XDR solution that includes the EDR product. It then integrates other aspects of the vendor’s portfolio first, such as its email security tools and network analysis and visibility (NAV) tools. 

This contrasts with hybrid XDR, which integrates third-party tooling first. Hybrid XDR is based on a vendor’s XDR solution and includes the EDR product. It also prominently integrates third-party security tooling. 

Does Native XDR not integrate with other tools? 

Most native XDR tools can be integrated with other security tools. 

Forrester research has shown that security teams prefer integration capabilities to tooling. Thus, both native XDR and hybrid XDR must support integration with third-party security tools by some means — there is simply no other option. Native XDR vendors are likely to continue to lead with their offerings, but may offer integration through their security information and event management (SIEM) or security analytics platform. 

Vendors are limited in the amount of resources that they have to spend on integrations with third-party vendors versus integrations with their technology. A native XDR offering may be more beneficial for some end users because it integrates so closely with the vendor’s native technology. Vendors will need to spend time and effort building meaningful integrations with a limited number of vendors they are committed to maintaining. 

What does XDR replace within the SOC? 

XDR replaces EDR in the security operations center (SOC). This is the easiest way to put things. It will eventually replace the SIEM, but this is a five-year vision. 

Asking vendors this question is a great way to find out what they are selling when discussing XDR. XDR vendors that claim to replace SIEM or security analytics platforms are likely security providers using a security analysis approach. There are fundamental differences between XDR (security analytics platforms) and SIEM in both product architectures and deliverable outcomes. These hinder XDR’s ability to replace SIEM today. 

Is XDR a requirement for SOAR? 

XDR doesn’t require SOAR. In fact, it is redundant to buy SOAR on top of XDR in order to meet the response capabilities of XDR. XDR is not intended to mash together existing security technology in order to create a magically superior technology. It is designed to optimize incident response processes through automation, based in EDR technology. 

Are security teams clamoring for XDR? 

They aren’t, honestly. Chief information security officers often ask me questions about XDR. But it’s mostly questions like “What is XDR?” and “XDR is being pushed on me by vendor Y. Is it worthwhile?” Now is the right time for experimentation and education about XDR. Security professionals can make the most out of XDR by taking a journey that starts with an endpoint protection platform (EPP), moves to EDR, and then to XDR. 

Why is XDR so popular? What is the real interest of security teams in XDR? 

It’s easy to believe that XDR has become a buzzword because vendors believe they can increase their portfolio sales by naming everything they sell XDR. It’s true! However, there’s another reason that security teams need to be focused on: There is a desire in the security community to find a better solution than what they currently use. 

Security professionals face three challenges that XDR seeks to address: 

1. Detection 

Security tools generally take a very abstract approach to security analytics: we can see and understand more about incoming attacks if we gather a lot of data and then do analytics on it. This sounds great at first glance. However, it quickly becomes untenable due to the huge amount of enterprise information. XDR prioritizes the data that is used for detection in order to avoid overwhelming analysts with alerts. 

2. Investigation 

The investigation phase is the most time-consuming part of the incident response process. It’s especially difficult for new analysts who don’t necessarily have the skill set required to perform fast investigation. EDR technology has a lot to offer in terms of automated root cause analysis. This is one aspect that has been so appealing. XDR adds other telemetry to root cause analysis and investigative processes for more detailed incident information. 


3. Response 

You must respond quickly and fully. It is easy to respond quickly and, separately, it is also simple to complete the response. It is difficult to respond quickly and fully. EDR technology’s ability to recommend response actions is a compelling feature. XDR goes one step further, integrating other tools into recommended responses to give analysts the context they need to know how to respond and the ability to execute that response in one location. 

Do XDR and SIEM work together? 

Yes! At least, for now. XDR is on a collision course with SIEM, but for now they are complementary, as XDR can’t address all the SIEM use cases around governance, risk management and compliance. Some vendors offer SIEM solutions in conjunction with their XDR offerings, while others recommend that you work with a third party. 

What are the architectural similarities and differences between SIEM & XDR? 


[Figure: Forrester Research Inc.]

What outcomes does XDR offer in comparison to SIEM? 


[Figure: Forrester Research Inc.]

Does XDR being an evolution of EDR mean EDR no longer matters to you? 

In a recent report about XDR, I stated that “EDR is dead. Long live XDR.” to emphasize that XDR represents the next evolution of EDR. It will eventually replace EDR. This is true even though the budget line still shows EDR. Security teams still look for EDR. It will take time to replace EDR in the SOC with XDR. It will also be a journey for practitioners. It is crucial that we recognize and identify the differentiable capabilities EDR vendors have to offer in their endpoint offering. This will allow us to distinguish it from the next step in our practitioner journey: XDR. 

Some organizations may prefer to limit the integrations in their XDR technology, and instead use XDR as an EDR. One benefit of XDR evolving from EDR is that practitioners may be able to integrate more telemetry sources with their security program. 

Analyst Allie Mellen wrote this post. It originally appeared here.
