XDR (eXtended Detection & Response) designates a holistic approach to operational cybersecurity. It stands out for its ability to consolidate and automate, on a unified SaaS platform, all data, analyses and responses to cyber threats, regardless of their origin, vendor or specialization. The first promise of XDR is thus to make operational security much more effective by breaking down the silos between data sources and equipment, i.e. to:
- Increase detection capabilities tenfold
- Intelligently link the different capabilities to contain and understand the threat
- Adequately automate incident response actions, for example through playbooks
What are the differences between XDR, EDR and other cybersecurity tools?
XDR vs. EDR
By contrast, using XDR quite simply opens up the areas of observation and intervention to the entire IT perimeter, not only to endpoints, but also to networks (Network Detection & Response, firewalls) and any other front-end or expert solution.
Nor does XDR refer to a mere accumulation of security tools (EDR, EPP, AV, FW, NDR), as we have already explained in a previous post. Its added value lies in its ability to interconnect each of these security devices, to generate, with the help of CTI, contextualized alerts with a minimum of false positives, and to quickly trigger remediation activities from a single platform. In other words, an XDR platform must enable composable security.
Gartner, in its guide to the XDR market, suggests defining the functional coverage of XDR solutions by identifying two sides. The back-end is the real foundation: it must flawlessly provide all the cross-cutting functions of operational security: intelligence, event collection and processing, cross-channel correlation, automation and orchestration, administration, etc. On this foundation can be integrated a multitude of expert solutions or solutions dedicated to specific segments of the information system, which Gartner collectively calls the front-end: EDR, NDR, CWPP, FW, MTD, etc.
Open XDR versus monolithic XDR
There are currently many offers on the market labeled “XDR”. Apart from those that amount to unscrupulous marketing, dressing up a single expert capability and claiming to provide XDR on the pretext that it has an API, XDR offers can be classified into two large families.
Monolithic, integrated or native XDRs
On the one hand, monolithic solutions offer to fulfill the promise of XDR by directly integrating all possible front-end capabilities, at the cost of mediocre performance on those that are furthest from their historical expertise. This approach is often found among vendors of EDRs or network solutions converted to XDR. Too often, these solutions lock their customers into a closed ecosystem.
Open or hybrid XDRs
On the other hand, so-called open XDR solutions take advantage of open interfaces. It is a pragmatic approach, not always as tightly integrated as monolithic XDRs, but in return it makes it possible to compose cybersecurity according to the existing situation and to retain the best solution for each perimeter. For example, SEKOIA.IO offers a large and constantly growing catalog of integrations, covering more than 80% of the cybersecurity solutions market, both for incoming data integration and for the management interfaces of response means.
Why choose an XDR solution?
Three major elements justify the choice of XDR: its concrete contribution to raising the level of security, its operational efficiency, which relieves pressure on resources, and its digital-native character, which makes it agile and, for all intents and purposes, future-proof. These three elements combined can lead to significant productivity gains.
Increased level of security
Deploying an XDR makes it possible to federate existing means, to complement them with the best solutions on the market, and ultimately to ensure a higher level of security for the organization and its information system. By crossing data sources that were previously isolated from each other, an XDR can detect advanced threats such as APTs better and earlier, and provide different levels of response from reflex reactions to investigations and threat hunting.
At SEKOIA.IO, we also add our expertise and our threat data, the CTI, which unlocks additional performance in both detection and the reduction of false positives. This natively integrated intelligence thus allows SOC and CERT teams to focus on real danger areas.
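As an added illustration (not code from this article or from SEKOIA.IO), the following shows the kind of cross-silo correlation the preceding paragraphs describe: an EDR alert and an NDR alert about the same host are merged within a time window, enriched with CTI, escalated when independent sources agree, and routed to a playbook. All field names, thresholds, sample alerts, CTI entries and playbook names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed CTI feed and alerts: schema, IPs and scores are illustrative only.
CTI_FEED = {"198.51.100.23": {"tag": "c2-server", "confidence": 90}}

ALERTS = [
    {"source": "edr", "host": "ws-042", "ts": 1000, "dest_ip": None,
     "detail": "suspicious PowerShell child of winword.exe"},
    {"source": "ndr", "host": "ws-042", "ts": 1045, "dest_ip": "198.51.100.23",
     "detail": "beaconing pattern"},
    {"source": "ndr", "host": "srv-01", "ts": 2000, "dest_ip": "203.0.113.7",
     "detail": "single port scan"},
]


@dataclass
class Incident:
    host: str
    first_ts: int
    sources: set = field(default_factory=set)
    cti_tags: list = field(default_factory=list)
    severity: str = "low"
    playbook: str = "none"


def correlate(alerts, cti, window=300, min_confidence=70):
    """Merge alerts per host inside `window` seconds, enrich destinations
    with CTI, escalate when several silos agree, and assign a playbook."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        inc = next((i for i in incidents
                    if i.host == a["host"] and a["ts"] - i.first_ts <= window), None)
        if inc is None:
            inc = Incident(host=a["host"], first_ts=a["ts"])
            incidents.append(inc)
        inc.sources.add(a["source"])
        hit = cti.get(a.get("dest_ip"))  # None dest_ip simply yields no hit
        if hit and hit["confidence"] >= min_confidence:
            inc.cti_tags.append(hit["tag"])
    for inc in incidents:
        # Two silos plus a CTI match: high. Either alone: medium. Otherwise low.
        if len(inc.sources) >= 2 and inc.cti_tags:
            inc.severity, inc.playbook = "high", "isolate-host"
        elif len(inc.sources) >= 2 or inc.cti_tags:
            inc.severity, inc.playbook = "medium", "enrich-and-triage"
    return incidents


def incident_for(incidents, host):
    """Return the first incident recorded for `host`, or None."""
    return next((i for i in incidents if i.host == host), None)
```

Seen from either silo alone, the ws-042 alerts are routine noise; only the merged view, with the CTI hit on the beacon destination, reaches the severity that triggers the isolation playbook.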
Automate to better focus resources
Detection is useless without an adequate response capability. However, this is often where conventional solutions reach their limits. In the past, it was necessary to be able to afford SOAR-type orchestration or automation solutions that were sometimes cumbersome and expensive, or delivered “bare”, without libraries.
Response capabilities, automated or not, are part of the core functionality of any XDR. With playbooks, it is now possible to automate a number of remediation actions in the event of a threat without writing a single line of code. Within our SEKOIA.IO XDR platform, there is, for example, a playbook editor delivered with its catalog of pre-wired playbooks. This allows operators to be efficient right from the start, while capitalizing on and adapting to the specific processes of the client organization.
This automation thus makes it possible to better address the thorny issue of human resources in cybersecurity. Cyber teams can, for example, focus on resolving real incidents rather than false positives.
The agility, flexibility and robustness of SaaS
When it comes to choosing security tools, vendors should propose, never impose. This is why a good XDR solution should always be open and flexible in terms of the sources to be interconnected and the equipment to be controlled. Depending on your needs, you can integrate your existing solutions or opt for the alternatives of your choice.
A natively SaaS architecture provides all the advantages of this deployment model: operational and security maintenance handled by the vendor, easy deployment, smooth integrations through public APIs, etc.
At SEKOIA.IO we have extended this to billing: where others had become accustomed to billing by volume or data rate, we bill by the scope covered, to ensure deterministic and predictable budgets.