Lead Image © Kritiya, 123RF.com

Extended detection and response in networks, endpoint devices, and the cloud

Searching for a Cure

Article from ADMIN 70/2022
Extended detection and response (XDR) integrates security functions across endpoint devices and networks. But is XDR the only integrated approach to cybersecurity challenges? We investigate the new technology.

Information technology (IT) is indispensable for the core processes of companies, and those IT systems face a tremendous threat. Cybersecurity has therefore moved beyond the IT department to become a central management task. Laws, regulations, and the associated rules for critical infrastructures (CRITIS) make clear how great this threat is and how necessary suitable countermeasures are. Manufacturers and service providers have long since responded with an almost countless range of products and services, from traditional software products such as antimalware, through artificial intelligence (AI)-based systems for identifying security incidents, to the complete operation of security operations centers as a service.

One of the biggest challenges is not a lack of suitable technology but using it correctly, along with the personnel and knowledge required to do so. Even good and powerful technology still has to be operated properly, and the skills gap (i.e., the lack of personnel and knowledge) has long been a central issue, especially in the complex field of IT security. Against this background, how should improved and more powerful integrated solutions such as extended detection and response (XDR) be understood, and what exactly do you need to know to evaluate them?

Devices and Networks

XDR as a term emerged in 2018 and is attributed to security vendor Palo Alto Networks. As the term implies, it is about extending existing detection and response systems. The integrated approach is not inherent in the term itself but is an important implicit component. XDR systems are typically offered as software as a service (SaaS), although strategically this is not a requirement.

The "extended" part of XDR specifically refers to endpoint detection and response (EDR) and network detection and response (NDR). XDR creates approaches that focus on both endpoints and networks, where endpoints are by no means just client systems (e.g., notebooks, PCs, tablets) but also include workloads in the cloud. In other words, this definition is genuinely broad and reaches far beyond the scope of EDR and NDR.

XDR collects data from various systems, correlates it, and provisions it in a structured manner for downstream analysis. One key part of XDR's functionality is the automatic detection of threats, including complex threats that only become visible when data from multiple devices and networks is analyzed together. The detected threats are analyzed, sorted, and prioritized so they can be dealt with in a targeted manner. On the basis of this analysis, it is then possible to respond to possible attacks.

On the one hand, XDR's value promise stems from its integrated approach, which is designed to detect even complex threats better by correlating data from a variety of different systems. On the other hand, vendors tout the benefits of SaaS-based integrated products that can be implemented quickly, instead of a multitude of standalone systems that would first need to be linked together. The basic idea makes sense, especially if you look at the situation in many organizations today, with a large number of IT security products in use as isolated solutions, generating a great deal of overhead in terms of both licensing and operating costs.

Detection and Response

XDR is not a technology for all aspects of IT security. As the term suggests, the focus is on the phases of detection and reaction – or, in the more common wording, response. The two most popular frameworks for IT security – the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and MITRE D3FEND – both cover these central areas, and in both the protection side, which has long been in the foreground, is supplemented by detection and response, which is exactly where XDR fits.

One way to view these technologies is that XDR extends protective measures (e.g., firewalls, antimalware, and other solutions) with continuous analysis of data to detect potential threats and to provide a targeted response. NIST CSF, by contrast, describes the established cycle from risk identification, through protection, to detection, response, and recovery, and references established frameworks and standards such as ISO 27001 (e.g., to identify and describe risk areas and protective measures). MITRE D3FEND is clearly more technical in nature and focuses primarily on specific technical measures: the first phase is hardening the systems, followed by detection and three detailed response phases, namely isolation, deception or diversion, and threat elimination (eviction).

XDR focuses on the detect and respond phases (in D3FEND terms: detect, isolate, deceive, and evict). For a holistic approach to IT security, however, the other phases described in NIST CSF and MITRE D3FEND also need to be in place. In addition to this indispensable protection, the ability to recover quickly plays a central role, especially when faced with ransomware.

Integrated Technology Platform

Like any popular IT technology, XDR is interpreted quite differently by different vendors. A basic consensus exists regarding the combination of network- and end-device-related functions and the correlation and analysis of events across these different domains. In terms of the functions implemented and the scope of the analytic functions, however, the solutions differ considerably. Figure 1 provides an overview of core functions and important integrations.

Figure 1: XDR is the combination of a variety of technologies.

As already mentioned, the mandatory functions in XDR are NDR and EDR. EDR products are now typically offered as endpoint protection, detection, and response (EPDR) or as an endpoint protection platform (EPP). NDR analyzes data from networks, leverages threat intelligence (including information from external entities), and performs correlations – typically with established statistical and analytical techniques as well as machine-learning-based approaches. The goal is always to identify deviating and critical patterns and to derive concrete indications of possible threats and tangible suggestions for countermeasures.

Part of the value proposition of XDR is that it identifies potential threats proactively and detects unknown threats (i.e., threats that were not previously known or documented) by anomaly analysis rather than by signatures alone, making it more active than classic EDR and network traffic analysis (NTA). That said, many of today's EPDR and NDR systems use comparable approaches, just without the cross-domain integration that XDR offers. EPDR works similarly, but with a focus on device usage. EPDR traditionally comes from the client area but has since developed significantly beyond clients, especially in the XDR environment.

Other technologies found in XDR systems include cloud workload protection platforms (CWPPs) for analyzing and protecting functions delivered through cloud services, distributed deception platforms (DDPs) for automating the creation of decoy systems that divert attackers, and vulnerability management systems (VMSs) for detecting vulnerabilities in the IT infrastructure.

XDR also interfaces with user behavior analytics (UBA) and user and entity behavior analytics (UEBA) for detecting anomalies in user behavior, with unified endpoint management (UEM) for managing and securing endpoints, and with identity and access management (IAM) for managing users, their authorizations, and, in particular, the authentication information that is important in the context of security analysis.

Last but not least, of course, is the need to integrate with threat intelligence platforms that provide information on current threats and update it continuously. XDR systems need to incorporate this information promptly when analyzing the acquired data so that they can respond quickly to new threats.
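The following toy correlation engine illustrates, in one place, three things described above: collecting and correlating data across endpoints and networks, flagging unknown threats by anomaly analysis rather than signatures, and feeding threat intelligence into the analysis. It is an added example written for this article, not code from the article or from any vendor's XDR product. All host names, IP addresses, process events, flow records, the traffic history, and the threat-intel feed are constructed sample data; the signal names, weights, window size, and severity thresholds are assumptions made for the illustration.

```python
"""Toy XDR-style correlation: endpoint events + network flows + threat intel.

Added illustration for this article, not code from the article or any
vendor product. Every host, IP, event and the threat-intel feed below are
constructed; signal names, weights and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed EDR-style process events (host, time, parent -> child, command line).
ENDPOINT_EVENTS = [
    {"host": "ws-17", "ts": "2022-06-01T10:02:11", "parent": "WINWORD.EXE",
     "proc": "powershell.exe", "cmd": "powershell -enc SQBFAFgA..."},
    {"host": "ws-17", "ts": "2022-06-01T10:02:15", "parent": "powershell.exe",
     "proc": "rundll32.exe", "cmd": "rundll32 payload.dll,Start"},
    {"host": "ws-23", "ts": "2022-06-01T10:05:40", "parent": "explorer.exe",
     "proc": "powershell.exe", "cmd": "powershell Get-Process"},
]
# Constructed NDR-style flow records (host, time, destination, bytes sent).
FLOWS = [
    {"host": "ws-17", "ts": "2022-06-01T10:04:02", "dst": "203.0.113.77", "bytes_out": 48_000_000},
    {"host": "ws-23", "ts": "2022-06-01T10:06:10", "dst": "198.51.100.5", "bytes_out": 120_000},
    {"host": "ws-40", "ts": "2022-06-01T10:07:00", "dst": "198.51.100.9", "bytes_out": 14_000_000},
]
# Constructed per-host history of bytes_out: the baseline for anomaly detection.
HISTORY = {
    "ws-17": [200_000, 350_000, 180_000, 410_000, 260_000],
    "ws-23": [100_000, 150_000, 90_000, 130_000, 110_000],
    "ws-40": [8_000_000, 9_000_000, 10_000_000, 8_500_000, 9_800_000],
}
# Constructed threat-intelligence feed of known-bad destinations.
TI_FEED = {"203.0.113.77"}

WINDOW = timedelta(minutes=10)
# Assumed weights: a known-bad destination or an Office app spawning a shell is
# strong evidence; unusual traffic volume on its own is weak and frequent.
WEIGHTS = {"office_spawns_shell": 40, "suspicious_child": 20,
           "ti_match": 50, "egress_anomaly": 15}
OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def endpoint_signals(events):
    """Rule-based signals from process telemetry (the EDR side)."""
    out = []
    for e in events:
        if e["parent"].upper() in OFFICE and e["proc"].lower() in SHELLS:
            out.append((e["host"], parse_ts(e["ts"]), "office_spawns_shell"))
        if e["parent"].lower() == "powershell.exe" and e["proc"].lower() in LOLBINS:
            out.append((e["host"], parse_ts(e["ts"]), "suspicious_child"))
    return out


def zscore(value, samples):
    """Standard deviations by which `value` exceeds the host's own baseline."""
    if len(samples) < 2 or pstdev(samples) == 0:
        return 0.0
    return (value - mean(samples)) / pstdev(samples)


def network_signals(flows, history, ti_feed, threshold=3.0):
    """Signals from flow records (the NDR side): threat-intel matches plus
    per-host egress anomalies, which need no signature of the threat."""
    out = []
    for f in flows:
        if f["dst"] in ti_feed:
            out.append((f["host"], parse_ts(f["ts"]), "ti_match"))
        if zscore(f["bytes_out"], history.get(f["host"], [])) > threshold:
            out.append((f["host"], parse_ts(f["ts"]), "egress_anomaly"))
    return out


def correlate(signals, window=WINDOW):
    """Cluster signals per host around the earliest one, score and rank them.
    A real engine would use sliding windows and more entities (users, IPs)."""
    by_host = defaultdict(list)
    for host, ts, name in signals:
        by_host[host].append((ts, name))
    alerts = []
    for host, items in by_host.items():
        items.sort()
        first = items[0][0]
        names = sorted({name for ts, name in items if ts - first <= window})
        score = sum(WEIGHTS[n] for n in names)
        severity = "high" if score >= 60 else "medium" if score >= 30 else "low"
        alerts.append({"host": host, "signals": names, "score": score, "severity": severity})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def run(events=ENDPOINT_EVENTS, flows=FLOWS, history=HISTORY, ti_feed=TI_FEED):
    """Whole pipeline: collect both domains, correlate, return the prioritized queue."""
    return correlate(endpoint_signals(events) + network_signals(flows, history, ti_feed))


if __name__ == "__main__":
    for alert in run():
        print(f'{alert["severity"]:6} {alert["score"]:4} {alert["host"]}  {", ".join(alert["signals"])}')
```

Run stand-alone, the script yields a queue with ws-17 at the top (an Office process spawning PowerShell, a living-off-the-land child process, a large egress spike relative to that host's own baseline, and a destination from the threat-intel feed, all within ten minutes), ws-40 as a lone low-priority egress anomaly, and nothing at all for ws-23, whose interactive PowerShell use and normal traffic match its baseline. Note that ws-40 normally sends far more data than ws-17, so the anomaly check compares each host with itself rather than applying one global threshold; that per-entity baseline is what lets the approach catch behaviour no signature describes.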
