Self-Operated XDR

For many organizations, the question is whether they are even capable of effectively and efficiently running an XDR environment themselves. In the vast majority of cases, the answer is going to be "No," because XDR requires a high level of skills and up-to-date knowledge of security threats – even if the application manages to provide concrete, usable threat intelligence. Even then, employees need to understand the intelligence and respond appropriately.

In these cases, cooperation with service providers proves useful, because they can draw on expertise. Whether this takes the form of an MSSP approach, a SOCaaS offering, or simply MDR for the more technical side of XDR system operations depends on the skill set available within the organization. Moreover, the offered services are never exclusively about the XDR solution.

The decision must always be made within a higher level framework (i.e., with a view to the existing and future overall architecture of the IT security solutions with SIEM and SOAR), which is prerequisite to an organization arriving at both manageable and affordable solutions that focus on helping to identify and address critical risks to the extent possible. Moreover, a holistic concept needs to include the phases that go beyond detection and response (i.e., identification, protection, hardening, and recovery) in case an attack causes damage.

Conclusions

XDR is an interesting and logical development in the technology space because it integrates different technologies in a meaningful way to provide a holistic view of security threats. Before you look into XDR, however, you first need to define an overall concept that includes both the technical architecture and modular solutions to be deployed and, in particular, the operating concepts. Without such an overall picture, XDR is just another isolated solution that fails to deliver the promised value in terms of IT security improvements.

Additionally, XDR's integrative approach always involves focusing on your choice of solution provider (i.e., the risk of dependence on the vendor). Interfaces to other products and strategies that enable a change of provider therefore also need to be taken into account from the outset. In any case, organizations need to review the status of their IT security organization and infrastructure regularly, including analyzing if and where technologies such as XDR, MDR, or SOCaaS can help them reduce threats.