What is XDR?
While endpoints are a critical component of the attack surface, they are really only a small part of the big picture that makes up our network. Modern networks have IoT devices, cloud applications, firewalls and many other areas that must be considered, and that brings us to XDR, or extended detection and response.
Gartner defines XDR as a SaaS-based, vendor-specific security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components. Put another way, XDR digests data from multiple security products in order to correlate telemetry that would otherwise be difficult to piece together manually.
By integrating with these various products, XDR gives you the ability to respond to threats either automatically or manually. At a high level, there are three main components that make up XDR: the integration, the analysis and the response.
The integration piece is a critical component of any XDR platform: it is the degree to which the XDR solution can ingest and work with the products on your network. This means not only monitoring telemetry data such as Syslog and SNMP, but also having deep integration via API so that it can respond to threats when an incident is detected. With telemetry being ingested from all the relevant sources on your network, XDR then normalizes and correlates that data across the different data types and vendors.
This part of the process is the analyze, or detect, phase, and it is usually powered by some version of an artificial intelligence tool that looks for outliers in the breadcrumbs of data. The AI engine is trained to look for behaviors across all the telemetry ingested throughout the network. Herein lies the beauty of XDR: what would be nearly impossible for a team of SOC engineers to do manually, XDR can calculate from these breadcrumbs in real time.
Eventually it finds patterns of behavior that otherwise would have gone undetected. When the AI engine determines that the activity under investigation is a security risk, the response phase can automatically remediate the issue by instructing the relevant security devices, depending on the playbook you have configured. For example, this could include blocking an IP at your firewall, quarantining a user at the switch port or blocking a domain on your mail server.
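To make the three phases concrete, here is an added example (not code from the original article or from any XDR vendor) that walks a handful of constructed log lines through ingest and normalization, cross-source correlation, and a dry-run playbook response. The vendor log formats, device names, the five-minute correlation window and the playbook action names are all assumptions made for the demonstration; no real product's API is used.

```python
"""Miniature XDR pipeline: integrate/normalize -> correlate -> respond (dry run).
Added example; every log line, vendor format and playbook name below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry in three made-up vendor formats (firewall, EDR agent, mail
# gateway). A real deployment would receive these over Syslog/SNMP or a vendor API.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:05Z fw01 deny src=10.0.0.7 dst=203.0.113.9 dport=443",
    "2024-05-01T10:00:30Z fw01 deny src=10.0.0.7 dst=203.0.113.9 dport=443",
    "2024-05-01T10:01:10Z edr01 ALERT host=10.0.0.7 proc=powershell.exe score=85",
    "2024-05-01T10:02:00Z mail01 BLOCKED client=10.0.0.7 sender=bad@evil.example",
    "2024-05-01T10:30:00Z fw01 deny src=10.0.0.9 dst=198.51.100.4 dport=22",
]

# --- Integration: one parser per vendor, all emitting the same normalized schema ---
KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Normalize one raw line into {ts, source, asset, signal, fields}, or None
    when the device type is unknown or the line carries no asset to pivot on."""
    ts, device, signal, rest = line.split(" ", 3)
    fields = dict(KV.findall(rest))
    if device.startswith("fw"):
        asset = fields.get("src")       # firewall keys on the internal source IP
    elif device.startswith("edr"):
        asset = fields.get("host")      # EDR agent keys on the host it runs on
    elif device.startswith("mail"):
        asset = fields.get("client")    # mail gateway keys on the submitting client
    else:
        return None
    if asset is None:
        return None
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "source": device, "asset": asset, "signal": signal.lower(), "fields": fields}

# --- Analysis: correlate normalized events across sources per asset ---
def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Group events by asset; raise an incident when at least `min_sources`
    distinct devices report the same asset inside `window` (assumed thresholds)."""
    by_asset = defaultdict(list)
    for ev in events:
        by_asset[ev["asset"]].append(ev)
    incidents = []
    for asset, evs in by_asset.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                incidents.append({"asset": asset, "sources": sorted(sources),
                                  "events": cluster})
                break  # one incident per asset is enough for this demo
    return incidents

# --- Response: playbook mapping each signal type to a device action ---
PLAYBOOK = {
    "deny": lambda e: {"device": "firewall", "action": "block_ip",
                       "target": e["fields"]["dst"]},
    "alert": lambda e: {"device": "switch", "action": "quarantine_port",
                        "target": e["asset"]},
    "blocked": lambda e: {"device": "mail_server", "action": "block_domain",
                          "target": e["fields"]["sender"].split("@")[1]},
}

def respond(incident):
    """Translate an incident's events into deduplicated playbook actions.
    Dry run: the actions are returned for review, not sent to any device."""
    actions, seen = [], set()
    for ev in incident["events"]:
        handler = PLAYBOOK.get(ev["signal"])
        if handler is None:
            continue
        act = handler(ev)
        key = (act["device"], act["action"], act["target"])
        if key not in seen:
            seen.add(key)
            actions.append(act)
    return actions

def run_pipeline(lines):
    """End to end: normalize, correlate, and attach playbook actions to each incident."""
    events = [e for e in (parse_event(line) for line in lines) if e]
    return [(inc, respond(inc)) for inc in correlate(events)]

if __name__ == "__main__":
    for inc, acts in run_pipeline(SAMPLE_EVENTS):
        print(f"incident on {inc['asset']} reported by {inc['sources']}")
        for act in acts:
            print("  ", act)
```

Run as a script, the sample yields one incident: host 10.0.0.7 is flagged by the firewall, the EDR agent and the mail gateway within the window, and the playbook proposes three actions (block the destination IP at the firewall, quarantine the host's switch port, block the sender's domain on the mail server). The lone firewall deny for 10.0.0.9 is never escalated, which is the point of correlation: a single source rarely justifies an automated response on its own.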
Ultimately, XDR is about an AI system that can take in telemetry data, make a decision based on the supervised learning it has received and then respond to the relevant device to mitigate the risk on your network.