Research from ESG has found that 66% of organizations agree that their threat detection and response effectiveness is limited because it rests on multiple independent point solutions. Verizon's 2019 Data Breach Investigations Report (DBIR) states that 94% of malware was delivered by email, which makes email the number one entry point for cyberattacks.
Josh Zelonis, an analyst at Forrester, helped put the term XDR on the market. XDR stands for Extended Detection and Response, where the X is commonly read as cross-layer: detection and response span multiple layers of security, including applications (e.g., Office 365), telemetry from the network, and identity sources such as Active Directory. Functionally this is close to a SIEM combined with detection and response capabilities plus orchestration and automation. XDR is used by both the Security Operations Center and the Incident Response team within an organization.
It extends visibility beyond the endpoint to the wider environment and provides automatic detection and correlation across the different layers of security. Besides investigation with near-forensic detail, it offers threat hunting and automated response. Unlike standalone solutions that only send alerts to a central console, it provides the full context around each detection.
A cyber attack often starts with an email message that tries to get the user to click a link. Next comes the download of malicious code or a script that has to be executed, after which the attacker searches from the workstation, as quickly as possible, for a route into the data center and the rest of the network or cloud assets in order to do further damage. This chain passes through several layers of security, each of which reports "something" on its own, but across all those alerts no link between them has been established.
XDR is a significant addition to the SIEM solution. The market is moving towards an environment in which a cloud-based data lake brings together all events, alerts and logs from the Office 365 environment, the endpoint with EDR, Active Directory with its domain information, cloud applications and network activity, even combined with information from IoT devices.
XDR provides collection, normalization, correlation, detection and visualization of the collected data in a simple, clearly understandable format for IT security administrators and security and compliance managers. This information is then fed to a SIEM and a Security Orchestration, Automation and Response (SOAR) solution. A cloud-based platform is preferred because it remains available and externally reachable even when the on-premises environment is completely compromised and has deliberately been taken offline. Bringing all data from cloud environments and applications back on-site is undesirable and requires a large storage environment to keep up with the ever-increasing volume of collected data, whereas the processing power for correlation and visualization is easily and scalably available in the cloud. Our advice is therefore to go for cloud-managed EDR/XDR.
Is it a SIEM? No. A SIEM only sees the security events that are forwarded to it, and what is forwarded is typically alerts, not every underlying event. An alert might be the detection of a connection to a Command & Control (C&C) server that is contacted to obtain further instructions from the criminals. A phishing attempt, the opening of an email or a Word document, the launch of PowerShell, access to Microsoft Azure credentials, the start of a container or lateral traffic between containers is not simply forwarded. The short attack description given above is therefore hard to trace in a SIEM, because only the step involving the C&C server, which comes after the PowerShell command is launched, is visible.
EDR already adds enrichment: the SIEM is fed with all endpoint activity, not just alerts. With XDR and a data pool in the cloud, the activity of every component involved in the attack is included. The SIEM then carries fewer warnings, less noise and fewer false positives, with more context and a complete story. This gives much more insight and a powerful, mature security platform, which saves time and scarce security expertise and so reduces overall security costs.
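To make the difference between "alerts only" and cross-layer correlation concrete, here is an added example of a minimal XDR-style correlator. It is not code from the original article or from any vendor product. It takes the attack chain described above (phishing mail, document opened, PowerShell launched, C&C beacon, lateral logon) as constructed telemetry from four layers, shows that a sensor forwarding only alerts surfaces just the C&C hit, and then groups the same events by principal inside a time window so the whole chain is reported as one incident. The hostnames, IP address, user names and the `is_alert` rule are all assumptions made for the example.

```python
"""Cross-layer correlation of telemetry into one incident story.

Added example, not code from the original article or from any XDR vendor.
Each layer (email gateway, EDR, network, identity) emits low-level events
that look harmless alone; grouped by principal inside a time window they
reveal the chain phishing mail -> document opened -> PowerShell -> C2
beacon -> lateral logon. Every event below is constructed sample data and
the hostnames, IP and users are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby


@dataclass(frozen=True)
class Event:
    ts: datetime
    layer: str    # "email", "endpoint", "network" or "identity"
    host: str     # where the event was observed
    user: str     # the principal, which is the key that links the layers
    action: str
    detail: str


@dataclass(frozen=True)
class Incident:
    user: str
    layers: tuple        # distinct layers touched, sorted
    hosts: tuple         # distinct hosts touched, sorted
    chain: tuple         # events in time order

    def story(self) -> str:
        lines = [f"{self.user}: {len(self.chain)} events across {len(self.layers)} layers"]
        for e in self.chain:
            lines.append(f"  {e.ts:%H:%M} [{e.layer:8}] {e.host:8} {e.action}: {e.detail}")
        return "\n".join(lines)


# Constructed telemetry. Only the network event carries an intel match, so a
# point solution that forwards alerts alone would surface exactly that line.
SAMPLE_EVENTS = [
    Event(datetime(2024, 5, 6, 9, 2), "email", "mail-gw", "alice", "mail_delivered",
          "invoice.docm from billing@invoices.example"),
    Event(datetime(2024, 5, 6, 9, 5), "endpoint", "ws-017", "alice", "process_start",
          "WINWORD.EXE invoice.docm"),
    Event(datetime(2024, 5, 6, 9, 6), "endpoint", "ws-017", "alice", "process_start",
          "powershell.exe -nop -w hidden -EncodedCommand (child of WINWORD.EXE)"),
    Event(datetime(2024, 5, 6, 9, 7), "network", "ws-017", "alice", "outbound_connect",
          "203.0.113.7:443 matches C2 indicator"),
    Event(datetime(2024, 5, 6, 9, 15), "identity", "dc-01", "alice", "logon",
          "network logon to fs-02 from ws-017"),
    # Unrelated admin activity: one layer, one event, must not become an incident.
    Event(datetime(2024, 5, 6, 11, 40), "endpoint", "ws-042", "bob", "process_start",
          "powershell.exe Get-Process"),
]


def is_alert(e: Event) -> bool:
    """Assumed rule for what a standalone sensor escalates: indicator matches only."""
    return "C2 indicator" in e.detail


def standalone_alerts(events):
    """The SIEM view without XDR: alerts only, none of the surrounding activity."""
    return [e for e in events if is_alert(e)]


def correlate(events, window_minutes=30, min_layers=3):
    """Group events per user into sessions; a session that spans at least
    min_layers distinct layers is reported as one incident. An event joins
    the current session if it follows the previous one within the window."""
    window = timedelta(minutes=window_minutes)
    incidents = []
    ordered = sorted(events, key=lambda e: (e.user, e.ts))
    for user, user_events in groupby(ordered, key=lambda e: e.user):
        session = []
        for e in user_events:
            if session and e.ts - session[-1].ts > window:
                incidents.extend(_close(user, session, min_layers))
                session = []
            session.append(e)
        incidents.extend(_close(user, session, min_layers))
    return sorted(incidents, key=lambda i: i.chain[0].ts)


def _close(user, session, min_layers):
    """Turn a finished session into an incident if it crosses enough layers."""
    layers = tuple(sorted({e.layer for e in session}))
    if len(layers) < min_layers:
        return []
    hosts = tuple(sorted({e.host for e in session}))
    return [Incident(user, layers, hosts, tuple(session))]


if __name__ == "__main__":
    print("Alerts only:", [e.detail for e in standalone_alerts(SAMPLE_EVENTS)])
    for inc in correlate(SAMPLE_EVENTS):
        print(inc.story())
```

Run stand-alone, the script prints one alert (the C&C connection) for the alerts-only view and one incident with five events across four layers for the correlated view; Bob's lone PowerShell launch never becomes an incident because it touches a single layer. The principal is used as the join key because the email layer records the event on the mail gateway, not on the workstation, so a host-only join would miss the first step of the chain. The window and layer thresholds are the tuning knobs a real platform exposes; shrinking the window to five minutes drops the later lateral logon from the incident, which is the trade-off between noise and completeness the article describes.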