What’s next?

Multilayer EDR (XDR)

What's next in Endpoint Security: From Intelligent "Next-Gen" EDR to Multilayer EDR (XDR)

  • 24 November 2020
  • 10.2 minutes to read

In my previous blog - Endpoint Security: What you need to know about "Next-Gen" EDR - I explained the specifics of Endpoint Security (Antivirus/Endpoint protection), the challenges with standalone EDR solutions and the differences with a SIEM. Now organizations know where they're going to go to get maximum insight and control and keep track of the IT assets within (and outside of) the organization.

In this article, intended for everyone active in IT Security, I will discuss the trend towards Managed Detection and Response, Cross Layer Detection and Response and SOAR solutions. In addition, I recommend what to look at when selecting and evaluating EDR tooling.

MDR - Managed Detection and Response

Endpoint Detection & Response (EDR) ultimately generates more alerts that IT Security experts need to analyze. We see that many organizations see this as a barrier to working with EDR. This is due to lack of time and expertise to investigate the diversity of alerts, to analyze them and then to draw conclusions. For this purpose, several vendors have developed Managed Detection & Response (MDR) as an additional service on the EDR solution.

With MDR, the most time-consuming tasks are taken out of their hands. Indicators of Compromise (IoCs) are detected, analyzed and investigated. After this, advice will be given on how to remove a current threat or how to prevent it in the future. In addition to the periodic reports, reports are also prepared and shared with the customer for each incident.

Threats can be detected and prioritized by the clever use of Machine Learning techniques. Suspicious events appear in a summary with name, date of detection, threat score, and the number of endpoints they are on. Analysis of the 'threat' is done completely automatically – on-demand – fueled by the threat intelligence of the supplier.

Each process must show the reputation and detection status. Here too, the latest threat intelligence must be able to be requested live from the security supplier. A match with the exploitation techniques used in the MITRE ATT&CK framework is becoming increasingly commonplace, as the available tactics, techniques and procedures used by cyber criminals are extensively documented.

Cross-Layer EDR

Research from ESG has shown that 66% of organizations agree that the detection/response effectiveness of threats is limited because it is based on multiple independent point-to-point solutions. Verizon states in their 2019 DBIR report that 94% of malware infections come from email, which is the number one source of cyberattacks.

Josh Zelonis, an analyst at Forrester, was the one who put the term XDR on the market. XDR stands for Cross-Layer Extended Detection and Response where most importantly the detection and response is over multiple layers of security including the application (e.g., Office 365) but also the telemetry from the network and the integration with the other components such as the Active Directory. This is very close to a SIEM with detection and response capabilities with orchestration and automation. XDR is employed by both the Security Operations Center and the Incident Response team within an organization.

It extends visibility to a wider environment than just the endpoint and provides automatic detection and correlation across the different layers of security. In addition to being able to (almost) forensically investigate, there is also threat hunting and automatic response. Unlike standalone solutions that only send alerts to a central environment, full context is provided.

A cyber security threat often starts with an email message, which then tries to get the user to click on a link. Next, there will be a download of malicious code or scripts that need to be executed and the route to the data center and rest of the network or cloud assets will be searched as quickly as possible from the workplace to cause further damage. This passes through several layers of security, each reporting "something" for themselves, but with all those alerts no link has yet been found.

XDR creates a significant addition to the SIEM solution. In this market, we are moving towards an environment where a cloud-based data lake brings together all events, alerts and logs from the Office 365 environment, the Endpoint with EDR, the Active Directory with domain information, cloud applications and network activity, even combined with information from IoT devices.

XDR provides collection, standardization, correlation, detection and visualization of the collected data in a simple and clearly understandable format for IT Security administrators and Security and Compliance managers. This information is then fed towards a SIEM and Security Orchestration (SOAR) solution. Cloud-based is preferred as it is always available and is externally accessible should the environment be completely contaminated and proactively offline. Bringing all data from cloud environments and applications back on-site is undesirable and requires a large storage environment to keep storing the ever-increasing amount of collected data. The processing power for correlation and visualization is easily and scalably available in the cloud. Our advice is to go  for cloud-managed EDR/XDR.

Is it a SIEM? No. A SIEM sees all security events but not necessarily all security alerts are detected. An alert can be a detection of a Command & Control (C&C) server that is contacted to obtain further instructions from the cyber criminals. A phishing attempt, opening an email, opening a Word document, booting PowerShell, accessing Microsoft Azure credentials, booting a container or lateral traffic between containers is not simply forwarded. The just written short description of an attack is therefore not easy to trace as only the step of the C&C server that comes after the launch of the PowerShell command is visible.

With EDR, an enrichment is already created in which the SIEM is fed based on all endpoint activity (not just alerts). With XDR and the use of a data pool in the cloud, all activity of all the components involved is included in the attack. In the SIEM, there will be fewer warnings, less noise and less false positives, more context and a complete story will be presented. This creates much more insight and a powerful and mature security platform. This saves time and security knowledge that reduces the overall security costs.

What do SOAR Solutions Have to do With SIEM and EDR/XDR?

Security Orchestration, Automation and Response (SOAR) has been a term we have heard in the world of cybersecurity for some time. The capabilities of SOAR are the next step in business security. Gartner describes SOAR as "technologies that enable organizations to collect data and alerts on security threats from a variety of sources, enabling incident analysis and assessment to be performed using a combination of the power of man and machine, to define, prioritize, and manage standardized incident response activities according to a standard workflow." They predict that by the end of 2020, 15 percent of organizations with a security team consisting of more than five people will use SOAR.

SOAR provides security teams with customizable workflows and controls to streamline and accelerate the investigation and neutralization of identified cyber threats. It also automates many of the everyday tasks that security teams often face. In addition, by using case playbooks, analysts can react and act within one platform. The result? Higher efficiency and effectiveness, just when it really matters. In addition, SOAR improves both the productivity of organizations and the ability of IT teams to respond and resolve cyber threats more quickly.

At present, dedicated SOAR solutions are mainly designed in the larger business environments in combination with a SIEM. The SOAR then does the actual automatic follow-up based on the information that has entered and correlated in the SIEM system. Many traditional security parties offer SIEM capabilities in their security platforms – as often advised by SoftwareONE – with coverage of all layers of security and integrated automatic SOAR clean-up capabilities. For example, one  use case may be the automatic deletion of a phishing email from all Office 365 email boxes that was rated safe at the time of entry but was later  found to have a malicious link in it, which was detected after the user clicked on it.

XDR offers an awful lot of added value compared to what can be gained from EDR solutions due to the correlation of the security layers. XDR is therefore also a solution that can be offered by those companies in the market who can offer a complete range of security solutions. In addition to being able to use Data Leakage Prevention (DLP) effectively and easily and reducing the number of security vendors within your organization, XDR is an extra reason to also go to a security platform.

What are Things to Consider when Selecting an EDR solution?

A mature EDR solution offers possibilities for cross-estate hunting that can be used to search for potential threats within the entire corporate network. The process should be able to be extensively analyzed with a wide set of characteristics, preferably a worldwide overview of the total amount of 'known good' and 'known bad', which gives an accurate prediction.

Should an incident still occur, it is important to understand the scope and impact of the incident. Attacks that are currently undetected must be uncovered. Indicators of Compromise (IOC) should be able to be searched for throughout the company network. Events must be prioritized in order to conduct further investigations. Files should be able to be analyzed to determine whether they are a threat or potentially undesirable. This is to be able to report with confidence about the overall security position at any point in time.

In addition to understanding the threat cases at the level of which workplace, which application, what process, time of detection, number of business files involved, and associated action from the solution (block/clean), it is important to get as clear as possible direction as to what the next step is in the process. There is value in being able to keep track of the status per case and to be able to set priorities. A graphic overview of processes with uncertain reputations should be possible. Suggested steps can be isolating the computer (if the investigation is ongoing) or explicit on-demand scanning of the workplace.

EDR Tooling

In a study of EDR solutions, it is recommended to specifically ask for the following things as 'must-haves' as they offer a lot of added value:

  • Cross Estate Search (also called threat-hunt)
  • Suspicious events (detection and prioritization)
  • Malware analysis based on a cocktail of all available detection techniques both "Next-Gen" as well as "classic": machine learning, deep learning, exploit detection, anti-ransomware, behavior (HIPS), signatures etc.
  • On-Demand (live) analysis by the Endpoint supplier's lab
  • Possibilities for exporting forensic data (forensic snapshots)
  • On-Demand Endpoint insulation (while investigating the threat)
  • Single-click (Clean & Block)
  • Link to the MITRE ATT&CK framework
  • Cross Layer - XDR - capabilities within the solution
  • The possibility to not only be able to do detection but also  to do remedial actions on the respective workplaces or servers by a (remote) live connect via the command prompt.

In addition to the above must-haves, I also recommend looking at:

  • How difficult and time consuming is the EDR solution?
  • Does the supplier also offer to provide (for the future) further care in the EDR area with a form of Managed EDR, Managed Threat Response or Managed XDR?
  • Can the solution be integrated with other security solutions?
  • Where is the EDR data stored?
  • What is the performance impact on the endpoints and especially the servers to the workstation or server to ask for patches, services, or other things that may provide additional context, for example?

This can answer questions like why the device is running slowly - is it awaiting a restart? Have registry keys or files of processes been recently changed? What processes try to create network connections on non-standard ports?


EDR provides more knowledge, more insight and better protection against contemporary threats. Significant advantages are offered over the capabilities of traditional endpoint tools. Also, in EDR is an evolution in which we move from intelligent EDR solutions (often integrated into the modern "Next-Gen" Endpoint Protection) towards cross-layer XDR solutions. The market is now mature and a must for your organization in order to go from the often-reactive mode to proactive protection.

SoftwareONE's security team is happy to help determine the requirements and needs for the right security solutions that fit your environment, budget and preconditions. In addition to providing advice and drawing up a Security Roadmap, we can deliver, implement and maintain the solution(s) throughout the Software Lifecycle.

Optimize Your Endpoint Security Strategy for the Future

Do you want to learn more about Managed Endpoint Detection and Response? Reach out to our experts to discuss this topic together and to find the best solution for your business.

Get in touch
  • Managed Security, Cybersecurity User Awareness, Cybersecurity
  • Endpoint Security, Endpoint Management

Comment on this article

Leave a comment to let us know what you think about this topic!

Leave a comment

Related Articles

Cybersecurity Update March 2021
  • 13 April 2021
  • Bala Sethunathan
  • Cybersecurity User Awareness, Cyber Threat Bulletin, Cybersecurity, Managed Security
  • Cyber-Threats

Cyber Security Update March 2021

About 80% of breaches occur due to poor passwords. Keep your business protected and learn how to improve your password security.

Implementing Artificial Intelligence

Beginning Your Journey to Implementing Artificial Intelligence

Artificial intelligence is much simpler than you may think. Discover the benefits and challenges of implementing AI within your organization.

How to Improve Your Microsoft 365 Security
  • 24 March 2021
  • Bala Sethunathan
  • Managed Security, Cybersecurity
  • Microsoft, Microsoft 365, Security, Azure, Identity Protection, Windows Hello

How to Improve Your Microsoft 365 Security

Your most sensitive data passes through your M365 deployment - but is it protected? Read this to ensure your assets are safe from malicious actors.