The next gen future of EDR: XDR (Extended detection and response)

What is XDR (Extended detection and response)

We all know the prominence of EDR solutions. However the latest technology to enter the space is now: extended detection and response (XDR) which is the result of evolution from endpoint detection and response (EDR). XDR can be considered as the upgraded EDR but with further unified capabilities with other security tools as well to provide combined security analysis visibility, highly efficient detection, and a vastly improved correlation, investigation, and response.

 

Background and reason for developing XDR:

EDR served as the baby steps towards the journey of XDR.

In every way, EDR solutions did help to provide effective endpoint detection and response integrating a number of threat detection solutions.

However, on the bigger picture, the question still remained about the security team’s challenges around the best possible way to leverage combined capabilities around analytics platforms, security information, and event management (SIEM) solutions and backend data lakes to integrate data from other parts of the environment. The loose ends however consisted of extremely high resource consumption and false positives with bulk data consumption.

 

Enter XDR:

XDR was built to unify EDR with other security toolkits giving enhanced visibility and control to other parts of the business via integrations and providing collection and co-relation based detection and deep activity data across email, endpoint, server, cloud workloads, and the underlying infrastructure.

This ultimately leads to automated analysis of this combined set of data helps detect threats faster.

 

XDR vs. EDR

While endpoint detection and response (EDR) has been enormously valuable, at the end of the day, it gets restricted to the fact it can only look at managed endpoints thereby limiting its scope of threats that can be detected like other security tools.

XDR represents the evolution of detection and response beyond the current point-solution, single-vector approach.

Clearly, XDR evolves detection and response into a consolidated, centralized activity that delivers results greater than the sum of the parts. It can help collect deep activity data and feeds for transforming the information into a data lake for cross-layer sweeping, hunting, and investigation.

This further is fine-tuned by applying AI and expert analytics to the rich data set enables fewer, context-rich alerts, which can be sent to a company’s SIEM the solution further augmenting it, reducing the time required by security analysts to assess relevant alerts and logs and decide what needs attention and warrants deeper investigations.

 A interesting comparison between different security analytics platforms vs SOAR and EDR can be illustrated as below:

Img Source: Forrester report: Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR

XDR Capabilities:


·        XDR broadens the scope of detection and response across more than just endpoints. It extends EDR to important additional activity areas such as email security

·        XDR feeds activity data from multiple layers to a data lake. All applicable information is made available for effective correlation and analysis in the most relevant structure.

·        Pulling from a single vendor’s native security stack prevents vendor/solution proliferation. It also provides for an unmatched depth of integration and interaction between detection, investigation, and response capabilities.

·        Integration with SIEM and security orchestration, automation and response (SOAR) enables analysts to orchestrate XDR insight with the broader security ecosystem.

·        Purpose-built AI and expert security analytics with enhanced data collection and faster detection is XDR’s end goal.

·        Single, integrated and automated platform for complete visibility

·        Provide insightful investigations with a consolidated view of:

o   How the user got infected

o   What the first point of entry was

o   What or who else is part of the same attack

o   Where the threat originated

o   How the threat spread

o   How many other users have access to the same threat


Automation towards incident response:


XDR allows a vastly automated approach throughout each stage of the incident response lifecycle with enhanced root-cause analysis and attack co-relation as follows:



As we can see the underlying benefit is not only having managed endpoint protection but also a host of other security capabilities built inside such as email security, cloud security, behavioral detection, threat hunting capabilities, and many more.

Hope this was an informative read for all of you!


References:

·        https://www.trendmicro.com/en_ae/what-is/xdr.html

·        Forrester report: Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR

 

Comments

Popular posts from this blog

Stored XSS in Wonder CMS- CVE-2017-14522

Host Header Injection In Wonder CMS - CVE-2017-14523

Cross Site Request Forgery- Intex Router N-150 | CVE-2018-12529