Threat detection and response remain a key priority for organizations as ransomware and data breaches continue to disrupt business operations. With multiple solutions known as EDR, NDR, and XDR, as well as the “managed” versions known as MNDR and MXDR, it can feel like an acronym soup and be challenging to determine the best fit for an organization’s unique security needs.
Let’s start by breaking down the acronyms. Reading from right to left, ‘R’ is Respond and ‘D’ is Detect. The important question is what these tools detect and how. Response is not possible without detection, and weak detection against a complex, evolving threat landscape leads to SOC inefficiency.
Organizations are doing the best they can with the tools they have. But as they hold on to technical debt (legacy tools that are still part of the stack) and keep adding more, they end up with a disparate, probably overlapping, but perhaps still not comprehensive set of detection products. Between commercial, homegrown, and open-source tools, large enterprises run an average of 25 security tools. Instead of making things easier, this sprawl of inadequate tools adds work and risk for CISOs and SOC teams.
With the increased focus on threat Detection and Response, security teams continue to face challenges regarding:
- Time Management - scrambling to respond to emergencies along with alert fatigue;
- Blind Spots - limited network visibility in the hybrid work environment;
- Data Correlation - correlating disparate data elements from multiple tools and sources;
- Attack Lifecycle Tracking/Measuring - analyzing and acting on voluminous data requires advanced skills.
In response to some of these challenges, eXtended Detection and Response (XDR) technologies have emerged, backed by significant marketing investment from security vendors as the market strives toward better detection, the ‘D’. XDR is a term coined by industry analysts and subsequently adopted by vendors, though there is still no full consensus on what it means.
XDR is a cybersecurity concept that integrates threat detection and response to combine, correlate and contextualize data and alerts from multiple security prevention, detection and response components. Under the commonly cited analyst definition, XDR must have the ability to correlate at least three (though not necessarily all) of the following capabilities:
- Endpoint detection and response (EDR)
- Endpoint protection platforms (EPP)
- Network (firewalls, intrusion detection and prevention systems [IDPS])
- Network detection and response (NDR)
- Identity, email security, mobile threat detection, security services edge (SSE), cloud workload protection, and deception
While this à la carte approach may be helpful from a marketing perspective, it is concerning from a security perspective: a product can qualify as XDR while leaving whole layers uncovered. It also undercuts the messaging from numerous XDR vendors who promise to improve an organization’s cybersecurity posture by delivering the following:
- Unified visibility by integrating data from multiple sources;
- Enhanced detection by correlating data across various security layers;
- Streamlined response by automating and orchestrating incident response;
- Continuous improvement by centralizing data collection and analysis to provide valuable insights into the organization's security posture;
- Reduced complexity by consolidating multiple security tools;
- Scalability by making it suitable for businesses of all sizes and industries.
XDR Cannot Exist Without NDR
Much of the XDR capability on the market today is EDR-centric and does not fully use the network telemetry that would make the solution more robust. Far too often, adversaries evade endpoint detection (by disabling or tampering with the agent, living off the land, or operating from devices that cannot run an agent), leaving endpoint-centric strategies with nothing to see.
Let's examine why XDR cannot exist without NDR:
- Comprehensive Network Visibility: The primary objective of XDR is to provide a complete and unified view of an organization’s security landscape. NDR is crucial to achieving this goal because it offers visibility into network traffic, which is a blind spot for endpoint-centric tools like EDR and for devices (printers, IoT, appliances, unmanaged hosts) that run no agent at all. Without NDR, XDR lacks network-level insight and cannot provide the comprehensive protection it promises.
- Detection of Lateral Movement: Attackers move laterally through an organization’s network in search of sensitive data or assets, and on the wire that looks like one host fanning out to many internal peers on administrative ports (SMB, RDP, WinRM, SSH). NDR is essential for detecting this pattern, which may not be visible at the endpoint level, especially when the attacker is using legitimate credentials and built-in tooling. Without NDR, XDR is limited in its ability to detect threats that have bypassed endpoint defenses.
- Correlation of Data Across Layers: XDR relies on the correlation of data from multiple security layers to produce meaningful insights and effective responses. NDR contributes network traffic data (flows, DNS, TLS metadata, extracted files) that enriches this correlation, enabling better threat identification and more informed decisions; an endpoint alert and a network fan-out from the same host in the same window is a far stronger signal than either alone.
- Enhanced Response Capabilities: XDR aims to improve an organization’s ability to respond to threats by streamlining and automating the process. NDR’s network-based insights are crucial for understanding the full context of a threat (which hosts talked to the compromised machine, and what was transferred) and for designing appropriate responses such as isolating affected network segments or blocking specific network traffic.
From a detection and evasion perspective, the network is significantly harder for adversaries to evade. An adversary that wants to move or communicate must put packets on the wire; it can encrypt or tunnel them, but it cannot keep a sensor in the path from seeing that they were sent, to whom, when, and how much. That makes network telemetry a source of truth that tampering on a compromised host cannot rewrite. The network is a potential chokepoint for adversaries and a position of strength for security teams.
Bottom line: NDR is a critical component of XDR because it provides the network-level visibility the other layers lack and improves the overall effectiveness of threat detection and response. Without NDR, XDR cannot deliver the comprehensive coverage it promises, leaving organizations exposed to threats that operate at the network level.
Postscript: This is the first post of a three-part series. Watch for the next post in the series about our thoughts on whether XDR is a “solution,” or rather, a “strategy.”