What is XDR?

As extended detection and response (XDR) emerges as a new market category within the detection and response cybersecurity stack, every “DR” vendor seems to be making its own definition of XDR. In short, XDR improves SOC efficiency by giving analysts a unified view of threats detected across multiple data flows and across multiple security tools such as firewalls, email security tools, endpoint detection solutions, cloud security tools, or network detection platforms. From there, triage and response steps are streamlined as well.

What do industry analysts say about XDR?

According to Gartner, “Extended detection and response describes a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components.” Some definitions, such as Forrester’s, place endpoint detection and response (EDR) at the center of this new market category:
The evolution of endpoint detection and response (EDR), which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management (IAM), cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.
While Gartner and Forrester offer solid market definitions of this emerging technology, many vendors disagree with such an EDR-led definition. Some define XDR more generally as a capability that delivers a streamlined threat detection experience, which matters more than the underlying tools themselves.

Perhaps the best way to understand XDR, though, is to look at how we got here, through the evolution of both EDR and network detection and response (NDR), and where we are going. What is the promise XDR hopes to achieve?

What are the benefits of XDR?

As most SOC analysts know, common SOC challenges include too many alerts to triage and too many tools to consult in order to review, investigate, triage, and respond to an incident. It is typical to have more than a dozen tabs open from different security tools at all times, and many of those detection tools do not integrate cleanly with the rest of the security stack. XDR seeks to streamline this overload.

Typical analyst flow before XDR (figure; adapted from Forrester, “Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR; EDR Is Dead, Long Live XDR,” Allie Mellen, April 28, 2021).

Typical analyst flow after XDR (figure; adapted from the same Forrester report).

The benefits of XDR:

- More robust telemetry than endpoint tools alone provide, for greater visibility
- The ability to integrate behavioral analytics for more robust threat detections
- Faster triage and incident response from a single pane of glass
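To make the “unified view” and “single pane of glass” concrete, here is an added example (not IronNet’s or any vendor’s code) that takes alerts from four tools with different schemas, resolves them to a common entity through an asset inventory, groups them into time-windowed incidents, and ranks incidents higher when several independent tools agree. Every alert format, hostname, address and the `ASSETS` map are constructed for illustration; real EDR, NDR, email-gateway and firewall exports use their own formats.

```python
"""Toy cross-tool alert correlation: the 'unified view' an XDR platform builds.

Added example for this page, not IronNet code. Every alert schema, hostname,
address and the ASSETS map below is constructed for illustration; real EDR,
NDR, email-gateway and firewall exports use their own formats.
"""
from datetime import datetime, timedelta

# Constructed sample alerts, one list per tool, each in that tool's own (made-up) schema.
EDR_ALERTS = [
    {"ts": "2021-05-03T09:14:02Z", "hostname": "ws-042", "user": "jdoe",
     "detection": "powershell.exe spawned by winword.exe", "sev": "high"},
]
NDR_ALERTS = [
    {"time": "2021-05-03T09:15:40Z", "src_ip": "10.1.4.42", "dst_ip": "203.0.113.7",
     "behavior": "periodic beaconing to rare external host", "score": 85},
]
EMAIL_ALERTS = [
    {"received": "2021-05-03T09:10:55Z", "recipient": "jdoe@example.com",
     "verdict": "macro-laden attachment", "severity": 2},
]
FIREWALL_ALERTS = [
    {"ts": "2021-05-03T14:02:11Z", "src": "10.1.9.9", "dst": "198.51.100.5",
     "rule": "blocked outbound SMB", "sev": "low"},
]

# Constructed asset inventory: resolves IPs and mailboxes to the host they belong to.
# Without this mapping the EDR, NDR and email alerts never line up on one entity.
ASSETS = {"10.1.4.42": "ws-042", "jdoe@example.com": "ws-042"}
SEV = {"low": 1, "medium": 2, "high": 3}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize():
    """Flatten every tool's alert into one schema: ts, source, entity, sev (1-3), what."""
    rows = []
    for a in EDR_ALERTS:
        rows.append(dict(ts=_ts(a["ts"]), source="edr", entity=a["hostname"],
                         sev=SEV[a["sev"]], what=a["detection"]))
    for a in NDR_ALERTS:
        rows.append(dict(ts=_ts(a["time"]), source="ndr",
                         entity=ASSETS.get(a["src_ip"], a["src_ip"]),
                         sev=3 if a["score"] >= 80 else 2, what=a["behavior"]))
    for a in EMAIL_ALERTS:
        rows.append(dict(ts=_ts(a["received"]), source="email",
                         entity=ASSETS.get(a["recipient"], a["recipient"]),
                         sev=a["severity"], what=a["verdict"]))
    for a in FIREWALL_ALERTS:
        rows.append(dict(ts=_ts(a["ts"]), source="firewall",
                         entity=ASSETS.get(a["src"], a["src"]),
                         sev=SEV[a["sev"]], what=a["rule"]))
    return sorted(rows, key=lambda r: r["ts"])


def correlate(alerts, window=timedelta(minutes=30)):
    """Group alerts on the same entity, each within `window` of the previous, into incidents.

    Priority = highest single-alert severity, plus one for each additional independent
    tool that saw the same entity: three tools agreeing outranks one loud alert.
    """
    incidents = []
    for a in alerts:                      # alerts arrive time-ordered from normalize()
        for inc in incidents:
            if inc["entity"] == a["entity"] and a["ts"] - inc["last"] <= window:
                inc["alerts"].append(a)
                inc["last"] = a["ts"]
                break
        else:
            incidents.append({"entity": a["entity"], "first": a["ts"],
                              "last": a["ts"], "alerts": [a]})
    for inc in incidents:
        inc["sources"] = sorted({x["source"] for x in inc["alerts"]})
        inc["priority"] = max(x["sev"] for x in inc["alerts"]) + len(inc["sources"]) - 1
    return sorted(incidents, key=lambda i: -i["priority"])


def triage_view(incidents):
    """One line per incident: what an analyst reads instead of a dozen tool tabs."""
    lines = []
    for inc in incidents:
        timeline = "; ".join(f'{x["source"]}: {x["what"]}' for x in inc["alerts"])
        lines.append(f'P{inc["priority"]} {inc["entity"]} '
                     f'[{",".join(inc["sources"])}] {timeline}')
    return lines


if __name__ == "__main__":
    for line in triage_view(correlate(normalize())):
        print(line)
```

The asset inventory is the part practitioners most often underestimate: the email gateway knows a mailbox, NDR knows an IP, EDR knows a hostname, and unless something resolves all three to the same entity the “correlation” never fires and the three alerts stay in three tabs. The time window and the source-count bonus are deliberate tuning knobs; widening the window catches slower intrusions at the cost of merging unrelated noise.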

What’s the difference between NDR and XDR?

For XDR to have any value, threat detections must be timely, relevant, and actionable across the incident-to-response playbook, and the critical role of NDR cannot be overlooked in an XDR framework. As Forrester analysts put it in “The Zero Trust eXtended Ecosystem: Networks,” “Anywhere that packets pass is a place that can offer cybercriminals command and control of critical network assets.” That “anywhere” is the network.

IronNet’s NDR platform, IronDefense, combines an automated expert system that rates alerts with integrated threat hunting and technology partner integrations (e.g., CrowdStrike, Palo Alto Networks, and Splunk), so that SOC analysts can cut the number of manual steps between a detection and a response.

How does Collective Defense enhance XDR?

A shortage of analysts, integration problems, and the rise in complex incidents are the trends driving the need for XDR to ensure that security controls can combat sophisticated threats. While XDR focuses on a single company, IronNet’s Collective Defense platform brings companies, sectors, supply chains, or governments together into a real-time threat-sharing community. Drawing on anonymized network threat detections based on behavioral analytics, Collective Defense serves as an early warning system for all community members, who get a real-time, radar-style dashboard view of the threat landscape. By crowdsourcing threat response insights, Collective Defense community members can pool analyst resources.

Sharing incident response insights with a Collective Defense community
