Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.
XDR will converge from different directions: XDR, Open XDR, Native XDR, Hybrid XDR -> XDR
By Aimei Wei, co-founder and CTO, Stellar Cyber
Initial definitions of XDR envisioned eXtended Detection and Response: a single platform that unified detection and response across the entire security kill chain. According to Rik Turner, who coined the XDR acronym, XDR is "a single, stand-alone solution that offers integrated threat detection and response capabilities." To meet Omdia's criteria to be classified as a "comprehensive" XDR solution, a product must offer threat detection and response functionality across endpoints, networks and cloud computing environments.
Gartner's definition is similar in that it points to features such as alert and incident correlation, built-in automation, multiple streams of telemetry, multiple forms of detections (built-in detections), and multiple methods of response. However, Gartner requires XDR to be achieved through consolidating multiple proprietary vendor-specific security products.
Open XDR was initially created by Stellar Cyber with the same features Gartner mentions, except that not all the security products/components have to be from the same vendor. The platform is open and integrates with third-party security tools. Some components are built in, and others are provided through deep third-party integrations.
Open XDR was later picked up by vendors who rely purely on a wide ecosystem of third-party tools for telemetry sources and response, without any built-in components.
Forrester's definition of XDR requires the platform to be anchored around an EDR. It defines Native XDR as EDR integrating with a vendor's own security tools; Hybrid XDR as EDR integrating with third-party security tools; SAP (Security Analytics Platform) as a platform without built-in EDR, but with built-in NAV and SOAR with third-party integrations; and SSA (Standalone Security Analytics) as those purely relying on third-party tools for telemetry sources and responses.
We predict that in 2022, XDR will converge from different directions.
- XDR will trend towards openness and integration with third-party security tools to allow best-of-breed tools to be used and existing investments preserved. Even those vendors that have historically been closed will become open, because they realize they can't deliver the outcomes enterprises need while attempting to own the entire stack.
- XDR doesn't have to anchor from EDR as long as high-efficacy detections are achieved through integration with EDR products.
- XDR platforms will have some built-in components and others through third-party integration. The more built-in components, the more value to get up-front without needing to acquire third-party tools. The more out-of-the-box integrations, the more existing investments can be preserved and the more choices from among best-of-breed products.
Our definition of XDR is that it's a unified security incident detection and response platform that:
- Provides high-efficacy detections across ALL the data sources (endpoint, network, cloud, application, user, assets, email, etc.) through either built-in EDR, NDR, CDR, TIP or out-of-the-box third-party integration.
- Includes automatic alert correlation across all data sources and security tools to speed up validation and investigation, along with automation of more advanced workflows with sophisticated attack correlation.
- Enables automatic responses across different security tools through built-in or out-of-the-box integration with SOAR.
- Incorporates threat hunting across all data sources by allowing analysts to visualize and store large volumes of data for long periods of time through a built-in, next-gen SIEM or out-of-the-box integration with third-party SIEMs.
XDR is about automatic detection and response across the entire attack surface, and that means anything less than everything is not enough. XDR ultimately means "Everything Detection and Response."
## ABOUT THE AUTHOR
Aimei has over 20 years of experience building successful products and leading teams in data networking and telecommunications. She has extensive working experience at both early-stage startups, including Nuera, SS8 Networks and Kineto Wireless, and well-established companies like Nortel, Ciena and Cisco. Prior to founding Stellar Cyber, she was actively developing Software Defined Networking solutions at Cisco. Aimei enjoys building a product from its initial design to its final launch. Aimei has an M.S. in Computer Science from Queen’s University in Kingston, Canada and an undergraduate degree in Computer Science from Tsinghua University in China.