Extended detection and response (XDR) - A next-generation evolution of Endpoint detection and response (EDR)

December 03, 2021


Security teams have been struggling with independent vector data points to triage the alerts. In 2018, the new term XDR appeared, it stands for Extended Detection and Response (XDR). 

The law of diffusion defines adoption through innovative perception making diffusion possible. It sets the stage for the solution to evolve or flop. According to the law of diffusion, only 13.5% are early adopters and 34% are the early majority. By virtue of that, XDR is a vision and function which is over the tipping point between early adopters and the early majority. 

XDR is a next-generation evolution of Endpoint Detection and Response (EDR). By correlating the telemetry data from EDR shared among Network Detection and Response (NDR), Identity and access management (IAM) solution(s) can reduce the mean-time to detect/respond to modern threats. 

This is one of many articles in the Empowering Modern Security Operations Center (SOC) blog series. We will discuss XDR readiness and XDR use cases in this blog post. 

XDR readiness 

As a security leader, you are asked what is the right time to consider an XDR solution? You may have heard about XDR from diverse sources or vendors, but the question remains unanswered about when the right time is to implement an XDR solution. 

Traditional security information and event management (SIEM) are becoming ineffective because the threat landscape has increased with the rise of a remote workforce, adoption of public cloud, and data analysis skill gap in the cybersecurity industry. Security operations centers (SOCs) are saturated with independent [siloed MITRE ATT&CK TID] security solutions with little to no integrations, tracking down the false positives and lack of information to investigate the threats. Analysts have tried to bridge the gaps between individual security solutions manually and it is not effective. 

Security teams have inadequate solutions to counter modern attacks. Streamlined alert tirage is becoming key to identifying security breaches. Traditional security solutions work in silos and have too many blind spots, they are still lacking auto enriched function. Threat intelligence Solutions alerts need to encompass diverse sources and apply them to the context of the organization to reduce false positives. The best approach emphasizes the ability to start wide and digs deep as needed based on the severity and criticality of the alert. 

As you are considering XDR solutions, you may want to explore how many of your current security solutions are over or under-utilized? How many of those solutions provide open integration to share telemetry data to enrich the alerts for additional visibility? How many of those solutions support MITRE ATT&CK TID labels? According to SecurityIntelligence, MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. 

Is XDR a product that overlays on your existing security stack or a method to integrate security solutions to enhance the detection and response of widespread attack across different attack surfaces? And the answer is Both. 

Forrester defines XDR as “The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real-time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity, and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructures to provide security teams with flexibility, scalability, and opportunities for automation.” 


XDR use cases 

  1. Reduce Blind spots: The common XDR use case is reducing the blind spots and the coverage gaps between too many isolated [silo] tools and events. The changing threat landscape and the sophistication of adversaries require a function between security tools to share telemetry data to reduce the dwell time of adversaries in organization networks and systems. 

  1. Reduce Mean time to detect: Another XDR use case is reducing mean time to detect. With the attack surfaces expanded workforce and their endpoints behind corporate firewalls spanned all over the globe. Now, you need near real-time visibility across all your endpoints. This allows security teams to detect adversarial attacks early enough in the cyber-kill chain. The Cyber kill-Chain framework was originally published by Lockheed Martin as part of the Intelligence Driven Defense model for the identification and prevention of cyber intrusions activity. 

  1. Automate remediation: XDR function can also help bridge some of the gaps of Incident Handling. Automating compromised network or system remediation is an outstanding challenge for organizations after the breach. Security Orchestration, Automation, and Response (SOAR) platforms offer some of the capabilities to help with automation. However, SOAR does require a sophisticated and highly skilled security team. For those organizations who cannot implement SOAR that automate actions with customized scripts and integrations. XDR has a function of connecting controls between EDR, NDR, Applications, and identity fit perfectly. As XDR offers a streamlined simple and intuitive solution. 

XDR functions 

What are XDR functions and what do they entail since they are neither a product consolidation nor a vendor consolidation? 

XDR capability 


Telemetry data sharing among endpoints, network, identity, and applications 

Reducing the blind spots and reduce mean time to detect 

An ability to create custom Indicators of Compromise (IOC’s) for alerting 

To triage and prioritize alerts from integrated security solutions such as EDR, NDR, Identity and access management etc. 

Incorporated MITRE ATT&CK Framework 

A common language between all security solutions and security teams for threat hunting 

Tightly coupled integrations to automate remediations 

Reducing the mean time to respond and enabled security teams to respond across multiple vectors 

Ingesting public and private threat intelligence feeds 

Help organizations leverage large scale analytics and prioritize security risks for themselves 

XDR is a function of combining weak signals from isolated security solutions into stronger signals to surface and detect malicious intent faster. It helps to improve the key performance indicator (KPI) of missing alerts due to a lack of correlations and data for further investigations. The integration between security solutions help security teams to tirage an alert quicker and accurately. 

VMware Carbon Black - Endpoint Detection and Response (EDR) can help detect unknown adversarial behavior(s) in real-time by using a behavioral analysis coupled with VMware workspace One and VMware NSX. With this, Carbon Black EDR can prevent, detect, and respond to potentially malicious activities. And, by correlating data such as alerts, timelines, and using advanced algorithms, Carbon Black EDR helps security teams work backward to determine breach points. This is how XDR as a function can help security teams to be proactive instead of reactive. 

Additional Resources

What is Extended Detection and Response (XDR)?

Filter Tags

Blog Announcement