XDR/Open XDR Q&A
What are the most common misconceptions about XDR?
One of the common misconceptions is that XDR is automatically the ideal security solution. Point security solution vendors position XDR as the Holy Grail if you are using their product suite. By default, this positioning has limitations, since customers can’t onboard data sources from other vendors and correlate across all available data sets and across alerts to prioritize incidents in an automated way.
Is XDR overhyped?
XDR is indeed the new magic word, and like all new magic words it is overhyped and can be interpreted in many ways. It is used for all kinds of capabilities that go beyond having a single point solution. This can be a real pitfall for less knowledgeable customers. Besides this, there’s a big difference between “Extended” Detection and Response and “Everything” Detection and Response. We strongly believe in being able to include every possible source (“Everything”), and that’s why we offer Open XDR. This approach supports customers much better if they have a best-of-breed strategy or have already signed multi-year license contracts for one or more point solutions.
The biggest advantages of Open XDR are:
- An open architecture (so you can plug in whatever third-party security tools you want)
- AI/advanced machine learning used in every stage of the attack kill chain, with correlation across all data sources and alerts along with automated triage
- Automatically stitching together all related cross-data source/alert/incident information, threat intelligence and other relevant content
- A large library of out-of-the-box detection, investigation and response capabilities across all onboarded data sources and security point solutions
- Plug-and-play onboarding of data sources.
What are the biggest early challenges in implementing Open XDR?
When you can onboard whatever log sources you choose, the visibility of what is happening inside and outside of a company can be overwhelming (and scary) for a customer. This process needs to be managed properly, especially for UBA (user behavior analytics) capabilities, which add a lot of value but are impacted by privacy regulations. Integrating UBA often results in filling in large privacy checklists for validation and a lot of explaining (the value for the company vs. the privacy of one person).
Another challenge is automated responses. Activating automated responses must be done without impacting the business, which is often a challenge since most customers don’t have a clear view of what will impact the business.
Once deployed and established, how might security organizations struggle to get value out of their XDR/Open XDR solution?
Customers may not get the value they expect if they choose an XDR solution and then realize after deployment that they can’t onboard the data sources they want and therefore do not have the detection, investigation and response capabilities they’re looking for. Another issue is choosing the right data sources: if you don’t onboard the right sources, you will struggle to get full value out of XDR.
What are the top two or three success factors in using XDR technology?
When you use the right (open) XDR solution, these are:
- Much faster detection, triage, analysis and response across all data sources.
- With automated correlation across data sources and alerts, you can focus on the alert or incident that matters, and you’re not limited to only one point solution or data source.
- You get one pane of glass that shows the security status of your whole IT landscape.
What are the most important things to look for when evaluating XDR technology?
- Open architecture (being able to onboard every possible data source)
- The number and type of available parsers and integrations
- Use of advanced machine learning across the whole kill chain
- Correlation across data sets and across alerts to identify and prioritize incidents
- Automated event normalization enriched with contextual information
- Ability to group alert and incident information using a timeline and a graphical visualization of the attack or anomaly for better understanding by security analysts
- Use of threat intelligence for vetting security alerts
- Out-of-the-box, built-in detections that cover all stages of the kill chain
- Out-of-the-box response playbooks and SOAR capabilities
- Automated threat hunting and the ability to do it “on the fly” across all data sources
- A single pane of glass
- A large set of reports and the ability to easily create new ones.
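The evaluation criteria above (event normalization, contextual enrichment, correlation across data sources and alerts, and a per-entity timeline for prioritized incidents) are easier to judge once you have seen the mechanics in miniature. The following is an added toy example written for this page; it is not code from any Open XDR product, and the firewall log format, EDR alert format, asset inventory and scoring weights are all constructed assumptions. It parses two unrelated feeds into one common schema, enriches each event with asset criticality, groups events per host into time-windowed incidents, and ranks incidents higher when independent sources agree.

```python
from datetime import datetime
import json
import re

# Constructed sample data (hypothetical formats, not any vendor's real output):
# a firewall syslog-style feed and an EDR JSON alert feed covering the same hosts.
FIREWALL_LOGS = [
    "2024-03-01T10:00:01Z fw01 DENY src=10.1.1.5 dst=203.0.113.9 dport=4444",
    "2024-03-01T10:00:07Z fw01 DENY src=10.1.1.5 dst=203.0.113.9 dport=4444",
    "2024-03-01T10:02:30Z fw01 ALLOW src=10.1.1.8 dst=198.51.100.2 dport=443",
]
EDR_ALERTS = [
    '{"ts":"2024-03-01T10:00:03Z","host":"ws-finance-05","ip":"10.1.1.5","rule":"suspicious_powershell","severity":7}',
    '{"ts":"2024-03-01T10:03:00Z","host":"ws-dev-11","ip":"10.1.1.8","rule":"new_service_installed","severity":3}',
]
# Constructed asset inventory: the "contextual information" used for enrichment.
ASSET_CONTEXT = {
    "10.1.1.5": {"host": "ws-finance-05", "criticality": 3},
    "10.1.1.8": {"host": "ws-dev-11", "criticality": 1},
}

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_ts(ts):
    # ISO-8601 with a trailing Z; rewritten so it also works before Python 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize_firewall(line):
    """Map one firewall line onto the common event schema, or None if unparseable."""
    m = FW_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    severity = 2 if d["action"] == "DENY" else 0  # a denied connection is only a weak signal
    return {"ts": parse_ts(d["ts"]), "source": "firewall", "entity": d["src"],
            "severity": severity,
            "summary": f"{d['action']} {d['src']} -> {d['dst']}:{d['dport']}"}


def normalize_edr(raw):
    """Map one EDR JSON alert onto the same common event schema."""
    a = json.loads(raw)
    return {"ts": parse_ts(a["ts"]), "source": "edr", "entity": a["ip"],
            "severity": int(a["severity"]), "summary": f"{a['rule']} on {a['host']}"}


def enrich(event):
    """Attach asset context; unknown entities get the lowest criticality."""
    ctx = ASSET_CONTEXT.get(event["entity"], {"host": "unknown", "criticality": 1})
    return {**event, "host": ctx["host"], "criticality": ctx["criticality"]}


def correlate(events, window_s=300):
    """Group enriched events by entity into incidents. A gap longer than window_s
    between consecutive events for the same entity starts a new incident."""
    by_entity = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_entity.setdefault(ev["entity"], []).append(ev)
    incidents = []
    for entity, evs in by_entity.items():
        current = None
        for ev in evs:
            if current is None or (ev["ts"] - current["timeline"][-1]["ts"]).total_seconds() > window_s:
                current = {"entity": entity, "host": ev["host"],
                           "criticality": ev["criticality"], "timeline": []}
                incidents.append(current)
            current["timeline"].append(ev)
    for inc in incidents:
        alerting = [e for e in inc["timeline"] if e["severity"] > 0]
        max_sev = max((e["severity"] for e in alerting), default=0)
        sources = {e["source"] for e in alerting}
        # Priority: worst alert, weighted by asset criticality, plus a bonus when
        # independent sources agree (the cross-source correlation signal).
        inc["score"] = max_sev + 2 * inc["criticality"] + 2 * max(len(sources) - 1, 0)
        inc["sources"] = sorted(sources)
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def build_incidents(fw_lines=FIREWALL_LOGS, edr_raws=EDR_ALERTS):
    """Normalize both feeds, enrich, correlate, and return incidents by priority."""
    events = [normalize_firewall(l) for l in fw_lines] + [normalize_edr(r) for r in edr_raws]
    return correlate([enrich(e) for e in events if e is not None])


if __name__ == "__main__":
    for inc in build_incidents():
        print(f"[{inc['score']:>2}] {inc['host']} ({inc['entity']}) sources={inc['sources']}")
        for ev in inc["timeline"]:
            print(f"      {ev['ts'].isoformat()} {ev['source']:<8} {ev['summary']}")
```

Two things are worth noticing when evaluating a real product against this sketch. First, the benign ALLOW event for ws-dev-11 never raises an alert on its own but still lands in that host's timeline, which is the context an analyst wants when reading the incident. Second, ws-finance-05 outranks ws-dev-11 not because any single alert is dramatic but because two independent sources agree about a critical asset inside the same window; if a vendor cannot onboard the second source, that signal simply never exists.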
How can organizations overcome integration/data collection issues when using XDR?
If you’re using Open XDR, you won’t have this issue!