What is the X in XDR, and how does it expand existing EDR to protect against cyber-attacks?

Cybercriminals and malicious hackers have been shifting their tactics, techniques, and procedures (TTPs) to improve their ability to infiltrate an organization and stay under the radar of security professionals and solutions.

Moving to more targeted attack methods appears to be a mainstay among threat actors, which requires organizations to improve their visibility into the entire attack lifecycle.

Gone are the days in which these attacks only target the endpoint, and as such, an expanded connected threat defense is paramount.

Many organizations have been adopting EDR (Endpoint Detection and Response) as a way to obtain more data about attacks on the endpoint. But as we’ve seen with even ransomware actors, the endpoint is being targeted less. Rather, attacks are laterally moving within an organization to find critical systems that will allow them to increase their chance of the organization paying the ransom. (See recent webinar on trends in ransomware.)

This means the actors behind many financially motivated and targeted attacks will move across the network, and their tracks will be left in other areas of their network, not just on the endpoint. Expanding EDR to include other areas is the definition of XDR.

The X could be network data, email or web data, data from cloud instances, and others. This would allow an organization to get visibility into the entire attack lifecycle, including infiltration, lateral movement, and exfiltration. This will improve the organization’s ability to prevent critical data exfiltration or the compromise of critical systems within their network.

The ability to do this requires a number of key components:

  1. A security vendor who has solutions across the entire network, including cloud, gateway (email and web), network, server, endpoint (includes mobile), and IoT/IIoT.
  2. Support for threat intelligence and data analytics. This should be as automated as possible and should include 3rd party threat intelligence (i.e. CERT, ISAC, ISAO feeds).
  3. History of expertise in correlating multiple threat vectors and the use of AI and Machine Learning.

This will require a major shift from traditional security practices, as many organizations have supported a best-of-breed approach, utilizing multiple vendors (some say 50-100 security applications on average within a large enterprise). Instead, the future is moving to a more consolidated approach with fewer vendors.

Having multiple vendors for different areas of security results in silos and segmentation due to a lack of integration across the security industry, but XDR could bring a shift in this practice as they include more support for 3rd party intelligence feeds.