Bytes Blog: Translate the Different Versions of XDR into a Practical Deployment

Friday 16th December 2022

Blog Author: Adam McCaig, Cyber Security Evangelist, Bytes

--------------------------------

Extended Detection and Response is potentially the future cornerstone of a cyber defence strategy. This powerful approach to the detection of anomalous behaviour and corrective action has the potential to bring huge benefits to security teams. The automatic and continuous monitoring of user and machine behaviour across all security domains will allow security analysts to have context at their finger types and reduce the time needed to respond to potential security incidents.

One of the biggest obstacles to this dynamic, responsive and automated future is our current understanding of XDR. A common definition still alludes us, solution providers inevitably place their own core capabilities at the centre of their own “XDR approach”. Analysts are yet to agree on a standard definition of XDR. Definitions I have come across in the last 6 months range from “SIEM evolved” to “Extended Endpoint Detection and Response” and a whole host in between.

How do we translate the different versions of XDR into a practical deployment and realise the benefits on offer?

The first decision we need to consider as end users is if we should pursue a “closed” (single supplier) approach to XDR or look to the advantages of an “open” XDR architecture and leverage the benefits of increased bi-directional integration between security solution providers.

An obvious advantage of an open architecture will be in the ability to potentially leverage existing investments that fit the Extended Detections and Response Model; EDR, NDR, SIEM, Next Gen Firewalls, CASB, Web Gateways and Email security tools for example. We can also build a “best of breed” or “best fit” approach to our selection of security controls.  There may be limitations to this approach, the availability and quality of integrations for example, or a delayed time to value.

A single provider (Closed) approach has the benefit of accelerating time to value of additional capabilities, but potentially leaves capability, and therefore context, gaps.

As users, however we eventually choose to pursue XDR. It is apparent that the primary benefits of a faster mean time to detection and a faster mean time to respond are going to be worth the effort for most organisations who are continuing to struggle to resource Security Operations roles because of skills availability and budget constraints.

Investigations are also likely to be accelerated thanks to the increased context we can realise from an XDR deployment. SIEM will continue to have a place in the Security Operations field, thanks to the retention, correlation and investigative benefits of these technologies. A SIEM deployment will probably benefit from being considered as part of the XDR architecture and alongside XDR in our approach to Security Operations.

XDR as a term, approach and collection of technologies is certainly here to stay. Although how we meet these objectives is likely to evolve as the technology providers align around integrations, partnerships, or standalone capabilities.

More Information 

Listen to our recent podcast as Jeremy Edwards, Head of Technology & Solutions Sales at Bytes and Rich Davis, Netskope's Chief Technologist, discuss the true meaning and value behind XDR Security. 

If you do require more details or want to discuss XDR for your cyber security strategy, then please do reach out to us; we are here to help and are happy to have that discussion. Email [email protected] and a member of the team will be in touch.  

--------------------------------

Thank you for reading.   


Want to keep informed? Sign up to our Newsletter

Connect