Driven by the need for richer threat context, the Extended Detection and Response (XDR) solutions category is gaining a lot of “market buzz” so far in 2021. In recent months, the industry analyst community has accelerated its research efforts in this area to help guide the market towards a common understanding of XDR.
Forrester Analyst Allie Mellen recently released Introducing The Forrester New Tech: Extended Detection And Response (XDR) — A Battle Between Precedent And Innovation. The New Tech: Extended Detection and Response (XDR) Providers, Q3 2021 report helps decision makers navigate the XDR “hype” and to clarify and define the capabilities of emerging XDR vendors. In the report, Forrester looks at the market, definitions, and segments 29 vendors by size and capabilities.
What is XDR?
As is typical for an emerging technology category, not all vendors that claim XDR capabilities are delivering on the promise, which is creating confusion for end-users and the industry at large. Mellen was one of the first analysts to take a firm position on the definition of XDR in an April 2021 Forrester Blog post where she defined XDR as, “the evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.”
The August 2021 New Tech report further clarified her position where she noted that legitimate XDR solutions are “starting with the endpoint to focus on high-fidelity alerts, contextualized investigation, speed and completeness of response, and threat hunting.” This approach translates into enhancing (existing) endpoint detection and response capabilities with:
- correlations and automated root cause analysis based on the larger context (endpoint and non-endpoint telemetry)
- unified view of telemetry across all sources for deeper investigation
- an expanded set of (automated) response actions
In the New Tech report, Mellen notes vendor offerings that describe capabilities like “gaining more complete visibility into attacks” and “responding to incidents in a single console,” don’t fit the definition of XDR and belong to other categories like security analytics platforms.
Native XDR vs Hybrid XDR
Although many XDR solutions are built on an endpoint detection & response (EDR) foundation, it’s far from a homogeneous category. While the support for endpoints (workstations, servers, cloud workloads) is generally developed natively by each provider, other sources of telemetry (non-endpoint telemetry) might not be. Depending on whether the additional sources of telemetry are part of the same vendor portfolio or not, an XDR solution is classified by Forrester as “Native” or “Hybrid”. By being fully home grown, the Native XDR approach relies on the tight alignment of the vendor’s own portfolio and stronger integration between the elements providing telemetry. On the other hand, Hybrid XDR relies on integrations with third-party vendors to collect non-endpoint telemetry and execute response actions.
Both methods provide customers with their own benefits. Native XDR as the straightforward evolution from EDR with integrations for other (non-endpoint) telemetry sources built in and ready to be consumed. This type of XDR is, therefore, likely faster to purchase and to deploy, and ultimately provides shorter time to value. It is also expected that a Native XDR solution will include a higher degree of automation and will be operationally less complex, demanding fewer and less senior security resources. Forrester suggests in the report that organizations with smaller and less mature security teams will benefit most out of a Native XDR[1]. Alternatively, Hybrid XDR offers higher flexibility and multiple integration options with various third parties, allowing security teams to leverage the tooling of their choice. This makes Hybrid XDR a choice suited for larger and more mature security teams.
Where to start – eXtended EDR (XEDR)
In Forrester’s report, Bitdefender is included as a representative vendor for “Native XDR”. Our goal is to enable customers to enjoy the benefits of XDR while avoiding an increase in complexity and operational expenses. Through what we term eXtended EDR, or XEDR, Bitdefender offers security analytics and security event correlation at the organizational level. This expands the boundaries of security analytics beyond the endpoint itself by correlating events from all endpoints in the organization’s infrastructure. This enhances the solution’s ability to detect sophisticated (and often hidden) threats and to provide a unified view of security incidents affecting multiple endpoints.
A complex attack that leverages multiple parts of the infrastructure might go unnoticed. This is a Bitdefender representation of how the Detection and Response solution is able to connect the dots and present the security analyst with the bigger picture.
To get started with XDR, in the New Tech report, Forrester suggests that the easiest path is “to implement EDR and allow the security team to evolve EDR incrementally by adding additional telemetry as needed.”
Bitdefender XEDR was designed with this approach in mind and enables customers to gradually add non-endpoint telemetry to provide more context for security incidents and detect more complex attacks. The Bitdefender Network Sensor is the first additional telemetry source built into XEDR. It inspects encrypted or un-encrypted network traffic using a combination of machine learning, behavior analytics and threat intelligence to detect cyber-threats affecting all entities from within the environment (including IOT and BYOD).
Check out the Bitdefender EDR webpage for more insights on how eXtended EDR can help you stay on top of today’s advanced attacks and sign up for a trial to test the solution free of charge in your own environment.
What’s next for XDR?
In the New Tech report, Forrester forecasts that “Differentiated XDR technology will supersede endpoint detection and response (EDR) in the short term and usurp SIEM in the long term.”
This is to be expected as the cross-endpoint event correlation engines are replacing the endpoint-by-endpoint analytics of the current generation of EDR solutions. As exhibited by Bitdefender’s XEDR, the new security analytic solutions are also natively supporting additional telemetry from non-endpoint sources.
Endpoint Detection and Response is growing into eXtended Detection and Response, and the New Tech report recommends security professionals should consider the “EDR solution from which it evolved as an indicator of value” when evaluating XDR options.
Forrester Research’s vision is of XDR as an ‘EDR+’ is quickly becoming one of the most acknowledged (and much-needed) clarifications of the term in the industry. Bitdefender applauds Forrester’s significant research investments in XDR to separate the hype from reality, and we appreciate the guidance offered as we define our XDR offering to address pain points for our customers and help them to gain value as they jump into this emerging market.