Socwise logo
Gálffy Emese
12/08/2021

BREAKING DOWN XDR: WHAT DOES IT REALLY MEAN TODAY?

Gálffy Emese
Three-letter acronyms (or TLAs) have long ruled the IT sector, and the area of cybersecurity is no exception. As convenient as it is to shorten terms that would otherwise take much longer to say, there is undoubtedly another upside to resorting to TLAs when referring to solutions areas: a strong marketing aspect. In this article, […]

Three-letter acronyms (or TLAs) have long ruled the IT sector, and the area of cybersecurity is no exception. As convenient as it is to shorten terms that would otherwise take much longer to say, there is undoubtedly another upside to resorting to TLAs when referring to solutions areas: a strong marketing aspect. In this article, we’ll be taking a close look at one of the most trending TLAs of cybersecurity: XDR, i.e. Extended Detection & Response. Read on to find out what it is, where it’s come from, and how it’s defined by leading research companies, as well as one of the biggest players of IT security, NetWitness.

XDR – a trending TLA in cybersecurity

CISO, NIST, SOC, SOAR, TIP… These are only a few of the many abbreviations that cybersecurity professionals understand and use on a daily basis. And while many of these shortened names indicate novelties in the industry, there are numerous examples where a new TLA has been just stuck to a long-existing solution – which has received a few improvements if we’re lucky – to make it relevant again. But what’s the deal with Extended Detection & Response? Does it bring anything new to the table, or is it just an old solution rebranded to make some noise? Let’s examine this solution area from a few aspects.

XDR-related solutions

Although it will probably take another year or two for the industry to fully agree on what XDR actually is, we can already make a few observations if we look at some related technologies and solutions, and the evolution thereof:

  • SIM + SEM = SIEM – Security Information & Event Management comes from the combination of what used to be two separate solutions, Security Information Management and Security Event Management.
  • EDTR → EDR – Endpoint Detection & Response evolved from Endpoint Threat Detection & Response as a rebranding exercise. 
  • DPI → IDS → NTA → NDR – Network Detection & Response went through several transformations before it became the term we know today, originating from Deep Packet Inspection, a core capability of Intrusion Detection System, which is a solution closely related to Network Traffic Analysis
  • MDR – Managed Detection & Response
  • UBA + EBA = UEBA – User & Entity Behavior Analytics came from two formerly separate solutions, User Behavior Analytics and Entity Behavior Analytics
  • SOAR – Security Orchestration, Automation & Response
  • TIP – Threat Intelligence Platform

First and foremost, it’s plain to see that TLAs dominate the industry as we said before, but even more striking is the revelation that not only are there numerous solutions that play in the XDR space, but many of them actually encompass detection and response. So, it’s probably safe to assume that XDR isn’t a ‘new kid on the block’, but is it a significant evolutionary step forward in cybersecurity? Let’s see what leading researchers found.

Extended Detection & Response as defined by researchers

As is the case with any emerging innovation in technology, XDR was also picked up by leading market researchers who all took a close look at the subject matter and created their own definitions. Let’s see how they think of Extended Detection & Response, and the conclusions we can draw from it.

  • Gartner: A unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components for efficiency and productivity.
  • Forrester: The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as NAV, email security, identity and access management, cloud security and more.
  • IDC: Many product vendors have evolved to create their own XDR products just as they did with Endpoint Detection and Response, which was the precursor to MDR. [...] The ‘X’ brings in telemetry such as messaging, network, and cloud. The main consideration to understand is, from a services aspect, there is more telemetry that can be brought in with the ‘X’, but XDR still falls into the same umbrella of MDR.
  • ESG: XDR is a method for bringing controls together to improve security telemetry collection, correlation, contextualization, and analytics. There’s also an operational side of XDR to help coordinate response and remediation across multiple controls simultaneously.
  • Frost & Sullivan: A vendor-agnostic solution that aggregates data from a wide range of security controls (e.g. endpoint, coud, network), enabling security teams to detect, investigate, and respond to threats in a holistic manner.
  • 451 Research: If there’s one data source that could be considered primary for XDR, that must be endpoint data. [...] The network is the substrate that literally connects us all. As such, it can play a key role in XDR offerings. [...] With more organizations adopting cloud-based environments, XDR systems can greatly benefit from ingesting cloud infrastructure telemetry. [...] The broad category of user behavior data covers elements such as browsing histories including access to SaaS applications, insights derived from user entity, and behavior analytics (UEBA) systems.

As you can see, there’s no clear-cut answer to the question: what is XDR? The definitions vary from researcher to researcher, but there are certain aspects that more of them highlighted independently from one another, such as the importance of endpoints, telemetry, and controls. But more importantly, whether subtly or directly, they mostly refer to XDR as an evolution of EDR or MDR (or even both) and view it as closely related to the above-mentioned technologies.

Extended Detection & Response as defined by NetWitness

The concept of XDR has been around for about two years, however, as we established above, it’s closely tied together with several solutions and products that have been around for much longer in the area of cybersecurity. Consequently, to a certain extent, numerous vendors have built their SOC platforms to address the issues XDR was designed to solve for years – even if not in such a well-defined manner as they do now. 

NetWitness, for example, is one of these vendors. Having utilized a solution which they originally labelled as an “evolved SIEM capability” for more than 5 years, NetWitness is undoubtedly one of the most experienced players in what became known as the “XDR space”. So, how do they define XDR? According to them, XDR is about combining ingestions (such as logs, network traffic, and endpoint) with capabilities such as orchestration and response, threat intelligence, traditional correlation-based analytics, and advanced behavioral analytics. But how does that look in practice? Let’s see how exactly NetWitness’s offering is built up.

XDR by NetWitness

NetWitness’s XDR solution set consists of three closely related elements: the XDR platform, which functions as the heart of the NetWitness portfolio, the ingestions, and the actions taken on the ingested data. Let’s examine these one by one.

The platform

The NetWitness XDR Platform has been designed to find solutions for several important use cases that exist in the industry today. Originally developed for a US government project in the late 90s, the technology itself has existed for 20 years with the following use cases built into it:

  • Aligning business context to security context make better and quicker decisions
  • Unparalleled visibility across on-prem, virtualized, and private/public cloud environments
  • Identifying new attacks and attackers
  • Speeding up investigations and shortening the dwell time
  • Understanding the full scope of attacks
  • Ability to scale from the smallest to the largest organizations

In addition, several new use cases have been added to the platform over time to feature core XDR capabilities. These are:

  • Incident management
  • Centralized investigation
  • Threat intelligence
  • Threat Detection
  • Reporting & dashboarding

Ingestions

Moving on from the platform, it’s time to take a look at the ingestions of the solution. NetWitness’s offering operates with the following ingestion modules:

  1. NetWitness for Logs – which lets you know what was targeted
    • Collecting logs – identifying risks that evade signature-based security tools
    • Centralized log management – across cloud, on-prem, and hybrid environments
    • Reducing alert fatigue – identifying high-priority alerts and decreasing false positives using threat intelligence and context analysis
  2. NetWitness for Network – which lets you know how it happened, as well as what assets and users were impacted
    • Advanced threat defense – immediate deep visibility for rapid detection
    • Threat analytics – real-time capture and enrichment of packet data for effective threat hunting and assessment.
    • Centralized investigation – intuitive data visualization, comprehensive automated detection, investigation and forensics
    • Providing a full incident scope – reconstruction capabilities leverage network visibility
  3. NetWitness for Endpoint – which lets you know the severity of endpoint impact and if others were affected
    • Extended visibility all the way to the user – investigate compromised systems to collect incident data for forensic analysis
    • Continuous endpoint monitoring – visibility into all processes, executables, events and behavior on endpoints, including servers, desktops, laptops and virtual machines to manage the full attack lifecycle
    • Reduce attack dwell time – fast root cause analytics and prioritizing threats to improve security analysts efficiency and accelerate time-to-response
  4. NetWitness for IoT (the latest addition to the solution’s module set) – which gives you visibility, insights, and action for the Internet of Things
    • Edge Computing Environments – monitoring of any gateway-connected IoT device at scale
    • Anomaly detection and reporting – detection of compromised IoT devices using ML and AI techniques
    • Integration – works with leading IoT management platforms so you can add advanced security to existing deployments more easily 

It’s important to note that you don’t need all ingestion modules to have a working NetWitness XDR platform. In fact, most companies start with just one, then add more according to their needs – which is exactly why this solution has been built to be completely modular.

Actions

Finally, as soon as NetWitness’s solution has finished ingesting data, it’s ready to act on the data it ingested. Here are the solution’s main action capabilities:

  1. NetWitness Detect AI – which lets you see threats you didn't know existed 
  2. Behavior-based threat detection – data models understand your organization’s normal behavior
  3. Unsupervised machine learning – builds common behavior modelling without the need of human intervention to limit analyst time consumption
  4. Multi-tiered anomaly validation – machine learning algorithms compare anomalies to peer groups to reduce false positives
  5. Innovative risk scoring – dynamic statistical risk scoring mechanism quantifies deviations from normal to help you focus on high-impact risks

On a related note, NetWitness Detect AI is the company’s own UEBA capability, as well as its first ever born-in-the-cloud, SaaS based offering.

  • NetWitness Orchestrator – which lets you coordinate fast resolution
  • Orchestrator for SOAR
  • Case management – organize investigation and resolutions actions across the entire security operations team
  • Automated actions – speed up identification, evidence collections and automate low-level incident resolution
  • Threat intelligence
    • Stay ahead of emerging cyberthreat techniques, tactics, and procedures

And to add an interesting fact about NetWitness Orchestrator – the capability revolved so much around threat intelligence in the beginning that it was actually seen as a threat intelligence platform (TIP) initially, which later grew into the SOAR space.

In conclusion

And with that, we thoroughly examined the XDR offering of one of the greatest and most experienced cybersecurity vendors of the world, and reached the end of this article. As you could see, the foundations of Extended Detection & Response have been with us for a long time, which doesn’t make it easy for anyone to define what it actually is – and the industry will have to spend a lot of time studying it before it can reach a full consensus. However, one thing’s for certain: XDR is a significant step forward in the area of cybersecurity, and it holds great potential for the future.

Get an idea from SOCWISE to build or develop your SOC!

Some CISOs have built their SOCs over time with a mix of internal and external resources. But, given the ongoing evolution of cybersecurity techniques and the need to constantly adopt new skills and tools, managing this mix is becoming increasingly complicated.

Benchmarking : The Key to Creating an Efficient Security Operations Center (SOC)

See how we built it, how it works, and what technologies we use!

crossmenu