
joltsik
Contributing Writer

XDR: Still confusing after all these years

Opinion
16 Nov 2022 | 4 min read
Topics: Endpoint Protection, Network Security, Security Operations Center

It’s time to stop debating about what XDR is and focus on how it fits in a security operations center modernization strategy.

[Image: Security threat: one endpoint on a network has been compromised. Credit: Hernan4429 / Getty Images]

We’ve been discussing extended detection and response (XDR) for years now, but a fundamental question remains: Just what the heck are we talking about, anyway?

Alarmingly, this continues to be a pertinent question. According to ESG research, 62% of security professionals claim to be “very familiar” with the term XDR, up from just 24% in 2020. An improvement, but still 29% are only somewhat familiar, not very familiar, or not at all familiar with XDR. So, despite industry hyperbole, arm waving at the RSA conference, and cacophony of XDR talking heads, nearly one in five security professionals haven’t received the message.

No common definition of XDR

Now what do infosec pros think XDR is? Here’s where it gets interesting. A majority (62%) of those claiming to be “very familiar” with XDR say that XDR is an extension of endpoint detection and response (EDR) technology, 21% think XDR is a product suite from a single technology vendor, and 16% claim that XDR is an integrated and heterogeneous security technology architecture. (It is humorous that 1% of those “very familiar” with XDR responded, “don’t know.”) This means that “very familiar” is relative; security pros are “very familiar” with the XDR definition they adhere to.

When we examine potential deployment models, the waters get muddier. Of those claiming to be “very familiar” with XDR, 61% believe that XDR will supplement existing security technologies, while 37% say that XDR will help consolidate security technologies into a common platform. When we looked at security professionals who are only “somewhat familiar” with XDR, we saw a different picture: 58% of this group think that XDR will supplement existing security technologies, while 37% say that XDR will help consolidate security technologies into a common platform. One could then conclude that XDR will both supplement and consolidate current technologies, but questions remain about which will be supplemented, which will be consolidated, and in what timeframe.

As if XDR weren’t confusing enough, ESG also found that XDR definitions and opinions vary as a function of company/organizational size. When security professionals working at organizations with over 10,000 employees were asked to define XDR, 34% said that XDR is an extension of EDR technology, 24% think XDR is a product suite from a single technology vendor, and 41% claim that XDR is an integrated and heterogeneous security technology architecture. Perhaps larger firms think of XDR as an architecture because they already have a plethora of tools and technologies and aren’t looking to “rip and replace” existing investments. They want glue, not solvent.

Focus on the security process, not XDR definition

As an industry analyst, allow me to elaborate on this data. In my humble opinion:

  • There is no rigid definition of XDR. As they said in the 1970s, “different strokes for different folks.” Some XDR offerings collect data from email security technologies, some contain cyber-risk telemetry from tools like attack surface management (ASM), some are built around EDR technologies, some are an outgrowth of SIEM. Despite industry debates and dogma (of which I’ve played a part), it is starting to feel like XDR is anything you say it is or want it to be. Yes, this is confusing and will remain so. As always, security pros must approach XDR by defining their requirements, doing their homework, and following the age-old advice, caveat emptor.
  • The definition doesn’t really matter. As Bruce Schneier wrote years ago, “Security is a process, not a product.” If you believe this (and I do), arguments around the definition of XDR are counterproductive. Instead of figuring out which box XDR belongs in, let’s talk about the outcomes organizations seek to achieve. ESG research indicates that 36% want XDR to extend and enhance threat detection across hybrid IT, 33% of organizations want XDR to improve the fidelity and prioritization of security alerts, 29% want XDR to act as a central security operations hub, and 25% want XDR to help detect unknown threats. XDR conversations should begin and end with how to address these requirements.
  • XDR exposes a deeper issue. A whopping 85% of organizations plan to increase their spending on threat detection and response technology over the next 12 to 18 months. To me, this means that the tools and technologies we are using today are inadequate. Maybe they are too difficult to use, maybe they can’t scale, maybe they are too noisy; whatever the reason, XDR will either add to this morass or help address the problems. Again, vendors and users should base XDR discussions on this reality.

While the industry remains gaga over XDR, CISOs sing a different tune. When I talk to CISOs about threat detection and response, they steer the conversation to security operations center (SOC) modernization. Can XDR play a role here? Yes, if we drop the academic XDR doctrine and figure out how it can add scale, intelligence, analytics, and automation to the SOC.


Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
