The ABCs of XDR

Shani Mahler, director of product management at Barracuda MSP

As cyberattacks’ frequency, variety, and complexity have increased over the years, the number of different types of security solutions has also expanded. MSPs, resellers, and end users now have a wide array of potential systems to select from, most represented by a dizzying number of acronyms and initialisms – EDR, SOAR, and MDR, to name a few.

One of the more recent ones is XDR – extended detection and response. Unlike siloed security solutions, XDR provides a holistic approach to addressing cybersecurity threats and enables faster and more effective threat detection and response capabilities. 

XDR provides visibility across a business's digital estate, with context around any threat activity it observes. Instead of a stream of alerts from disparate security solutions, false positives included, XDR correlates that telemetry so that incidents which would otherwise have gone unaddressed surface with enough context for security teams to remediate them, limit further impact, and minimize the scope of the attack. XDR can reduce mean time to detection, investigation, and response and improve visibility across the entire network. Because XDR includes artificial intelligence and automation, it can also relieve MSPs and internal security teams of much manual work.

But XDR does not exist in a vacuum, and while it does replace some existing security functions, it works alongside others as part of a comprehensive approach. Below is a quick explanation of some common security acronyms and how these systems relate to XDR. As we head into the back-to-school season, consider this a refresher course on the security alphabet.

XDR: As described above, XDR is an expansion of endpoint detection and response (EDR), broadening data collection beyond endpoints to include networks, servers, cloud systems, and more. XDR also provides a single view across multiple tools and vectors and automatically correlates data across those views/vectors. This makes it easier to detect threats earlier, thanks to integration across different systems. 

TDIR: Threat detection and incident response is a top priority of security teams. As attacks grow in complexity and frequency, security requirements must evolve as well. The TDIR solution is a by-product of this evolution, and it comes in different shapes and sizes; organizations can choose from a range of TDIR offerings available in the market. The terms overlap heavily: an XDR platform is one form of TDIR solution, and TDIR platforms are often described as XDR.

According to Gartner, TDIR platforms often include security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities. Organizations can also use these tools for security-adjacent requirements such as log management and compliance reporting.

EDR: These solutions monitor endpoints for suspicious activity, then correlate that information to detect threats and run automated responses. While EDR can provide rapid detection and response capabilities, these systems are limited to endpoint monitoring. Inevitably, they will miss potential attacks elsewhere on the network (e.g., email, the cloud). 

SIEM: Security information and event management (SIEM) solutions collect, analyze, and store large volumes of log and event data from across enterprise systems. While SIEM does raise threat alerts, these systems also serve governance and compliance reporting, rule-based pattern matching, and other use cases. They can be expensive and complex to manage, and they typically issue a high volume of alerts.

The wide net that SIEM casts makes it sound like XDR, but there are key differences. Primarily, SIEM is an analytics and log-retention layer, while XDR bundles detection content with automated response actions. XDR also reduces alert fatigue by correlating related signals into a single incident with context and higher-fidelity detection, so staff can focus on critical threats rather than triaging every raw alert.
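The cross-vector correlation described under XDR above, and the alert-fatigue reduction described here, as an added example (not code from the original article or from Barracuda). The alert records, tool names, signal names, and the 30-minute correlation window are all constructed for illustration; the logic groups alerts from separate tools by the user they concern, and an incident's confidence rises with the number of independent tools that saw activity for that user:

```python
from datetime import datetime, timedelta

# Constructed sample alerts from three separate tools (email gateway, endpoint
# agent, cloud identity log); not real telemetry. Each alert carries the user it
# concerns, which is the key the correlation joins on.
SAMPLE_ALERTS = [
    {"ts": "2024-09-03T09:02:00", "source": "email",    "user": "alice", "signal": "phishing_link_clicked"},
    {"ts": "2024-09-03T09:05:00", "source": "endpoint", "user": "alice", "signal": "office_spawned_powershell"},
    {"ts": "2024-09-03T09:09:00", "source": "cloud",    "user": "alice", "signal": "new_mailbox_forwarding_rule"},
    {"ts": "2024-09-03T11:40:00", "source": "endpoint", "user": "bob",   "signal": "office_spawned_powershell"},
    {"ts": "2024-09-03T14:00:00", "source": "cloud",    "user": "carol", "signal": "impossible_travel_login"},
    {"ts": "2024-09-03T14:20:00", "source": "cloud",    "user": "carol", "signal": "impossible_travel_login"},
    {"ts": "2024-09-03T16:00:00", "source": "endpoint", "user": "alice", "signal": "unsigned_binary_executed"},
]


def severity(n_sources):
    """Assumed scoring rule: one tool is low confidence, two is medium,
    three or more independent tools agreeing is high."""
    return {1: "low", 2: "medium"}.get(n_sources, "high")


def correlate(alerts, window_minutes=30):
    """Group alerts per user into incidents.

    An alert joins the user's current group when it falls within
    window_minutes of the group's last alert; otherwise it starts a new
    group. Each group becomes one incident carrying the ordered chain of
    signals, the distinct tools involved, and a severity from severity().
    """
    window = timedelta(minutes=window_minutes)
    ordered = sorted(
        ({**a, "ts": datetime.fromisoformat(a["ts"])} for a in alerts),
        key=lambda a: a["ts"],
    )
    open_groups = {}  # user -> group currently accepting alerts
    groups = []
    for a in ordered:
        g = open_groups.get(a["user"])
        if g is None or a["ts"] - g["end"] > window:
            g = {"user": a["user"], "start": a["ts"], "end": a["ts"], "alerts": []}
            groups.append(g)
            open_groups[a["user"]] = g
        g["alerts"].append(a)
        g["end"] = a["ts"]

    incidents = []
    for g in groups:
        sources = sorted({a["source"] for a in g["alerts"]})
        incidents.append({
            "user": g["user"],
            "start": g["start"].isoformat(),
            "end": g["end"].isoformat(),
            "sources": sources,
            # Time-ordered chain, e.g. email -> endpoint -> cloud, which is the
            # context an analyst needs and no single tool can show on its own.
            "chain": [f'{a["source"]}:{a["signal"]}' for a in g["alerts"]],
            "severity": severity(len(sources)),
        })
    incidents.sort(key=lambda i: i["start"])
    return incidents


def high_fidelity(incidents):
    """Incidents worth an analyst's time: anything corroborated by more than one tool."""
    return [i for i in incidents if i["severity"] != "low"]


if __name__ == "__main__":
    incidents = correlate(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(incidents)} incidents, "
          f"{len(high_fidelity(incidents))} needing attention")
    for inc in incidents:
        print(inc["severity"].upper(), inc["user"], " -> ".join(inc["chain"]))
```

On the constructed data, seven raw alerts collapse to four incidents, and only one (alice's phishing click followed within minutes by Office spawning PowerShell and a new mailbox forwarding rule) is rated high; the single-tool alerts for bob and carol, and alice's unrelated alert hours later, stay low. The same correlation routine also shows the failure mode of a window that is too wide: with an eight-hour window alice's later alert is folded into the morning incident, so the window is a tuning decision, not a constant.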

SOAR: Security orchestration, automation, and response (SOAR) systems allow security teams to design and run complex playbooks that automate actions across different security systems. SOAR enables security teams to monitor security information (including data from a SIEM solution), collect threat-related data, and support automated threat response. While SOAR and SIEM are often used in concert, neither by itself provides comprehensive security analytics, and neither protects data or applications directly.

Like SIEM, SOAR can also be complicated and expensive to support internally. XDR can be viewed as a less complex approach for detection and response compared to SOAR, providing data/app protection and rapid response capabilities.

MDR/MEDR/MXDR: Managed detection and response (MDR), managed EDR (MEDR), and managed XDR (MXDR) are managed versions of EDR and XDR delivered through an MSP. These managed security services rely on an outsourced security operations center (SOC) for continuous monitoring, detection, and response. Since many small- and medium-sized businesses lack the resources to set up their own SOC (or to implement and support solutions like SIEM, EDR, or XDR), a managed service provides comprehensive security without the expense of hiring the additional staff and resources required to support those solutions internally.

There are plenty of security platforms available for MSPs and their clients. There is also no one-size-fits-all security solution; every company has slightly different requirements and risk tolerance. An XDR approach (with other solutions like SOAR or SIEM) can provide 24/7 protection, better visibility, and faster response times to meet various security requirements while reducing costs and complexity.

Shani Mahler is Director of Product Management for Barracuda, a trusted partner and leading provider of cloud-first security solutions.