The term “extended detection and response” (or XDR) was coined back in 2018, but definitions continue to vary significantly (see onetwo, or three, and tell me what XDR actually is 😊). There was no reliable, unbiased explanation for what XDR is and how it differs from a security analytics platform, which has led to confusion and disregard from clients who dismiss it as nothing more than yet another cybersecurity marketing buzzword.

To help clarify this, I am thrilled to release research today on what XDR is, what XDR isn’t, and what clients need to look for when evaluating XDR solutions. This research is a rigorous breakdown of what to expect from XDR solutions based on interviews and survey results from XDR end users, over 40 security vendors, and exhausting but fruitful debate with my colleagues Joseph BlankenshipJeff PollardSteve TurnerAndras Cser, and Alexis Bouffard.

Below is an adaptation of a short excerpt of the report that defines XDR and explains its origins. The complete report goes into significantly more depth and includes helpful recommendations for Forrester clients. For the complete report, please follow this link.

What Is Extended Detection And Response (XDR)?

XDR is emerging due to the value that endpoint detection and response (EDR) brings to incident response and the appetite to pair EDR data with additional telemetry that can’t be captured from endpoints alone. Forrester defines XDR as:

The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.

XDR’s value is driven by its security analytics capabilities, third-party integrations, and response actions.

Why Does XDR Come From EDR?

EDR was the proof of concept for XDR. EDR’s remarkable success served as validation that its detection and response capabilities allow security analysts to detect threats, perform investigations, and respond in real time. While EDR provides effective endpoint detection and response, security teams require more telemetry than just the endpoint. Security teams have used security analytics platforms, security information and event management (SIEM) solutions, NAV, and homegrown data lakes to match endpoint telemetry with security data from other parts of the environment. These efforts had varying degrees of success but suffered from extreme resource consumption, a high rate of false positives, and sizable data volumes.

How Is XDR Brought To Market?

XDR is often categorized as open or closed, which is confusing, as open implies “open source,” which is very different than what is meant by “open XDR.” Thus, Forrester describes XDR as “native” or “hybrid.”

Forrester defines hybrid XDR as:

An XDR platform that relies on integrations with third parties for the collection of other forms of telemetry and execution of response actions related to that telemetry.

Forrester defines native XDR as:

An XDR suite that integrates with other security tools from their portfolio for the collection of other forms of telemetry and execution of response actions related to that telemetry.

Is XDR The Same As SIEM?

XDR is on a collision course with security analytics and security orchestration, automation, and response (SOAR). I’ll say it again to make sure it’s clear: XDR and SIEM are not converging but colliding.

XDR will compete head to head with security analytics platforms (and SIEMs) for threat detection, investigation, response, and hunting. Security analytics platforms have over a decade of experience in data aggregation they apply to these challenges but have yet to provide incident response capabilities that are sufficient at enterprise scale, forcing enterprises to prioritize alternate solutions. XDR is rising to fill that void through a distinctly different approach anchored in endpoint and optimization.

The core difference between XDR and the SIEM is that XDR detections remain anchored in endpoint detections, as opposed to taking the nebulous approach of applying security analytics to a large set of data. As XDR evolves, expect the vendor definition of endpoint to evolve as well based on where the attacker target is, regardless of if it takes the form of a laptop, workstation, mobile device, or the cloud.

As I mentioned above, the complete report goes into significantly more depth and additional areas, providing visualizations and giving helpful recommendations for clients considering XDR adoption. Read the complete report here, and please do send me a note if you have any questions about this research.