Three Approaches to an XDR Architecture
Extended Detection and Response (XDR) can be confusing because of the many different definitions and approaches in the market
In 2020, Extended Detection and Response (XDR) solutions started being touted as the number one trend CISOs should understand to increase detection accuracy and improve security operations efficiency and productivity. Since then, XDR has gained a lot of traction and security vendors are quickly jumping on the bandwagon, recasting their products as XDR solutions.
As Security Operations Centers (SOCs) transition toward becoming detection and response organizations, they are beginning to look to XDR as a way to reach that destination. If you’re considering XDR, it can be confusing because of the many different definitions and approaches. In an attempt to simplify what is out there, here are the three main types of XDR architecture that are emerging.
1. Vendor-locked ecosystem. Often touted by large security vendors as the best path forward, this approach promotes the use of an integrated suite of security products (often cloud based) from a single vendor. Emphasizing simplicity and comprehensive coverage, this approach sounds appealing. But the challenge is that organizations typically protect themselves using many different technologies from different vendors, including firewalls, IDS/IPS, routers, web and email security, and endpoint detection and response solutions. They also have SIEMs and other tools that house internal threat and event data: ticketing systems, log management repositories, case management systems. They may rely on a few “large vendors” to handle the bulk of their security tasks, but usually they also use best-of-breed vendors for controls the larger vendors do not offer or do not excel in. A recent study finds that on average organizations have more than 45 different security tools, most of which do not talk to one another. This happens naturally over time as different teams, budgets and departments make independent decisions.
Vendors must be able to accommodate the reality that not every organization will have all their tools from a single provider out of the gate, and the appetite to rip and replace is low in the near term. Nor will the landscape stand still: new vendors and solutions will continue to emerge, given the ongoing innovation required to keep up with new use cases, threats and threat vectors.
2. Land and expand. This approach starts from a specific attack surface where the vendor is focused, such as Endpoint Detection and Response (EDR) or Network Detection and Response (NDR), with the vendor then planning to add XDR capabilities through integration with other security tools. While this approach provides the opportunity to select a leader in a foundational detection and response technology, it also presents a few challenges. Integrations are key to creating an XDR architecture, yet the vendor is likely to focus on ongoing innovation of its core technology, to the detriment of integrations. Integration also takes significant time: identifying the tools to interoperate with and executing deep integrations is a major effort, particularly if integration is not the vendor’s core competency.
3. Open platform. Vendors that pursue this strategy offer a platform focused on integration, tying together tools across the different attack surfaces as well as other security infrastructure. Serving as a conduit between existing security technologies, including those from vendors claiming XDR solutions, this approach delivers a more vendor-agnostic XDR. It requires the vendor’s core competency and focus to be integration and the flow of data between systems. Organizations that are not starting with a clean slate and already have a variety of best-of-breed solutions across departments and teams get a flexible path forward: an open, extensible architecture that allows strong integration and interoperability with existing tools, including that one product the XDR vendor may not be familiar with. Standard interfaces are used for ingestion and export, and custom connectors can be written and deployed within hours to connect new security controls that address emerging threats, as well as on-premises legacy tools.
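The open-platform approach rests on a technical pattern the paragraph only names: a connector per tool that normalises that control's native records into one common schema, a standard export format, and correlation across sources once everything shares a join key. The Python below is an added illustration of that pattern, not code from the original article or from any XDR product. The three tool formats (a JSON EDR alert, a JSON firewall log, a key=value legacy DLP line), the `Event` schema, the 300-second correlation window and the sample records are all constructed assumptions.

```python
"""Connector pattern for an open, integration-first XDR platform.

Every connector adapts one tool's native record format to a common Event
schema; the platform then correlates across sources and exports a standard
format. All tool formats and sample records below are constructed for
illustration and do not describe any real vendor's API.
"""
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Callable


@dataclass(frozen=True)
class Event:
    ts: datetime        # always timezone-aware UTC
    source: str         # which control produced the record
    host: str           # normalised lower-case hostname, the join key
    category: str
    severity: int       # 0-10 on a common scale
    summary: str


Connector = Callable[[str], Event]
CONNECTORS: dict[str, Connector] = {}


def register(source: str, fn: Connector) -> None:
    """Plug a new control in at runtime; the core needs no change."""
    CONNECTORS[source] = fn


def ingest(source: str, raw: str) -> Event:
    """Standard ingestion interface: route a raw record to its connector."""
    try:
        return CONNECTORS[source](raw)
    except KeyError:
        raise ValueError(f"no connector registered for source {source!r}") from None


def edr_connector(raw: str) -> Event:
    # Hypothetical EDR JSON: epoch milliseconds, mixed-case device name, 1-10 level.
    rec = json.loads(raw)
    return Event(
        ts=datetime.fromtimestamp(rec["time_ms"] / 1000, tz=timezone.utc),
        source="edr", host=rec["device"].lower(), category="process",
        severity=rec["alert_level"], summary=rec["description"])


def firewall_connector(raw: str) -> Event:
    # Hypothetical firewall JSON: ISO-8601 time with offset, "deny"/"allow" action.
    rec = json.loads(raw)
    return Event(
        ts=datetime.fromisoformat(rec["timestamp"]).astimezone(timezone.utc),
        source="firewall", host=rec["src_host"].lower(), category="network",
        severity=7 if rec["action"] == "deny" else 2,
        summary=f"{rec['action']} {rec['proto']} {rec['dst']}:{rec['dport']}")


def legacy_kv_connector(raw: str) -> Event:
    # Hypothetical on-prem DLP tool emitting key=value pairs with epoch seconds.
    kv = dict(tok.split("=", 1) for tok in raw.split())
    return Event(
        ts=datetime.fromtimestamp(int(kv["ts"]), tz=timezone.utc),
        source="legacy_dlp", host=kv["host"].lower(), category="data",
        severity=int(kv["sev"]), summary=kv["msg"].replace("_", " "))


for _name, _fn in (("edr", edr_connector), ("firewall", firewall_connector),
                   ("legacy_dlp", legacy_kv_connector)):
    register(_name, _fn)


def correlate(events: list[Event], window_s: int = 300) -> dict[str, list[str]]:
    """Hosts seen by two or more different sources within window_s seconds."""
    by_host: dict[str, list[Event]] = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)
    hits: dict[str, set[str]] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if (b.ts - a.ts).total_seconds() > window_s:
                    break  # sorted, so nothing later can fall in the window
                if a.source != b.source:
                    hits.setdefault(host, set()).update((a.source, b.source))
    return {h: sorted(s) for h, s in hits.items()}


def export_jsonl(events: list[Event]) -> str:
    """Standard export interface: one JSON object per line, ISO timestamps."""
    return "\n".join(json.dumps({**asdict(e), "ts": e.ts.isoformat()}) for e in events)


# Constructed sample records, not captured from any product.
SAMPLE = [
    ("edr", '{"time_ms": 1709287200000, "device": "WS-042", "alert_level": 8, '
            '"description": "powershell.exe launched with encoded command"}'),
    ("firewall", '{"timestamp": "2024-03-01T10:02:30+00:00", "src_host": "ws-042", '
                 '"action": "deny", "proto": "tcp", "dst": "203.0.113.10", "dport": 4444}'),
    ("firewall", '{"timestamp": "2024-03-01T10:04:00+00:00", "src_host": "ws-017", '
                 '"action": "allow", "proto": "tcp", "dst": "198.51.100.5", "dport": 443}'),
    ("legacy_dlp", "ts=1709294400 host=WS-017 sev=5 msg=bulk_upload_to_personal_cloud"),
]


def run_sample() -> tuple[list[Event], dict[str, list[str]]]:
    events = [ingest(src, raw) for src, raw in SAMPLE]
    return events, correlate(events)


if __name__ == "__main__":
    evs, hits = run_sample()
    print(export_jsonl(evs))
    print("cross-source hits:", hits)
```

Only ws-042 correlates: its EDR alert and firewall deny sit 150 seconds apart, while ws-017's firewall allow and DLP event are two hours apart and come from no more than one source inside any window. The point for evaluating an open platform is in the shape of the code, not the toy logic: adding "that one product" the vendor has never seen means writing one small function and calling `register`, with the schema, correlation and export untouched.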
There are pros and cons to each of these approaches. But if you view XDR as a destination and not a solution, regardless of the path you take, you will need to understand the focus and core competencies of each vendor, the level of effort involved to transition to XDR, and where there may be distractions. Only then can you have confidence that the vendor you select can deliver on the promise of XDR so you can reach the goal of detection and response across the infrastructure and across all attack vectors.