Considerations when choosing an XDR solution

September 28, 2021 | Rich Langston

Introduction

Cybersecurity is a fast-moving space.  In fact, it’s hard to think of a time that security has been moving more quickly. As we continue to move into the cloud, work from home, and otherwise continue the digital transformation of our businesses, additional capabilities are needed as new threats are discovered.

One of these needs is greater integration of our existing sets of security tools.  While the security industry has done a good job of addressing threats, we have often done so with point solutions.  These silos are now making it harder to solve our problems.  How do we combine the visibility provided by our endpoint detection and response tool with that provided by our network intrusion detection tool?  How do we use our firewall to mitigate a threat discovered by our DNS security tool? 

This is the idea behind XDR.

What is XDR?

Extended Detection and Response (XDR) is one of the latest security industry buzz words and, like most emerging product spaces, it means different things to different organizations.  Frankly, it is evolving very much like SASE, with vendors using the term as a way to explain how their particular collection of security technologies could fit together.

For example, for many network-focused SIEM vendors, adding an endpoint detection and response agent extends their ability to detect and respond to malware.  Endpoint detection and response vendors adding network discovery and network intrusion abilities are similarly expanding their capabilities to detect threats before they get on endpoints.

Both of these product expansions can be helpful to customers.  But many, or even most, companies have already deployed multiple solutions from multiple different vendors to solve these problems.  In our role advising companies and managing their security programs, our customers are beginning to ask how XDR should change their plans.  Let’s take a look at the current state of XDR and some things to consider before you take the leap.

A survey of XDR capabilities

What’s in a name?  In the case of XDR, we’d expect it to be an extension of “Detection and Response.”  What an extension means, of course, varies from vendor to vendor based on that vendor’s inherent technology strengths.  Most vendors claiming to have an “XDR” solution are either network or endpoint vendors that are expanding their product line in some way.  Here in table 1 is a survey of common XDR capabilities:

Table 1

table 1

In addition to these capabilities, we are also seeing vendors assert that other security tools must be part of an XDR solution.  These pieces vary by vendor but include cloud firewall/secure web gateway, email security, DDoS response, and more.

The “best” XDR solution for a given customer depends on the needs of that customer, the security products that are already deployed there, and the threats the customer is most concerned about.  Instead of shopping for an “XDR” solution, it’s best to enumerate your individual protection and detection needs. In general, vendors that are just expanding into a market aren’t the strongest players in that market.  So, if endpoint is the area you are most worried about, it’s probably best to look at XDR solutions from endpoint vendors, knowing that the network discovery and response features may not be as complete.  Better yet, shopping for hybrid solutions (we’ll get to that in a second) may be your best bet.

Platform and “location” coverage

The types of devices on your network and where they live also play a key role in the selection of an XDR solution.  Most XDR solutions that have evolved out of an endpoint detection and response solution have this well covered, but network-focused vendors may face more challenges here.  Does the solution do a good job protecting and remediating Windows, Mac, and Linux assets?  Does that include the versions of Linux that your organization has standardized on?

In addition to platform coverage, the “locations” that are protected are equally important.  Can the solution protect systems in public clouds?  One area to look at is how the products collect and use cloud data.  This is where network security vendors may do a better job by directly collecting cloud data using APIs. 

How about your own private cloud?  Can the solution support VMWare or your chosen virtualization vendor?  Don’t forget about workloads that run in containers, too.

“Native vs. hybrid” XDR - Avoiding vendor lock-in

One of the more confusing concepts in XDR is “native” vs. “hybrid.”  Not to be confused with any of the other uses we have for these terms in IT security, in the XDR world, “native” refers to a single vendor solution.  As you might have guessed, “hybrid” then must refer to a multi-vendor solution. 

We’ve generally used the term “best of breed” or “vendor agnostic” to describe this hybrid solution, and this is probably the single most important axis of any decision around XDR: Do you love your preferred security vendor enough to repurchase all XDR solution components from them?  Or would you prefer a solution that works with your existing security tools?

Managed service vs. product

Another big decision point in looking at XDR is: do I want to completely manage my own detection and response program, or do I want the help of a managed Security Operations Center (SOC) service ?  

Modern detection and response tools are much easier to use than traditional SIEMs.  Products like AT&T’s USM Anywhere and SentinelOne’s Endpoint Detection and Response come equipped with threat intelligence designed to quickly surface both new and old threats.  However, there will still be a need for subject matter expertise, and manning a SOC 24x7 requires a certain number of staff regardless.  So if you haven’t already staffed up for a SOC, or if you need additional expertise to help your current SOC,  using a managed service like AT&T’s Managed Extended Detection and Response can save time and money vs. trying to do everything in house.

The bottom line

AT&T believes that security should work for you, not the other way around. Our XDR solution combines our own Managed Threat Detection and Response service, powered by our home-grown USM Anywhere platform, with the industry-leading EDR solution from SentinelOne through our AT&T Managed Endpoint Security with SentinelOne.  This tight integration across both technology and management capabilities gives complete visibility into network and endpoint threats and one of the most complete sets of response capabilities.  This means AT&T can leverage your existing security controls to make better, faster detections and use the capabilities of these security products to respond to threats.  See table 2 for details.

We also believe that XDR will be an important part of every company’s security journey.  Attacks have become so sophisticated that we need to be able to use all our intelligence to detect them, and all the tools at our disposal to respond to them.  The combination of USM’s single pane of glass for detection and response, combined with the protection and remediation capabilities of Sentinel One and our other partners, backed by the AT&T world-class SOC team and AT&T Alien Labs threat intelligence represent the best defense for your business.

Contact us to learn more about how we can help your organization drive more efficient security operations through improved threat detection and response.

 Table 2

Security Capability

MXDR Compatibility

Endpoint protection

Sentinel One (built-in), Carbon Black, Cisco Secure Endpoint, McAfee EPO, Microsoft Defender, Sophos

Firewalls, Secure Web Gateways, SASE

AT&T SWG, Palo Alto Networks, Fortinet, Zscaler, Cisco, Checkpoint

Vulnerability Scanning

Built-in, Qualys, and DDI Frontline

Mobile Security

MobileIron (Ivanti)

DNS Security

Akamai ETP, Cisco Umbrella

Other security controls

SpyCloud, Cloudflare, 

Workflow, ticketing, and automation solutions

Jira, Box Notes, Salesforce, Service Now

Zero Trust

Okta

Rich Langston

About the Author: Rich Langston

Rich Langston is a lifelong veteran of the information security wars. His initial introduction came in the late 1980's when the ARPANET network he was responsible for at his part-time college job was completely down because of an insecure default configuration (/.rhost anyone?). Since then, he has helped create security products as diverse as Network Access Control, Full Disk Encryption, and network security at companies such as Cisco, Extreme Networks, Symantec, and Aruba Networks. When not trying to save the world, or blogging about it, he's an avid road cyclist

Read more posts from Rich Langston ›

TAGS: siem, sase, xdr

‹ BACK TO ALL BLOGS

Get price Free trial