With the advent of extended detection and response (XDR), the single, complete, contextualized view into threats across the enterprise that security analysts have long wanted is becoming less fantasy and more reality.
XDR promises a faster and more efficient way to bring together data from a range of security tools, spot sophisticated attacks, and automate response actions to protect a growing number of assets within the traditional network perimeter and beyond.
And vendors are working to bolster their threat detection and response offerings to deliver on this promise. They’re doing so either by acquiring other vendors or technologies to add capabilities and drive toward single-vendor, or native, XDR platforms, or by offering open platforms and partnering for their integrations.
We’ve seen—and likely will continue to see—considerable M&A activity as vendors work to create native XDR solutions. In 2021, multiple mergers and acquisitions were driven by XDR. Notable deals include Cybereason’s July purchase of security analytics firm empow; Logpoint’s third-quarter acquisition of SecBI for its security orchestration and automated response (SOAR) and XDR technologies; and most recently, IBM’s announcement of its plans to acquire endpoint security vendor ReaQta.
However, as I mentioned earlier, not all vendors are opting to acquire their XDR capabilities. Many are choosing a vendor-agnostic approach and relying on integrations with security tools from different vendors to deliver their solutions. Let’s take a look at both approaches.
Native XDR solutions offer a unified suite of security tools from one vendor on a centralized management platform, which, in theory, means security teams don’t have to implement and manage integrations with technologies from other vendors. This vendor-specific approach has its advantages:
- One centralized management platform to handle all threat detection and analytics processes
- No need to purchase, integrate, and update technology from other providers
- Redundant tools can be removed
- Turnkey platform with off-the-shelf integration for faster deployment and security results
But some gotchas accompany these advantages, most notably heavy dependence on one vendor. A customer that chooses a native XDR solution will have to replace its existing tools with tools from the provider's suite, typically a costly and complex undertaking. A customer drawn to the simplicity of an all-in-one approach may also experience gaps in threat detection and response, since a single provider is unlikely to have deep capabilities across every area; if not every product in the suite is best-of-breed, choosing this approach means accepting lower efficacy in those areas. Note also that acquiring XDR capabilities only pays off once the acquired platforms are fully integrated, which takes time and in some cases never happens. The drawbacks of the native approach include:
- Vendor lock-in
- The need to rip-and-replace existing security tools
- Lack of third-party integration capabilities
- Non-customizable solution
- Incomplete integrations
- Potential for gaps in protection
Whereas native XDR solutions require customers to purchase every component of the XDR offering from a single vendor, open solutions are designed to work with security products from other vendors. The core XDR platform provides a central management console built on third-party integrations, which means customers can keep the tools they already have in place and can add or remove tools as their future needs dictate.
Advantages of this vendor-agnostic approach include:
- Avoid vendor lock-in
- Integrations with best-of-breed tools
- No need to rip and replace
- Flexibility to swap in or out technologies
Customers considering an open XDR solution should bear in mind that some solutions offer more third-party integrations than others, and that even the most comprehensive open solution cannot integrate every tool on the market. Integration work can also be complex. The drawbacks of the open approach include:
- Vendor may not have large ecosystem for integration
- Integrations can be complex to build
- Integrations are not always smooth
The best approach for your business
Which approach will work best for your business? If you deploy tools from multiple vendors, you’re probably better off choosing an open platform or working with a managed security service provider to leverage those investments. If you’re leaning toward the native approach, are you willing to rip and replace what you have in your technology stack in order to lock in with a single preferred security provider? While the simplicity of this approach is attractive, it may preclude you from deploying more innovative solutions as they emerge in the market.
It is also important to understand how an XDR vendor's background can help you meet your organizational objectives. If, for example, your organization is in a highly regulated industry with strict reporting and compliance requirements, such as healthcare or financial services, then an XDR vendor that comes from the security information and event management (SIEM) space is more likely to have the deep analytics, broad log collection, and long-term data retention capabilities you require.
On the other hand, XDR vendors coming from the endpoint detection and response (EDR) space are likely to be weaker on analytics but stronger at providing actionable response on the endpoint. Organizations with large numbers of endpoints that need to be monitored—and potentially restored in the event of an attack—will want to partner with these vendors.
Take care to review vendor roadmaps for integration, including scale and scope. Whether a vendor is making its XDR play through acquisition or through partnerships, integration is key. If integrations are being planned, how does the vendor intend to achieve them? As I noted earlier, even if a vendor has acquired other technologies and is now positioning its platform as native, the platform will not be truly native until the vendor’s engineers have fully integrated the new technology into the platform—and stitching together different technologies is not a trivial task.
Managing a complex solution
Gartner has identified XDR as a leading security trend, noting in its 2021 Market Guide for Extended Detection and Response that by the end of 2027, the technology will be used by up to 40% of end-user organizations. And a 2021 researchandmarkets.com report predicts that by 2028, the global XDR market size will reach USD 2.06 billion, expanding at a CAGR of 19.9% from 2021 to 2028.
XDR is the future of threat detection and response, but these solutions are also complex and can be challenging to roll out. Whether you choose to go with a single vendor solution or an open platform, you will need security professionals with training, knowledge, and experience to deploy and manage the solution. If these are not in-house capabilities, you may need a partner to help you.
As you evaluate the different approaches, consider whether there is value for your organization in working with a managed security services provider (MSSP) or managed detection and response (MDR) provider. An MSSP can help you ask the right questions, identify your security gaps, and work through how you’re going to roadmap from your existing technology stack to an XDR implementation.
If your organization has the capability to handle day-to-day management of the solution in-house, and therefore does not plan to work with an MSSP or MDR provider, consider leveraging the expertise of a consultant or investing in a product support services retainer, so your security team has access to on-call support when troubleshooting issues such as deployment or tuning.
World-class managed services
As one of the world’s top providers of security services, including professional services, consulting, and managed services, AT&T Cybersecurity employs highly experienced and industry-certified individuals to deliver high-touch service that includes platform onboarding, initial policy tuning, training, and troubleshooting as needed. AT&T Managed XDR leverages these services to help organizations detect and respond to threats faster.