What Is XDR security?

Extended Detection and Response (XDR) provides detection and response of security incidents across multiple layers of the IT environment. XDR collects and automatically correlates data from email, endpoints, servers, cloud workloads and networks, to detect evasive threats and enable security analysts to investigate and respond to them faster.

XDR is an alternative to traditional, reactive approaches that provide visibility into attacks in each layer separately—using tools like endpoint detection and response (EDR), network traffic analysis (NTA) or security information and event management (SIEM).

XDR security

Discover More

XDR security

How XDR Addresses Incident Response Challenges

Security threats are becoming more complex and more difficult to detect and block using traditional security approaches. Security teams suffer from alert fatigue, and can easily overlook unusual behavior.

XDR unifies the incident response process into one platform. It leverages automation and artificial intelligence (AI) capabilities to simplify analyst workflows, achieve rapid incident response, and eliminate simple or repetitive tasks to reduce analyst workload.

Benefits of XDR for SOC

XDR improves security operations center (SOC) capabilities, which are very important in timely response to attacks:

  • Detection—XDR combines endpoint telemetry with data from many other security controls to identify real threats.
  • Investigation—XDR supports human-machine collaboration, letting incident responders correlate all relevant threat information and apply the relevant security context, to reduce noise signals and identify root causes.
  • Mitigation—XDR provides specific recommendations to analysts to further investigate an incident through queries, and suggests the most effective countermeasures to eradicate detected threats.
  • Threat hunting—XDR provides universal query capabilities across data repositories, including multi-vendor telemetry, looking for suspicious threat behavior. This allows threat hunters to quickly identify threats or vulnerabilities and take action to remediate them.

XDR Security

XDR: A Focus on Response

The XDR response process includes three phases:

  1. AI-driven analytics—XDR analyzes security data using AI/ML algorithms and puts together an attack story.
  2. Human-led analysis—human analysts quickly review attacks and identify the severity and impact of the threat.
  3. Response recommendations—XDR provides actionable steps that security teams can take to contain and eradicate the threat. These can include automated responses, with orchestration of several security tools, or manual steps. Analysts can quickly decide which steps are the most effective and push the button to execute them.

XDR: Types of Responses

XDR enables several types of responses:

  • Alerting—XDR can help organizations define who should participate in a particular response, from security to IT, legal teams, or senior management. XDR tools generate alerts based on security incidents, but these alerts are not sent within the XDR system. XDR systems can integrate with incident alerting tools like OnPage, to send out critical notifications via audible push, emails, SMS, Slack and more.
  • Network reconfiguration—XDR integrates with EDR, intrusion detection/prevention systems (IDS/IPS) and network devices to change network segmentation and access control on the fly in response to attacks.
  • Remediation—XDR can automatically remediate many security issues, for example by wiping and re-imaging endpoints, changing firewall security rules or activating cloud security measures.