What is XDR?

A Fundamental Guide to XDR (Extended Detection and Response)

XDR: The Next Big Thing in Security

From being listed as one of Gartner’s Top 10[1] Security Projects for 2020-2021 to countless thought leaders labeling it “the latest evolution,” XDR (extended detection and response) has emerged as an exciting new holistic approach to proactive protection against today’s sophisticated cyberattacks. Beyond the buzz, the solution has also shown promise to transform the scale and efficiency of the SOC. As interest and adoption for XDR continues to rise rapidly, it’s important that security leaders look past industry hype to understand how XDR can be used to impact their organization.

1 Gartner Top Security Projects for 2020-2021


Putting the "X" in XDR

While you’re likely quite familiar with the “D” and the “R”, it’s the “X” that introduces something new to detection and response. That X represents the integration and extension of protection across the entire enterprise. The predecessor to XDR, EDR (endpoint detection and response), focused on monitoring and protecting organizations from threats at the endpoints. With data moving beyond the perimeter, XDR was necessary to extend the range of protection to the network, servers, and cloud as well as endpoints. Analyst firm ESG defines XDR as:

An integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.

Simply put, XDR offers a single platform for prevention, detection, and response to identify and stop threats across multiple attack vectors. With enhanced visibility into a quickly changing threat landscape, the primary value behind XDR solutions includes:

  • Maximizing security effectiveness and reducing mean time to detect (MTTD) and mean time to respond (MTTR) by applying machine learning and other analytical techniques to telemetry, logs, and other data coming from across the attack surface.
  • Boosting the efficiency of security operations by unburdening security teams from manual tasks, providing a single tool to view data, conduct investigations, and perform response actions.

A Deeper Look Into How XDR Powers Rapid Attack Detection and Response

What problems does XDR solve?

As modern threats continue to grow in complexity, many cybersecurity solutions have been slow to evolve. Sophisticated threats, such as ransomware and zero-day attacks, continue to increase in volume and have proven to be very costly for many organizations. To address these, organizations must implement a proactive approach that includes prevention, detection, and response.

Unify prevention, detection, and response

Endpoint protection is often the first line of defense for many organizations. Identifying and stopping threats on the endpoint instantly and automatically saves time and prevents lateral movement. After all, if a security analyst team can’t readily see which threats have been prevented, they’ll spend the majority of their daily effort correlating and validating low-value attacks. Combining extended detection and response capabilities with next-generation endpoint prevention enables security operations to focus on high-priority and critical threats.

Siloed defense is time-consuming

Security analysts spend approximately 24 to 30 minutes investigating each alert. With disparate security tools, analysts have to manually stitch data together or bounce between tools. XDR centralizes security events across multiple security controls to provide a holistic view of how complex attacks progress across a kill chain. XDR combines weak security signals from multiple sources into stronger signals to identify known and unknown threats.

Alert fatigue impacts productivity

Data without context is nothing more than meaningless noise. Without an integrated platform to correlate data, it won’t take long before security analysts are buried in an overwhelming volume of alerts and cybersecurity noise. With greater context, XDR dismisses false positives to enable security operations to focus on incidents that matter. Without integration and correlation, security teams can easily get lost in the "noise" of abundant alerts and have trouble prioritizing which ones to investigate.

The Numbers Tell the Story

In a recent study, ESG surveyed 388 IT/InfoSec professionals to understand the impact of XDR in the modern SOC. The results reflect why Extended Detection and Response has been gaining so much momentum in the security arena:

Advanced threat detection is in high demand.

83% of IT pros are increasing their budgets on threat detection and response technologies.


IT pros view XDR as a viable approach to improve detection

Threat detection represents 3 of the top 4 most appealing XDR capabilities to IT pros:

  • Visualization of Complex Attacks: 42%
  • Analytics that detect modern attacks: 38%
  • Improved mean time to detect: 31%


XDR uplevels SecOps effectiveness

Nearly 60% of IT pros believe XDR could improve the capabilities of security analysts.


Approaches to XDR

Proprietary XDR

Proprietary or Native XDR is offered by vendors that have unified their own suite of security solutions on a centralized XDR management platform. A primary advantage to Proprietary XDR is a faster time to value due to off-the-shelf integration and pre-tuned detection mechanisms across the portfolio. On the other side of the coin, this approach requires considerable dependence on a single provider through vendor lock-in. Further, customers may be forced to “rip and replace” existing security controls as well as sacrifice efficacy where vendors have gaps in their product portfolio.

Open XDR

Open or Hybrid XDR integrates best-of-breed security products, as opposed to single vendor solutions, into a coordinated approach to reduce meaningless security alerts and increase threat visibility. Many security leaders prefer Open XDR because it allows them to leverage their investment in existing security tools and ensures flexibility to add solutions that organizations may require in the future. Built on a cloud-native architecture, Open XDR leverages big data to normalize and correlate more effectively in addition to meeting SecOps needs for scalability.


XDR Benefits

Centralization & Correlation Capabilities Reduce Alert Fatigue

Gartner lists centralization and correlation capabilities as critical requirements for an XDR solution. Centralization is the consolidation of historic and real-time event data into common data formats within a central repository. With a complete picture of threat activity, correlation combines related signals from multiple security components to identify malicious activity and validate alerts.
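To make the centralization and correlation described here (and the "weak signals into stronger signals" idea from the siloed-defense section above) concrete, here is an added example that is not Secureworks or Taegis code: a toy pipeline that maps hypothetical endpoint, network and cloud events onto one common schema, then correlates them per host within a time window so that a host seen by several independent controls becomes one prioritized incident. The source names, field names and sample events are all constructed for illustration.

```python
# Added example, not Secureworks or Taegis code: a toy XDR-style pipeline that centralizes endpoint,
# network and cloud telemetry into one schema, then correlates per host in a time window. Constructed data.
from collections import defaultdict
from datetime import datetime, timedelta

RISK = {"low": 1, "medium": 3, "high": 5}
RAW_EVENTS = [  # constructed telemetry, each source in its own native format
    {"src": "edr", "ts": "2024-01-10T09:00:05", "hostname": "ws-17", "user": "alice",
     "event": "suspicious_powershell", "severity": 3},
    {"src": "ndr", "ts": "2024-01-10T09:01:10", "client_host": "ws-17",
     "dst": "198.51.100.7", "signature": "periodic_beacon", "score": 40},
    {"src": "cloud", "ts": "2024-01-10T09:02:30", "principal": "alice",
     "resource_host": "ws-17", "action": "iam_policy_change", "risk": "medium"},
    {"src": "edr", "ts": "2024-01-10T14:00:00", "hostname": "ws-02", "user": "bob",
     "event": "suspicious_powershell", "severity": 3},
]
def normalize(e):
    """Centralization: map each source's native fields onto one common schema."""
    common = {"ts": datetime.fromisoformat(e["ts"]), "src": e["src"]}
    if e["src"] == "edr":
        return {**common, "host": e["hostname"], "signal": e["event"], "weight": e["severity"]}
    if e["src"] == "ndr":
        return {**common, "host": e["client_host"], "signal": e["signature"], "weight": e["score"] // 10}
    if e["src"] == "cloud":
        return {**common, "host": e["resource_host"], "signal": e["action"], "weight": RISK[e["risk"]]}
    raise ValueError(f"unknown source {e['src']}")
def correlate(raw, window=timedelta(minutes=10), min_sources=2):
    """Correlation: cluster each host's events that fall within `window` of the cluster's first
    event; a cluster seen by >= min_sources independent controls becomes one high-priority
    incident, while a lone single-source event stays a low-priority alert."""
    by_host = defaultdict(list)
    for ev in sorted(map(normalize, raw), key=lambda x: x["ts"]):
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        clusters, cur = [], [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - cur[0]["ts"] <= window:
                cur.append(ev)
            else:
                clusters.append(cur)
                cur = [ev]
        clusters.append(cur)
        for c in clusters:
            sources = sorted({ev["src"] for ev in c})
            incidents.append({"host": host, "sources": sources, "signals": [ev["signal"] for ev in c],
                              "score": sum(ev["weight"] for ev in c),
                              "priority": "high" if len(sources) >= min_sources else "low"})
    return sorted(incidents, key=lambda i: -i["score"])  # strongest combined signal first
```

Running `correlate(RAW_EVENTS)` collapses the three weak ws-17 signals into a single high-priority incident while the isolated ws-02 event remains a low-priority alert; the window keeps events hours apart from being merged.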

Detect Threats Faster and More Accurately

Threat actors often exploit gaps created by siloed point solutions. Without a fully integrated platform, many security teams struggle to identify the blind spots and rapidly detect and respond to advanced and evasive threats within their attack surface. XDR enables security operations teams to detect sophisticated attacks anywhere in their environment, while spending less time dealing with false positives and getting to real threats sooner with validated and prioritized alerts. The use of disconnected security tools reduces the ability to detect complex attacks. With holistic visibility, XDR enables faster detection, reduced dwell time, and quicker mitigation.

Greater Efficiency Improves SecOps Productivity

Sifting through an overwhelming amount of data to find high-fidelity alerts can be time-consuming, often leaving security analysts with less of their time for investigations and responding to critical threats. Leveraging the power of machine learning, next-generation endpoint prevention automatically blocks threats to reduce the risk of a breach while decreasing the volume of threats that must be investigated. XDR provides an integrated incident response capability that delivers high-fidelity alerts with greater context. With a centralized management hub that enhances visibility across all environments and workflow-automation capabilities, security analysts become more efficient and productive.

Discover how XDR stacks up against a SIEM solution

You may be wondering how XDR (Extended Detection and Response) differs from a traditional SIEM (Security Information and Event Management) solution. The biggest difference between XDR and SIEM can be seen in how alerts get created. XDR alerts are the curated opinion of the XDR system, taking into account all ingested data, applied intelligence, and optimizations provided by the XDR vendor. On the other hand, SIEM alerts primarily involve the automation of log processing rules and watchlists that the SIEM owner set up. SIEMs are general-purpose bit-buckets, meaning they are only as good as their owner’s knowledge, visibility, and experience with the threat landscape. An organization’s ability to dedicate resources for maintenance and continuous improvement of the SIEM will dramatically affect their security outcome. In contrast, XDR systems are as good as their creators. They are purpose-built for security analysis and threat hunting. True XDR solutions can ingest all types of data, apply advanced analytics created by the designers, and bring to light situations that the system's owners might have never known about otherwise.

With expertise in so many security domains, along with world-class threat research capabilities and mountains of real-world data, Secureworks® is well equipped to make Taegis™ the best XDR solution in the market.


What do organizations want out of XDR?

ESG surveyed cybersecurity professionals across multiple industry verticals to better understand the market perception of XDR, as well as value points and challenges that come with an XDR solution. Read the eBook to learn more about what ESG research revealed about the state of XDR and how it may meet the needs of your future security program.


XDR Frequently Asked Questions

What is the difference between XDR and EDR?

Endpoint Detection and Response (EDR) helps you detect and respond to threats on your organization's endpoints. An endpoint is any device that connects to your organization's network including mobile devices, desktop computers, and more. Extended Detection and Response (XDR) goes beyond EDR — and is thus “extended” — by collecting data from more diverse sources including endpoint, cloud, network, identity, and more. EDR security is important, but it is only one piece of a holistic cybersecurity portfolio. With XDR, you can extend visibility beyond the endpoint and block more sophisticated threats that are able to bypass the endpoint.

Will XDR replace SIEM?

For organizations that do not have significant investments in SIEM—or are prepared to retire those investments as part of their strategy to realign/reoptimize allocation of their cybersecurity budgets—XDR can potentially serve double-duty as both the core operational platform for SecOps and the central data repository for compliance/audit reporting without the ongoing investment of maintaining a legacy SIEM platform. But some organizations may still choose to use SIEM for compliance and auditing purposes. XDR, on the other hand, is a more powerful platform for mitigating cybersecurity risk in a new era of expanded attack surfaces and diminished security perimeters.

Does XDR use AI?

Yes, XDR uses artificial intelligence (AI) and machine learning (ML) throughout the threat detection process, from normalizing and correlating ingested data to validating and prioritizing true positive alerts. ML algorithms power detectors that constantly search your data to identify malicious activity in your environment, including subtle behavioral clues. XDR uses AI-powered analytics to detect the most advanced and emerging threats.

What is an XDR solution?

XDR (extended detection and response) has emerged as a new holistic approach against today's sophisticated cyberattacks. With data moving beyond the perimeter, XDR was necessary to extend the range of protection to the network, servers, and cloud as well as endpoints. Simply put, XDR offers a single platform for prevention, detection, and response to identify and stop threats across multiple attack vectors.

Why do enterprises need XDR security?

As modern threats continue to grow in complexity, other cybersecurity solutions have been slow to evolve. Sophisticated threats such as ransomware and zero-day attacks continue to increase in volume and have proven to be very costly for many organizations. To address these, organizations are implementing XDR to unify prevention, detection, and response. XDR detects threats faster and more accurately, reduces risk, optimizes existing investments, and boosts SecOps efficiency.


Adversary Software Coverage Tool

Secureworks Taegis™ XDR maps its coverage of over 90% of the MITRE tactics and techniques.