XDR Defined

VMware XDR Explained

The endpoint detection and response (EDR) market is now going through its biggest period of change and innovation.

Historically, EDR was created to provide protection at the boundary of an individual system. It covers endpoints during an attack, and the result is endpoint security that closes many security gaps and blind spots.

However, EDR on its own cannot protect, nor provide full visibility into, your whole environment. What it can provide is visibility into the actions attackers take on your endpoints, and control over what they are able to carry out from there. Using EDR effectively requires collaboration with other monitoring and detection tools and deep integration with other endpoint protection solutions, such as NGAV.

The next wave is about extending EDR beyond the endpoint and sewing it into the fabric of other control points such as the application, the network, and the user. And with this change comes a new approach: XDR.

What is XDR?

Extended detection and response (XDR) is the evolution of security incident detection, investigation, and response. It goes beyond EDR security in both telemetry and enforcement by providing full visibility of data across networks, endpoints, and other systems. Extended EDR (or XDR) was designed to fill this information gap: it provides the same level of visibility and control across your entire IT infrastructure that EDR provides for endpoints.

XDR is devised to help security teams be more effective and efficient in:

  • Identifying hidden or highly sophisticated threats
  • Facilitating more automation
  • Speeding up detection and response
  • Tracking threats across multiple systems

The difference between XDR and other security solutions

XDR differs from other security tools in that it focuses on threat detection and incident response use cases. It centralizes, collects, and analyzes data from multiple sources, and enables complete visibility. These solutions validate alerts better, which in turn reduces the time security teams spend on redundant or inaccurate alerts.

A combination of EDR and security incident and event management (SIEM) can achieve similar results. However, XDR collects deep-rooted data from targeted sources, while SIEM solutions collect generic data from many sources.

Problems XDR solves

XDR aims to solve the primary challenges modern SOC teams face. These include outdated products, ineffective detection of and response to targeted attacks, and a lack of native support for behavioral analysis, threat intelligence, behavior profiling, and analytics.

In order to understand what exactly XDR is solving, consider the following challenges of the SOC:

Detection

The SOC needs some mechanism to alert it when and where to pay attention. A traditional SIEM collects alerts and events from third-party security products and does some level of correlation to filter alerts. But a SIEM has no raw data or analytics to understand what is really happening on the infrastructure, and it is not architected to collect and analyze data at that scale. It therefore has limited ability to alert on suspicious activity or on attacks that leverage legitimate software. XDR has this capability, and extends this type of analysis beyond endpoint and workload telemetry.

Investigation

The SOC needs a list of infected machines, and needs to understand the attack “campaign” (all the machines involved, how the attacker got in, what they changed, where they left persistence mechanisms, etc.). To accomplish this, you need to be able to:

  • Search across the environment (e.g. show me everywhere we’ve seen this kind of activity, etc.)
  • Search backwards and forwards in time (e.g. rewind the cameras and show me what led up to that activity, and what’s happened since)

Organizations are looking to extend that model into more user, network, and app telemetry. SIEM products traditionally do not collect this kind of data natively; instead they collect alerts and events from security controls. Extending SIEM products to support these capabilities requires a fundamentally different architecture to accommodate this scale of data and analytics.
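The two search capabilities described above (search everywhere for a pattern, and rewind or fast-forward around an event on one host) are easy to see once telemetry from several control points sits on one timeline. The following is an added example, not VMware or Carbon Black code: it normalizes constructed endpoint, network, and identity events (hypothetical hosts, users, and addresses) into a single sorted timeline and implements both searches, plus a small campaign walk that follows a network logon from a compromised host to the next one.

```python
"""Unified cross-domain investigation timeline (added example, not VMware code).

Assumes three constructed telemetry feeds: endpoint process events, network
events and identity (logon) events. Hosts, users and addresses are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "endpoint", "network" or "identity"
    host: str
    user: str
    summary: str


# Constructed sample telemetry (hypothetical values, not real data).
ENDPOINT = [
    ("2020-08-01T09:00:05", "ws-01", "alice", "process: outlook.exe -> winword.exe"),
    ("2020-08-01T09:00:40", "ws-01", "alice", "process: winword.exe -> powershell.exe -enc ..."),
    ("2020-08-01T09:02:10", "ws-01", "alice", "scheduled task created: Updater"),
    ("2020-08-01T09:15:00", "ws-07", "bob",   "process: explorer.exe -> powershell.exe -enc ..."),
]
NETWORK = [
    ("2020-08-01T09:00:55", "ws-01", "alice", "dns: rare-domain.example"),
    ("2020-08-01T09:01:02", "ws-01", "alice", "tls: 203.0.113.10:443 outbound"),
    ("2020-08-01T09:15:20", "ws-07", "bob",   "tls: 203.0.113.10:443 outbound"),
]
IDENTITY = [
    ("2020-08-01T09:10:00", "ws-07", "alice", "logon type 3 (network) from ws-01"),
]


def _parse(rows, source: str) -> List[Event]:
    return [Event(datetime.fromisoformat(ts), source, h, u, s) for ts, h, u, s in rows]


def build_timeline() -> List[Event]:
    """Merge every source into one timeline ordered by timestamp."""
    events = (_parse(ENDPOINT, "endpoint") + _parse(NETWORK, "network")
              + _parse(IDENTITY, "identity"))
    return sorted(events, key=lambda e: e.ts)


def search_everywhere(timeline: List[Event], predicate: Callable[[Event], bool]) -> List[str]:
    """'Show me everywhere we've seen this': every host with a matching event."""
    return sorted({e.host for e in timeline if predicate(e)})


def rewind(timeline: List[Event], host: str, anchor: datetime,
           before: timedelta = timedelta(minutes=5),
           after: timedelta = timedelta(minutes=5)) -> List[Event]:
    """'Rewind the cameras': events on one host in a window around an anchor event."""
    return [e for e in timeline
            if e.host == host and anchor - before <= e.ts <= anchor + after]


def campaign_hosts(timeline: List[Event]) -> List[str]:
    """Hosts in the campaign: those showing the suspicious PowerShell pattern,
    plus any host that received a network logon from one of them."""
    seeds = set(search_everywhere(timeline, lambda e: "powershell.exe -enc" in e.summary))
    for e in timeline:
        if e.source == "identity" and any(f"from {s}" in e.summary for s in seeds):
            seeds.add(e.host)
    return sorted(seeds)


if __name__ == "__main__":
    tl = build_timeline()
    print("hosts talking to 203.0.113.10:",
          search_everywhere(tl, lambda e: "203.0.113.10" in e.summary))
    anchor = next(e.ts for e in tl if "winword.exe -> powershell" in e.summary)
    for e in rewind(tl, "ws-01", anchor):
        print(e.ts.time(), e.source, e.summary)
    print("campaign hosts:", campaign_hosts(tl))
```

The point of the example is the shape of the data, not the size of it: once events from different sources share a timestamp, host, and user, "everywhere" and "before/after" become simple filters, which is the architectural change the text says SIEM products were not built for.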

Response

XDR extends the response actions available in EDR to be more coordinated and integrated into other control points. Once the full campaign is understood, it needs to be:

  • Contained: Stop the attacker from moving into any other systems, covering their tracks, or exfiltrating any data
  • Cleaned: Remove any command and control systems
  • Inoculated: Alter our hardening or prevention policies so this doesn’t happen again. It would be pointless to hunt the same thing twice

This is exactly what EDR does today on endpoints and workloads; being able to respond across domains is a big advantage.

Five attributes

Beyond the SOC challenges listed above, there are five other important attributes that will be increasingly critical to XDR in the future:

  • Analytics: Behavioral Analytics and Horizontal/Timeline Search—to be able to identify “good” applications or processes being used by “bad” actors.
  • Data: Enable the creation of baselines for normal activity in your environment so that abnormal activity can be identified more quickly and confidently.
  • Domains: Factor in endpoint, workload, network, user, and app—all the camera angles.
  • Automation: Improve speed, reduce dwell time, and increase efficiency by using automation to complete more complex processes.
  • Cloud: Addresses the distributed enterprise and scale compute for expanded data sets and analytics.
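The Data attribute above, a baseline of normal activity against which abnormal activity is judged, is the mechanism behind spotting a legitimate tool being used by the wrong actor (the Analytics attribute). As an added example, not VMware or Carbon Black code, the block below learns a per-user baseline of hosts, processes, and working hours from constructed history and then scores new events with the reasons they deviate; all users, hosts, and timestamps are hypothetical.

```python
"""Per-user activity baseline for anomaly scoring (added example, not VMware code).

Learns, from constructed history, which hosts, processes and hours are normal
for each user, then explains why a new event looks abnormal. A process that is
routine for an administrator is not flagged for that administrator, which is
the 'good tool, bad actor' distinction the Analytics attribute refers to.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed 'known good' history: (timestamp, user, host, process). Hypothetical.
HISTORY = [
    ("2020-07-27T08:55:00", "alice", "ws-01", "outlook.exe"),
    ("2020-07-27T09:10:00", "alice", "ws-01", "winword.exe"),
    ("2020-07-28T08:50:00", "alice", "ws-01", "outlook.exe"),
    ("2020-07-28T13:00:00", "alice", "ws-01", "excel.exe"),
    ("2020-07-27T09:00:00", "bob",   "ws-07", "outlook.exe"),
    ("2020-07-28T17:30:00", "bob",   "ws-07", "chrome.exe"),
    ("2020-07-29T09:05:00", "bob",   "ws-07", "powershell.exe"),  # routine for bob (admin)
]


class Baseline:
    def __init__(self) -> None:
        self.hosts: Dict[str, Set[str]] = defaultdict(set)
        self.procs: Dict[str, Set[str]] = defaultdict(set)
        self.hours: Dict[str, Set[int]] = defaultdict(set)

    def learn(self, rows: List[Tuple[str, str, str, str]]) -> "Baseline":
        """Record every host, process and hour-of-day observed per user."""
        for ts, user, host, proc in rows:
            self.hosts[user].add(host)
            self.procs[user].add(proc)
            self.hours[user].add(datetime.fromisoformat(ts).hour)
        return self

    def score(self, ts: str, user: str, host: str, proc: str) -> List[str]:
        """Return the list of ways this event departs from the user's baseline
        (empty list means it looks normal). Hours adjacent to a known hour
        are tolerated so a slightly early start is not an alert."""
        reasons: List[str] = []
        if user not in self.hosts:
            return ["user never seen before"]
        if host not in self.hosts[user]:
            reasons.append(f"new host for user: {host}")
        if proc not in self.procs[user]:
            reasons.append(f"new process for user: {proc}")
        hour = datetime.fromisoformat(ts).hour
        known = self.hours[user]
        if hour not in known and (hour - 1) not in known and (hour + 1) not in known:
            reasons.append(f"unusual hour for user: {hour:02d}")
        return reasons


def build_baseline() -> Baseline:
    return Baseline().learn(HISTORY)


if __name__ == "__main__":
    b = build_baseline()
    for ev in [("2020-08-01T09:00:40", "alice", "ws-01", "powershell.exe"),
               ("2020-08-01T09:15:00", "bob",   "ws-07", "powershell.exe"),
               ("2020-08-01T03:00:00", "alice", "ws-07", "powershell.exe")]:
        print(ev, "->", b.score(*ev) or "normal")
```

The same PowerShell launch produces a finding for alice and none for bob; that is what a baseline buys over a static rule on the process name, and why the page pairs behavioral analytics with baselined data rather than relying on alerts from individual controls.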

The future of EDR

Organizations need changes to their detection and response processes and technologies. Traditional solutions are limited. They fail to provide the flexibility and scale to keep up with today’s enterprises and their adversaries.

EDR, as it stands today, is a reactive solution that provides only a single point of view into attacks. XDR offers broader visibility across endpoints, networks, and the cloud. Combined with more effective machine learning analytics and integration, XDR can potentially change the threat hunting, investigation, detection, and response landscape.

Interested in learning more? Join our VMworld 2020 XDR session, where our security experts, Tom Corn, SVP of Product Marketing and Strategy, and Brad Doctor, Senior Director of Information Security, will discuss how VMware is extending EDR capabilities in the Carbon Black Cloud to take advantage of new sources of telemetry and enhance response capabilities to deliver Native XDR.

Sign up now and save your seat!