Endpoint detection and response (EDR) and extended detection and response (XDR) have been topics of conversation in IT security for a while, and also a point of contention: many of their features and benefits look the same, so it is unclear to some what the difference is. Because of these confusing beginnings, XDR still sits in a nebulous middle ground, with analysts such as Gartner defining it one way and Forrester defining it another. So what is the difference between the two? If you already have EDR, why invest in upgrading to XDR if the two are such similar solutions? First, let’s discuss exactly what EDR and XDR are, their similarities and differences, the origins of XDR, and what benefits XDR provides security-minded companies.
What is EDR?
Endpoint Detection and Response, otherwise known as EDR, was once the benchmark for endpoint protection, focusing on threat detection by tracking and recording endpoint behaviours in search of malware or malicious activity. EDR solutions use this data to identify suspicious behaviour within the network and block it, followed by remediation functions to restore any systems which have been infected.
What is XDR?
As XDR is still a developing and emerging approach to threat detection and response, we need to dive into its origins and differing definitions from sources to fully understand what it is.
Where did XDR come from?
The original concept for XDR was created by Palo Alto to showcase their NGFW and their endpoint product, Traps, working together. Soon it became the marketing buzzword du jour and analysts had to start taking it seriously. Many believe XDR to be the evolution of EDR. Palo Alto created it because the organization recognized that existing detection and response tools on the market were too narrowly focused at the time to serve a security team’s ever-evolving needs.
How does Gartner define XDR?
Gartner defines Extended Detection and Response as “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”
In other words, XDR pulls data from different security devices together from a single vendor (like Palo Alto) under a single (preferably cloud-based) management function that provides consolidated status, views, operations, and response for an environment.
How does Forrester define XDR?
Forrester describes: “while EDR was once relied upon to perform the most cutting-edge endpoint detection and response, XDR goes further, unifying endpoint security investigation with network security analysis, visibility, identity access management and cloud security. By going cloud-native, extended detection and response provides a platform that is easily scalable, flexible, and automated.”
In other words, start with EDR, add network (L2/L3) detection and response (NDR) and identity management, and integrate with (hybrid) cloud environments as well. Putting the management in the cloud makes it very scalable.
How do Gartner & Forrester XDR Definitions Differ?
As with any relatively new technology, definitions and preferences differ from analyst to analyst. Gartner believes XDR is cloud-based and integrates different products from a single vendor, not limited to EDR and next-generation firewall (NGFW), all under a single management structure with some type of response mechanism. Forrester believes any XDR must have EDR at its core, extended with NDR and other security tools, and hybrid with cloud devices; in other words, Forrester sees XDR as an evolution of EDR.
Why XDR over EDR?
Both solutions provide threat detection and even some response, drawing information from endpoints and applying real-time monitoring and analytics to seek out threats. Both provide the same proactive approach to network security thus far. Where XDR goes the extra mile is its ability to provide total visibility into data, mobile devices, cloud and network – in short, everything connected to the infrastructure. This multi-dimensional protection goes beyond the capabilities of EDR; it requires network analysis as well as application or server data (think SIEM). Does XDR require EDR? Gartner thinks EDR can be a key component but that XDR is not limited to it, while Forrester believes in starting with EDR and then adding to it.
How does XDR work?
XDR provides advanced threat detection and response through the following:
- Unifying visibility and control across endpoints, networks and clouds
- Analyzing TTPs and other threats
- Detecting and responding to targeted attacks so that teams can move quickly to a response
- Providing end-to-end network protection
- Proactively identifying hidden, stealthy and sophisticated threats
- Tracking threats across sources or locations within a company
- Concluding investigations quickly by confirming alerts automatically and reducing the need to chase false positives
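The list above is the core of what distinguishes XDR from a single-source EDR: alerts from different sensors are stitched together around the entity they share (a host or a user) so that one correlated incident replaces several isolated alerts. The following script is an added illustration, not code from the original article or from any vendor product. It uses a constructed set of events from hypothetical "edr", "ndr", "identity" and "cloud" sources (the tag names are invented for the example), links events that share a host or user within a time window, and escalates only incidents confirmed by more than one source; a single-source alert stays at alert level, which is what an EDR-only deployment would see.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample telemetry for the example (not real logs). Every record
# carries the sensor it came from, a UTC timestamp, the entity it concerns and
# a detection tag; the tag names are hypothetical.
SAMPLE_EVENTS = [
    {"source": "edr",      "ts": "2024-01-10T09:00:05Z", "host": "ws-017", "user": "alice", "tag": "suspicious_child_process"},
    {"source": "ndr",      "ts": "2024-01-10T09:00:40Z", "host": "ws-017", "user": None,    "tag": "beacon_like_traffic"},
    {"source": "identity", "ts": "2024-01-10T09:02:10Z", "host": None,     "user": "alice", "tag": "impossible_travel_login"},
    {"source": "cloud",    "ts": "2024-01-10T09:03:00Z", "host": None,     "user": "alice", "tag": "bulk_object_download"},
    {"source": "edr",      "ts": "2024-01-10T14:30:00Z", "host": "ws-042", "user": "bob",   "tag": "suspicious_child_process"},
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Incident:
    """A cluster of events that share at least one host or user pivot."""
    hosts: set = field(default_factory=set)
    users: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    tags: list = field(default_factory=list)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None

    def touches(self, event: dict) -> bool:
        # An event belongs to this incident if it names a host or a user
        # already seen in it; None entities never match.
        host, user = event["host"], event["user"]
        return (host is not None and host in self.hosts) or \
               (user is not None and user in self.users)

    def absorb(self, event: dict) -> None:
        ts = parse_ts(event["ts"])
        if event["host"]:
            self.hosts.add(event["host"])
        if event["user"]:
            self.users.add(event["user"])
        self.sources.add(event["source"])
        self.tags.append(f'{event["source"]}:{event["tag"]}')
        self.first_seen = ts if self.first_seen is None else min(self.first_seen, ts)
        self.last_seen = ts if self.last_seen is None else max(self.last_seen, ts)

    def merge(self, other: "Incident") -> None:
        # Used when one event bridges two clusters that were previously separate.
        self.hosts |= other.hosts
        self.users |= other.users
        self.sources |= other.sources
        self.tags += other.tags
        self.first_seen = min(self.first_seen, other.first_seen)
        self.last_seen = max(self.last_seen, other.last_seen)


def correlate(events: list, window_minutes: int = 10) -> list:
    """Group events into incidents by shared host/user within a time window."""
    window = timedelta(minutes=window_minutes)
    incidents: list = []
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(event["ts"])
        matches = [i for i in incidents
                   if i.touches(event) and ts - i.last_seen <= window]
        if not matches:
            inc = Incident()
            incidents.append(inc)
        else:
            inc = matches[0]
            for other in matches[1:]:      # the event bridges several clusters
                inc.merge(other)
                incidents.remove(other)
        inc.absorb(event)
    return incidents


def escalate(incidents: list, min_sources: int = 2) -> list:
    """Keep only incidents corroborated by at least `min_sources` sensors."""
    return [i for i in incidents if len(i.sources) >= min_sources]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        level = "INCIDENT" if len(inc.sources) >= 2 else "alert"
        print(f"{level}: hosts={sorted(inc.hosts)} users={sorted(inc.users)} "
              f"sources={sorted(inc.sources)} tags={inc.tags}")
```

Run as written, the four morning events collapse into one incident spanning all four sources (the EDR alert is linked to the NDR flow by host and to the identity and cloud events by user), while the afternoon EDR alert on the second host remains an uncorroborated single alert. The window and the two-source threshold are tuning knobs: a longer window catches slower campaigns at the cost of more accidental joins, and a higher threshold trades sensitivity for fewer false positives to chase.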
What benefits does XDR provide?
Endpoints are often at risk and their security is vital, so why isn’t EDR the solution of choice for more security-minded enterprises? EDR is a great option for smaller organizations with low-level security concerns, but XDR provides larger enterprises with a more comprehensive view of network, cloud, mobile and data, by collecting information from more than just the endpoints. A few of the benefits XDR provides are:
- Total visibility of the entire network (endpoints, network and cloud)
- Threat hunting and remediation
- Automated response
- Single solution = 360° protection
- Productivity boost
- Total Cost of Ownership (TCO) Reduction
Why do organizations need XDR?
Unfortunately, budgets and resources are key areas of concern for many organizations. This is especially true for those with limited or smaller security teams, which have historically been under immense pressure to oversee an entire organization’s security operations. The strain on resources means that the tools and platforms of a modern organization need to be more advanced and all-encompassing.
Coupled with the rise and continued advancement of threat actors and malicious threats, security staff are struggling to keep up with disconnected security tools and data sets. XDR gives organizations greater visibility into their operations, which increases the productivity and success rate of security teams.
Going beyond XDR with Cyber Command
Much in the way XDR gives a 360° panorama of the network, the Sangfor Cyber Command threat hunting platform provides access to a broad range of security data, including endpoint data, network traffic data, and application and system data and logs. Sangfor Cyber Command links with Sangfor Endpoint Secure and Network Secure (on-premises or in the cloud), providing flexible and effective mitigation of threats in a timely manner and offering recommendations for new rules, policies, or patching. This immediately meets the Forrester definition.
Cyber Command seeks out potential threats and responds to them in real time. It can integrate multiple security products and then use AI analysis and threat intelligence to give the user the ability to defend against and respond to exploitation, brute-force attacks, C&C, lateral movement, P2P traffic, data theft and even phishing. Cyber Command can be hosted in the cloud, thus meeting the Gartner definition of XDR.
Sangfor has long been able to do not only what both Gartner and Forrester have defined, but to go beyond both definitions as well. Cyber Command makes threat hunting easier and faster by performing a comprehensive analysis of all breaches and using that to trace each breach back to its root. Cyber Command then uses this information to strengthen the assets that need strengthening, thereby fortifying the entire network on an ongoing basis. Sangfor has always called this XDDR, for extended detection, defense, and response; somewhere along the way XDR forgot you need to defend as much as respond. Sangfor security, infrastructure, virtualization, and cloud technologies all support XDDR by working together to provide a true 360° view of, and protection for, your network environment.
Sangfor Technologies is an APAC-based, global leading vendor of IT infrastructure and security solutions specializing in Network Security and Cloud Computing. Visit us at www.sangfor.com to learn more about Sangfor’s Security solutions and ransomware protection, and let Sangfor make your digital transformation simpler and secure.