
What is Extended Detection and Response (XDR)?

2021-05-08
Endpoint detection and response (EDR) and extended detection and response (XDR) have been topics of conversation for a while in the world of IT security and have been a point of contention, with some wondering what their differences really are. Many of the features and benefits are the same, so it can be confusing.

With such confusing beginnings, XDR still sits in a nebulous middle ground, with some analysts, like Gartner, defining it one way and Forrester defining it another. So what is the difference between the two? If you already have EDR, why invest in upgrading to XDR if they are such similar solutions? First, let’s discuss exactly how endpoint detection and response (EDR) and extended detection and response (XDR) are defined, the origins of XDR, and what benefits XDR provides security-minded companies.

What is EDR?

Endpoint Detection and Response, otherwise known as EDR, was once the benchmark for endpoint protection, focusing on threat detection by tracking and recording endpoint behaviours in search of malware or malicious activity. EDR solutions use this data to identify suspicious behaviour within the network and block it, followed by remediation functions to restore any systems which have been infected.

Where did XDR come from?

The original concept for XDR was created by Palo Alto to showcase their NGFW and their endpoint product, Traps, working together. Soon it became the marketing buzzword du jour and analysts had to start taking it seriously.

How does Gartner define XDR?

Gartner defines Extended Detection and Response or XDR as “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

In other words, XDR pulls data from different security devices together from a single vendor (like Palo Alto) under a single (preferably cloud-based) management function that provides consolidated status, views, operations, and response for an environment.

How does Forrester define XDR?

Forrester describes XDR as follows: “while EDR was once relied upon to perform the most cutting-edge endpoint detection and response, XDR goes farther, unifying endpoint security investigation with network security analysis, visibility, identity access management and cloud security. By going cloud-native, extended detection and response provides a platform which is easily scalable, flexible, and automated.”

In other words, start with EDR, add network (L2/L3) detection & response (NDR), ID management and integrate with (hybrid) cloud environments as well. Putting the management in the cloud will make it very scalable.

How do Gartner & Forrester XDR Definitions Differ?

As with any relatively new technology, the definition and preferences differ from analyst to analyst. Gartner believes that XDR is cloud based, integrating different products from a single vendor, not limited to EDR and NGFW, all under a single management structure with some type of response mechanism. Forrester believes any XDR must have EDR at the core, but extends that functionality with NDR and other security tools, and spans hybrid and cloud environments.

Why XDR over EDR?

Both solutions provide threat detection and even some response, as they draw information from endpoints, in addition to real-time monitoring and analytics to seek out threats. Both provide the same proactive approach to network security thus far. Where XDR goes the extra mile is its ability to provide total visibility into data, mobile devices, cloud and network; in short, everything that’s connected to the infrastructure. You can see how this multi-dimensional protection goes beyond the capabilities of EDR; you need network analysis as well as application or server data (think SIEM). Does XDR require EDR? Gartner thinks EDR can be a key component but XDR is not limited to it, while Forrester believes in starting with EDR and then adding to it.

What benefits does XDR provide?

Endpoints are often at risk and their security is vital, so why isn’t EDR the solution of choice for more security-minded enterprises? EDR is a great option for smaller organizations with low-level security concerns, but XDR provides larger enterprises with a more comprehensive view of network, cloud, mobile and data, by collecting information from more than just the endpoints. A few of the benefits XDR provides are:

  • Total visibility of the entire network (endpoints, network and cloud)
  • Threat hunting and remediation
  • Automated response
  • Single solution = 360° protection
  • Productivity boost
  • Total Cost of Ownership (TCO) Reduction

Going beyond XDR with Cyber Command

Much in the way XDR gives a 360° panorama of the network, the Sangfor Cyber Command threat hunting platform provides access to a broad range of security data including endpoint data, network traffic data, and application and system data and logs. Sangfor Cyber Command is linked with Sangfor Endpoint Secure and NGAF (on-premises or in the cloud), providing flexible and effective mitigation of threats in a timely manner, and offering recommendations for new rules, policies, or patching. This immediately meets the Forrester definition of XDR.

Cyber Command seeks out potential threats and responds to them in real-time. Sangfor Cyber Command can integrate multiple security products and then use AI analysis and threat intelligence to give the user the ability to defend and respond against exploitation, brute force attacks, C&C, lateral movement, P2P traffic, data theft and even phishing. Cyber Command can be hosted in the cloud thus meeting the Gartner definition of XDR.

Sangfor has long been able to do not only what both Gartner and Forrester have defined, but to go beyond both definitions as well. Cyber Command makes threat hunting easier and faster by performing a comprehensive analysis of all breaches and using that to trace each breach back to its root. Cyber Command then takes this information and uses it to strengthen assets that need strengthening, thereby fortifying the entire network on an ongoing basis. Sangfor has always called this XDDR, for extended detection, defence, and response; somewhere along the way XDR forgot that you need to defend as much as respond. Sangfor security, infrastructure, virtualization, and cloud technologies all support XDDR by working together to provide a true 360° view of, and protection for, your network environment.

Sangfor Technologies is an APAC-based, global leading vendor of IT infrastructure and security solutions specializing in Network Security and Cloud Computing. Visit us at www.sangfor.com to learn more about Sangfor’s Security solutions and ransomware protection, and let Sangfor make your IT simpler, more secure and valuable.