SOPHOS – XDR

Extended Detection and Response

Security teams are increasingly interested in adding Extended Detection and Response (XDR) tools to their defensive arsenals. Sophos, one company providing XDR solutions, has just released a beginner’s guide to help security practitioners better understand the technology and how to make use of it.

What is XDR?

Let’s start with the definition of XDR, since the exact wording varies depending on who you ask:

  • Extended Detection and Response is the most commonly used definition, being adopted by many analyst firms and cybersecurity vendors. “Extended” refers to going beyond the endpoint and server, bringing in additional data sources such as firewall, email, cloud, mobile, and others.
  • Cross-product Detection and Response is another wording, referring to data being combined from multiple products and security layers.
  • The third interpretation uses the ‘X’ in XDR as a mathematical variable that stands in for whichever data sources are leveraged as part of the solution.

Whichever definition you use, they all reference the same core capability: the ability to access and query a range of data sources to give your organization greater visibility and context.

What does XDR do?

XDR is designed to give organizations a holistic view of their cybersecurity posture and IT environment, with the ability to pivot quickly into a deep investigation when something warrants a closer look.

Gartner states: “The primary value propositions of an XDR product are to improve security operations productivity and enhance detection and response capabilities by including more security components into a unified whole that offers multiple streams of telemetry, presenting options for multiple forms of detection and concurrently enabling multiple methods of response.”

A commonly asked question is, “how is that different from EDR?” XDR solutions should include the business-critical question-answering capabilities of EDR (Endpoint Detection and Response): the ability to query live data directly from an endpoint or server, and to fall back on the telemetry already uploaded to the cloud when a device is offline.

XDR builds upon that solid foundation by adding even more data and context that both increases visibility and gives the user even more insight during an investigation. This results in faster and more accurate incident detection and response.

Additional data sources can include firewall, email, cloud, and mobile information. For example, adding in firewall data makes it simple to correlate a malicious traffic detection by the firewall with a compromised endpoint, or to see which application is causing the office network connection to run slowly.

One of the most valuable ways to use XDR is to begin with the ‘macro’ spotlight, which gives you the tools to quickly scan across your entire environment and highlight suspicious activity, anomalous behavior, and other IT issues.

When an issue is identified you can then home in on a device of interest, pulling live data or remotely accessing the device in order to dig deeper and take remedial action.
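To make the firewall-to-endpoint correlation and the macro-then-micro workflow above concrete, here is an added Python example written for this page. It is not Sophos code and does not use any Sophos API or log format: the firewall lines and endpoint events are constructed for illustration, and the key=value syslog layout, the field names, the 10-second matching window and the “only blocked traffic” filter are all assumptions.

```python
"""Correlate firewall block events with endpoint network telemetry, then pivot.

Constructed sample data: the firewall lines mimic a key=value syslog format
and the endpoint events mimic EDR network-connection records. Neither is a
real Sophos log format (assumption for illustration only).
"""
from datetime import datetime, timedelta, timezone

# Constructed firewall log lines (not real Sophos output).
FIREWALL_LOG = [
    "2024-03-04T10:02:11Z fw01 action=block src=10.0.5.23 dst=203.0.113.45 dport=443 category=C2",
    "2024-03-04T10:02:40Z fw01 action=allow src=10.0.5.40 dst=198.51.100.7 dport=443 category=clean",
    "2024-03-04T10:15:05Z fw01 action=block src=10.0.5.23 dst=203.0.113.45 dport=443 category=C2",
]

# Constructed endpoint network-connection events (not real EDR output).
ENDPOINT_EVENTS = [
    {"ts": "2024-03-04T10:02:09Z", "host": "LAPTOP-17", "ip": "10.0.5.23", "pid": 4412,
     "process": r"C:\Users\jsmith\AppData\Roaming\svch0st.exe", "dst": "203.0.113.45", "dport": 443},
    {"ts": "2024-03-04T10:02:38Z", "host": "LAPTOP-22", "ip": "10.0.5.40", "pid": 912,
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst": "198.51.100.7", "dport": 443},
    {"ts": "2024-03-04T10:15:03Z", "host": "LAPTOP-17", "ip": "10.0.5.23", "pid": 4412,
     "process": r"C:\Users\jsmith\AppData\Roaming\svch0st.exe", "dst": "203.0.113.45", "dport": 443},
]


def parse_iso(ts: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_fw_line(line: str) -> dict:
    """Split one key=value firewall line into a dict with a parsed timestamp."""
    ts, device, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = parse_iso(ts)
    fields["device"] = device
    fields["dport"] = int(fields["dport"])
    return fields


def correlate(fw_lines, ep_events, window=timedelta(seconds=10)):
    """Join firewall blocks to the endpoint process that opened the same flow.

    A match requires the same source IP, destination IP and port, and the
    endpoint's connection timestamp within `window` of the firewall event.
    The 10-second window is an assumption; tune it to your clock skew.
    """
    events = [dict(ev, ts=parse_iso(ev["ts"])) for ev in ep_events]
    hits = []
    for line in fw_lines:
        fw = parse_fw_line(line)
        if fw["action"] != "block":  # only the traffic the firewall flagged
            continue
        for ev in events:
            same_flow = (ev["ip"] == fw["src"] and ev["dst"] == fw["dst"]
                         and ev["dport"] == fw["dport"])
            if same_flow and abs(ev["ts"] - fw["ts"]) <= window:
                hits.append({
                    "fw_ts": fw["ts"], "category": fw["category"],
                    "host": ev["host"], "ip": ev["ip"], "pid": ev["pid"],
                    "process": ev["process"], "dst": f'{fw["dst"]}:{fw["dport"]}',
                })
    return hits


def macro_view(hits):
    """The 'macro' spotlight: count correlated blocks per host across the estate."""
    counts = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def pivot_to_host(ep_events, host):
    """Home in on one device: which processes talked to which destinations."""
    mine = [ev for ev in ep_events if ev["host"] == host]
    return {
        "host": host,
        "processes": sorted({(ev["pid"], ev["process"]) for ev in mine}),
        "destinations": sorted({f'{ev["dst"]}:{ev["dport"]}' for ev in mine}),
        "first_seen": min(ev["ts"] for ev in mine) if mine else None,
        "last_seen": max(ev["ts"] for ev in mine) if mine else None,
    }


if __name__ == "__main__":
    hits = correlate(FIREWALL_LOG, ENDPOINT_EVENTS)
    for h in hits:
        print(f'{h["fw_ts"]:%H:%M:%S} {h["category"]} {h["host"]} pid={h["pid"]} {h["process"]} -> {h["dst"]}')
    print(macro_view(hits))
    print(pivot_to_host(ENDPOINT_EVENTS, "LAPTOP-17"))
```

The point of the join is the extra context each source lacks on its own: the firewall knows the flow was blocked but only sees an IP, while the endpoint knows which process opened the connection but not that the destination was flagged. The allowed Firefox connection from LAPTOP-22 produces no hit, while both blocked C2 attempts land on LAPTOP-17 and the same unsigned-looking binary in a user’s AppData folder, which is the device you would then pivot into for live data. A real deployment would also handle DHCP lease changes (IP-to-host mapping by time) rather than trusting the IP stamped on the event.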

XDR use cases

The best way to explain the real-world benefits of XDR is to look at how the functionality can help organizations in their day-to-day IT operations and threat-hunting capabilities. Note that we have included EDR examples as your XDR solution should also cover those use cases.