What’s an XDR Engine and How is It Different?
What is XDR?
XDR is a relatively new term in the security tools landscape. XDR stands for Extended Detection and Response. The term has its roots in a product category that has been adding a great deal of value to cybersecurity recently: Endpoint Detection and Response (EDR). These tools promise to build a comprehensive record of activity on endpoint devices, giving security analysts the visibility they need to discover malicious activity.
EDR brings several key benefits, but security teams understand that knowing about the endpoint alone is not enough. You need to extend detection and response to include the other valuable tools in the security environment. That is the core of what XDR security is meant to do: extend visibility and analysis to include threat intelligence, telemetry from other control points, vulnerability data, and other relevant IT information. To paraphrase Jon Oltsik from the research group ESG, “XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.”
Ok, so what does an XDR Engine do?
An XDR Engine performs the unification of data that Jon describes above and then does three things: (1) it determines the likelihood that each event is malicious and actionable; (2) it groups the events that are related to one another; and (3) it assigns a priority based on the severity and the impact of the potential incident.
I’ve started to use a simple analogy to explain this category of automation: a criminal investigation’s evidence board, as popularized by TV and movie dramas. You all know the scene: a wall covered with seemingly unrelated bits of evidence. A detective’s job is to work out the connections, the strings linking people to places to events, to make a case stronger or clear someone of suspicion. What detectives do with physical evidence on an evidence board, an XDR Engine does with cybersecurity data, but at machine speed and scale. It handles voluminous, rapid-fire data while automating the three steps described above with consistency, depth, and speed. It connects the dots and surfaces only the results that warrant investigation; everything else falls away, since there is no sense in investigating false positives or benign events. Like a detective’s evidence board, it lets the analyst see the forest instead of the trees.
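To make the three steps concrete, here is a toy correlation engine, added as an example and not taken from the original post or from any vendor’s product. It runs over a handful of constructed events from an EDR, a network sensor and an identity provider: step 1 scores each event and drops those below an actionable threshold, step 2 links the survivors into incidents through shared entities (host, user, indicator), and step 3 ranks the incidents by severity and by the impact implied by asset context. The event data, the threat-intel feed, the asset criticality map, the vulnerability counts and every scoring weight are assumptions chosen for illustration.

```python
"""Toy XDR engine: score, group and prioritize events from several control points."""
from collections import defaultdict

# Constructed sample telemetry (not real data). Sources: EDR, network sensor (ndr),
# identity provider (idp). Indicators are process command lines or remote addresses.
EVENTS = [
    {"id": 1, "source": "edr", "type": "process_exec", "host": "ws-17",
     "user": "alice", "indicator": "powershell.exe -enc", "ts": 100},
    {"id": 2, "source": "ndr", "type": "outbound_conn", "host": "ws-17",
     "user": None, "indicator": "198.51.100.23", "ts": 105},
    {"id": 3, "source": "idp", "type": "new_mfa_device", "host": None,
     "user": "alice", "indicator": None, "ts": 110},
    {"id": 4, "source": "edr", "type": "process_exec", "host": "srv-db-01",
     "user": "svc_backup", "indicator": "backup.exe", "ts": 120},
    {"id": 5, "source": "ndr", "type": "outbound_conn", "host": "srv-db-01",
     "user": None, "indicator": "203.0.113.9", "ts": 121},
    {"id": 6, "source": "edr", "type": "process_exec", "host": "ws-42",
     "user": "bob", "indicator": "chrome.exe", "ts": 130},
]

# Assumed context feeds: known-bad addresses, how important each asset is, and how
# many open critical vulnerabilities each host carries (counts only, no identifiers).
THREAT_INTEL = {"198.51.100.23", "203.0.113.9"}
ASSET_CRITICALITY = {"ws-17": 1.0, "ws-42": 1.0, "srv-db-01": 3.0}
OPEN_CRITICAL_VULNS = {"srv-db-01": 2}

# Assumed scoring weights. Tuning these is where most of the engineering effort goes.
BASE_SCORE = {"process_exec": 0.2, "outbound_conn": 0.1, "new_mfa_device": 0.4}
SUSPICIOUS_TOKENS = ("-enc",)        # encoded PowerShell command line
ACTIONABLE_THRESHOLD = 0.3


def score_event(event, intel=THREAT_INTEL):
    """Step 1: estimate how likely the event is malicious and actionable (0..1)."""
    score = BASE_SCORE.get(event["type"], 0.05)
    indicator = event.get("indicator") or ""
    if indicator in intel:                       # direct threat-intel match
        score += 0.6
    if any(tok in indicator for tok in SUSPICIOUS_TOKENS):
        score += 0.3
    return min(score, 1.0)


def group_events(events):
    """Step 2: union-find over shared entities; events linked by host, user or
    indicator end up in the same incident (the strings on the evidence board)."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]       # path halving
            x = parent[x]
        return x

    by_entity = defaultdict(list)
    for e in events:
        for key in ("host", "user", "indicator"):
            if e.get(key):
                by_entity[(key, e[key])].append(e["id"])
    for ids in by_entity.values():
        for a, b in zip(ids, ids[1:]):
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for e in events:
        groups[find(e["id"])].append(e)
    return list(groups.values())


def prioritize(groups, assets=ASSET_CRITICALITY, vulns=OPEN_CRITICAL_VULNS):
    """Step 3: severity from the strongest signal plus breadth of evidence,
    impact from asset criticality and exposed vulnerabilities on the hosts involved."""
    incidents = []
    for events in groups:
        scores = [score_event(e) for e in events]
        hosts = {e["host"] for e in events if e.get("host")}
        severity = max(scores) + 0.1 * (len(events) - 1)
        impact = max((assets.get(h, 1.0) * (1 + 0.5 * vulns.get(h, 0)) for h in hosts),
                     default=1.0)
        incidents.append({
            "priority": round(severity * impact, 2),
            "hosts": sorted(hosts),
            "users": sorted({e["user"] for e in events if e.get("user")}),
            "sources": sorted({e["source"] for e in events}),
            "event_ids": sorted(e["id"] for e in events),
        })
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)


def run_engine(events=EVENTS, threshold=ACTIONABLE_THRESHOLD):
    """Run all three steps; benign or low-confidence events never reach the analyst."""
    actionable = [e for e in events if score_event(e) >= threshold]
    return prioritize(group_events(actionable))


if __name__ == "__main__":
    for incident in run_engine():
        print(incident)
```

On the constructed data the engine produces two incidents: the database server contacting a known-bad address outranks the workstation case even though the workstation case has more evidence (encoded PowerShell, a flagged connection and a new MFA device for the same user), because asset criticality and open vulnerabilities multiply the impact term. The three benign events (a backup job and a browser launch) never appear. The threshold is the lever to watch: raise it and a low-scoring but genuine precursor event is dropped before grouping can connect it; lower it and the analyst is back to staring at the whole wall.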