How to evaluate and deploy an XDR platform

What is XDR?

XDR is a SaaS-based security monitoring platform that sources and analyzes relevant endpoint, server, network and cloud workload data to identify advanced threats. An extension of endpoint detection and response, the hope is that an XDR platform collects more threat data than its EDR predecessors to provide a more complete picture of threats.

XDR systems perform the following tasks:

• Collect threat telemetry data from at least two -- and usually more -- sources. This includes data sourced from endpoints, servers, network firewalls and third-party global threat detection services.
• Analyze data and use machine learning engines to develop a baseline for "normal" behavior. Once completed, data is continuously monitored and analyzed to identify anomalies in user, device and service behavior that could indicate a cybersecurity threat.
• Conduct actions if an anomaly is detected. Using AI, an XDR platform can help do the following:
  • formulate the impact of the security event across the entire corporate network;
  • calculate a specific threat level;
  • conduct AI-backed root cause analysis; and
  • provide threat remediation steps.

Differences to consider when assessing XDR platforms

While commercially available XDR platforms use similar architectures and processes, there are distinct differences to know before making a purchase decision. For one, not all XDR products collect data from the same devices or components at the same level. One XDR platform may rely more heavily on endpoint detection data, for example, while another may put more stock into collecting data as it traverses the network.

Choosing which XDR product best fits an organization's need depends on several factors, including the following:

• the extent that users are geographically distributed;
• where applications, data and servers reside, such as on premises or in the cloud; and
• whether sensitive corporate data traverses untrusted networks, such as the internet.

The next aspect to consider is who at the XDR vendor handles threat intelligence and hunting using external threat data and if they are proactive enough. Most enterprise-grade XDR platforms use their own in-house threat detection teams to identify new or emerging threats. For example, Cisco relies on its Talos Intelligence Group to identify global emerging threats, while VMware uses its Carbon Black Threat Analysis Unit.

Threat intelligence information gathered by these groups can be used to automatically create security policies that are then pushed to customer security tools. The ability for these teams to rapidly identify threats and create a policy is a critical factor for zero-day exploits.

The AI capabilities integrated into an XDR platform can also vary significantly from one product to the next. Some XDR platforms relegate AI for threat identification and the overall reduction of false positives. Others use AI for root cause analysis and remediation information to reduce the time spent investigating, containing and eliminating an existing threat.

XDR platform deployment and operation tips

Careful consideration must also be made when planning an XDR rollout. For example, it's important to quantify how much log and telemetry data will be collected and how long data must be stored. This will help determine the amount of storage space the XDR platform needs, as well as the bandwidth that will be consumed across LANs, WANs and cloud connections to send data to an XDR data collection agent.

XDR projects should use a phased rollout approach. Instead of deploying XDR data collection services across all endpoints, servers and clouds, start with a subset of one of these categories. Learn the ins and outs of the platform prior to rolling out to other device and network types. This helps ensure the integration does not accidently affect business operations.

An XDR platform must have sufficient time to baseline data flow behavior to accurately detect security anomalies. Cutting this baseline time short often leads to a slew of false positive and misdiagnosed events -- be patient.