Word Notes 10.17.23
Ep 160 | 10.17.23

extended detection response (XDR) (noun)


Rick Howard: The word is: XDR

Rick Howard: Spelled: X for extended, D for detection, and R for response. 

Rick Howard: Definition: A unified security incident detection and response platform that connects to multiple tools in the security stack via APIs, collects telemetry from each, and attempts to correlate that telemetry into a coherent threat picture.

Rick Howard: Example sentence: The theory is that XDR collects and processes telemetry from individual tools and somehow munges all this data together to come up with more timely, accurate, and comprehensive threat detection. 

Rick Howard: Origin and Context: Palo Alto Networks released the first XDR tool in 2018. Back then, it was mostly a behavioral analytics product that used machine learning algorithms on endpoint and networking data, but their competitors quickly caught up. In the 2021 Forrester New Wave XDR evaluation, almost 15 vendors cooperated with the study. XDR is an extension of two ideas: EDR, endpoint detection and response, and NDR, network detection and response, because XDR combines the two into one capability.

Rick Howard: It's the convergence of a collection of technical strategies that have been bouncing around the security industry for years. Before, each tool in the security stack was a stovepipe and operated on different data islands. If you wanted intrusion kill chain prevention in the cloud and in your data center, you were likely using two different tool sets to do it. If you wanted zero trust on your endpoints and your SaaS applications, there was a good chance that you were using two different identity systems to get that done. If you wanted to coordinate and correlate all of that activity, you were doing that on your own too, manually, or with code that you wrote yourself. XDR in general will reduce that complexity. It has the potential to take the security community one step closer to collapsing all of that functionality into a meta layer of visibility, alerting, and remediation.

Rick Howard: The promise of XDR is really the next step in security orchestration. It's a big swing. The general architectural model that most XDR vendors are using is a subscription SaaS service that uses APIs to hook into all of your security tools and IT infrastructure. It collects essential telemetry for future processing and investigation, but instead of collecting logs like a SIEM or a SOAR tool, it connects directly via APIs.

Rick Howard: Nerd Reference: In the 1998 movie, Enemy of the State, starring Will Smith and Gene Hackman, Hackman plays a reformed NSA communications analyst, and Smith plays a lawyer who was in the wrong place at the wrong time. In this scene, Hackman explains to Smith about all the intelligence collection tools in the stack that the NSA uses. Kind of an early version of what XDR became. Hackman speaks first.

Gene Hackman: I call it the jar. No phone or utility lines coming in, self-contained, unplugged from the world. Nothing for a wired bug to piggyback in on, that leaves only transmitters. It's easy enough to signal sweep for those.

Will Smith: Signal sweeping for transmitters? You're just a party animal. 

Gene Hackman: See, the government's been in bed with the entire telecommunications industry since the 40s. They've infected everything. They get into your bank statements, your computer files, your email, listen to your phone calls.

Will Smith: My wife's been saying that for years. 

Gene Hackman: Every wire, every airway. The more technology you use, the easier it is for them to keep tabs on you. It's a brave new world out there, at least it better be. There it goes, some kind of simple encryption. 

Will Smith: Oh, conspiracy theorists of the world unite. 

Gene Hackman: It's more than a theory with me. I'm a former conspirer. Yeah, I used to work for the NSA. I was a communication analyst. Listened to international calls, calls from foreign nationals. A GPS tracking device we found in your cellular telephone. I designed one of the first models in that series. Fort Meade has 18 acres of mainframe computers underground. You're talking to your wife on the phone, you use the word bomb, president, Allah, any of a hundred key words. Computer recognizes it, automatically records it, red flags it for analysis. That was 20 years ago. You know the Hubble Telescope looks up at the stars? They've got over a hundred spy satellites looking down at us. That's classified, in the old days, we actually had to tap a wire into your phone line. Now, if a call's bouncing off satellites, they snatch them right out of the air.

Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. We're privileged that N2K and podcasts like Word Notes are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, people. We make you smarter about your team while making your team smarter. Learn more at N2K.Com and thanks for listening.