XDR: from the Rick the Toolman Series.
Nov 29, 2021

CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.

I'm going to try my hand at a sports metaphor. Hold onto your butts. This past summer, the coach of my local high school football team, the mighty West Springfield Spartans, put a call out to the local fans. He needed volunteers to film the teams he would play in the upcoming season. I enlisted with a cackle of tech dads to film one of the competitors. By tech dads, I mean we all came from the tech sector and didn’t necessarily know anything specific about the sport of football. And yes, I realize that “cackle” is normally reserved for a group of hyenas, but I thought it was appropriate for this group of wise-cracking dads. Anyway, we attended a South County Stallions game and filmed the plays we thought were pertinent. Later, we got a slightly miffed email from the coach wondering where the rest of the film was. It turns out that he wanted both sides of the game filmed, the Stallions’ offense and defense, whereas our cackle thought the important stuff was just the Stallions’ offense. It might’ve had something to do with the amount of beer consumed, but I’m pleading the 5th on that one.

At this point, you should be asking yourself, what exactly does Rick’s cackle adventure have to do with XDR? Well, sports and infosec are similar in at least one respect. Collecting all the data available, as opposed to collecting only the most obvious data, will improve your chances of defeating the adversary. In football, you want film on your opponent’s offense and defense. In infosec, you want film on wherever your opponent operates. I call these our data islands. We want telemetry from our endpoints for sure, but also from our networks, from our data centers, from our cloud deployments, and from our SaaS applications. We really want visibility across the entire intrusion kill chain. The “film” in this metaphor is the telemetry from the networking equipment/software we use and any security technology that we deploy. XDR is a tool that attempts to corral all of that telemetry in order to simplify visibility across all data islands, centralize alerting, and automate the response.

In this “Rick the Toolman” essay, with my sports metaphor firmly in the rear view mirror, let’s break down XDR in terms that busy security executives can understand and apply to their first principle security strategy.

XDR evolution.

XDR stands for “eXtended Detection and Response” but the security community’s understanding of it is a bit fuzzy. The name has gone through the marketing meat grinder with every vendor putting their spin on it and adding features that benefit their specific suite of tools. Microsoft’s XDR product is not the same as Trend Micro’s XDR product. And the technology idea is relatively new. 

Palo Alto Networks released the first XDR tool in 2018. Back then, it was mostly a behavioral analytics product that used machine learning algorithms on endpoint and networking data. But their competitors quickly caught up. In the recent Forrester New Wave XDR evaluation in 2021, almost 15 vendors cooperated with the study.

Gartner defines XDR as “a unified security incident detection and response platform that automatically centralizes and correlates data from many proprietary security elements”. For a definition, I think that’s close, but that same definition could also easily apply to any SIEM on the market. The Gartner definition also leaves out a bunch of the functionality that vendors promise; I say promised, because not all XDR platforms are equal.

Pundits, including me, have made the obvious point that XDR is an extension of EDR (Endpoint Detection and Response) and NDR (Network Detection and Response) because XDR combines the two into one capability. That’s the right idea, but XDR is much more than that, or could be, depending on the vendor.

The current state of the XDR idea is the convergence of a cackle of technical strategies (see what I did there) that have been bouncing around the security industry for years. Before now, each tool in the security stack was a stove pipe and operated on different data islands. If you wanted intrusion kill chain prevention in the cloud and in your data center, you were probably using two different tool sets to do it. If you wanted zero trust on your endpoints and in your SaaS applications, there was a good chance that you were using two different identity systems to get that done. If you wanted to coordinate and correlate all of that activity, you were doing that on your own too, manually, or with code that you wrote. XDR, in general, will reduce that complexity. It has the potential to take the security community one step closer to collapsing all of that functionality into a meta layer of visibility, alerting, and remediation. The promise of XDR is really the next step in security orchestration. 

XDR architecture.

It’s a big swing. 

The general architectural model that most XDR vendors are using is a subscription SaaS service. In its most mature form, XDR could use APIs to hook into all of your security tools and IT infrastructure. In that way, it’s similar to an asset discovery and management platform.

But, like a SIEM, it might also collect essential telemetry for future processing and investigation. If the customer doesn’t have a SIEM, it might act as one for them. In addition though, it could also collect raw log data from customer endpoints and networking infrastructure into big data lakes and use machine learning techniques for behavioral analysis across the intrusion kill chain. In other words, train the machine to find bad guys. Don’t tell the machine specifically what to look for. This is where the X in XDR comes into play: extended, as in endpoint and networking data combined. With this approach, an XDR platform could become an essential tool for your intelligence teams, your blue teams, and your threat hunting teams.

In a more traditional approach, like an intrusion prevention system, an XDR platform might also allow users to craft their own alerting rules on the data in the SIEM and in the data lake. This would be on a grander scale, though, since its visibility across the entire intrusion kill chain wouldn’t be limited to just the networking data most intrusion detection systems use today. 

Like a SOAR platform, an XDR service might then allow the customer to send configuration updates to the technology stack. In other words, it could provide an automatic remediation capability, a DevOps or DevSecOps capability. For example, if the system notices that a hundred laptops don’t have the latest Apple patch that hackers are exploiting in the wild, the XDR SOC operator might be able to push a button to immediately and automatically send the patch updates to the afflicted systems. If the intel team discovers a new tactic used by APT29, they can mass distribute the countermeasures to every applicable device on every data island.

With all of that capability in a single service, XDR is a modern day orchestration platform.

Pick one and commit.

Parts of all of that functionality exist today. They are highlighted in the current vendor offerings from the 2021 Forrester XDR report. That’s the good news. The bad news is that no XDR vendor offers a complete solution today that works flawlessly for every device/application in the technology stack and protects all of our data islands. And that’s to be expected. I mean, the idea is only three years old. It’s going to take time to build the connectors to all the devices in the IT and security stacks. 

The 2020 Gartner hype cycle puts XDR at the very beginning of the journey. It still has the steep climb up the innovation trigger in front of it. In the future, it has to hit the peak of inflated expectations, slide down the trough of disillusionment, hit bottom, and start the slow climb through the slope of enlightenment and finally reach the plateau of productivity. Gartner says it's at least 5-10 years out. I don’t disagree.

That said, if you’re a certain kind of user, XDR could probably be very useful to you right now. Back in season four, I did a deep dive into the security tools for the three major cloud providers: Amazon, Google, and Microsoft. I came to the conclusion that the security stack from each of these vendors is not mature enough for us to use to implement our first principle strategies across all of our data islands. This is similar to the current situation for XDR. 

I did say though that if you’ve committed to one of the big orchestration platforms like Check Point, Cisco, Fortinet, or Palo Alto Networks, you already have a mature environment in place to deploy your first principle strategies; maybe not 100% but a long way down that journey. And all of these orchestration platforms have a version of XDR that they sell. Adding XDR to your existing subscriptions would be more of an upgrade than a revolutionary step and would likely reduce your environment’s complexity.

And, in that vein, if you’ve already committed to a suite of tools from the likes of Trend Micro, CrowdStrike, Bitdefender, and SentinelOne, it’s a no-brainer to add an XDR subscription just to orchestrate all of that capability. It doesn’t fulfil the promise of XDR yet, but it does reduce the complexity of orchestrating all of those products.

One last thing: if you’re a single technology Microsoft customer, the Microsoft XDR product is worth considering. By single technology customer, I mean that you only run the Microsoft operating system on all of your devices and you are singularly focused on their cloud offerings in Microsoft Azure. If that’s your situation, by all accounts that I could find, the Microsoft XDR offering does a nice job of orchestrating the security of all of that technology. 

With orchestration platforms like Check Point, security suite tools like SentinelOne, or single-technology tech giant solutions like Microsoft, there is one roadmap item all of us should be asking for: connect to more third party tools and intelligence feeds. The idea of this technology is that it can orchestrate across the entire kill chain on all of your data islands with all of your technology. The idea isn’t just to be a single pane of glass dashboard for a stovepipe security vendor. For XDR to be the next step in orchestration, we really have to hold our vendors’ feet to the fire to give us everything.

That said, XDR is probably not the tool today for most small-sized organizations, or for many medium-sized organizations. Those groups probably have other fish to fry before they need to embrace this kind of technology and deal with all the hiccups and false starts that are typical of new products. There are other things they can do today that will have more impact in reducing the probability of material impact due to a cyber event than embracing this idea.

Crystal ball.

One thing to keep an eye out for is XDR in relation to SASE or Secure Access Service Edge. According to the same Gartner Hype cycle, SASE is slightly ahead of XDR and may have just reached the peak of inflated expectations. But it still has a long journey before it reaches the plateau of productivity; probably at the same time that XDR does. One possible way this could go though is that SASE vendors will use XDR products to manage their customers’ security stack for them. In other words, XDR will make it easier for them to do so, which will aid in cost and complexity reduction. This is just another reason that SASE is the wave of the future for most organizations. Whether you pay your SASE vendor to use the XDR tool for you or if you prefer to do it yourself, XDR in some form will be a key and essential tool that will work in conjunction with it.

As XDR matures as a technology, it will help further the current trend of collapsing SOAR and SIEM tools into one technology. It just makes sense that the platform we use to collect telemetry (SIEM) should also have a fairly robust capability to automate responses (SOAR). This trend has been happening for a couple of years now independent of XDR. But with the current direction XDR is taking, I think it might encourage it to happen sooner.

And by the way, the genius of XDR is not that the responsible vendors build all of the underlying technology into one unified platform. The genius of XDR is that the responsible vendors use APIs to connect to the customer’s existing security stack. They don’t have to spend years in research and development building those tools. They just have to find clever ways to connect into the tools that already exist. Many XDR vendors are using the XDR concept to unify their own suite of security tools, which is the easier part of the equation. They should be able to connect to their own products. The tricky part is how robustly they embrace the idea of connecting to third party tools and intelligence sources.

And speaking of intelligence sources, you all have heard me rant that security vendors don’t really help their customers track cyber adversaries. What I mean by that is that they don’t alert me to the probability that APT29 is in my network. Instead, security vendors will alert you that a generic technique that APT29 uses might be happening, or that a specific procedure attributed to APT29 is occurring, but they don’t focus on the adversary. With XDR, that could all change. Security vendors could use APIs to tie into the MITRE ATT&CK framework to provide that kind of collection, alerting, and response. For example, you might get an alert that says, “Out of the 100 tactics and procedures that APT29 uses, our XDR product is seeing 80 of them active in your environment. Your current security stack is deploying 30% of the available countermeasures for APT29. Push this button to deploy the remaining 70%.”

Oh, I would love to have that button. Talk about supercharging your intrusion kill chain prevention strategy!
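The “APT29 button” described above, worked through as an added example that is not from the essay or from any vendor’s product: a toy adversary-coverage calculation over constructed alert records from several data islands. The technique IDs, the countermeasure inventory and the alerts are all constructed placeholders, not real MITRE ATT&CK identifiers or real APT29 tradecraft.

```python
# Added illustration, not code from the essay or any XDR vendor. All technique
# IDs, alerts and deployed-control data are constructed placeholders, not real
# MITRE ATT&CK identifiers or real adversary tradecraft.

ADVERSARY = "APT29"

# Constructed adversary profile: ten placeholder technique IDs the tracked
# group is assumed to use (stand-ins for ATT&CK technique numbers).
PROFILE = {f"TX{n:03d}" for n in range(1, 11)}

# Constructed countermeasure inventory: technique -> data islands where a
# control for that technique is already deployed.
DEPLOYED = {
    "TX001": {"endpoint", "network"},
    "TX002": {"endpoint"},
    "TX005": {"cloud"},
}

# Constructed alert records, normalized the way an XDR platform would collect
# them from each data island (endpoint, network, cloud, SaaS).
ALERTS = [
    {"island": "endpoint", "technique": "TX001", "asset": "laptop-17"},
    {"island": "network", "technique": "TX003", "asset": "fw-edge-1"},
    {"island": "cloud", "technique": "TX005", "asset": "prod-account"},
    {"island": "saas", "technique": "TX006", "asset": "mail-tenant"},
    {"island": "endpoint", "technique": "TX001", "asset": "laptop-22"},
    {"island": "endpoint", "technique": "TX099", "asset": "laptop-03"},  # not in profile
]


def active_techniques(alerts, profile):
    """Map each profile technique seen in the alerts to the islands it was seen on."""
    seen = {}
    for alert in alerts:
        tech = alert["technique"]
        if tech in profile:
            seen.setdefault(tech, set()).add(alert["island"])
    return seen


def coverage_report(alerts, profile, deployed):
    """Correlate alerts against the adversary profile and the deployed controls."""
    active = active_techniques(alerts, profile)
    covered = {t for t in profile if deployed.get(t)}
    return {
        "adversary": ADVERSARY,
        "profile_size": len(profile),
        "active": sorted(active),
        "active_pct": round(100 * len(active) / len(profile)),
        "covered_pct": round(100 * len(covered) / len(profile)),
        # Techniques observed in the environment with no control in place yet.
        "uncovered_active": sorted(set(active) - covered),
        "remaining": sorted(profile - covered),
    }


def deployment_plan(report):
    """What the 'button' would push: uncovered techniques that are already active
    first, then the rest of the adversary's profile that still lacks a control."""
    urgent = report["uncovered_active"]
    rest = [t for t in report["remaining"] if t not in urgent]
    return urgent + rest


def alert_text(report):
    """Render the adversary-centric alert the essay asks for."""
    return (f"Out of the {report['profile_size']} techniques {report['adversary']} uses, "
            f"{len(report['active'])} are active in your environment. Your security stack "
            f"deploys {report['covered_pct']}% of the available countermeasures; push the "
            f"button to deploy the remaining {100 - report['covered_pct']}%.")


if __name__ == "__main__":
    rep = coverage_report(ALERTS, PROFILE, DEPLOYED)
    print(alert_text(rep))
    print("Deployment order:", deployment_plan(rep))
```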

And intelligence companies that have their own XDR product, like CrowdStrike, or big companies that have a robust intelligence team, like Microsoft, already track adversaries in detail. They wouldn’t have to tie into the MITRE ATT&CK framework at all. Instead of getting an APT29 alert, you would get a Cozy Bear alert from CrowdStrike or a YTTRIUM alert from Microsoft.

If you’re listening, XDR vendors, please, please, please give me that XDR button.

As I said, XDR could be the next evolutionary step in security orchestration. Although the idea has been around for a number of years, I'm excited that so many vendors have embraced the concept with working products. That bodes well for the security practitioner trying to reduce the complexity of their environments. And, it means that security executives should have the XDR concept planted firmly in their roadmap for future deployment.

Full disclosure: 

Microsoft is a CyberWire partner and a paid sponsor for some of our programs. They also host a number of their own podcasts in our network of shows. That said, I didn’t talk to any of their people while writing this essay. My recommendation is based solely on the Forrester Wave report and how Microsoft marketing teams explain XDR on their website.

Reading list.

6 APR 2020: 

CSOP S1E1: Your Security Stack is Moving: SASE is Coming.

  • Hash Table Guests: None
  • Link: Podcast
  • Link: Transcript
  • Link: Essay

11 MAY 2020:

CSOP S1E6: Cybersecurity First Principles

18 MAY 2020:

CSOP S1E7: Cybersecurity first principles: zero trust

26 MAY 2020:

CSOP S1E8: Cybersecurity first principles: intrusion kill chains.

01 JUN 2020:

CSOP S1E9: Cybersecurity first principles - resilience

08 JUN 2020:

CSOP S1E10: Cybersecurity first principles - DevSecOps

22 JUN 2020:

CSOP S1E12: Cybersecurity first principles - intelligence operations

20 JUL 2020:

CSOP S2E1: Security operations centers: a first principle idea.

27 JUL 2020:

CSOP S2E2: Security operations centers: around the Hash Table.

  • Hash Table Guests:
  • Don Welch: Interim CIO of Penn State University (1)
  • Helen Patton: CISO for Ohio State University (1)
  • Bob Turner: CISO for the University of Wisconsin at Madison (1)
  • Kevin Ford: CISO for the State of North Dakota (1)
  • Link: Podcast
  • Link: Transcript
  • No Essay

03 AUG 2020:

CSOP S2E3: Incident response: a first principle idea.

10 AUG 2020:

CSOP S2E4: Incident response: around the Hash Table. 

  • Hash Table Guests:
  • Jerry Archer - Sallie Mae CSO (1)
  • Ted Wagner - SAP National Security Services CISO (1)
  • Steve Winterfeld - Akamai Advisory CISO (2)
  • Rick Doten - Carolina Complete Health CISO (1)
  • Link: Podcast
  • Link: Transcript
  • No Essay

14 SEP 2020:

CSOP S2E9: Red team, blue team operations: a first principle idea.

21 SEP 2020:

CSOP S2E10: Red team blue team operations: around the Hash Table.

  • Hash Table Guests:
  • Tom Quinn: CISO - T. Rowe Price (2)
  • Rick Doten: CISO - Carolina Complete Health (3)
  • Link: Podcast
  • Link: Transcript
  • No Essay

16 NOV 2020:

CSOP S3E5: SOAR: a first principle idea.

23 NOV 2020:

CSOP S3E6: SOAR: around the Hash Table.

  • Hash Table Guests:
  • Rick Doten - CISO - Carolina Complete Health (4)
  • Kevin Ford: CISO for the State of North Dakota (2)
  • Kevin Magee: CSO Microsoft Canada (1)
  • Link: Podcast
  • Link: Transcript
  • No Essay

25 JAN 2021:

CSOP S4E3: Microsoft Azure via first principles

01 FEB 2021:

CSOP S4E4: Microsoft Azure via first principles Hashtable Interviews

  • Hash Table Guests:
  • Rick Doten, Carolina Complete Health CISO (5)
  • Mark Simos, Microsoft’s Lead Cybersecurity Architect 
  • Link: Podcast
  • Link: Transcript
  • No Essay

08 FEB 2021:

CSOP S4E5: AWS via First Principles

  • Hash Table Guests: None
  • Link: Podcast
  • Link: Transcript
  • Link: Essay

15 FEB 2021:

CSOP S4E6: AWS security via first principles Hashtable Interviews with

  • Hash Table Guests:
  • Merritt Baer, Principal Security Architect, Amazon Web Services (2)
  • Jerry Archer, CSO, Sallie Mae (2)
  • Mark Ryland, Director, Office of the CISO, Amazon Web Services
  • Link: Podcast
  • Link: Transcript
  • No Essay

22 FEB 2021:

CSOP S4E7: Google Cloud Platform via first principles

  • Hash Table Guests: None
  • Link: Podcast
  • Link: Transcript
  • Link: Essay

01 MAR 2021:

CSOP S4E8: Google Cloud Platform via first principles hash table interviews

  • Hash Table Guests:
  • Bob Turner, University of Wisconsin at Madison’s CISO (3)
  • Link: Podcast
  • Link: Transcript
  • No Essay

08 MAR 2021:

CSOP S4E9: Cloud Third Party Platform security via first principles

  • Hash Table Guests: None
  • Link: Podcast
  • Link: Transcript
  • Link: Essay

15 MAR 2021:

CSOP S4E10: Cloud Third Party Platform security via first principles Hashtable Interviews

  • Hash Table Guests:
  • Joakim Lialias, one of Cisco's product marketing directors. 
  • Ram Boreda, a Palo Alto Networks field CTO. 
  • Ashish Rajan, host of the "Cloud Security" podcast. 
  • Link: Podcast
  • Link: Transcript


“8 Things CISOs Want to Hear from XDR Vendors,” Jon Oltsik, ESG-global.com, 2021.

“A History Lesson on Security Logging, from Syslogd to XDR,” Raffael Marty, VentureBeat, 4 July 2021.

“A Log Management History Lesson – from Syslogd(8) to XDR,” Raffael Marty, YouTube, 18 May 2021.

“Cisco SecureX: Integrations and Partners,” Cisco, November 2021.

“Cisco Security and MITRE ATT&CK Enterprise: Outsmart cyber attackers when you know all their tricks,” Cisco, downloaded 17 November 2021.

“Cortex XDR: Detection and Response Lightboard Video,” Palo Alto Networks LIVEcommunity, YouTube, 27 April 2020.

“Cortex XDR Whitepaper,” Palo Alto Networks, 23 August 2021.

“CyberWire Podcast Directory,” The CyberWire, 2021.

“Does XDR Mark the Spot? 6 Questions to Ask,” Joan Goodchild, Dark Reading, 11 March 2021.

“Extending Detection, Investigation & Response across the Attack Surface with CrowdStrike and Hunters,” Chris Kachigian and Andrew Bryan, YouTube, 20 June 2021.

“How Integration Is Evolving: The X Factor in XDR,” Marc Solomon, SecurityWeek.com, 7 October 2021.

“Introducing FireEye Extended Detection and Response (XDR): A Flexible XDR Solution Born from the Front Lines of Threat Detection and Response,” Michelle Salvado, FireEye, 16 August 2021.

“Magic Quadrant for Network Firewalls,” Fortinet, November 2021.

“Market Guide for Extended Detection and Response: ID G00747261,” Craig Lawson, Peter Firstbrook, Paul Webber, Gartner, 8 November 2021, via McAfee, “What Is XDR? Extended Detection and Response,” 2020.

“List of Names for Groups of Animals,” YourDictionary.com, 2021.

“Microsoft Achieves a Leader Placement in Forrester Wave for XDR,” Rob Lefferts, Microsoft 365 Security (Microsoft Security Blog), 18 October 2021.

“Microsoft Defender | Extended Detection and Response (XDR) | Microsoft Ignite 2020,” Rob Lefferts and Jeremy Chapman, YouTube, 24 September 2020.

“Network Detection and Response (NDR) (Noun),” Rick Howard, The CyberWire, 21 September 2020.

“Prevention, Detection and Response across Endpoint, Network and Cloud,” Bitdefender.

“The Impact of XDR in the Modern SOC,” Dave Gruber and Jon Oltsik, ESG, November 2020.

“The Million-Dollar Question: Is Cisco SecureX the Same as XDR?” Jolene Tam, Cisco Blogs, 21 September 2020.

“Threat Intelligence in SecureX: Fast, Free, or Easy (Pick Any Three),” Ben Greenbaum, Cisco Blogs, 27 July 2021.

“Unravel the XDR Noise and Recognize a Proactive Approach,” Kathy Trahan, McAfee Blogs, 18 October 2021.

“What Is XDR? Extended Detection and Response,” Cisco, June 2021.

“What Is Open XDR?” Abby Thurman, ReliaQuest, 11 October 2021.

“What’s New in Gartner’s Hype Cycle for Endpoint Security, 2020,” Louis Columbus, Forbes, 31 August 2020.

“XDR 101: What’s the Big Deal about Extended Detection & Response?” Curtis Franklin, Dark Reading, 17 December 2020.

“XDR EDR: How VMware’s Integrations Re-Shape Protecting Your Assets,” Tom Corn, VMware, YouTube, 12 April 2021.

“XDR – Please Explain?” Rodman Ramezanian, REAL Security, 11 February 2021.