What is XDR? Security for Endpoints, Networks and Cloud in One System
Extended detection and response (XDR) solutions are a new attempt to integrate multiple security tools. They are designed to provide automated monitoring, analysis, detection and repair by integrating multiple products into one security solution. The goal of XDR systems is to improve accuracy of threat detection while improving the efficiency of security operations and remediation. Because the benefits of XDR are considered so promising, Gartner listed XDR as its top security trend for 2020.
XDR solutions can perform automated threat modeling, significantly improving detection and response capabilities, by unifying visibility and control of endpoints, networks, and security for cloud workloads. This increased visibility provides background information on threats and aids in remediation efforts. It can defend against not only known attacks, but also unknown future attacks.
XDR also provides integration between data sources and security operations. By collecting and analyzing data from multiple sources, it can validate the existence of threats, reduce false positives, and cut down the total number of alerts. If your security team focuses only on real threats, you can save valuable time.
XDR, similarly to SIEM, can organize data to provide unified visibility, but unlike SIEM, XDR is a collection of products merged into a single solution. XDR products typically include technologies such as Endpoint Detection and Response (EDR), threat intelligence and analysis, antivirus software, firewall, and data encryption.
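The cross-source validation described above (collecting telemetry from several products, confirming a threat only when more than one source corroborates it, and thereby cutting the alert count) can be illustrated with a small correlation routine. The following is an added example written for this article, not code from any vendor product it reviews; the source names (edr, ndr, cloud), field names, hosts and the ten-minute window are assumptions, and the telemetry records are constructed.

```python
"""Toy cross-source alert correlation in the style an XDR backend applies.

Constructed example, not code from any vendor product named in the article.
Sample events are invented; source names (edr, ndr, cloud) and field names
are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: one record per source alert. Host ws-17 shows up in
# endpoint (EDR), network (NDR) and cloud audit data within a few minutes,
# while ws-22 produces a lone EDR alert with no corroboration, and ws-17
# produces an unrelated network alert hours later.
EVENTS = [
    {"ts": "2024-05-01T10:00:05", "source": "edr",   "host": "ws-17", "signal": "suspicious_powershell"},
    {"ts": "2024-05-01T10:01:40", "source": "ndr",   "host": "ws-17", "signal": "dns_to_newly_registered_domain"},
    {"ts": "2024-05-01T10:03:10", "source": "cloud", "host": "ws-17", "signal": "new_iam_access_key"},
    {"ts": "2024-05-01T10:07:00", "source": "edr",   "host": "ws-22", "signal": "suspicious_powershell"},
    {"ts": "2024-05-01T14:30:00", "source": "ndr",   "host": "ws-17", "signal": "dns_to_newly_registered_domain"},
]

WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_ts(s):
    return datetime.fromisoformat(s)


def _make_incident(host, cluster):
    return {
        "host": host,
        "sources": sorted({e["source"] for e in cluster}),
        "signals": [e["signal"] for e in cluster],
        "start": cluster[0]["ts"],
        "end": cluster[-1]["ts"],
    }


def correlate(events, window=WINDOW):
    """Group events per host into time-windowed clusters (one cluster = one incident).

    Each incident records the host, the distinct sources that contributed,
    the member signals and the window bounds.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        cluster = []
        for ev in evs:
            # Start a new cluster once the event falls outside the window
            # that opened with the cluster's first event.
            if cluster and parse_ts(ev["ts"]) - parse_ts(cluster[0]["ts"]) > window:
                incidents.append(_make_incident(host, cluster))
                cluster = []
            cluster.append(ev)
        if cluster:
            incidents.append(_make_incident(host, cluster))
    return incidents


def validated(incidents, min_sources=2):
    """Keep only incidents corroborated by at least `min_sources` independent data sources."""
    return [i for i in incidents if len(i["sources"]) >= min_sources]


if __name__ == "__main__":
    inc = correlate(EVENTS)
    print(f"{len(EVENTS)} raw alerts -> {len(inc)} incidents -> {len(validated(inc))} validated")
    for i in validated(inc):
        print(i)
```

Run on the constructed input, five raw alerts collapse into three incidents, and only the ws-17 cluster seen by all three sources survives validation. The single-source alerts are not discarded in a real platform; they are held at lower priority, which is the mechanism behind the "fewer alerts for analysts" claim.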
Top XDR Solutions
1. Cortex XDR
Palo Alto Networks Cortex XDR integrates data from various sources, including endpoints, networks, and cloud environments. The solution unifies security detection, investigation, response, and prevention into one platform. This helps improve operational efficiency. When combined with Palo Alto’s Managed Threat Hunting service, Cortex XDR can offer around-the-clock coverage and protection against common attacks.
Cortex XDR deploys an agent that protects endpoints against various threats, including malware, fileless attacks, and exploits. It performs local analysis in combination with behavior-based protection, for the purpose of detecting and responding to unknown threats. To ensure consistent security across the organization, the agent works in collaboration with other Palo Alto offerings.
Cortex XDR continuously profiles user and endpoint behavior, attempting to identify evasive threats. The solution runs analysis on data from various sources, including third party feeds, for the purpose of discovering stealthy attacks aimed at both unmanaged and managed devices.
Additionally, the solution provides comprehensive information on each threat and can automatically discover the root cause of an attack. This can significantly accelerate security investigations.
2. Sophos Intercept X Endpoint Protection
Sophos provides cloud-native data security as a fully synchronized service. The Sophos XDR platform includes several solutions, including endpoint protection, next-gen firewall, public cloud visibility, managed services, and threat response.
Key features include:
- Malware detection powered by AI and deep learning.
- Unified console providing cloud-native protection for all devices.
- Managed threat response with 24/7 detection and response services, including threat hunting, and a team of human incident responders.
- Cloud Optix—a platform that provides public cloud visibility and threat response. The main advantage of this solution is that it helps organizations close hidden security gaps.
3. McAfee MVision XDR
McAfee MVision XDR provides advanced threat management based in the cloud. The solution offers coverage across the entire attack lifecycle, providing capabilities for prioritization, orchestration and response. MVision XDR also provides quick risk mitigation and threat analytics.
Organizations can use the solution to proactively respond to external threats. It offers predictions that can help teams determine whether their chosen countermeasures are effective. Additionally, MVision XDR unifies visibility and centralizes control access across all endpoints, networks and clouds.
MVision XDR offers automatic threat prioritization according to risk severity and impact. Incidents are assessed based on several criteria, such as data classification, user, device, and vulnerabilities, as well as any relevant threat intelligence.
In addition, MVision XDR offers managed detection and response (MDR)—a service that provides 24/7 managed threat hunting, advanced investigations, and alert monitoring. Another notable service is MVision Cloud Container Security—a cloud security platform that comes with container-optimized security strategies.
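The risk-based prioritization described for MVision XDR, where an incident's rank depends on data classification, user, device, vulnerabilities and threat intelligence rather than on detection severity alone, can be shown with a small scoring routine. This is an added example written for this article, not McAfee's model or code; the weights, field names, asset inventory, privileged-user list, indicator set and sample incidents are all constructed assumptions (the IP is from the documentation range and the domain is an RFC 2606 reserved name).

```python
"""Risk-based incident prioritization, illustrating the kind of scoring an XDR
platform performs. Constructed example; weights, field names and sample data
are assumptions, not any vendor's actual model.
"""

# Constructed context an XDR platform would pull from asset inventory,
# identity, vulnerability management and threat intelligence.
ASSETS = {
    "db-01":   {"data_classification": "restricted", "critical_vulns": 2},
    "ws-17":   {"data_classification": "internal",   "critical_vulns": 0},
    "kiosk-3": {"data_classification": "public",     "critical_vulns": 1},
}
PRIVILEGED_USERS = {"dba_admin", "domain_admin"}
THREAT_INTEL_IOCS = {"198.51.100.23", "malicious-updates.example"}  # constructed indicators

CLASSIFICATION_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed incidents as they might arrive from detection engines.
INCIDENTS = [
    {"id": "INC-1", "host": "kiosk-3", "user": "guest",     "severity": "high",     "indicators": []},
    {"id": "INC-2", "host": "db-01",   "user": "dba_admin", "severity": "medium",   "indicators": ["198.51.100.23"]},
    {"id": "INC-3", "host": "ws-17",   "user": "jdoe",      "severity": "critical", "indicators": []},
]


def score(incident, assets=ASSETS, privileged=PRIVILEGED_USERS, iocs=THREAT_INTEL_IOCS):
    """Combine detection severity with impact context into one risk score.

    Returns (score, reasons) so an analyst can see why an incident ranked
    where it did; unknown hosts fall back to a neutral asset profile.
    """
    asset = assets.get(incident["host"], {"data_classification": "internal", "critical_vulns": 0})
    reasons = []

    s = SEVERITY_WEIGHT[incident["severity"]] * 10      # base: detection severity
    reasons.append(f"severity={incident['severity']}")

    cls = asset["data_classification"]                  # impact: data at risk
    s += CLASSIFICATION_WEIGHT[cls] * 5
    reasons.append(f"data_classification={cls}")

    if incident["user"] in privileged:                  # impact: privileged identity
        s += 15
        reasons.append("privileged_user")

    if asset["critical_vulns"]:                         # exposure: open critical vulns
        s += 5 * asset["critical_vulns"]
        reasons.append(f"critical_vulns={asset['critical_vulns']}")

    matched = sorted(set(incident["indicators"]) & iocs)  # corroboration: threat intel
    if matched:
        s += 20
        reasons.append(f"threat_intel_match={matched}")

    return s, reasons


def prioritize(incidents):
    """Return incidents sorted highest risk first, annotated with score and reasons."""
    ranked = []
    for inc in incidents:
        s, reasons = score(inc)
        ranked.append({**inc, "score": s, "reasons": reasons})
    ranked.sort(key=lambda i: i["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for inc in prioritize(INCIDENTS):
        print(inc["id"], inc["score"], inc["reasons"])
```

With these constructed inputs the "medium" alert on the database server ranks first (privileged user, restricted data, open critical vulnerabilities and a threat intelligence match), ahead of the "critical" alert on an ordinary workstation. The reasons list is kept alongside the score because an opaque number is hard for analysts to trust or tune.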
4. Microsoft Defender
Microsoft 365 Defender offers prevention, detection and response to threats across multiple components, including various identities, applications, endpoints, email, Internet of Things (IoT), cloud platforms, and infrastructure.
Microsoft 365 Defender provides XDR powered by artificial intelligence (AI), which helps automate remediation and reduce the scope of manual SOC work. Additionally, it offers priority account protection, which saves security analysts time, helps them protect users who hold critical and high-level privileges, and helps prevent damaging phishing attacks.
Microsoft also provides Azure Defender, which offers XDR capabilities that help protect multicloud and hybrid environments, such as databases, virtual machines (VMs), containers, and IoT. It provides extended protection for SQL servers located in all environments—including on-premises and multi-cloud environments. It can also protect VMs located in other clouds (besides Microsoft Azure), and offers protections for containers, including continuous scanning of images in registries.
Azure Defender can discover misconfigurations and vulnerabilities in real-time. It delivers expert-level threat analysis and monitoring. It can help identify critical threats in the environment, and offers automated alert investigation and quick remediation of complex threats. Additionally, Azure Defender can block sophisticated malware and threats in cloud environments.
5. Trend Micro
Trend Micro Vision One is an XDR platform that collects and automatically correlates data from various sources, including emails, servers, networks, cloud workloads and other endpoints. This solution employs native sensors and protection points with XDR capabilities, providing visibility into threat activity across security layers and enabling quick detection of complex attacks.
Trend Micro XDR provides teams with comprehensive visibility into data, ensuring teams can quickly assess threats and respond in a timely manner. All information is provided in an organized manner, ensuring analysts can visualize the chain of events across all security layers. Analysts can also use the information to create a network traffic analysis or an execution profile.
In addition to the offered XDR capabilities, Trend Micro offers around-the-clock managed XDR services, including alert monitoring, threat prioritization, incident investigation, and threat hunting.
In this article I reviewed five leading XDR solutions that can take security operations to the next level. While each solution has its pros and cons, the choice of XDR solution will ultimately depend on your existing security stack and the level of integration available, which will allow you to leverage existing security investments. I hope this will be of help as you investigate the use of XDR in your organization.
About the Author
Gilad David Maayan
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.