The extended detection and response market is tipped to be one of the fastest moving security growth sectors in the next five years. Analysts forecast global revenues will exceed $3 billion by the end of 2026, with an annual growth rate of 56 percent, according to London-based research outfit Omdia.
Uptake is being propelled by the need for unified, enterprise-grade cybersecurity threat detection, investigation, and response capabilities across endpoints, networks, and cloud environments.
But there is another key driver - the difficulty and the cost of accessing specialist skills. To that end managed services are becoming an increasingly important part of the mix.
XDR is not a radical transformation but rather the next natural evolution beyond EDR (endpoint) and MDR (managed) detection and response, which themselves trace their antecedents back through to the antivirus world. So, it’s little wonder that companies like Trend Micro and Microsoft dominate Forrester's most recent wave research. Companies such as Palo Alto Networks, Sentinel One, CrowdStrike and Bitdefender meanwhile are identified as strong performers
For David Worthington, general manager, digital security and risk at Jemena, an energy utility that services millions of households and businesses each day, XDR was an extension of its existing approach. “In simple terms for me, it's extending what we are using for MDR — manage, detect, respond — outside the endpoint,” he said.
“That meant moving beyond just looking at a single host or a group of hosts to now include things like firewalls, cloud services, and web applications, all of those kind of things, and being able to detect and respond to things by those means generally via central console or something like that.
“The goal is to detect an intrusion and respond before the attacker is able to establish a beachhead. And move laterally across the organization.
“In doing that we hopefully avoid having a security incident at all. a way of us responding quicker before it gets to the host that we're trying to protect.”
The visibility of ransomware attacks in recent years has driven cyber security to the top of the risk registry for many organisations and there it remains according to Gartner’s most recent Gartner Business Quarterly report which tracks the priorities of CEOs and directors.
Security executives, analysts and security vendors identified a set of business case drivers and benefits although not all views were universal. Many managed Security Services Providers (MSSPs) were adamant in their view that the XDR and its predecessor EDR (Endpoint detection and response) are cruelling antivirus sales as companies prefer the more contemporary approach. CISO’s we spoke to were just as adamant in their disagreement.
CISOs meanwhile are sold on the value of a single pane of glass that correlates security telemetry from things like cloud workloads, applications, suites, and user personas, as opposed to EDR which focuses on securing endpoints.
But the analysts don’t necessarily agree about the relative value of that that's where the real ROI comes from.
Forrester's senior analyst Allie Mellen, for instance, told iTnews, that while there is value in the single pain of glass point of view, “The challenge is that for most XDR implementations they can provide you with a great view of the attacks that are happening. But if you're looking at all of the functions that the SOC (Security Operations Centre) does specifically around things like compliance.”
“XDR, isn't meant to address that use case. It's not meant to give you visibility into all the data that you could possibly need for every use case in the SOC, and as such, it can be a good place to go specifically for detection and response. But when it comes to other functions, you still need the SIEM (security information and event management) to some extent. Now XDR is definitely pulling away some of those use cases, but it's going to take time, especially since the industry isn't as mature as others.”
Instead, Mellen focuses on access to skills and related savings from outsourcing to service provers, as well as potential licencing savings.
According to Mellen, to effectively run a detection engineering function internally in a SOC, organisations need detection engineers, threat Intel managers, threat hunters, and potentially data scientists depending on the size of the organisations.
“These three roles are very specialised, they're very expensive, they're very difficult to hire for, and they're very difficult to retain. Most of them end up going to the security vendors themselves as opposed to the security team,” she said.
“Inevitably some members of the security team end up having to do this work even though it may not be their area of expertise.”
From an ROI perspective being able to outsource that functionality is a big cost savings, says Mellen. “Now you have a vendor who's actually doing that work.”
That’s the approach taken by energy utility Jemena’s Worthington, "The business case for us was really around improving our response time and developing new capabilities to stop new threats that that come along around."
“We use CrowdStrike for MDR and XDR. I now have an internal team who don't then need to run 24/7 to respond to these incidents,” he said.
“Like everyone, we've got issues trying to both attract and retain good staff. You can retain staff, but you want really good staff in the space. That's one of the key areas where we [and] everyone struggles.”
That single pane, again
While it might not the biggest ROI driver, there’s no doubt the idea of a single pane of glass remains appealing to CISOs.
That’s because of the limitations of discrete endpoint or network-based approaches, and because of the complexities inside virtualised environments, according to Darren Reid, VMware, director of security business unit.
“XDR is really endpoint protection and response as we know it and network detection and response, all pulled together in a single console,” he said.
“We see a lot of customers doing [who] have endpoint protection, which is we used to know as antivirus or next-generation antivirus.
“Instead of being signature-based, it's now behavioural based so we're looking for behaviours and activities rather than necessarily a “… a file that has a particular signature or code hash.
“And then network detection response they're tracing behaviour that are anomalous IP addresses or bad URL addresses and things like that.”
The risk, he says is that company ends up with a network team watching for bad URLs, and an endpoint team watching for bad behaviour on the endpoint, but with teams not necessarily communicating, meaning that each misses some important context.
“But more importantly, in a virtualized world a lot of the activity is happening inside these virtual containers,” Reid said.
"It never gets to the network, it never gets beyond the backplane. So, your network taps never see the behaviour and it's not on the endpoint either. It's somewhere in the workload.”
XDR rings visibility across all of these areas to the single pane of glass, he said.
“You're seeing everything from whatever's going on in the laptop or the endpoint. You're seeing everything that's going on in your network, including everything that's happening at a virtualized level, you're seeing what's going on between workloads. So, if the applications talking to one another, or talking to applications that they shouldn't be talking to.”
That kind of efficiency is appealing to security leaders.
Jemena’s Worthington, for instance, said the advantage of the solution his team uses is that, “Instead of having four or five different services to do some of these things and four or five different consoles, you've got everything in one place.”
Daminda Kumara head of security, Commonwealth Superannuation Corporation, said cyber security anomalies and cyber security attacks can be hard to detect, and describes the single pane of glass as being analogous to the experience of a pilot in the cockpit of a plane.
“For the pilot in the plane during the night it's pitch black, but they've got a cockpit that's giving them all the data where they can actually make the decision,” he said.
"So in my mind, our SecOps analyst and SecOps teams, or defence team is the XDR portal or platform. It is that cockpit.”
XDR should help the business reduce cost and complexity, says Fabio Fratucello, CTO APJ for CrowdStrike, “it’s about smoothing out the complexity from the technology stack to achieve the detection and response outcomes needed. This is essentially all to do with reducing operational cost and risks and that’s something that all executives and board members should be able to relate to.”
Fratucello says that as organisations reinvent themselves, they move through several technology and business transformations, with a goal to become more agile and digitised. “While these changes are expected to improve the business, they are also creating an extended surface that needs to be secured and monitored; the executive team sees technology layered above technology and there’s a real fear about how to secure it all.”
Implementation experience
Varun Acharya, the new CISO at Healthscope who has been through multiple XDR implementations, says moving from EDR, to XDR can be quite straightforward, although as always with technology, the devil is in the detail.
“Some tools have a step-up capability so you can basically step up from a traditional EDR and add an initial licence which gives you the initial feature set,” he said.
"That’s what we did at Healthscope and it made our implementation a lot easier.”
In terms of man hours and work required, Acharya said most of the effort was on the integration side of things.
He told iTnews: "In a relatively homogenous technology ecosystem, for example, one largely built on Cisco or Palo Alto products if you are using all of their screen tools then that part of the integration happens natively."
“You effectively benefit from the ecosystem talking to itself which saves a lot of integration headaches.”
It would be wrong, however, to characterise implementations as set-and forget.
“One of the challenges I’ve run into was really trying to understand how aggressive you want the tool to be,” he said.
"So, particularly in some systems such as business-critical data processing, if it detects malicious activity, you want it to be really sure before it takes evasive action, or you want it to alert first so you can be sure that it's not a false positive or that the risk is not overstated.
"That was probably the biggest challenge.”
To tackle this issue Acharya created separate policies for critical systems within the XDR tool.
Organisational change
As with many projects, technology is not always the biggest challenge. CISOs we spoke to stressed the need for organisational alignment around the goals.
Asked to identify the typical red flags that might emerge in governance oversight for an XDR implementation, Acharya said “I think the biggest one for me has been resistance to change.”
He said his experience is that resistance is less likely to come from the business that from IT.
“If you look at look at technology teams, unless you’re a telco or a bank or security a technology company, chances are your team has limited resources,” Acharya said.
"And the challenge has always been how do you prioritise the focus on something like XDR, which does its thing but isn’t really visible from a business perspective.
“Whereas your IT teams are competing for other resources to do the other things that the business wants, for example rolling out Office 365 which has really huge impact on an organisation's productivity.”
He said it is also important to provide assurances that once you start rolling out the tools you will be able to manage any disruptions the deployment causes deploying. "Having that hyper-care, that's really important.”
Having been through several implementations of XDR, Commonwealth Superannuation Corporation’s Kamara concurs one the importance of stakeholder holder alignment.
“Cybersecurity team is one team, and you need the support from your infrastructure team, your network team, your application teams, and so on,” he said.
“Before kick-off, we have a collaboration session. So, it's not a security project. It's an organisation project.”