Frequently asked questions about XDR

Learn exactly what extended detection and response is and how it improves SecOps efficiency

What is XDR?

Extended Detection and Response (XDR) technology integrates all of an organization’s security products to unify control points, security data, analytics and operations. XDRs harmonize multiple cyber security controls, such as endpoint, network and cloud data, correlating information to detect and investigate modern attacks.

ESG's Dave Gruber defines XDR as:

"An integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system."

Why has XDR become so important?

Security teams are facing two challenges:

  1. Fast-evolving threat actors, continuously changing tactics and a shift to multi-staged attacks. These attacks are harder to detect with traditional security information and event management (SIEM) systems or single-technology controls, so organizations need to adopt new, multi-technology detection controls to surface stealthy adversaries.
  2. Shortage of expertise: modern attacks require hard-to-find investigative expertise at scale.

XDR responds to both of these challenges and helps organizations win the fight against modern attacks with hard-to-find expertise and intelligence.

What is the difference between native, single-stack, hybrid and open XDR?

Many XDR solutions require organizations to replace existing security products with the vendor's own technology suite; this approach is commonly known as native XDR (or single-stack XDR). Native XDR may be a viable option for organizations that have not yet invested heavily in other security products or services, but those who are content with their investments in specific technologies may be forced to conduct a cost-benefit analysis before moving to a native XDR vendor. A native XDR may not only lock an organization into expensive tools; it can also leave the organization with limited detection capabilities because of weaker third-party tool support.

Hybrid XDR (or open XDR) solutions offer a vendor-agnostic approach. They integrate with existing security tools from multiple vendors, unifying their benefits within a single platform. Hybrid XDR allows organizations to use best-in-class products and take advantage of prior investments in security infrastructure.

How does XDR differ from a SIEM?

Security information and event management (SIEM) systems require rules to reduce the number of events, and the resulting output is unreliable and inconsistent. SIEM rules vary in quality, resulting in inaccurate or incomplete analysis. SIEMs require long deployment engagements and must be maintained over time as the threat landscape rapidly changes, which makes detecting incidents difficult. SIEMs are used for log storage and compliance use cases, and many traditional SIEMs do not focus on the endpoint, one of the most vulnerable threat surfaces.

XDR differs from SIEM by integrating with third-party security tools and threat intelligence and focusing on threat detection and incident response. XDR does not require rules to reduce the number of events consumed; instead, all events and alerts can be analyzed at scale. XDR applies automated and consistent decision-making to every alert or event it analyzes in order to detect actionable, malicious incidents. XDR is typically SaaS-based, so deployment is quick and easy and there is no solution to maintain.

How does XDR differ from a SOAR platform?

Security orchestration, automation and remediation (SOAR) platforms require programming by security engineers for data collection, correlation and enrichment. SOAR tools choke on large volumes of data, significantly reducing their ability to automate remediation.

XDR correlates real-time threat intelligence with security data without the need to create or maintain playbooks. XDR solutions scale to the largest environments, analyzing all events and alerts that are generated from sensors in the environment to provide better visibility and detect malicious activity. Hybrid XDR detection capabilities can complement SOAR, forwarding escalated alerts to automatically trigger playbooks for incident remediation.

How does Mandiant deliver XDR?

Mandiant Advantage is a software-as-a-service (SaaS) platform that offers a controls-agnostic suite of solutions to integrate and automate Mandiant expertise and threat intelligence into your environment. Regardless of your organization’s size or technology stack, you can use this platform to achieve Extended Detection and Response capabilities.
