Security professionals want attack surface coverage, more accurate alerts and a centralized management hub from extended detection and response — or any other security operations technologies.
The term extended detection and response has been around for a few years, but users remain confused about what XDR is and what it isn’t. Some think it’s an extension of endpoint detection and response; some think it’s an integrated suite of detection and response products from a single vendor; and some think it’s an open architecture.
I’ve had my share of arguments and Twitter battles on this topic, but I realize now that none of this passionate industry doctrine matters. XDR means different things to different vendors and users. Want integrated XDR? It’s available from several vendors. Want email security telemetry as part of an XDR product? Some vendors can meet this requirement. Want an open option that builds on top of existing security controls and analytics systems? Ditto.
This industry definitional dogma has become a bit of a distraction. Simply stated, XDR exists because security teams need more from their threat detection and response processes and technologies. This fact is clearly revealed in recent Enterprise Strategy Group research on XDR and security operations center (SOC) modernization that found 85% of organizations plan to increase spending on threat detection and response over the next 12 to 18 months. Clearly, something they’re doing now isn’t working well.
What security pros want from XDR
Rather than arguing over XDR definitions, the security community should instead focus on desired SOC outcomes. To that end, we asked 381 security pros what XDR outcomes would be most important for their organizations. The research revealed the following:
- Thirty-six percent of respondents want XDR to extend and enhance threat detection and response capabilities across a growing attack surface. Beyond endpoints, networks and security technologies, SOC teams want XDR to collect, process and analyze security telemetry from threat intelligence, cloud workloads, identity repositories, IoT devices and so on. SOC teams want XDR to be wide and deep.
- Thirty-three percent want XDR to improve the accuracy and prioritization of security alerts, making it easier to triage and respond to events. In other words, SOC teams want XDR to detect ongoing attacks, not atomic security events.
- Twenty-nine percent want XDR to create a centralized management hub for security operations. SOC teams want a unified workbench rather than a potpourri of UIs and dashboards from different tools. This alone could bolster process efficiency and staff productivity.
- Twenty-six percent want XDR to improve the mean time to detect and respond to threats. Apparently, they aren’t satisfied with their current performance and hope XDR can act as a force multiplier.
- Twenty-five percent want XDR to help them detect unknown advanced threats often missed by existing threat detection tools. This requires improved analytics, better alerting and a MITRE ATT&CK perspective on adversary campaigns, as well as the tactics, techniques and procedures used.
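To make the second and fifth outcomes concrete (alerts on ongoing attacks rather than atomic events, framed in ATT&CK terms across several telemetry sources), here is an added illustration that is not from the article or from any vendor's product: a small correlator that groups detections by entity inside a time window and promotes a cluster spanning several ATT&CK tactics into one campaign-level alert. The telemetry sources, rule names, tactic labels and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample detections from three telemetry sources (identity, endpoint,
# cloud). Rule ids and ATT&CK tactic labels are illustrative assumptions.
EVENTS = [
    {"ts": "2022-12-01T09:00:00", "source": "identity", "entity": "alice", "rule": "impossible_travel", "tactic": "Initial Access"},
    {"ts": "2022-12-01T09:04:00", "source": "endpoint", "entity": "alice", "rule": "office_spawns_powershell", "tactic": "Execution"},
    {"ts": "2022-12-01T09:09:00", "source": "endpoint", "entity": "alice", "rule": "new_scheduled_task", "tactic": "Persistence"},
    {"ts": "2022-12-01T09:15:00", "source": "cloud", "entity": "alice", "rule": "bulk_storage_download", "tactic": "Exfiltration"},
    {"ts": "2022-12-01T11:00:00", "source": "endpoint", "entity": "bob", "rule": "office_spawns_powershell", "tactic": "Execution"},
]


def _flush(cluster, min_tactics, campaigns, atomic):
    """Promote a cluster to a single campaign alert if it spans enough distinct
    ATT&CK tactics; otherwise keep its members as low-priority atomic events."""
    tactics = sorted({e["tactic"] for e in cluster})
    if len(tactics) >= min_tactics:
        campaigns.append({
            "entity": cluster[0]["entity"],
            "start": cluster[0]["ts"],
            "end": cluster[-1]["ts"],
            "sources": sorted({e["source"] for e in cluster}),
            "tactics": tactics,
            "severity": "high",
        })
    else:
        atomic.extend(cluster)


def correlate(events, window=timedelta(minutes=30), min_tactics=3):
    """Group detections per entity (user or host) into time-windowed clusters
    and return (campaign_alerts, atomic_events)."""
    by_entity = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_entity.setdefault(e["entity"], []).append(e)
    campaigns, atomic = [], []
    for evs in by_entity.values():
        cluster = []
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            # Start a new cluster once the window since the first event expires.
            if cluster and t - datetime.fromisoformat(cluster[0]["ts"]) > window:
                _flush(cluster, min_tactics, campaigns, atomic)
                cluster = []
            cluster.append(e)
        if cluster:
            _flush(cluster, min_tactics, campaigns, atomic)
    return campaigns, atomic
```

Running `correlate(EVENTS)` yields one high-severity campaign for alice spanning identity, endpoint and cloud telemetry, while bob's lone PowerShell detection stays an atomic event for lower-priority triage.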
Threat detection and response is business critical but remains fraught with complexities and challenges. For these reasons alone, we’ll see a lot of threat detection and response investment and activity in 2023. Security technologies that help organizations improve threat detection and response efficacy and operational efficiency will be welcomed with open arms. It really doesn’t matter what we call them.
Enterprise Strategy Group is a division of TechTarget.
This was last published in December 2022