Extended detection and response

Last updated

Extended detection and response (XDR [1] [2] [3] ) is a cybersecurity technology that monitors and mitigates cyber security threats. [4] [5]

Contents

Concept

The term was coined by Nir Zuk of Palo Alto Networks in 2018. [6]

According to Chapple, Stewart and Gibson, XDR is not so much another tool as the collection and integration of several concepts into a single solution, the components varying from vendor to vendor and often including NTA (network traffic analysis), NIDS and NIPS. [7]

According to Gartner: [8]

Extended detection and response (XDR) delivers security incident detection and automated response capabilities for security infrastructure. XDR integrates threat intelligence and telemetry data from multiple sources with security analytics to provide contextualization and correlation of security alerts. XDR must include native sensors, and can be delivered on-premises or as a SaaS offering. Typically, it is deployed by organizations with smaller security teams.

Gartner, 2023 Market Guide for Extended Detection and Response

The system works by collecting and correlating data across various network points such as servers, email, cloud workloads, and endpoints. [9] The data is then analyzed and correlated, lending it visibility and context, and revealing advanced threats. Thereafter, the threats are prioritized, analyzed, and sorted to prevent security collapses and data loss. The XDR system helps organizations to have a higher level of cyber awareness, enabling cyber security teams to identify and eliminate security vulnerabilities. [4] [10]

The XDR solution monitors the malware detection and antivirus capabilities of the endpoint detection and response (EDR) system and many extra cyber log sources to create greater context for Security Operations Center (SOC) teams to perform faster threat detection, investigation and response. XDR improves on the EDR capabilities to deploy high-grade security solutions by utilizing current technologies which proactively identifies and collects security threats, and employs strategies to detect future cyber security threats. It is an alternative to reactive endpoint protection solutions, such as EDR and network traffic analysis (NTA). [5]

See also

Related Research Articles

<span class="mw-page-title-main">SANS Institute</span> American security company

The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and auditing. The information security courses are developed through a consensus process involving administrators, security managers, and information security professionals. The courses cover security fundamentals and technical aspects of information security. The institute has been recognized for its training programs and certification programs. Per 2021, SANS is the world’s largest cybersecurity research and training organization. SANS is an acronym for SysAdmin, Audit, Network, and Security.

<span class="mw-page-title-main">Trend Micro</span> Japanese multinational cyber security company

Trend Micro Inc. is an American-Japanese cyber security software company. The company has globally dispersed R&D in 16 locations across every continent excluding Antarctica. The company develops enterprise security software for servers, containers, & cloud computing environments, networks, and end points. Its cloud and virtualization security products provide automated security for customers of VMware, Amazon AWS, Microsoft Azure, and Google Cloud Platform.

Fortinet, Inc. is a cybersecurity company with headquarters in Sunnyvale, California. The company develops and sells security solutions like firewalls, endpoint security and intrusion detection systems. Fortinet has offices located all over the world.

Data loss prevention (DLP) software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use, in motion, and at rest.

Network behavior anomaly detection (NBAD) is a security technique that provides network security threat detection. It is a complementary technology to systems that detect security threats based on packet signatures.

Secureworks Inc. is an American cybersecurity company. The company has approximately 4,000 customers in more than 50 countries, ranging from Fortune 100 companies to mid-sized businesses in a variety of industries.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is typically the core component of any security operations center (SOC), which is the centralized response team addressing security issues within an organization.

<span class="mw-page-title-main">Palo Alto Networks</span> American technology company

Palo Alto Networks, Inc. is an American multinational cybersecurity company with headquarters in Santa Clara, California. The core product is a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100. It is home to the Unit 42 threat research team and hosts the Ignite cybersecurity conference. It is a partner organization of the World Economic Forum.

Threat Intelligence Platform (TIP) is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources (such as system logs and threat intelligence feeds) and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform. TIPs can also use APIs to gather data to generate configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.

Vectra AI, Inc. is a cybersecurity company that uses AI for hybrid attack detection, investigation, and response (NDR) solutions. The company was established in 2012 and operates in 113 countries from its San Jose, California headquarters.

User behavior analytics (UBA) or user and entity behavior analytics (UEBA), is the concept of analyzing the behavior of users, subjects, visitors, etc. for a specific purpose. It allows cybersecurity tools to build a profile of each individual's normal activity, by looking at patterns of human behavior, and then highlighting deviations from that profile that may indicate a potential compromise.

Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of endpoint devices such as laptops, tablets, mobile phones, and other wireless devices to corporate networks creates attack paths for security threats. Endpoint security attempts to ensure that such devices follow compliance to standards.

The Co-Managed IT security service model entails security monitoring, event correlation, incident response, system tuning, and compliance support across an organization's entire IT environment. Co-Management allows organizations to collaborate with their managed security service providers by blending security expertise of the provider with the contextual knowledge of the customer to optimise security posture.

Javelin Networks is an Israeli Artificial Intelligence (AI) and cyber security software development organization. The organization develops A.I., obfuscation and advanced forensics methodologies, and has branches in Tel Aviv and Palo Alto (California).

<span class="mw-page-title-main">Anomali</span> American cybersecurity company

Anomali Inc. is an American cybersecurity company that develops and provides threat intelligence products. In 2023, the company moved into providing security analytics powered by artificial intelligence (AI).

Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), is a cybersecurity technology that continually monitors an "endpoint" to mitigate malicious cyber threats.

Security orchestration, automation and response (SOAR) is a group of cybersecurity technologies that allow organizations to respond to some incidents automatically. It collects inputs monitored by the security operations team such as alerts from the SIEM system, TIP, and other security technologies and helps define, prioritize, and drive standardized incident response activities.

Identity threat detection and response (ITDR) is a cybersecurity discipline that includes tools and best practices to protect identity management infrastructure from attacks. ITDR can block and detect threats, verify administrator credentials, respond to various attacks, and restore normal operations. Common identity threats include phishing, stolen credentials, insider threats, and ransomware.

Network detection and response (NDR) refers to a category of network security products that detect abnormal system behaviors by continuously analyzing network traffic. NDR solutions apply behavioral analytics to inspect raw network packets and metadata for both internal (east-west) and external (north-south) network communications.

Managed detection and response is a type of cybersecurity service providing customers with a cyberdefense technology and the associated remotely delivered human expertise. Those services help organizations monitor, detect, analyze and respond to advanced cyber threats. MDR is a form of managed security service (MSS).

References

  1. What is XDR? - Palo Alto Networks
  2. What is XDR? - Extended Detection and Response - Cisco
  3. "What Is Extended Detection and Response (XDR)?". Trellix.
  4. 1 2 "Gartner Top 9 Security and Risk Trends for 2020". www.gartner.com. Retrieved 2020-10-26.
  5. 1 2 "Understanding XDR Security: Complete Guide". Cynet. Retrieved 2020-10-26.
  6. Rubin, Kevin (2021-07-12). "What is extended detection and response?". Stratosphere Networks IT Support Blog - Chicago IT Support Technical Support. Retrieved 2022-07-29.
  7. Mike Chapple, James Michael Stewart, Darril Gibson (June 2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (9th ed.). Wiley. p. 49. ISBN   978-1-119-78623-8.{{cite book}}: CS1 maint: multiple names: authors list (link)
  8. "Untangling XDR: Our Take on the 2023 Gartner® Market Guide". www.trellix.com. Retrieved 2023-10-26.
  9. "What is Extended Detection and Response (XDR)".
  10. Oltsik, Jon (2020-06-08). "What is XDR? 10 things you should know about this security buzz term". CSO Online. Retrieved 2020-10-26.