
Things have certainly progressed since I started writing about XDR (extended detection and response).

There are more vendors claiming to offer XDR, far beyond just the endpoint detection and response (EDR) vendors. XDR now collects, processes, and analyzes telemetry from more data sources, like cloud access security brokers (CASB), SaaS applications, and identity and access management (IAM) systems. There are also at least three XDR ‘alliances’: one led by CrowdStrike; another that includes vendors like Exabeam, Extrahop, Mimecast, Netskope, and SentinelOne; and a third based on standards from the Open Cybersecurity Alliance, with participants like IBM and McAfee.

Yup, XDR is making progress by expanding its features and functionality. That’s a great start, but some vendors believe that XDR can cover the whole security operations center (SOC) technology enchilada, usurping the role of foundational technologies like security information and event management (SIEM), security orchestration, automation, and response (SOAR), and threat intelligence platforms (TIP) as organizations modernize their SOCs with more intelligence, automated workflows, and decision support for analyst processes.

So, while everyone is talking about XDR, no one is telling quite the same story. ESG offers this definition:

XDR is an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.


All rights reserved Jenson Knight.