Cybersecurity hype keeps building around XDR. So does confusion.

Proponents say that extended detection and response services have huge potential for improving security for customers – if only top industry players could agree on what XDR actually is.

XDR is now a focal point for virtually every major vendor in the security industry.

Illustration: Golden Sikorka/iStock/Getty Images Plus

In mid-2018, Nir Zuk, the founder and CTO of Palo Alto Networks, took the stage at a company event and introduced the world to a new type of cybersecurity product. In the four years since, his concept, which he dubbed "XDR," has swept through the industry. It's now a focal point for virtually every major vendor in the security industry.

In a recent interview, Zuk did not sound happy about the whole thing. Not at all.

XDR, which stands for "extended detection and response," revolves around the premise that security is most effective when all the data from across a customer’s IT environment can be correlated and analyzed together as a whole. It aims to accomplish this feat by bringing together all of a customer's systems and cybersecurity tools into a unified, integrated platform.

Certainly, the cybersecurity industry is notorious for its buzzwords and acronyms. But XDR is not your average security acronym: If you believe the leaders of many top players in the industry, XDR could be the architecture of the future for cybersecurity.

XDR is "the way to actually prevent damage from breaches, and the way to scale and deeply automate security with a scarce talent pool," said Wendy Thomas, president and CEO of Secureworks, which heavily focuses on XDR.

According to proponents, embracing an XDR-based approach can address many of the pressing issues that security teams face: the overload in alerts, difficulty in prioritizing threats, tool sprawl. As IT gets more complex, "it's becoming harder and harder for humans to operate cybersecurity," Zuk said.

However, he is far from thrilled with how others have adapted his idea. There are too many varying uses and misuses out there right now for “XDR” as a term — and in many cases, it's just a new label slapped on old products, Zuk argued.

"I think XDR, today, is just a term that different vendors use differently," he said, acknowledging that XDR has joined a long line of enterprise tech terms that have devolved into nebulous buzzwords.

Still, the high level of attention around XDR makes the confusion in the market a bigger issue than it might normally be. XDR is expected to see surging adoption in the coming years, with Gartner forecasting that 40% of organizations will be deploying the technology by 2027, up from 5% as of last fall.

"XDR is definitely something that we recommend organizations look into," said Patrick Hevesi, a vice president and analyst at Gartner, thanks to its ability to integrate more data feeds into detection and response efforts.

Thinking like a hacker

XDR aims to detect security issues across entire IT environments because that's how attackers operate: Hackers get inside one system operated by an organization, then move around to others during the course of an attack.

As the thinking goes, if you just look at the endpoint — or network, application or cloud infrastructure — you're only going to see a slice of what an attacker is doing. If you can view everything together, as XDR seeks to, then you have a better shot at stopping attacks such as ransomware at an early stage.

In other words, XDR is the security industry's answer to many of the questions that customers are asking as they grapple with an increasingly complex set of environments in 2022.

Most XDR vendors agree on all these reasons for why the approach is so promising. But from there, the question of how to define XDR gets more contentious.

"I firmly believe it's one of the most misused or abused terms in the industry," said Michael Sentonas, CTO at CrowdStrike, which made its name on endpoint detection and response (EDR) and announced its expansion into XDR last fall.

It's notable that so many of the biggest players in the industry are moving aggressively to offer some version of an XDR platform. In addition to CrowdStrike and Secureworks, Microsoft, SentinelOne, Mandiant, Trellix, Sophos, Cisco and VMware are among those who've joined Palo Alto Networks on the list of XDR platform vendors.

As of this writing, Protocol has identified 34 security vendors that are marketing XDR products, and there are likely many more. (The figure also excludes providers of managed XDR services.)

But at this stage, there is little agreement among industry players about what constitutes a "true" XDR — leaving it up to customers to figure out what's what.

"It's hard to talk about the term ‘XDR,’ because every organization defines it the way that they want. And industry analysts have not yet solidified, as a group, what the definition of XDR is," said Mandiant CTO Marshall Heilman.

Extending to new areas

When Zuk first revealed his notion of XDR four years ago, he chose the terminology to make a specific point: EDR, or endpoint detection and response, is not sufficient because attackers don't just target the endpoint. The same problem applies to detection tools just focused on the network, cloud or applications. In Zuk's original definition of XDR, the "X" stood for "anything" — as in, any type of system that a threat actor might leverage in an attack.

However, according to the consensus today, the “X” stands for "extended." As in, detection and response that extends past any one environment.

The industry's conception of XDR has also evolved in ways that are more consequential. For one thing, many vendors now offer XDR-branded products that also leverage data from third-party tools.

Platforms that use data from multiple vendors' tools are now commonly referred to as "open" or "hybrid" XDR. Offerings that use data from a single vendor's tools — such as Palo Alto Networks, Microsoft or Cisco — have come to be known as "native" XDR.

Both native and open XDR approaches can have their advantages, though much depends on how the vendor sets things up, said Forrester analyst Allie Mellen. Open XDR is touted as offering the flexibility to leverage existing security tools, bringing together data feeds from the products that customers have already invested in.

But that apparent advantage of open XDR could actually be a downside if the third-party tools are not integrated effectively, Mellen said.

"I question whether or not the detection quality is going to remain high, if they're just developing integrations willy-nilly and trying to support as many as possible," she said. The purpose of XDR is to better tailor and curate the experience for the security team, so managing integrations well is critical. "It has to be done with intentionality," Mellen said.

Ultimately, she is hesitant to say that open XDR is generally superior to native XDR. Some native XDR vendors have gained reputations for providing high-value detections, "because they know and understand everything in the environment," Mellen said. "They know all of the telemetry that's coming in. And they choose what telemetry is coming in. So I think it's a bit of a trade-off."

A related issue with open XDR is that, essentially, no single vendor is accountable for the security outcome from the use of the platform, said Frank Dickson, group vice president for Security and Trust at IDC.

If a customer chooses to secure their environment with an XDR platform that ties together tools from disassociated vendors via APIs, then the customer is accountable, Dickson said.

"That's one of the shortcomings of open XDR," he said. "By open XDR, what that fundamentally says is, the customer owns the outcome. The vendor doesn't own the outcome."

'Not being honest'

Zuk argues that there's an even bigger problem with open XDR. Such platforms give the impression that they can leverage data that they don't actually have, he says.

For instance, Palo Alto Networks is among the largest network security vendors, but "none of these [open XDR] vendors is using our data," Zuk said.

Ultimately, open XDR vendors "are not being honest when they say that they have the third-party data," he said. All of which means that the results for attack detection and response are inevitably going to be "sub-optimal," according to Zuk.

Wall panels reading "Singularity XDR Platform."

"[The XDR] buzz is outpacing the market," said Andrew Maloney, co-founder and COO at cybersecurity firm Query.AI.

Photo: Kyle Alspach/Protocol

An executive at another prominent native XDR vendor, Microsoft, made a similar point. Rob Lefferts, corporate vice president for Microsoft 365 Security, said that to be effective with XDR, "you have to actually deeply know the tool that you are investigating — you can't just dump in a bunch of data."

To Lefferts, the concept of open XDR seems to be no different from that of security information and event management (SIEM). And indeed, analysts have noted that a number of SIEM vendors have simply rebranded their products as XDR.

"I look at open XDR, and I'm like, 'Oh, you mean a SIEM? Is that what an open XDR is?'" Lefferts said.

Not surprisingly, executives at major providers of open XDR platforms would disagree.

While some open XDR platforms do have their origins as a SIEM, that's not universally true, said Secureworks Chief Product Officer Steve Fulton. His company touts its open XDR platform as being "purpose-built" for running detection and response across multiple environments.

Open XDR recognizes that most customers do not have tools from just one vendor in their environment and will prefer to leverage their existing investments, Fulton said. Most customers do not want to have to "rip and replace" their security tool set just to use XDR, according to Fulton.

"If you're a native XDR vendor and you're saying, 'You have to have our stack in order to get value out of XDR,' you're going to be pretty narrow in your scope. You're going to miss some things with that approach," Fulton said. "My view is, that approach is going to die away over time."

With an open approach to XDR, on the other hand, "we firmly believe it drives the best security outcomes for our customers," he said. "It's going to give you the widest possible aperture."

Endpoint advantage

At Trellix, the company formed through the merger of McAfee Enterprise and FireEye, CEO Bryan Palma pointed to XDR as the vendor's biggest opportunity looking ahead. In fact, the company's core strategy since its rebranding announcement in January has been to become the leading player in XDR by integrating both native tools and an open XDR approach.

XDR is "not next-gen SIEM. It's not next-gen endpoint [security]. It's broader. It's a platform," Palma said. "It's bringing together your capabilities to create a next-level architecture — which is very different than, 'This is the next SIEM.'"

That being said, there are certain elements that any XDR provider should be expected to offer, namely, endpoint detection and security operations capabilities, according to Palma.

"I just don't know how you're a viable player [in XDR] if you don't have an endpoint," he said. "I think to be a true XDR, you've got to have endpoint capabilities."

In terms of security operations, XDR should be able to automatically correlate security issues detected across different environments and present the findings to security analysts for further investigation, Palma said.

CrowdStrike's Sentonas goes a step further in his criteria for what constitutes true XDR: Not only should XDR be able to cut across all of a customer's environments, but there should be essentially no difference between the data coming in from different vendors' tools, allowing for detections that work effectively regardless of the data source.

"The problem we believe we should be solving with XDR is not to just bring in third-party data, but to actually do something meaningful with it, and that is to focus on automated detections," Sentonas said.

Doing this entails a concerted effort around ensuring that the security data "all works the same. It all looks the same. The language between all the vendors, if you will, is exactly the same," he said. The benefit is that machine learning models "should work the same way on another vendor's data as it does on ours."

Many XDR vendors, however, are not treating the data in this way, so they can't extend all of their native detection and response capabilities to third-party tools, Sentonas said.
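The two capabilities described above, automatic correlation across environments (Palma) and normalizing every vendor's telemetry into one common language before detection logic runs (Sentonas), as an added illustration that is not code from the article or from any vendor named in it. The three record formats, field names and hosts are constructed for the example; the normalizer maps them onto one schema, and the correlator raises a single incident when feeds from two or more different sources fire on the same host within a short window.

```python
"""Normalize multi-vendor telemetry to one schema, then correlate it per host."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    """Vendor-neutral schema: every feed is reduced to these fields."""
    ts: datetime
    source: str    # which environment produced it: endpoint, network, cloud
    host: str
    category: str  # neutral label such as "process_exec" or "c2_beacon"
    severity: int  # 1 (low) .. 5 (critical)


# Constructed sample records in three hypothetical vendor formats (not real products).
RAW_EVENTS = [
    {"vendor": "edr", "timestamp": "2022-06-14T10:00:05Z", "hostname": "ws-042",
     "event_type": "ProcessStart", "image": "powershell.exe", "score": 60},
    {"vendor": "fw", "time": 1655200820, "src_host": "ws-042",
     "sig": "Suspicious outbound beacon", "risk": "high"},
    {"vendor": "cloud", "eventTime": "2022-06-14T10:01:10Z", "sourceHost": "ws-042",
     "userIdentity": "svc-backup", "eventName": "ListBuckets"},
    {"vendor": "edr", "timestamp": "2022-06-14T13:30:00Z", "hostname": "ws-077",
     "event_type": "ProcessStart", "image": "notepad.exe", "score": 5},
]

SEVERITY_WORDS = {"low": 1, "medium": 3, "high": 4, "critical": 5}


def _iso(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize(raw: dict) -> Event:
    """Map each vendor's own field names and scales onto the common Event schema."""
    v = raw["vendor"]
    if v == "edr":   # 0-100 score -> 1..5 bucket
        return Event(_iso(raw["timestamp"]), "endpoint", raw["hostname"],
                     "process_exec", min(5, 1 + raw["score"] // 25))
    if v == "fw":    # epoch seconds and a word-valued risk field
        return Event(datetime.fromtimestamp(raw["time"], tz=timezone.utc), "network",
                     raw["src_host"], "c2_beacon", SEVERITY_WORDS[raw["risk"]])
    if v == "cloud":  # API audit record; low on its own, meaningful in context
        return Event(_iso(raw["eventTime"]), "cloud", raw["sourceHost"], "cloud_api_call", 2)
    raise ValueError(f"unknown vendor format: {v}")


def correlate(events, window=timedelta(minutes=5)):
    """Per host, chain events whose gaps are <= window into a session; a session
    that mixes two or more sources becomes one incident with a combined timeline."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    incidents = []
    for host, evs in by_host.items():
        session = [evs[0]]
        for e in evs[1:] + [None]:          # None flushes the final session
            if e is not None and e.ts - session[-1].ts <= window:
                session.append(e)
                continue
            sources = sorted({s.source for s in session})
            if len(sources) >= 2:
                incidents.append({"host": host, "sources": sources,
                                  "severity": max(s.severity for s in session),
                                  "timeline": [s.category for s in session]})
            if e is not None:
                session = [e]
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize(r) for r in RAW_EVENTS):
        print(inc)
```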

Automated response

A number of XDR vendors fall short when it comes to the "response" portion of extended detection and response, according to Nicholas Warner, president of Security at SentinelOne.

"That is the difference between XDR and SIEM," Warner said. "Anyone can generate an alert. Not just anyone can actually orchestrate a response — and then make that an automatic response and an effective response."

And that is where endpoint detection and response vendors have a natural advantage over "pure-play" XDR vendors, he said.

"In which way could a pure-play XDR vendor do execution control on a system as a response? And the answer would be, they wouldn't be able to," Warner said. "And that's pretty big. Because that is the 'R' in XDR."

Marketing about XDR was ubiquitous at the RSA Conference in San Francisco earlier this month. The only serious rival for the biggest buzzword at the conference was "zero trust" — which, like XDR, lacks an agreed-upon definition by the security industry.

But compared to zero trust, which is widely understood to be more of an architectural concept, XDR is actually a product in some cases. Increasingly, it's also being offered as a managed service, given the shortage of available security professionals to operate an XDR platform.

Andrew Maloney, co-founder and COO at cybersecurity firm Query.AI, which does not offer an XDR platform, said he thinks the idea of taking down silos between data and tying all systems together is the right goal for cybersecurity as a whole.

But whether you're talking about a "native" or "open" approach to XDR, "the buzz is outpacing the market," Maloney said.

"Now every big player claims an XDR capability," he said, "whether they have it or not."
