
The Validation of Open XDR

  • Jun 29, 2022
  • Gorka Sadowski
  • 4 minutes to read


    A journey for an open, inclusive, and collaborative XDR 

    The extended detection and response (XDR) market continues to be a mess, and nobody can seem to agree on a common definition. I often say if you ask 10 people (buyers, vendors, and analysts) what XDR is, you’ll get at least 11 different answers. Look around; it seems like we have XDR vendors everywhere. In fact, Gartner is tracking hundreds of vendors claiming to be XDR solution providers. The conundrum seems to sum up as:   

    • Hundreds of vendors claim to have XDR products 
    • Like my ex-Gartner colleagues say, “When everything is XDR then nothing is XDR”  

    How about we bring some clarity to this? And yes, we’ll also discuss the XDR Alliance. 

    Genesis of XDR – basic supply and demand at work 

    From the demand side, XDR represents a symptom of the increasing market demand for simpler security operations tooling, delivered as a cloud service (ideally cloud-native). 

    From the supply side, XDR represents an escape route for point solutions with an uncertain future. As an example, endpoint detection and response (EDR) vendors are looking at an ever-growing share of endpoints being unmanaged, servers in data centers being replaced with containers in the cloud, and other trends that shift the focus away from endpoints. In a quest for relevance, these vendors appear to be force-fitting their particular offerings as the requisite foundation of XDR. 

    Despite all these vendors’ posturing, we believe that rooting XDR on a single technology or mandating XDR to be a single vendor stack is a flawed approach. 

    What is XDR? 

    XDR is really anchored along three imperatives:  

    1. Extended technology stack – An XDR needs to work across the heterogeneous set of technologies already deployed in organizations, which typically run anywhere between 15 and 30 security tools. XDR vendors should not mandate that organizations rip and replace their existing tooling in favor of their own. The notion of a single-vendor XDR is not realistic, and vendor lock-in is unacceptable.  
    2. Extended set of use cases – An XDR needs to deliver outcomes across an extended set of use cases such as external attacks (e.g., phishing, malware), as well as insider risk (e.g., compromised insiders, malicious insiders). To be effective against all of these use cases, an XDR rooted in one main technology is destined to fail (e.g., XDR = EDR++ is simply the wrong approach).
    3. Extended workflow along the threat detection, investigation, and response (TDIR) lifecycle – An XDR needs to drive the bulk of the extended TDIR workflow with minimal manual intervention, using a tightly integrated and automated process. XDR efficiency comes from unlocking collaboration between all of these technologies, using rich content aligned to 1) the organization’s existing technology stack, and 2) the use cases in scope. Remember, organizations expect XDR stacks that are simpler to use and operate, and that deliver more value out of the box. 

    The only possible XDR is Open XDR — an Open XDR that is collaborative and inclusive. 

    The differences between Open XDR and Security Information and Event Management (SIEM) 

    • XDR = a tool focused on TDIR 
    • SIEM = TDIR + log centralization + long-term log storage + compliance + searching + reporting + dashboarding 

    SIEM and XDR serve two different audiences. For lower-maturity end users, XDR can serve as a path to achieving TDIR. Larger and more sophisticated end users require a SIEM to deliver TDIR and to handle the large-scale data management requirements for compliance, threat hunting, and security operations reporting.  

    The work of the XDR Alliance 

    The era of closed and proprietary tools is behind us. The future of cybersecurity in general, and XDR in particular, is open, collaborative, and inclusive. To address end customers’ Open XDR needs, Exabeam helped organize a group of experienced security and information technology providers that support security teams to easily design and implement effective TDIR capabilities using the Open XDR approach. Thus, the XDR Alliance was born. 

    The XDR Alliance offers organizations clear and non-ambiguous definitions, reference architectures, a set of integrations, and other best practices to deliver on their XDR needs more easily, via a collaboration across three working groups. 

    1. Technical integration, where members have built a Common Information Model (CIM) that will be released as an open-source initiative at Black Hat in August 2022 on the one-year anniversary of the XDR Alliance. The next deliverable will be a set of APIs for bi-directional integration of the vendor categories. The XDR Alliance is also working on pre-integrating members’ technologies and providing prepackaged content for an easier and quicker path to value. 
    2. Thought leadership, offering vendor-neutral definitions, reference architectures, and collaboration with the broader community to promote open and inclusive XDR.
    3. Demand generation, for example with events promoting the XDR Alliance and its members, and showcasing the work accomplished. 
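    To make concrete why a common information model matters for the heterogeneous-stack and cross-tool-workflow points above, here is an added example (not XDR Alliance code and not the CIM the Alliance built). It normalizes two constructed vendor formats, an EDR process event in JSON and a firewall key=value log line, into one small common schema, then runs a single correlation rule against that schema. The schema fields, the vendor formats, the asset-inventory lookup, and the living-off-the-land binary list are all assumptions chosen for illustration.

```python
"""Illustrative common-information-model (CIM) normalizer.

Added example, not XDR Alliance code. The CimEvent fields, the two vendor
event formats, the asset inventory and the sample events are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class CimEvent:
    """Minimal common schema; every source must map into these fields."""
    ts: str                 # ISO-8601 UTC timestamp
    source: str             # producing tool category, e.g. "edr", "firewall"
    category: str           # "process", "network", "auth", ...
    action: str             # normalized verb, e.g. "process_start", "deny"
    user: Optional[str]
    host: Optional[str]
    src_ip: Optional[str]
    dst_ip: Optional[str]
    process: Optional[str]


# Constructed sample input in two hypothetical vendor formats.
EDR_EVENTS = [
    {"event_time": "2022-06-29T10:00:01Z", "hostname": "ws-042",
     "user_name": "alice", "proc_name": "powershell.exe", "evt_type": "PROCESS_START"},
    {"event_time": "2022-06-29T10:00:05Z", "hostname": "ws-042",
     "user_name": "alice", "proc_name": "certutil.exe", "evt_type": "PROCESS_START"},
]
FW_LINES = [
    "2022-06-29T10:00:03Z fw1 action=allow src=10.1.2.42 dst=203.0.113.7 dport=443 proto=tcp",
    "2022-06-29T10:00:06Z fw1 action=deny src=10.1.2.42 dst=198.51.100.9 dport=4444 proto=tcp",
]
HOST_BY_IP = {"10.1.2.42": "ws-042"}   # constructed asset-inventory lookup

_KV = re.compile(r"(\w+)=(\S+)")


def normalize_edr(evt: dict) -> CimEvent:
    """Map the hypothetical EDR JSON format onto the common schema."""
    return CimEvent(ts=evt["event_time"], source="edr", category="process",
                    action=evt["evt_type"].lower(), user=evt.get("user_name"),
                    host=evt.get("hostname"), src_ip=None, dst_ip=None,
                    process=evt.get("proc_name"))


def normalize_fw(line: str) -> CimEvent:
    """Map the hypothetical firewall key=value line onto the common schema.

    The firewall only knows IPs, so the host is enriched from the inventory;
    that enrichment is what lets a network event join an endpoint event.
    """
    ts, _device, rest = line.split(" ", 2)
    kv = dict(_KV.findall(rest))
    return CimEvent(ts=ts, source="firewall", category="network", action=kv["action"],
                    user=None, host=HOST_BY_IP.get(kv["src"]), src_ip=kv["src"],
                    dst_ip=kv["dst"], process=None)


def normalize_all(edr_events, fw_lines):
    """One time-ordered stream regardless of which vendor produced each event."""
    events = [normalize_edr(e) for e in edr_events] + [normalize_fw(l) for l in fw_lines]
    return sorted(events, key=lambda e: e.ts)


def _secs(ts: str) -> float:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def detect_lolbin_then_denied_egress(events, window_s=60):
    """Rule written once against CimEvent: a living-off-the-land binary starts
    on a host, and within window_s the firewall denies egress from that host.
    Adding a third vendor needs a new normalize_* function, not a new rule."""
    lolbins = {"certutil.exe", "mshta.exe", "regsvr32.exe"}   # illustrative list
    alerts = []
    for i, e in enumerate(events):
        if e.category != "process" or (e.process or "").lower() not in lolbins:
            continue
        for later in events[i + 1:]:
            if (later.category == "network" and later.action == "deny"
                    and later.host == e.host
                    and _secs(later.ts) - _secs(e.ts) <= window_s):
                alerts.append({"host": e.host, "user": e.user,
                               "process": e.process, "dst_ip": later.dst_ip})
    return alerts


if __name__ == "__main__":
    for alert in detect_lolbin_then_denied_egress(normalize_all(EDR_EVENTS, FW_LINES)):
        print(alert)
```

The point of the shape is that detection content depends only on `CimEvent`, so the organization's existing EDR and firewall keep their native formats and only the thin normalizers are vendor-specific. Real deployments also need the schema to carry a source-event reference so an analyst can pivot back to the raw record during investigation.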

    Delivering a more open and inclusive future 

    Why force customers into a locked architecture and penalize them for investing in top cybersecurity technologies? The vision of XDR can only be achieved as a vendor-neutral effort, and Open XDR is the answer. The entire industry benefits from this approach based on openness, choice, collaboration, and inclusion.  

    The efforts of the XDR Alliance represent a step in the right direction and benefit end users in the most compelling manner. With a collaborative model that embraces openness, the work of the XDR Alliance stands alone to build a more cohesive future. By releasing a Common Information Model (CIM) as an open-source initiative and coordinating the definition of a set of APIs for easier product integrations, the promise of Open XDR is quickly becoming a reality. 

    Gorka Sadowski


    Chief Strategy Officer | Exabeam | Gorka Sadowski is Chief Strategy Officer at Exabeam. In his role, Gorka assists the executive team and functional leaders across the company with developing, communicating, executing, and sustaining corporate strategic initiatives. Gorka has more than 30 years of security experience spanning leadership roles across product management, sales, marketing, and operations. Most recently, he was senior director and security and risk management analyst at Gartner driving coverage for security information and event management (SIEM), security operation center (SOC), and managed detection and response (MDR), while also leading research for IT leaders on emerging topics. Prior to Gartner, he led business development at Splunk where he established and built the Splunk security ecosystem. Prior to Splunk, he established presence for LogLogic in Southern Europe, ran security activities for Unisys in France and launched the first partner-led intrusion detection and prevention system (IDPS) in the industry as lead for NetScreen’s Emerging Technology efforts. A certified CISSP, he received a computer science degree from Universite de Pau in France before moving to the U.S. as a Ph.D. candidate in network security at the University of Miami.
