
Why does the XDR market exist?

  • Apr 06, 2021
  • Gorka Sadowski
  • 3 minutes to read


    The extended detection and response (XDR) market has emerged as a direct reaction to the current cybersecurity landscape. As many security vendors have started associating themselves with the XDR market, we’re launching this first post as a part of a blog series around XDR and the solutions associated with it. In this post, we’ll talk about the market trends and drivers that have created the necessity for the XDR category… and emerging SIEMs.  

    1. A fragmented enterprise, redefined perimeter and success of the cloud = explosive number of attack vectors and techniques 

    The modern enterprise, with complex business processes, distributed data storage and cloud apps has given rise to a myriad of cybersecurity threats, introducing new attack vectors and techniques for malicious actors to breach even the most protected organization. In this increasingly precarious environment, malware and threats proliferate – zero-days, social engineering, malicious insiders, and more all contribute to the need for solutions to defend organizations against it all. 

    2. Narrowly scoped security solutions in a fragmented security landscape cannot cover every attack vector 

    And because of the variety and dynamic nature of cyberattacks, the market has been inundated with numerous solutions and tools like firewalls, email security, CASBs, EDRs, web gateways, IPS, NDR, IAM… the list of acronyms goes on. Each security solution looks at a single (or sometimes several) attack channel or vector, but no single solution can cover everything. Supporting threat detection, investigation, and response (TDIR) in a cost-effective way is hard, as modern threats arrive through any number and combination of vectors and channels. 

    3. Traditional SIEMs have become unwieldy trying to address all types of security solutions 

    There’s already a category of solutions that helps combine and centralize the myriad of security solutions to look at everything in a broader scope: SIEMs. But traditional SIEMs fundamentally kept the same approach and architecture as they went through massive scope creep. And in the process, what was supposed to be a strength – the flexibility and customizability – has become a hindrance. Traditional SIEMs that are today trying to address many use cases using their older approach just keep getting more bloated, with many complicated features, knobs and dials to optimize. SIEMs are marketed as infinitely extensible and customizable. But traditional SIEM tools are hard to operationalize and tune, due to the number of variables and features that are available. Taking months to stand up a traditional SIEM solution and even longer to keep tuning and adding new rules is no longer a viable option.

    A breaking point – from traditional SIEMs, to XDRs and newer SIEMs 

    The reaction to all the above forces 1) has created the XDR category and 2) is forcing traditional SIEMs to adapt and innovate (stay tuned for a post soon on this topic).

    The premise is that an XDR is a SaaS-based turnkey TDIR tool that a security or IT team can switch on – and it works. This is accomplished by being a more prescriptive and narrow technology with a laser focus on achieving TDIR outcomes. Instead of spending time endlessly customizing the product to handle TDIR, analysts can immediately focus on threat detection and response across concerns like compromised credentials or malware, so as to return the organization to its known good state as efficiently as possible. XDR provides visibility across many important data sources — including endpoint, network, cloud, email, identity, IoT/OT, and others — to find threats missed by individual point solutions. XDR solutions are used to solve the threat investigation and response piece of the SOC mission, while the emerging SIEMs can do that and more… with a bit more complexity.  

    In future posts, we’ll delve deeper into what defines an XDR, use cases, and more. Feel free to let us know if there’s a topic around XDR that you’d like discussed. 

    Gorka Sadowski

    Chief Strategy Officer | Exabeam | Gorka Sadowski is Chief Strategy Officer at Exabeam. In his role, Gorka assists the executive team and functional leaders across the company with developing, communicating, executing, and sustaining corporate strategic initiatives. Gorka has more than 30 years of security experience spanning leadership roles across product management, sales, marketing, and operations. Most recently, he was senior director and security and risk management analyst at Gartner driving coverage for security information and event management (SIEM), security operation center (SOC), and managed detection and response (MDR), while also leading research for IT leaders on emerging topics. Prior to Gartner, he led business development at Splunk where he established and built the Splunk security ecosystem. Prior to Splunk, he established presence for LogLogic in Southern Europe, ran security activities for Unisys in France and launched the first partner-led intrusion detection and prevention system (IDPS) in the industry as lead for NetScreen’s Emerging Technology efforts. A certified CISSP, he received a computer science degree from Universite de Pau in France before moving to the U.S. as a Ph.D. candidate in network security at the University of Miami.
