What is extended detection and response (XDR)?
Extended detection and response (XDR) solutions integrate and correlate data from multiple security products to provide better threat detection and response capabilities than these products can provide alone.
Most organizations today rely on numerous security tools to keep all their devices and environments secured against known and unknown threats. These include endpoint detection and response (EDR), firewalls, next-generation antivirus (NGAV), cloud workload protection platforms (CWPPs), identity and access management (IAM), and many more types of tools.
Until now, most of these tools have been siloed, making it difficult to correlate their data to track down and resolve configuration inconsistencies, vulnerabilities, and breaches. Many security teams are also burdened with more tools than they can handle and suffer from overload and alert fatigue.
XDR solutions gather threat data from all of these security tools and bring it together in a single console, giving one point of insight into endpoints, cloud workloads, networks, email, and more.
By consolidating and correlating all of this data, XDR security solutions give you a unified view of security incidents. This makes investigation and response much simpler for your security team and improves your overall security posture and incident response capabilities.
Why is XDR important?
The need for XDR is greater today than ever, for two reasons. First, the threat landscape has evolved dramatically, with more advanced and sophisticated threats emerging, which makes it harder to detect and respond to security incidents using traditional security tools. Second, most organizations are dealing with more complex environments, from Internet of Things (IoT) to operational technology (OT) and from bring-your-own-device (BYOD) to work-from-home, all of which make outdated perimeter-based paradigms irrelevant.
You need eyes everywhere, and that’s where XDR comes in, with a more integrated and comprehensive approach to security that lets you detect and respond to threats more quickly and effectively. The best XDR platforms give you a number of clear benefits:
- Better visibility. You need a comprehensive view of security events across your entire IT infrastructure: email, endpoints, servers, network devices, cloud workloads, and more. With a unified dashboard, XDR lets your security team detect and address threats faster and more effectively.
- Better threat detection. XDR uses advanced analytics and correlation to match up security events from multiple sources: from impacted hosts and root cause to indicators and timelines. This approach is especially valuable against today’s advanced, complex, and stealthy threats that traditional security tools might miss.
- Better incident response. XDR centralizes security event data and streamlines response with powerful automated workflows, including alerting and integrated multitool response actions. This streamlines the incident response process, letting your security team fight back more quickly and efficiently.
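The three benefits above come down to one mechanism: normalize events from several sources into a common schema, join them on shared entities (user, host, file hash, IP) within a time window, score the result so corroborated multi-source activity outranks isolated noise, and derive response actions from the entities involved. The Python below is an added illustration of that mechanism and is not code from any XDR product on this page; the event schema, field names, severity values, the two-hour window, the suppression threshold, and the sample telemetry are all constructed for the example.

```python
"""Toy cross-source correlation, the core of what an XDR console does."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry already normalised to one schema. Real products
# ingest each source in its native format; these field names are assumptions.
EVENTS = [
    {"src": "email", "ts": "2024-03-01T09:00:00", "user": "alice", "host": None,
     "hash": "ab12", "ip": None, "sev": 2, "msg": "attachment invoice.zip delivered"},
    {"src": "edr", "ts": "2024-03-01T09:04:00", "user": "alice", "host": "WS-017",
     "hash": "ab12", "ip": None, "sev": 4, "msg": "winword.exe spawned powershell.exe"},
    {"src": "firewall", "ts": "2024-03-01T09:05:30", "user": None, "host": "WS-017",
     "hash": None, "ip": "203.0.113.9", "sev": 3, "msg": "outbound to listed C2 IP"},
    {"src": "iam", "ts": "2024-03-01T09:20:00", "user": "alice", "host": None,
     "hash": None, "ip": "203.0.113.9", "sev": 3, "msg": "MFA push approved from new IP"},
    {"src": "edr", "ts": "2024-03-01T14:00:00", "user": "bob", "host": "WS-042",
     "hash": "cd34", "ip": None, "sev": 1, "msg": "unsigned driver installer seen"},
]
WINDOW = timedelta(hours=2)      # assumed correlation window
MIN_SCORE = 5                    # assumed threshold: weaker incidents are suppressed
ENTITY_FIELDS = ("user", "host", "hash", "ip")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=WINDOW):
    """Group events that share an entity within `window` (union-find over events).
    Returns incidents as lists of events in time order, earliest incident first."""
    events = sorted(events, key=_ts)
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(a, b):
        parent[find(a)] = find(b)

    last_seen = {}   # (field, value) -> index of the newest event carrying that entity
    for i, event in enumerate(events):
        for field in ENTITY_FIELDS:
            value = event.get(field)
            if value is None:
                continue
            key = (field, value)
            if key in last_seen and _ts(event) - _ts(events[last_seen[key]]) <= window:
                union(i, last_seen[key])
            last_seen[key] = i

    groups = defaultdict(list)
    for i, event in enumerate(events):
        groups[find(i)].append(event)
    return sorted(groups.values(), key=lambda g: _ts(g[0]))


def score(incident):
    """Severity sum plus a corroboration bonus for every extra independent source."""
    sources = {e["src"] for e in incident}
    return sum(e["sev"] for e in incident) + 2 * (len(sources) - 1)


def summarize(incident):
    """Root cause (earliest event), timeline, and the response actions implied by
    the entities involved. Actions are recommendations; nothing is executed."""
    entities = defaultdict(set)
    for event in incident:
        for field in ENTITY_FIELDS:
            if event.get(field) is not None:
                entities[field].add(event[field])
    actions = [f"isolate host {h}" for h in sorted(entities["host"])]
    actions += [f"disable user {u} and revoke sessions" for u in sorted(entities["user"])]
    actions += [f"block hash {h}" for h in sorted(entities["hash"])]
    actions += [f"block ip {i}" for i in sorted(entities["ip"])]
    return {
        "score": score(incident),
        "sources": sorted({e["src"] for e in incident}),
        "root_cause": incident[0]["msg"],
        "timeline": [(e["ts"], e["src"], e["msg"]) for e in incident],
        "actions": actions,
    }


def triage(events, min_score=MIN_SCORE):
    """Correlate, score, and drop low-fidelity incidents below min_score."""
    return [summarize(inc) for inc in correlate(events) if score(inc) >= min_score]


if __name__ == "__main__":
    for inc in triage(EVENTS):
        print(inc["score"], inc["sources"], "root cause:", inc["root_cause"])
        for step in inc["timeline"]:
            print("   ", *step)
        print("    actions:", "; ".join(inc["actions"]))
```

Run as written, the four events touching alice, WS-017, the attachment hash and the C2 address collapse into a single incident that scores 18 with the corroboration bonus, rooted at the delivered attachment, while bob's lone low-severity EDR alert scores 1 and is suppressed rather than surfaced. Shrinking the window to ten minutes splits the later IAM event into its own incident, which is the trade-off a correlation window setting controls: a wider window joins slow attacks but also joins unrelated activity on a busy host or account.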
Considerations when choosing an XDR platform
While there are many XDR solutions out there, not all offer the same capabilities. Here are some key questions you can ask vendors when evaluating their XDR security solution, based on five primary requirements.
Diverse, multi-domain security telemetry
XDR collects security data from various sources across your entire environment: endpoints, cloud workloads, networks, email, and more.
- What types of security telemetry can the solution collect and analyze?
- How does the solution integrate with existing security tools across different domains?
- Can the solution scale to handle large amounts of telemetry data from different sources?
Threat-focused event analysis
XDR uses threat intelligence and advanced analytics to identify and prioritize potential security threats based on real-time data.
- How does the solution identify and prioritize potential security threats?
- What type of threat intelligence does the solution use to detect threats?
- How accurate is the solution in identifying potential security threats?
Threat detection and alert prioritization based on data fidelity
XDR relies on accurate, relevant data to detect threats and prioritize alerts.
- How does the solution ensure the accuracy and relevance of security alerts?
- Can the solution prioritize alerts based on data fidelity and the severity of the threat?
- How does the solution handle false positives or inaccurate security alerts?
Data search, investigation, and threat hunting across multidomain telemetry
XDR’s unified console view provides unique insights that help you detect and respond to threats more easily.
- What data sources does the solution support for search and investigation?
- Does the solution provide a unified console to search and investigate security events across multiple domains?
- Can the solution provide real-time visibility into security events as they unfold?
Response to mitigate and remediate the threat
XDR solutions reduce the impact of a threat through remediation options like isolation, blocking, and other mitigation techniques.
- What types of automated response actions does the solution support and across which security domains?
- How does the solution handle false positives and ensure that legitimate activity is not mistakenly flagged as malicious?
- What kind of reporting and analytics capabilities does the solution offer?
What’s the best XDR solution for your organization? Beyond the basic features of an XDR platform, you’ll also want to look for the following advanced features, which will make identifying and resolving incidents far simpler for your team:
- Embedded threat intelligence
- Built-in security orchestration, automation, and response (SOAR) capabilities
- Strong EDR at its core
- Built-in identity protection
In the next section, we’ll explore solutions from the top XDR vendors to see how each stacks up in all these areas.
Top 10 XDR Solutions (listed by vendor)
- Falcon® Insight XDR by CrowdStrike
- XDR by Cybereason
- 365 Defender by Microsoft
- Cortex XDR by Palo Alto Networks
- Singularity XDR by SentinelOne
- Intercept X Endpoint XDR by Sophos
- Enterprise Cloud by Symantec (Broadcom)
- XDR by Trend Micro
- XDR by Trellix
- Carbon Black XDR by VMware
Falcon® Insight XDR by CrowdStrike
Austin, TX | 2011 | www.crowdstrike.com
CrowdStrike protects the people, processes and technologies that drive modern enterprise. A single agent solution to stop breaches, ransomware, and cyberattacks — powered by world-class security expertise and deep industry experience.
CrowdStrike Falcon Insight XDR is an AI-powered XDR solution that extends complete visibility and rapid response to threats beyond the endpoint and across your environment.
Vendor claim: “Easily synthesize cross-domain telemetry and activate extended capabilities with one unified, threat-centric command console.”
- Strong core EDR functionality and award-winning embedded threat intelligence
- Built-in SOAR and identity protection
- Award-winning platform regularly recognized by analysts and third-party tests
- Comprehensive visibility and protection across endpoints, networks, and cloud environments with purpose-built XDR integrations across email, firewall, identity, network detection and response (NDR) and secure service edge (SSE), which includes cloud access service broker (CASB) and web.
- Integrated Falcon and non-Falcon telemetry into one single command console
- AI-powered threat detection, real-time monitoring, and forensic investigation capabilities for faster incident response and reduced dwell time
- Single lightweight agent deploys in minutes and is immediately operational — no reboot required
XDR by Cybereason
Boston, MA | 2012 | www.cybereason.com
Cybereason provides endpoint detection and response solutions powered by AI and behavioral analytics.
Cybereason XDR is a security analytics platform that provides centralized visibility, detection, investigation, and response to threats across endpoints, servers, and cloud workloads.
Vendor claim: “A unified investigation and response experience that correlates telemetry across remote endpoints, mobile devices, cloud platforms, and applications to predict, prevent and end malicious operations.”
- AI-driven behavioral analysis creates visual “attack stories”
- Wide range of integrations: email, productivity suites, IAM, and cloud deployments
- Integration with Cybereason MalOp™ to analyze over 23 trillion security events a week
- Designed to effortlessly handle petabyte-scale data through integration with Google Cloud
- Correlates indicators of compromise (IOCs) and indicators of behavior (IOBs) to detect subtle signs of network compromise
- Operation-centric model is able to predict and proactively block attacks
365 Defender by Microsoft
Redmond, WA | 1975 | www.microsoft.com
Microsoft offers a range of security solutions, including Microsoft 365 Defender and Azure Defender, to protect endpoints, identities, and cloud environments.
Microsoft 365 Defender is an XDR solution that provides intelligent security and unified visibility across identities, endpoints, email, applications, and cloud services to detect and respond to threats.
Vendor claim: “Our combined SIEM and XDR solution enables SecOps teams to detect, investigate, respond to, and defend against threats with a fully integrated and comprehensive set of capabilities.”
- Built into the Windows operating system
- Integrates natively with other Microsoft security products’ SIEM and SOAR capabilities, along with collaboration tools like Outlook, Teams, SharePoint, and Exchange
- Allows for customized alerting and trend categorization for at-a-glance analysis
- Provides comprehensive protection on the front lines of email and endpoints
- Simplified rollout across all endpoints and automated threat prioritization
Cortex XDR by Palo Alto Networks
Santa Clara, CA | 2005 | www.paloaltonetworks.com
Palo Alto Networks provides a range of cybersecurity solutions including next-generation firewalls, cloud security, and threat detection and response.
Palo Alto Networks Cortex XDR is a cloud-based detection and response platform that unifies endpoint, network, and cloud security to quickly detect and prevent advanced threats.
Vendor claim: “The world’s first extended detection and response platform that natively integrates network, endpoint, cloud and third-party data to stop modern attacks.”
- Strong network capabilities
- Simplified deployment and integration
- Promises the most comprehensive endpoint security stack in the industry
- Blocks advanced malware, exploits, and fileless attacks
- ML-powered behavioral analytics across multiple data sources
Singularity XDR by SentinelOne
Mountain View, CA | 2013 | www.sentinelone.com
SentinelOne provides a range of security solutions including advanced threat detection and response solutions for endpoints, cloud workloads, and IoT devices.
SentinelOne Singularity XDR is a next-gen endpoint detection and response platform that uses AI to detect and respond to threats across all devices and networks.
Vendor claim: “Unifies and extends detection and response capability across multiple security layers, providing security teams with centralized end-to-end enterprise visibility, powerful analytics, automated response across the complete technology stack.”
- Patented behavioral AI provides autonomous tracking and response to cyberattacks
- Simple, easy-to-understand configuration
- High level of endpoint protection
- Full API integration and SOAR tools
- Flexibility and extensibility with no-code automation through Singularity Marketplace
XDR by Sophos
Abingdon, United Kingdom | 1985 | www.sophos.com
Sophos offers a range of security solutions, including endpoint, network, and cloud security and data protection.
Sophos XDR is a comprehensive solution that provides advanced threat detection and real-time response across endpoints, servers, and cloud environments.
Vendor claim: “The only XDR platform that combines native endpoint, server, firewall, cloud, email, mobile, and Microsoft Office 365 integrations.”
- Combines XDR with Sophos’ endpoint and server protection to block threats without requiring investigation
- Emphasizes data quality, scope of data, and range of sources for highly accurate threat detection, investigation, and response
- Combines on-device endpoint and server data with longer-term cross-product telemetry
- Relies on a data lake model to log, store, and preserve all key information and events for later analysis
Enterprise Cloud by Symantec (Broadcom)
San Jose, CA | 1982 | www.broadcom.com
Security veteran Symantec is now part of Broadcom, which provides enterprise security and information management solutions.
Symantec (Broadcom) Enterprise Cloud XDR is an AI-driven threat detection and response platform that provides real-time visibility and protection across endpoints, networks, and cloud environments.
Vendor claim: “Data-centric hybrid security for the largest, most complex organizations in the world – on devices, in private data centers, and in the cloud.”
- Broad-function security platform offering flexible hybrid security at enterprise scale
- Highly customizable for any specific requirements
- Provides protection even for unmanaged devices such as BYOD
- Imports and analyzes threat data from all Symantec (Broadcom) sources, including Symantec’s CASB, CloudSOC, Data Loss Prevention (DLP), and Secure Web Gateway (SWG)
- Provides visibility into user activity on more than 40,000 cloud services
XDR by Trend Micro
Tokyo, Japan | 1988 | www.trendmicro.com
Trend Micro offers a range of enterprise security software for everything from servers and containers to cloud computing environments, networks, and endpoints.
Trend Micro XDR is an AI-powered detection and response platform that provides real-time visibility, automated detection, and fast response across endpoints, email, servers, and cloud workloads.
Vendor claim: “First to deliver automated detection and response across email, endpoint, server, cloud workloads, and network.”
- Advanced vulnerability detection
- Risk index and risk insight tabs for deep security insights
- Feature-rich with constant and ongoing feature additions and improvements
- Provides coverage from native sensors, combined with third-party data inputs and feeds, Trend Micro XDR analytics, and detection models
- Focus on overall security posture by integrating XDR with attack surface risk management and zero trust tools
XDR by Trellix
Milpitas, CA | 2022 | www.trellix.com
Trellix may be the newest vendor on this list, but it leverages decades of expertise from its two merged companies: McAfee, a veteran security products vendor, and FireEye, which specialized in network security and sandboxing solutions.
Trellix XDR became the core focus of the newly merged company, bringing together endpoint, cloud, and other security capabilities of both FireEye and McAfee in a unified XDR platform.
Vendor claim: “A living XDR architecture that adapts at the speed of threat actors and delivers advanced cyber threat intelligence.”
- Identification of threats, along with their root cause, and ability to respond in real time
- Claims to be able to consolidate the highest number of native security tools for more effective threat sharing and correlation
- Access to over 1,000 data sources via third-party integrations
- Hybrid XDR integration approach (both native and open)
- Well-established and familiar vendor presence across all security tool segments
- One of the largest customer bases in the endpoint security market thanks to its McAfee and FireEye heritage
Carbon Black XDR by VMware
Palo Alto, CA | 1998 | www.vmware.com
VMware provides virtualization and cloud computing solutions for data centers, desktops, and mobile devices.
VMware Carbon Black XDR is a combination of Carbon Black endpoint detection and response capabilities and network connection visibility.
Vendor claim: “Achieve new results by preserving and extending the endpoint, workload, network, and identity contexts with VMware Carbon Black XDR.”
- Lateral security approach with added network connection visibility
- No changes required during deployment to infrastructure and endpoints
- Fleet model approach for using endpoints as a distributed network sensor
- Custom responses per a given system and ability to minimize the overall impact via other control points