What is XDR?
XDR clearly, it is important to consider the endpoint security products from which XDR originates.
In the early days of the Internet and computing, traditional antivirus products (AV) were produced to protect endpoints. These were simplistic by modern standards.
For example, one of the most common approaches used by traditional AV to detect malware was “signature-based detection”. Each file has a unique signature and hash value, which meant that AV companies could keep a “library” of all known malicious malware and their associated signatures and hashes. Their AV products would then scan endpoints, and if they detected a file with a known malicious signature, they would block it.
AV products evolved to look for bad scripts and certain other strings and processes, but at its core it was still a case of matching specific information to files within their “libraries” of malicious signatures.
Despite the value of this, it was easy for attackers to bypass. All they had to do was make a single edit to a file that would change the signature and hash value so that it could avoid detection.
There was a need for something better, as traditional AV became less effective over time.
Endpoint Detection & Response (EDR)
EDR was the next development of AV. EDR tools still use signature-based detections to identify malicious files, but their capabilities have improved to deal with small tweaks that attackers make. For example, EDR products can use machine learning to detect the similarities of hash values between the “known” hash of some malware and a hash for malware which had been subtly modified. This is known as fuzzy hashing and humans would not be able to detect similarities between hashes.
More importantly, EDR products can also detect suspicious behaviours on endpoints, rather than just signature-based detections. This provides strong protection against threats and makes it much harder for attacks to succeed.
Crucially, EDR also gives defenders the ability to respond. Security professionals can manage their endpoints with a centralised EDR platform, which enables them to detect threats and vulnerabilities, stop attacks and remediate issues across their endpoints.
Extended Detection & Response (XDR)
XDR is an extension of EDR (hence the inclusion of “extended” in its name). While EDR can provide incident detection and response on endpoints, its capabilities do not extend across an organisation’s broader IT landscape, while XDR does.
It provides threat detection and response capabilities across end-user environments, cloud services, on-premise infrastructure and mobile devices. It unifies signals from multiple technology environments and attack vectors to provide security analysts with a “single pane of glass” for threat detection and response.
For example, with EDR, a security analyst might see an incident that tells them that malware has ran on a machine, but with XDR, they could see the phishing email that was clicked on, the malware download, and the network traffic logs of that machine, all automatically correlated and presented to them. It’s very powerful.