Detection and Response
The XDR Payoff: Better Security Posture
As the extended detection and response (XDR) market grows and evolves, it is a good time to look at the positive outcomes, such as better security posture, experienced by organisations that have invested in these capabilities.
According to an ESG poll, more than half of security teams indicate that security operations are more difficult today than two years ago. These teams are currently confronted with an unprecedented wave of changes influenced by five major macro-trends:
- The attack surface within most organisations is rapidly expanding, overwhelming current tools and introducing additional vulnerabilities.
- The threat landscape is continuously evolving and growing in sophistication.
- The increasing adoption of cloud applications and services presents a challenge for existing security tools to keep pace.
- The migration to cloud infrastructure, combined with ongoing defence-in-depth security strategies, generates an overwhelming volume of alerts, telemetry, and noise.
- Security teams find themselves consumed by reactive, firefighting activities.
To cope with this situation, modern security teams need a solution to stay ahead of cyber threats. XDR presents a fresh opportunity to acquire the necessary leverage and address these challenges effectively.
Assessing the Detection and Response Landscape
ESG conducted an extensive survey targeting security and IT professionals who hold responsibility for their organisation's strategies, processes, and technologies related to detection and response. The respondents were exclusively located in North America (United States and Canada) and employed by organisations with 500 or more staff.
ESG research implemented a categorisation framework consisting of three cohorts, each representing different levels of XDR alignment. Level-3 denoted the companies that exhibited the highest alignment with XDR techniques.
Figure 4. XDR Alignment Maturity Model Distribution
Source: Enterprise Strategy Group, a division of TechTarget, Inc.
Before undertaking the research, it was hypothesised that those with the highest level of XDR alignment achieved a notable degree of aggregation, correlation, and analysis of data from various security controls, employing a highly automated approach.
What is XDR?
XDR expands EDR to cover multiple attack vectors such as endpoint, server, email, network, and cloud workloads. It optimises real-time threat detection, investigation, response, and hunting by unifying endpoint detections with telemetry from various security and business tools. XDR is a cloud-native platform offering flexibility, scalability, and automation.
While many in the industry view its main function as advanced threat detection, XDR provides security teams with flexibility, scalability, and opportunities for automation by:
- Unifying security-relevant endpoint detections with telemetry from security and business tools
- Employing advanced correlation and risk assessment to monitor and evaluate XDR detections, account compromise, vulnerabilities, anomalies, cloud activity, and threats
- Providing actionable risk insights to reduce the number of alerts in an environment
- Delivering intelligence guidance to synthesise vulnerabilities, risks, security controls, and overall posture
- Optimising threat detection, investigation, response, and hunting in real time
ESG has provided seven use cases to demonstrate organisations’ priorities when employing XDR.
Figure 2. Top 7 XDR Use Case Priorities
Source: Enterprise Strategy Group, a division of TechTarget, Inc.
XDR confusion
Despite XDR’s growing rate of adoption amongst security and IT professionals, confusion remains about its true purpose. According to ESG, 55% believe XDR is an extension of EDR, while 44% believe XDR to be either:
- A detection and response product from a single security technology vendor
- An integrated and heterogeneous security product architecture designed to interoperate and coordinate on threat prevention, detection, and response
This misunderstanding around these functions has led several organisations to employ a SIEM to do the job of XDR. Research from ESG reveals that many organisations feel their SIEM falls short of expectations. This may be due to the fact that organisations have tried to feed logs and extensive security telemetry into the SIEM, and then apply rules to uncover, investigate, and respond to threats. However, SIEMs frequently face difficulties in effectively correlating events, placing the burden on security analysts to manually piece together attack signals.
XDR increases security posture
As suspected, Level-3 organisations, which exhibit strong alignment with XDR, reported fewer successful attacks. According to ESG, they expressed confidence in their ability to detect and respond to threats and felt less strained compared to Level-1 and Level-2 organisations. Level-3 organisations also acknowledged the enhanced effectiveness of data correlation across multiple security controls, leading to various operational and security benefits.
In fact, ESG found that Level-3 organisations with high levels of alignment to XDR demonstrated improved results across nearly all areas, citing “significant improvement in threat/breach analysis, prioritisation of threats and alert fatigue, visibility into sophisticated attacks, and detection and response times.”
As noted in the graph below, Level-2 organisations achieved greater results than Level-1 organisations.
Figure 8. Organisations in Higher Alignment Are More Likely to Achieve Greater Improvements
Source: Enterprise Strategy Group, a division of TechTarget, Inc.
Data from ESG surveys have revealed that better correlation leads to better results. Level-3 organisations with high levels of alignment to XDR are 61% more likely to be highly effective at correlating data from different security controls than Level-1 and Level-2 organisations, with 50% of Level-3 organisations reporting that they are highly effective.
XDR = operational improvements
However, 63% of ESG respondents say that they can see room for improvement in overall data correlation. These advancements can be achieved by expanding investments into correlation rules, even with the application of automation.
To bridge this gap, numerous XDR solutions offer the promise of continuous and automated refinement of rules, leveraging extensive and up-to-date threat intelligence from the solution provider. ESG holds a preference for XDR solutions that offer this dynamic and ongoing update of detection rules and threat intelligence.
As this report shows, organisations that have invested in the correlation of data across multiple security vectors are able to detect and respond faster, handle more alerts, and improve their overall security posture. According to ESG, Level-3 organisations with high levels of alignment to XDR were 46% more likely than those with low levels of alignment to have achieved accelerated response times.
Figure 14. Integration and Aggregation Process for Security, Threat Detection, and Response Controls Data
Source: Enterprise Strategy Group, a division of TechTarget, Inc.
XDR delivers highly relevant alerts and visibility to all security teams, empowering them without the high cost and complexity associated with building a custom infrastructure to support it.
Figure 15. Operational Improvements Achieved from Effective Threat Data Correlation
Source: Enterprise Strategy Group, a division of TechTarget, Inc.
In fact, 72% of Level-3 organisations with high levels of alignment to XDR ignore less than 25% of alerts, compared to 65% of lower-alignment organisations that ignore more than 25% of alerts. For organisations that are already struggling to keep up, XDR offers an accelerated path to increasing both visibility and the ability to respond faster to threats.
Figure 16. Security Events/Alerts Ignored by Organisations
Source: Enterprise Strategy Group, a division of TechTarget, Inc.
Next steps
Read our report, “The XDR Payoff: Better Security Posture,” or our “Guide to Extended Detection and Response (XDR)” to learn about quantifiable positive business outcomes achieved by XDR adopters.