Tech Perspectives

What You Should Consider About Extended Detection and Response (XDR)


I wrote about Managed Detection and Response (MDR) last year – yes, the year we don’t like to discuss much. I feel like I am talking about centuries ago, but I had just come home from RSA in San Francisco about this time last year. Little did I know, that would be my last in-person conference. Things have changed in the past year. People have changed, the way we work has changed, technology has changed, the world has changed (unless you are in Texas like I am, then some things are becoming normal again).

Technology changes all the time, but this past year it has moved faster than any one of us would have imagined possible. Organizations moved to the cloud and Digital Transformation quicker than ever before, driving organizations to rethink security and the next thing to implement.

Thinking back to my last in-person RSA conference, we always had to keep up with all the new buzzwords. Extended detection and response (XDR) was not immune to it, and as we moved on from 2020, XDR became even more prominent in the cybersecurity market. Therefore, it makes sense to discuss XDR and what it means from a services perspective.

What Does the “X” Mean?

First, we must recognize that many product vendors have evolved to create their own XDR products, just as they did with Endpoint Detection and Response (EDR), which was the precursor to MDR. To revisit, IDC defines MDR as a subset of Managed Security Services (MSS), which includes a combination of tools, technologies, procedures, and methodologies to provide a full cybersecurity life-cycle capability for an organization. Service providers can deploy MDR services utilizing a mixture of clients’ existing capabilities, partner-supplied cybersecurity tools or services, and private intellectual property. MDR services will include a 24X7X365 cybersecurity staff in a Security Operations Center (SOC).

With that said, we note that XDR normally will ingest and correlate various telemetry sources. We also note that while MDR providers started off by focusing on wrapping services around EDR and other security appliances, most if not all MDR providers now ingest various telemetry sources and wrap rapid response and mitigation capabilities around them. Now to discuss the “X” per se: we consider it extended detection and response, bringing in telemetry such as messaging, network, and cloud. The main point to understand from a services perspective is that the “X” means more telemetry can be brought in, but XDR still falls under the same umbrella as MDR.

What Does XDR Not Include Then?

I would be cautious of the terms being used interchangeably by the product vendor or MSSP. As a managed security service, the combination of security controls and tools could be considered MDR or XDR. From a vendor perspective, an XDR platform would not include a managed security service offering with it, and therefore you would not have that 24X7X365 monitoring, alert triaging, and response support. The 24X7 support would be done in-house by an organization’s own team utilizing XDR.

An MDR service typically contains the features that an XDR platform would provide, and in addition wraps services such as threat hunting, incident response through retainer, investigation, and forensics capabilities.

How Will This Help my Operational Efficiencies?

According to our Security ServicesView, the number one reason to invest in MSS is to improve performance and efficiencies: for detection and response, emergency security tools, 24X7 support, and to improve mean time to detect (MTTD) and mean time to respond (MTTR). For an MSSP implementing XDR, the ability to utilize an internal or partner-provided XDR platform as the technology backbone for its MDR service, wrapping the previously noted services around the XDR platform, is compelling.

As we look towards the future, we must consider that XDR will provide a platform that enables the ability to integrate more security functionality that will continue to help improve detection and response methods and security automation processes.

Do I Really Need it Now?

From an evolution standpoint, we believe that MDR is still the overall umbrella for now and can bring in a broad number of tools and technologies such as XDR, EPP, and EDR; it will depend on how the vendor is utilizing the term. From a holistic view, managed detection and response capabilities will need to include more visibility and work hand in hand to detect, then to respond rapidly and in coordination. In the future, more non-traditional telemetry will become crucial, and so the ability to correlate various telemetry streams into actionable alerts without flooding SOCs with false alerts will be imperative.
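The correlation idea above (several telemetry streams corroborating each other before a SOC is paged) is easy to show in a few lines. The following is an added example written for this post, not code from IDC or from any XDR vendor; the hosts, signal names, timestamps, the 30-minute window, and the two-source threshold are all constructed assumptions. Signals from endpoint, email, and network telemetry are grouped per host; a cluster becomes an alert only when at least two independent sources agree, and lone signals are kept as hunting context rather than raised as alerts.

```python
"""Cross-telemetry correlation sketch (added example, not vendor code).

Endpoint, email and network signals are grouped by host within a time
window. An alert is raised only when at least two distinct telemetry
sources corroborate each other; single-source signals are retained as
context for threat hunting instead of paging the SOC.
"""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: hypothetical hosts, signals and times.
EVENTS = [
    {"ts": "2021-03-01T09:00:10", "source": "email",    "host": "ws-17", "signal": "attachment_macro"},
    {"ts": "2021-03-01T09:02:30", "source": "endpoint", "host": "ws-17", "signal": "office_spawned_shell"},
    {"ts": "2021-03-01T09:03:05", "source": "network",  "host": "ws-17", "signal": "new_external_dns"},
    {"ts": "2021-03-01T11:45:00", "source": "network",  "host": "ws-22", "signal": "new_external_dns"},
    {"ts": "2021-03-01T14:10:00", "source": "endpoint", "host": "ws-09", "signal": "office_spawned_shell"},
    {"ts": "2021-03-01T18:10:00", "source": "email",    "host": "ws-09", "signal": "attachment_macro"},
]

WINDOW = timedelta(minutes=30)   # assumed: signals must land within this span
MIN_SOURCES = 2                  # assumed: distinct telemetry types needed to alert


def parse(ts):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(ts)


def correlate(events, window=WINDOW, min_sources=MIN_SOURCES):
    """Return (alerts, context).

    alerts:  one dict per host/window where >= min_sources telemetry
             types corroborate each other.
    context: single-source signals that did not meet the threshold.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse(e["ts"])):
        by_host[ev["host"]].append(ev)

    alerts, context = [], []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            start = parse(evs[i]["ts"])
            # evs is time-sorted, so the in-window events form a prefix of evs[i:]
            cluster = [e for e in evs[i:] if parse(e["ts"]) - start <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                alerts.append({
                    "host": host,
                    "start": cluster[0]["ts"],
                    "end": cluster[-1]["ts"],
                    "sources": sorted(sources),
                    "signals": [e["signal"] for e in cluster],
                })
            else:
                context.extend(cluster)   # keep for hunting; do not page
            i += len(cluster)
    return alerts, context


def noise_reduction(events):
    """Return (raw_signal_count, alert_count) to show the SOC-facing volume."""
    alerts, _ = correlate(events)
    return len(events), len(alerts)


if __name__ == "__main__":
    alerts, context = correlate(EVENTS)
    raw, fired = noise_reduction(EVENTS)
    print(f"{raw} raw signals -> {fired} alert(s); {len(context)} kept as context")
    for a in alerts:
        print(a)
```

Running the block turns the six constructed signals into one alert for ws-17 (email, endpoint and network telemetry within three minutes) while the three lone signals on ws-22 and ws-09 stay as context. In a real XDR or MDR deployment the entity key would typically be richer than a hostname (user, device, session), and the window and threshold would be tuned per signal type.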

New architectures that include multiple security capabilities will take time to consolidate, but we know there will always be more to do. Security is a journey that includes new concepts to consider, and future strategies to implement over time. Organizations should not get too caught up with the next silver bullet or buzzword because there will always be a new one.

Want to see more of the demand-side trends in security services procurement? Check out IDC’s Security ServicesView to prioritize your security services investments, value proposition messages, delivery mechanisms, and partnerships in the market.

Martha Vazquez

Senior Research Analyst, Infrastructure Services