XDR is currently one of the “hot” topics in cyber security: Providers are presenting new solutions and offers, and as is so often the case, the new technology is presented as the ultimate solution. This is reason enough to take a look at the background and illuminate where the limits and possibilities lie with traditional SIEMs such as Splunk Enterprise Security.
What is XDR, where does it come from?
Until about 10 years ago, the protection of endpoints – workstations, notebooks and servers – was determined by the so-called Endpoint Protection Platforms (EPP). These solutions protect against malware using signatures from appropriate databases and block or allow applications, ports and target addresses with blacklists or whitelists. The collection of data from individual endpoints is then often done in a cloud-based environment, which analysts can access if needed.
Based on the EPP, Endpoint Detection and Response (EDR) then evolved around 2013, allowing for additional functionality such as assisting analysts in detecting relevant Indicator of Compromise (IoC) or incorporating threat intelligence information. Real-time alerts support analysts, as do functions for forensic investigations. An important criterion here is also the automatic elimination of detected faults, e.g. by isolating or deleting compromised files. In parallel with EDR, Network Detection and Response (NDR) then evolved to protect and monitor not only the endpoints themselves, but also the network infrastructure connecting the endpoints.
XDR is the latest stage of this development to date, focusing on fully automated detection and response as well as data sharing from endpoints, the network, the cloud and, for example, email systems. Here, therefore, the most important areas are brought together in one solution. The X in the acronym is interpreted differently:
- X for eXtended EDR or EDR++
- X for multiple layers or multiple products
- X as a variable for any data source such as endpoints, network, cloud, email
Implementing XDR: native or hybrid?
There are several approaches to implementing the XDR concept:
- So-called native XDR is often a product from a single vendor that offers a complete XDR solution with all aspects such as endpoint security, network security, cloud security and email security based on its own data pool, using methods such as threat intelligence, machine learning and automated response. Many of the well-known providers in the security field, such as Microsoft, Cisco, Fortinet, Sophos and Trend Micro, have already launched their own solutions.
- With the alternative Open XDR or Hybrid XDR, the security products of various providers send their data to a central data pool, which is accessed, for example, by a SIEM (Security Incident and Event Management), a UEBA solution (User and Entity Behavior Analytics) and methods such as machine learning or SOAR (Security Orchestration, Automation and Response). The XDR is then another layer in the respective system. Some providers also offer solutions in this area, such as SentinelOne, Exabeam or McAfee.
Comparing these two approaches, we can examine the following aspects:
||Open / Hybrid XDR
|Depending on the data collection of the XDR provider
||Flexible data collection from different manufacturers and technologies
|“Black box”, which usually does not allow data from other systems
||Open system that accepts data such as logs, but also threat intelligence information from a wide variety of sources
|Focused on the provider’s use cases. Since these often have a history in the EDR environment, the focus is often on endpoint-related use cases.
||Free selection of use cases, also and especially on the areas beyond endpoints.
|Evaluation of the data is limited to the data pool of the provider, the depth and exact design of the evaluation can usually not be influenced.
||Evaluation of data is very flexible, correlation across different technology and vendors is possible as well as integration with security frameworks (NIST, MITRE etc.) and coverage of all attack vectors.
XDR or SIEM: what do enterprises really need?
As is so often the case in IT, the answer is: it depends. Let’s look at a few typical statements on how XDR and SIEM position themselves:
- XDR is the death of traditional SIEMs
- XDR will not replace SIEMs, they are simply different tools
- XDR is not a SIEM. It can work together with it, but basically XDR are advanced EDR solutions.
- XDR is just a marketing term to help slightly modified EDR tools generate more revenue
- XDR is a sexy name under which an EDR vendor tries to sell its solution as a SIEM
- XDR can be used, if necessary, to send data from endpoints, from the network, from the cloud to the SIEM
- XDR cannot do many things that a SIEM can, e.g. store data for a long time and meet compliance rules.
We do not want to discuss the individual statements in detail here, but we quickly see that there are obviously very different assessments.
These are the points that some native XDR providers promote as advantages over traditional SIEM:
- Improved productivity of SOC analysts through more accurate detection
- Built-in automation
- Consolidation of security tools into a single solution
- Reduced complexity compared to individual security solutions
- Easier maintenance
If we contrast these approaches with a traditional SIEM such as Splunk Enterprise Security (ES) we will see that some aspects of XDR such as centralized collection of data from endpoints, network, cloud or email have been present in Splunk for years. Additional components such as Splunk Phantom (SOAR) for advanced automated response capabilities or Splunk UEBA for detailed, machine learning-based analysis of endpoint activities cover further functions of the XDR concepts.
Does this mean Splunk ES is an XDR solution? No, at least not if you follow the definition of Gartner, for example: … a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive
security operations system that: unifies all licensed security components . This definition is very much aimed at everything coming from the hand of one provider. Splunk, on the other hand, draws its strength, among other things, from the connection of all conceivable data sources from a wide variety of manufacturers as well as from the eco-system of partners, whose contributions help Splunk to succeed.
Conclusion: a very personal assessment
I don’t think XDR solutions will replace traditional SIEMs like Splunk Enterprise Security anytime soon. A Splunk ES built according to best practices has long been able to do almost everything that XDR vendors tout as new, and Splunk ES can do much more:
- The use of Splunk Cloud reduces the maintenance effort of customers to a minimum
- Automation is done either with on-board means of Splunk Core and Splunk ES, or for sophisticated scenarios with Phantom
- Machine Learning either in Splunk Core and ES, or for more advanced requirements with UBA provide automatic detection of anomalies at all levels
- The implementation of a Risk Based Alerting (RBA) contributes significantly to the reduction of false positives and thus to the relief of analysts
- Consolidation of numerous security tools in one interface has always been offered by ES, in the future more and more complemented by Splunk Mission Control as an overarching cloud-based user interface
- Splunk meets use cases such as fraud detection or compliance-based use cases that often cannot be addressed by XDR solutions
- Splunk can also use all other data sources for security applications, e.g. data from card readers, door controls or sensors of all kinds that can also provide security-related information
For smaller organizations that are at the very beginning of their security maturity, taking their first steps with cyber security systems, an XDR can be a good and quick way to get started. The low implementation effort and the strong, automated Indicator of Compromise (IoC) filtering with little manual effort to track incidents appears attractive. If the organization accepts being tied to a single vendor as a “black box” as well as a limited scope, then the organization should have potential XDR solutions highlight the following points in detail during the pre-sales process:
- What data contributes to the information security picture?
- Which use cases are covered out-of-the-box, how can more UCs be implemented?
- How can information about assets and identities be mapped?
- How can custom threat intelligence data be integrated?
Larger organizations with very detailed security use case requirements, or even those with existing security tools such as EDR, IPS, vulnerability scanning, anti-malware, etc., on the other hand, are almost certainly well advised to use a SIEM such as Splunk Enterprise Security. These organizations are unlikely to achieve their goals with an XDR, or they will not throw the investment in existing security infrastructure overboard to implement an XDR with limited functionality. XDR can be a useful data source and supplement to the SIEM as an extended EDR.
True to the motto of this article: Splunk ES + XDR – better together.
 Lawson, Craig, and Firstbrook, Peter: Innovation Insight for Extended Detection and Response. Gartner, refreshed April 2021