By Anne Aarness, Senior Manager, Product Marketing, CrowdStrike
While the concept of extended detection and response (XDR) has grown popular in recent years, many security pros may not fully understand what the framework involves, what XDR does, or how it fits into their broader security strategy.
XDR evolved from a dire need to coordinate the value of siloed security tools across enterprise environments. As cyberattacks become more advanced — and alerts from security solutions grow — organizations need their security tools to work together. By bringing in telemetry from systems and applications across their entire IT security ecosystem, defenders can improve visibility and more quickly detect and respond to incidents beyond the endpoint.
XDR, which builds on endpoint detection and response (EDR), can collect security telemetry from endpoints, cloud workloads, network, email and other assets, then filters and condenses this information into a single console. The goal is to unify and streamline security analysis, threat detection, investigation, and remediation for security teams — but there are multiple ways to go about it.
Native XDR vs Hybrid XDR: What’s the Difference?
There are two primary approaches to design XDR: Native XDR and Hybrid XDR, sometimes referred to as Closed XDR and Open XDR, respectively.
Native XDR: Lock-In With A Single Vendor
Solutions built on a native XDR architecture use multiple security tools from the same security provider to form an all-in-one XDR platform. Native XDR may appeal to some security teams for a few reasons; for example, it can keep configuration complexity to a minimum by reducing the need to integrate a lot of disconnected tools — if the vendor has fully integrated the various components. The purchase process is simple, eliminating the need to buy from multiple vendors to implement XDR. Native XDR allows you to work with one trusted vendor to manage a diverse set of tools.
However, this approach has its drawbacks. Vendor lock-in is a big one: native XDR makes an organization fully dependent on one provider. If their existing tools don’t come from the XDR vendor they choose, they’ll have to replace them — an expensive and complicated process. Once locked in, the decision to switch vendors later becomes even more pricey and complex.
Native XDR requires reliance on a single vendor, which drives risk. It’s unlikely one vendor will provide sufficiently strong protection across the entire IT security ecosystem. This may lead to layering additional detection capabilities, which is unlikely to produce substantial benefits. No single vendor can promise to deliver all of the best-in-class security technologies needed to protect against today’s adversaries. High-quality tools and data are essential to produce high-quality XDR detections.
For these reasons, many organizations look to Open, or Hybrid XDR, for a more robust defense.
Hybrid XDR: The Agility of Choice
Hybrid XDR consolidates telemetry from relevant security and IT systems that hold meaningful threat data, aggregating cross-domain threat detection and response into a unified workstream. This approach gives security teams the agility of choice with the flexibility to determine the tools they want to use, enabling them to continue using the systems and applications they’ve already invested in.
A hybrid XDR model still relies on a core platform to manage and coordinate detection and response activities across an organization’s entire security ecosystem. This platform must seamlessly ingest diverse data sets, understand it, generate meaningful detections and make it available for analysts to efficiently triage, investigate and respond to cross-domain alerts. Hybrid XDR typically includes integration with a broad range of tools such as network detection and response (NDR), next-generation firewalls (NGFW), email security gateways, identity and access management (IAM), cloud workload protection platforms (CWPPs), and cloud access security brokers (CASBs), among others.
Best of Both Worlds: The Most Effective Security Stack
Which approach is better for your business?
Native XDR, while seemingly simple on the surface, may require replacing multiple tools to lock in with a single vendor and in doing so, create a lack of coverage in your cyber defenses if a chosen provider doesn’t fully meet your needs. Hybrid XDR, however, brings the best of both worlds by providing a robust, easy-to-use platform and an alliance of best-of-breed products.
Hybrid XDR allows you to continue working with tools from multiple vendors and integrate new and innovative technologies as they emerge. If you’re going to implement XDR, you must choose a platform that will deliver exactly what XDR is: extended detection and response, with a core foundation in EDR. Endpoint security is critical for either Native or Hybrid XDR to succeed, and a platform founded on endpoint detection and response will provide a strong base on which you can build your XDR strategy — extending the visibility, detection, and response beyond the endpoint and ultimately providing better protection for your enterprise.
Learn more about how XDR enables industry-leading extended detection and response.