iTWire talked to McAfee director of systems engineering Sahba Idelkhani about the issues.
An EDR (endpoint detection and response) system is, as the name suggests, endpoint specific. The idea was to spot malware by what it does on the host, for example making unusual API calls, rather than by what it looks like.
Detections would be passed to an analyst for examination and investigation.
While this was an improvement on relying on signature detection, it is still inherently an 'after the event' process.
Another shortcoming, Idelkhani says, is that EDR only provides a partial view of what happened. It does not show what led up to the detection, such as the user opening an email or connecting a USB storage device. Nor does it reveal whether other users were similarly affected.
So XDR was developed to combine multiple security tools into one system.
According to Gartner, "Extended detection and response describes a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components."
The analyst firm says there are three key elements to XDR: centralisation of normalised data, correlation of security data and alerts into incidents, and a centralised incident response capability that can change the state of individual security products as part of incident response or security policy setting.
This, according to Idelkhani, means the components of an XDR system need to come from a single vendor with native integration, rather than a cross-vendor approach using APIs for integration.
Such a single-source approach gets around the need to write custom rules to make sense of the data ingested by a SIEM, as an XDR provides off-the-shelf dashboards for security analysts, making implementation and operation quicker and easier.
After all, mean time to detection and mean time to response are usually key metrics for a security operations centre.
This does not mean data from third-party tools can't be used with an XDR, Idelkhani said. McAfee Mvision XDR includes hooks for such tools.
Another important part of an XDR is that it should at least partly automate the response – after all, that's what the R stands for.
Such responses can take the form of blocking IP addresses or blacklisting URLs, for example.
While security orchestration, automation and response (SOAR) systems provide a basis for automating responses in a multivendor environment, they have not been widely adopted because of the skills required to make them work, he said.
"The integrations are only available for threats that are quite common."
SOAR has a part to play, Idelkhani conceded, which is why McAfee acquired Syncurity, but it makes life easier if SOAR functionality is included in XDR.
McAfee's overall approach is that as much as possible should be blocked by the SOC due to the amount of effort needed to remediate a system after it has been attacked, even if the fix is something as commonplace as reimaging an infected notebook.
This proactive approach means fewer 'fires' break out, so SOC analysts are better able to respond quickly to those that do.
Another benefit is that an XDR is likely to detect a given underlying issue in several ways, thus reducing the risk of false positives and helping draw attention to what may be considered in isolation as a minor issue, but which the broader context shows to be more serious. An XDR helps put the pieces together, he said.
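The three XDR elements Gartner lists (normalised data, correlation into incidents, and a response capability that changes the state of other products) and the "putting the pieces together" point above can be shown in a small correlator. The following is an added illustration, not McAfee Mvision XDR code or any vendor's real format: the three raw record layouts, the host and user names, the IP address, the severity values and the scoring rule are all made up here. It normalises an email-gateway record, an EDR alert and a proxy log line into one event shape, chains events on the same host within a time window, scores the chain so that a mail with an attachment followed by an endpoint alert scores higher than either alone, and then derives response actions (block IP, block URL, isolate host) only for incidents that cross the threshold.

```python
"""Toy XDR correlator: normalise, correlate into incidents, plan a response.

Added example with constructed data and hypothetical record formats; it is
not the code of any product mentioned in the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """Common (normalised) shape every source is mapped into."""
    ts: datetime
    source: str          # "email", "edr" or "proxy"
    host: str
    user: str
    kind: str
    severity: int
    details: dict = field(default_factory=dict)


@dataclass
class Incident:
    host: str
    events: list
    score: int = 0
    actions: list = field(default_factory=list)


# Constructed raw records, each in its own (hypothetical) vendor layout.
RAW_EMAIL = [
    {"delivered": "2021-03-01T09:02:40", "recipient": "jsmith", "endpoint": "lt-042",
     "subject": "Invoice", "attachment": "invoice.docm", "url": "http://example.invalid/inv"},
    {"delivered": "2021-03-01T10:30:00", "recipient": "amara", "endpoint": "lt-077",
     "subject": "Newsletter", "attachment": None, "url": None},
]
RAW_EDR = [
    {"time": "2021-03-01T09:14:05", "device": "lt-042", "account": "jsmith",
     "event": "suspicious_api_call", "proc": "winword.exe", "api": "VirtualAllocEx"},
]
RAW_PROXY = [
    {"ts": "2021-03-01T09:14:20", "src_host": "lt-042", "user": "jsmith",
     "dst_ip": "203.0.113.9", "category": "uncategorised"},
]

INCIDENT_THRESHOLD = 6   # an EDR alert alone (severity 4) stays below this
WINDOW = timedelta(minutes=30)


def norm_email(r):
    sev = 2 if r["attachment"] else 0
    return Event(datetime.fromisoformat(r["delivered"]), "email", r["endpoint"],
                 r["recipient"], "mail_delivered", sev,
                 {"attachment": r["attachment"], "url": r["url"]})


def norm_edr(r):
    return Event(datetime.fromisoformat(r["time"]), "edr", r["device"], r["account"],
                 r["event"], 4, {"proc": r["proc"], "api": r["api"]})


def norm_proxy(r):
    return Event(datetime.fromisoformat(r["ts"]), "proxy", r["src_host"], r["user"],
                 "outbound_connection", 1, {"dst_ip": r["dst_ip"]})


def normalise_all():
    """Element 1: centralise every source into one event shape, time-ordered."""
    events = ([norm_email(r) for r in RAW_EMAIL] + [norm_edr(r) for r in RAW_EDR]
              + [norm_proxy(r) for r in RAW_PROXY])
    return sorted(events, key=lambda e: e.ts)


def plan_response(inc):
    """Element 3: turn an incident into state changes on other products."""
    if inc.score < INCIDENT_THRESHOLD:
        return []
    actions = []
    for e in inc.events:
        if e.source == "proxy":
            actions.append(("block_ip", e.details["dst_ip"]))
        if e.source == "email" and e.details.get("url"):
            actions.append(("block_url", e.details["url"]))
    if any(e.source == "edr" for e in inc.events):
        actions.append(("isolate_host", inc.host))
    return actions


def correlate(events, window=WINDOW):
    """Element 2: chain events on one host that fall within `window`, then score."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        chains = by_host.setdefault(e.host, [])
        if chains and e.ts - chains[-1].events[-1].ts <= window:
            chains[-1].events.append(e)
        else:
            chains.append(Incident(e.host, [e]))
    incidents = [inc for chains in by_host.values() for inc in chains]
    for inc in incidents:
        inc.score = sum(e.severity for e in inc.events)
        sources = {e.source for e in inc.events}
        # Context bonus: a mail delivery followed by an endpoint alert on the
        # same host is more telling than either record seen in isolation.
        if "edr" in sources and "email" in sources:
            inc.score += 3
        inc.actions = plan_response(inc)
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalise_all()):
        print(inc.host, inc.score, [e.source for e in inc.events], inc.actions)
```

Run as-is, lt-042 yields one incident chaining mail, EDR alert and proxy connection (score 10, three response actions), while the newsletter on lt-077 stays a harmless single-event incident with no actions. Feeding only the EDR record to `correlate` gives a score of 4 and no actions, which is the "minor in isolation, serious in context" case the text describes; in a real deployment the scoring rule and thresholds would come from the vendor's analytics, not a hand-written bonus.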
An XDR focusses on identifying possible active threats, checking whether the current security posture protects against those threats, and if not, making the necessary corrections.
"It's about shifting as much of the effort to preventative controls," said Idelkhani.