Security Market Segment LS
Monday, 22 March 2021 17:35

Why do you need an XDR?


Attention is shifting from EDR (endpoint detection and response) to XDR (extended detection and response).

iTWire talked to McAfee director of systems engineering Sahba Idelkhani about the issues.

An EDR is, as the name suggests, endpoint specific. The idea was to spot malware by what it does, for example making unusual API calls.

Detections would be passed to an analyst for examination and investigation.

While this was an improvement on relying on signature detection, it is still inherently an 'after the event' process.

Another shortcoming, Idelkhani says, is that EDR only provides a partial view of what happened. It does not show what led up to the detection, such as the user opening an email or connecting a USB storage device. Nor does it reveal whether other users were similarly affected.

So XDR was developed to combine multiple security tools into one system.

According to Gartner, "Extended detection and response describes a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components."

The analyst firm says there are three key elements to XDR: centralisation of normalised data, correlation of security data and alerts into incidents, and a centralised incident response capability that can change the state of individual security products as part of incident response or security policy setting.

This, according to Idelkhani, means the components of an XDR system need to come from a single vendor with native integration, rather than a cross-vendor approach using APIs for integration.

Such a single-source approach gets around the need to write custom rules to make sense of the data ingested by a SIEM, as an XDR provides off-the-shelf dashboards for security analysts, making implementation and operation quicker and easier.

After all, mean time to detection and mean time to response are usually key metrics for a security operations centre.

This does not mean data from third-party tools can't be used with an XDR, Idelkhani said. McAfee Mvision XDR includes hooks for such tools.

Another important part of an XDR is that it should at least partly automate the response – after all, that's what the R stands for.

Such responses can take the form of blocking IP addresses or blacklisting URLs, for example.

While security orchestration, automation and response (SOAR) systems provide a basis for automating responses in a multivendor environment, they have not been widely adopted because of the skills required to make them work, he said.

"The integrations are only available for threats that are quite common."

SOAR has a part to play, Idelkhani conceded, which is why McAfee acquired Syncurity, but it makes life easier if SOAR functionality is included in XDR.

McAfee's overall approach is that as much as possible should be blocked by the SOC due to the amount of effort needed to remediate a system after it has been attacked, even if the fix is something as commonplace as reimaging an infected notebook.

This proactive approach means that fewer 'fires' break out, so SOC analysts are better able to respond quickly to those that do.

Another benefit is that an XDR is likely to detect a given underlying issue in several ways, thus reducing the risk of false positives and helping draw attention to what may be considered in isolation as a minor issue, but which the broader context shows to be more serious. An XDR helps put the pieces together, he said.
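The three elements above (normalised data, correlation of alerts into incidents, a central response capability) can be sketched in a few dozen lines. The following is an added illustration written for this article, not McAfee's or any vendor's code: it takes constructed alerts from an email gateway, an EDR agent and a network sensor, groups them by host, raises the score when several independent tools corroborate the same host (so a single minor signal gains weight from its context), checks whether other hosts show the same signal, and picks automated response actions such as blocking a URL. Signal names, severities and the `rare-domain.invalid` indicator are all made up for the example.

```python
from collections import defaultdict

# Constructed sample alerts (not real telemetry), already normalised by the
# XDR into one schema: tool that raised it, host, signal, severity, indicator.
ALERTS = [
    {"source": "email_gw", "host": "LAPTOP-07", "signal": "attachment_opened",
     "severity": 1, "indicator": None},
    {"source": "edr", "host": "LAPTOP-07", "signal": "unusual_api_call",
     "severity": 2, "indicator": None},
    {"source": "network", "host": "LAPTOP-07", "signal": "beacon_to_rare_domain",
     "severity": 2, "indicator": "rare-domain.invalid"},
    {"source": "edr", "host": "LAPTOP-12", "signal": "unusual_api_call",
     "severity": 2, "indicator": None},
    {"source": "edr", "host": "DESK-03", "signal": "usb_storage_attached",
     "severity": 1, "indicator": None},
]


def correlate(alerts):
    """Group normalised alerts by host into incidents and score each one.
    Score = highest base severity + number of other tools that agree, so a
    minor signal gains weight when the broader context corroborates it."""
    incidents = defaultdict(lambda: {"alerts": [], "sources": set()})
    for alert in alerts:
        incidents[alert["host"]]["alerts"].append(alert)
        incidents[alert["host"]]["sources"].add(alert["source"])
    for host, inc in incidents.items():
        inc["host"] = host
        inc["score"] = (max(a["severity"] for a in inc["alerts"])
                        + len(inc["sources"]) - 1)
    return dict(incidents)


def spread(alerts, signal):
    """Hosts showing the same signal: were other users similarly affected?"""
    return sorted({a["host"] for a in alerts if a["signal"] == signal})


def response_actions(incident, threshold=3):
    """Automated response for incidents scoring at or above the threshold:
    isolate the host and block any network indicator the incident carries."""
    if incident["score"] < threshold:
        return []
    actions = [("isolate_host", incident["host"])]
    for alert in incident["alerts"]:
        if alert["indicator"]:
            actions.append(("block_url", alert["indicator"]))
    return actions
```

With the sample data, LAPTOP-07 scores 4 (three tools agree) and gets isolated with its beacon domain blocked, while the lone EDR alerts on LAPTOP-12 and DESK-03 stay below the threshold and are left for an analyst.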

An XDR focusses on identifying possible active threats, checking whether the current security posture protects against those threats, and if not, making the necessary corrections.

"It's about shifting as much of the effort to preventative controls," said Idelkhani.

Stephen Withers

Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
