Cybereason Blog | Cybersecurity News and Analysis

Evaluating XDR Solutions? Caveat Emptor - Buyer Beware

Written by Anthony M. Freed | Apr 6, 2022 1:16:38 PM

A recent study found that the majority of security professionals said that their organizations are planning to adopt Extended Detection and Response (XDR). The report indicated that 80% of infosec pros said XDR should be a top cybersecurity priority for their organization, and 68% said that their organization was planning on investing in an XDR solution deployment across their environments in 2022. 

Many organizations have already adopted or are in the process of adopting XDR primarily due to two factors: They need a platform that can produce correlations across telemetry from a broad array of security technologies from different security vendors that currently generate a flood of individual alerts, but minimal context to tie them together.

The other most cited reason for the move to an XDR solution is that they need to realize maximum efficacy and efficiency for the analysts they have on hand, as the cybersecurity skills shortage continues to leave organizations short of qualified staff. Let’s examine each of these factors. 

A Plethora of Security Solutions

In the survey referenced above, 90% of respondents indicated that their organizations use a wide array of security tools provided by multiple vendors. Those respondents affirmed that their security program would benefit from a vendor-agnostic approach to threat detection and response, which is at the heart of the functionality of a true XDR solution.

The issue with having multiple sources of telemetry from disparate security tools from various vendors is that these technologies don’t necessarily work together to expose entire malicious operations; instead each produces an alert from one aspect of a potential attack without tying that element to the other indicators in the environment. 

This means that it is up to human analysts to triage hundreds or even thousands of alerts they receive daily, decide which may be worthy of follow-up or not, then try to ascertain which of the selected alerts may be connected to one another, then perform a series of complex queries across the impacted systems and devices to determine the extent of the issue while manually trying to determine which users, applications, systems, and even cloud workloads may be impacted.

All this takes time–time that works to the attacker’s advantage by allowing the attack to continue to unfold unabated. At the same time, the analysts struggle just to gain adequate visibility into all that may be involved in the attack sequence.

The Cybersecurity Skills Gap

To further complicate an already complicated process with too many security solutions producing too many unstructured alerts, organizations are also faced with detecting security incidents early despite not having a fully staffed security team. 

This obstacle helps to explain why most (59%) SOC teams indicated that they intend to use XDR to improve their mean time to detect and respond (MTTD and MTTR). Slightly less than that (45%) expected to engage XDR in this way with fewer security experts on staff.

Organizations need to reduce their MTTD and MTTR going forward to prevent a security incident from escalating into a full-blown breach event, as the cost of those events is directly proportional with how much time attackers have had inside a target’s network. 

Fewer security professionals equate to fewer skilled personnel who can detect these data breaches early on. Subsequently, it’s not surprising that the cybersecurity skills shortage is likely to shape organizations’ security strategies for 2022. 

As reported by HelpNet Security, 88% of respondents to a 2021 study said that they anticipated that the skills gap would affect their security strategy for the year ahead. Half anticipated a “significant impact.” 

Coupled with the fact that the Cost of a Data Breach Study 2021 found that it takes organizations an average of 287 days to find and contain a breach, and a dwell time of more than 200 days translates into a price tag $4.87 million per breach. By contrast, the cost lowers to $3.61 million if organizations succeed in detecting and containing a data breach in fewer than 200 days.

An Operation-Centric Approach to XDR

The main benefit that motivates organizations to embrace an AI-driven XDR solution is its ability to gather security telemetry from different parts of an organization’s infrastructure and correlate them to produce a complete picture of all related elements of an attack. 

This functionality enables an AI-driven XDR solution to deliver the deep context and correlations that security teams need to take meaningful actions about unfolding security incidents in real-time, as opposed to analysts spending their precious time triaging and investigating uncorrelated alerts and wading through false positives–none of which stops attacks.

XDR provides an operation-centric approach, where information silos are no longer a limiting factor for achieving comprehensive visibility. It combines telemetry from EDR, antivirus, firewalls, CWPP (cloud workload protection platforms), and other solutions and correlates the intelligence into one frame of reference with an emphasis on detecting the malicious behaviors that drive the attack campaign forward.

Caveat Emptor: Buyer Beware

XDR is a relatively recent addition to the security toolbox. As such, there is a lot of confusion about what XDR means and what it can accomplish for users, and so there are many vendors out there who are “selling” XDR when they simply don’t have an XDR platform to offer.

Most of these vendors have simply taken an EDR solution and pulled some cloud workload data into the EDR tool’s display. Yes, they can mimic some of the functionality that an AI-driven XDR solution delivers, maybe even enough to get through a POC with a prospect successfully–but they can’t deliver what they are selling in the marketing materials. They are incapable of handling the terabytes of data daily that are required to deliver true XDR. 

This is specifically relevant for endpoint data. Because of their alert volume and false-positive rates, most EDRs can’t even provide a clear picture of what’s going on across an organization’s endpoints. Jamming even more data into tools that can’t correlate any of that information with non-endpoint telemetry is not going to make any organization more secure. 

The AI-Driven XDR Advantage

An AI-driven XDR solution enables organizations to embrace an operation-centric approach to security that delivers the visibility organizations require to be confident in their security posture across all network assets and the automated responses to halt attack progressions at the earliest stages. 

In addition, an AI-driven XDR solution should provide Defenders with the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces, and more.

Don’t be fooled by clever marketing ploys that position EDR tools as something they are not or vendors touting their latest big-dollar acquisitions of smaller startups whose technologies they can’t effectively integrate. Yet, they package it all up weeks after the deal closes and try to pawn it off as an XDR solution. 

Ask the hard questions, get the right solution. 



Cybereason is dedicated to teaming with Defenders to end attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.