
Three Approaches to an XDR Architecture

Extended Detection and Response (XDR) can be confusing based on so many different definitions and approaches

In 2020, Extended Detection and Response (XDR) solutions started being touted as the number one trend CISOs should understand to increase detection accuracy and improve security operations efficiency and productivity. Since then, XDR has gained a lot of traction and security vendors are quickly jumping on the bandwagon, recasting their products as XDR solutions.

As Security Operations Centers (SOCs) transition toward becoming detection and response organizations, they are beginning to look to XDR as a way to reach that destination. If you’re considering XDR, the many different definitions and approaches can be confusing. In an attempt to simplify what is out there, here are the three main types of XDR architecture that are emerging.

1. Vendor-locked ecosystem. Often touted by large security vendors as the best path forward, this approach promotes the use of an integrated suite of security products (often cloud-based) from a single vendor. Emphasizing simplicity and comprehensive coverage, this approach sounds appealing. But the challenge is that organizations typically protect themselves using many different technologies from different vendors, including firewalls, IPS/IDS, routers, web and email security, and endpoint detection and response solutions. They also have SIEMs and other tools that house internal threat and event data – ticketing systems, log management repositories, case management systems. They may rely on a few “large vendors” to handle the bulk of their security tasks, but usually they also use best-of-breed vendors for controls the larger vendors do not have or do not excel in. A recent study finds that on average organizations have more than 45 different security tools that for the most part don’t talk to one another. This happens naturally over time as different teams, budgets and departments make independent decisions.

Vendors must be able to accommodate the reality that not every organization will have all their tools from a single provider out of the gate, and the appetite to rip and replace is low in the near-term. Not to mention the fact that new vendors and solutions will continue to emerge given the ongoing innovation required to keep up with new use cases, threats and threat vectors.

2. Land and expand. This approach starts from the specific attack surface on which the vendor is focused, such as Endpoint Detection and Response (EDR) or Network Detection and Response (NDR), with the vendor then planning to add further XDR capabilities through integration with other security tools. While this approach provides the opportunity to select a leader in a foundational detection and response technology, it also presents a few challenges. Integrations are key to creating an XDR architecture. However, the vendor is likely to focus on ongoing innovation of its core technology offering, to the detriment of integrations. If integration is not a core competency, it will also take a significant amount of time to identify the tools to interoperate with and to execute the deep integrations needed to deliver on the promise of XDR.

3. Open platform. Vendors that pursue this strategy offer a platform focused on integration, tying together tools across the different attack surfaces as well as other security infrastructure. Serving as a conduit between existing security technologies, including those from vendors claiming XDR solutions, this strategy enables a more vendor-agnostic approach to XDR. It requires the vendor’s core competency and focus to be on integration and the data flow between systems. Organizations that are not starting with a clean slate and have a variety of best-of-breed solutions across departments and teams have a flexible path forward with an open, extensible architecture that allows for strong integration and interoperability with existing tools – including that one product the XDR vendor may not be familiar with. Standard interfaces are used for ingestion and export, and custom connectors can be written and deployed within hours to connect with new security controls to address emerging threats, as well as with on-premises legacy tools.

There are pros and cons to each of these approaches. But if you view XDR as a destination and not a solution, regardless of the path you take, you will need to understand the focus and core competencies of each vendor, the level of effort involved to transition to XDR, and where there may be distractions. Only then can you have confidence that the vendor you select can deliver on the promise of XDR so you can reach the goal of detection and response across the infrastructure and across all attack vectors.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
