SenseOn

20/08/2022

XDR vs EDR: Which is Better for Your Organisation?

“EDR Is Dead, Long Live XDR,” wrote Forrester researcher Allie Mellen in her 2021 report on XDR. Seen by many as the natural evolution of endpoint detection and response (EDR), extended detection and response (XDR) is slowly gaining in popularity. Although only 12% of cybersecurity decision-makers have adopted XDR to date, 77% plan on doing so in the next two years, found a recent CyberRisk Alliance (CRA) survey

Both EDR and XDR aim to help organisations detect and respond to threats faster. However, instead of focusing solely on endpoints, XDR platforms promise to give defenders a more holistic view of threats across their entire digital estate.

So, is EDR on the way out? Not necessarily. Although XDR is predicted to have a rosy future, the uptake of EDR solutions is also on the rise. Between 2020 and 2030, the global EDR market is expected to expand at a compound annual growth rate of 21%, surpassing a $13.8 billion valuation by 2030. 

Still, as the hype around XDR continues, anyone looking to defend their organisation may now be wondering: is XDR the new EDR? While XDR promises a lot, companies looking to improve their threat detection and response capabilities should also consider other security automation solutions like SenseOn. Here’s why. 

The Rise (And Fall) of EDR Tools

Endpoint detection and response (EDR) is a term for solutions that detect, investigate, and remediate threats on endpoints, i.e., all devices that connect to and from a corporate network, whether that’s laptops, smartphones, IoT devices, etc. According to Gartner, who coined the term in 2013, any EDR tool must provide four capabilities: detect security incidents, investigate suspicious activity, block malicious activity at the endpoint, and offer remediation steps. 

Unlike traditional endpoint security tools such as firewalls or antivirus, which depend on signatures and attack patterns to detect malware, EDR solutions use behaviour analysis and can recognise even advanced threats. Unsurprisingly, as attackers evolve their methods and the number of endpoints at a typical organisation grows, companies are beginning to see EDR as an integral part of their security posture. Gartner estimates that by 2023, more than 1 in 2 businesses will have swapped out their legacy security software for combined EDR and endpoint protection platforms (EPP). 

However, because endpoints aren’t the only attack vectors threat actors use, relying solely on EDR can leave companies exposed to cyber-attacks that start elsewhere (network, the cloud, etc.) or use lateral movement. In a recent experiment, 11 EDR products from well-known security providers failed to detect 10 out of 20 attacks

Even when organisations use other sources of telemetry, like network detection and response (NDR), these tools are seldom integrated, which means that defenders still lack a complete view of their IT estate. The more tools an organisation has, the more alerts security teams get and the longer it takes them to detect, investigate, and respond to threats. In a survey by CRA Business Intelligence (sponsored by eSentire and Exterro), almost 50% of respondents said lack of visibility/context from current security solutions resulted in them missing at least one security incident in the last 12 months. 

Is XDR the Next Big Thing?

The main difference between extended detection and response (XDR) and EDR is that XDR protects more than just endpoints. Coined in 2018 by Palo Alto Networks, XDR applies EDR principles across an organisation’s entire infrastructure, integrating multiple point solutions. Among others, the security tools integrated into an XDR may include EDR, EPP, NDR, mobile threat detection, cloud workload protection, email security, and deception. The precise capabilities of any XDR solution will depend largely on the vendor offering it and their existing product catalogue.

Created to address product sprawl and alert fatigue, XDR solutions centralise threat intelligence data from multiple security products into a single user interface and correlate it to find behaviour that might have gone unnoticed. For many security teams, this is a huge plus. Almost half of infosec professionals across various industries would consider replacing individual point tools with XDR. 

SenseOn > XDR

For any organisation that doesn’t yet have an EDR solution in their tool stack, XDR might make a lot of sense. Although the relationship between EDR and XDR is, to quote former Research VP and Analyst Anton Chuvakin, currently “under debate,” security analysts like Allie Mellen of Forrester view XDR as a replacement for EDR in the SOC, or, to be more precise, “EDR++.” Regardless of whether you go with vendor-specific XDR or open XDR, EDR is the “most pivotal and defining piece” of this new technology. Some EDRs have already rebranded as XDRs

However, if a company’s primary interest in XDR is to improve their detection and response by unifying their security stack (which is one of the technology’s main benefits), they should tread carefully. Right now, the XDR market is still fuzzy. There is a lack of consensus on what XDR is, for example, the tools it encompasses, and even if it’s a “real” market. Some vendors have also been quick to capitalise on this latest trend without actually putting in the work. Gartner anticipates that by 2023, close to 1 in 3 EDR and SIEM providers will say they have XDR capabilities despite lacking core XDR functions. 

Nevertheless, while XDR might not be there just yet, that doesn’t mean that companies have to wait for the market to mature (or for something else to come along) before they can replace multiple-point solutions with one uniform platform and improve visibility. 

A cohesive platform that displaces the need for multiple tools by consolidating EDR, NGAV, NDR, IDS, SIEM, and SOAR, SenseOn correlates data from across an organisation’s entire infrastructure (endpoints, networks, cloud infrastructure, and investigator microservices) in real-time to give a 360-degree view into a company’s digital estate via a single console.

To protect defenders from drowning in a sea of false positives, SenseOn’s “Threat Triangulation” technology, which emulates how a human analyst thinks, correlates events across the environment, flagging only genuine cyber threats. Not only that, but SenseOn also breaks down the relationship between events and devices and maps suspicious behaviour to the MITRE ATT&CK framework. For critical attacks like ransomware, SenseOn’s automated response capabilities can even isolate affected endpoints.

Sign up to our newsletter

Join thousands of like-minded professionals who are already 
receiving our blog updates and best practice guides.