XDR (Extended Detection and Response)

XDR is a security approach that goes beyond monitoring a single data source (endpoints or networks) by combining telemetry from multiple layers: endpoints (laptops, servers), networks (firewalls, routers), cloud services, and sometimes even email or identity systems.

An XDR platform feeds alerts and raw data from each of these sources into a centralized engine that automatically correlates events, applies threat-intelligence feeds, and uses analytics (often machine learning) to detect sophisticated attack patterns that span several components.

Example Workflow:

  1. Detection across domains - A brute-force login on an endpoint and a suspicious process on a server can be linked as part of the same attack.
  2. Automated Response - Once a threat is identified, the XDR solution can orchestrate containment steps (isolating the infected machine, blocking a malicious IP in the firewall, disabling a compromised user account), either automatically or as one-click actions for the analyst.
  3. Continuous investigation - XDR provides a unified timeline or ‘attack story’, so that when an alert fires you immediately see ‘Patient Zero’, lateral movement, data exfiltration (unauthorized transfer or removal of sensitive data) attempts, and remediation history (all the response actions taken) in one view.
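As an added illustration (not part of the original page), a small Python sketch of the two stages the workflow describes: each layer raising its own alert, then cross-domain correlation by host into one incident with an ordered attack story. All hosts, users, timestamps and the threat-intel entry are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TI_BAD_IPS = {"203.0.113.5"}  # constructed threat-intel feed; 203.0.113.0/24 is a documentation range
# Constructed telemetry from three XDR layers: identity provider (idp), endpoint agent, firewall.
EVENTS = [{"ts": f"2024-05-01T10:00:{s:02d}", "src": "idp", "host": "ws-17", "user": "alice",
           "type": "login_failed"} for s in (5, 12, 19, 27, 33)] + [
    {"ts": "2024-05-01T10:01:10", "src": "idp", "host": "ws-17", "user": "alice", "type": "login_success"},
    {"ts": "2024-05-01T10:03:00", "src": "endpoint", "host": "ws-17", "type": "suspicious_process",
     "detail": "unsigned binary started from user temp dir"},
    {"ts": "2024-05-01T10:04:30", "src": "firewall", "host": "ws-17", "type": "outbound", "dst": "203.0.113.5"},
    # Lone endpoint alert on another host: stays a single-source alert and never becomes an incident.
    {"ts": "2024-05-01T10:20:00", "src": "endpoint", "host": "db-02", "type": "suspicious_process",
     "detail": "unsigned binary started from user temp dir"},
]

def ts(e):
    return datetime.fromisoformat(e["ts"])

def per_source_detections(events, ti_ips, window=timedelta(minutes=2), threshold=5):
    """Stage 1: each layer raises its own alerts, exactly as a siloed tool would."""
    alerts, fails = [], defaultdict(list)
    for e in sorted(events, key=ts):
        if e["type"] == "login_failed":               # sliding-window brute-force rule
            k = (e["host"], e["user"])
            fails[k] = [t for t in fails[k] if ts(e) - t <= window] + [ts(e)]
            if len(fails[k]) == threshold:            # fire once, when the threshold is crossed
                alerts.append({"ts": ts(e), "host": e["host"], "src": "idp", "name": f"brute force on {e['user']}"})
        elif e["type"] == "suspicious_process":       # endpoint agent already made its verdict
            alerts.append({"ts": ts(e), "host": e["host"], "src": "endpoint", "name": e["detail"]})
        elif e["type"] == "outbound" and e["dst"] in ti_ips:   # threat-intel enrichment
            alerts.append({"ts": ts(e), "host": e["host"], "src": "firewall", "name": f"egress to TI-listed {e['dst']}"})
    return alerts

def build_incidents(alerts, window=timedelta(minutes=30), min_sources=2):
    """Stage 2 (the XDR part): alerts on one host from >= min_sources layers, within
    `window` of the first alert, become one incident with an ordered attack story."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, hits in by_host.items():
        story = [a for a in hits if a["ts"] - hits[0]["ts"] <= window]
        sources = sorted({a["src"] for a in story})
        if len(sources) >= min_sources:
            incidents.append({"patient_zero": host, "sources": sources,
                              "story": [f"{a['ts'].time()} [{a['src']}] {a['name']}" for a in story]})
    return incidents
```

Running `build_incidents(per_source_detections(EVENTS, TI_BAD_IPS))` yields one incident for ws-17 that links the idp, endpoint and firewall alerts, while the lone db-02 alert stays below the multi-source threshold.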

Related: SIEM (Security Information and Event Management)