Endpoint detection and response capabilities in Defender for Endpoint provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an incident. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.
Note: Defender for Endpoint detection is not intended to be an auditing or logging solution that records every operation or activity that happens on a given endpoint. Our sensor has an internal throttling mechanism, so the high rate of repeat identical events will not flood the logs. Inspired by the "assume breach" mindset, Defender for Endpoint continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors. The response capabilities give you the power to promptly remediate threats by acting on the affected entities.
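The two mechanisms the passages above describe, a sensor-side throttle that keeps a burst of identical repeat events from flooding the log, and the aggregation of alerts into a single incident when they share an attack technique or an attributed actor, are modelled in the following added example. It is illustrative code written for this page, not Microsoft's sensor or service code; the throttle limit and window, the technique IDs, the actor label and the sample events and alerts are all constructed assumptions.

```python
"""Toy model of event throttling and alert-to-incident aggregation.

Added example, not Defender for Endpoint code. Thresholds and sample data are
constructed for illustration; the product's real values are not stated on the page.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    device: str
    kind: str      # e.g. "process_create"
    detail: str    # e.g. the command line observed
    ts: float      # seconds


class RepeatThrottle:
    """Admit at most `limit` identical events per `window` seconds (assumed values)."""

    def __init__(self, limit: int = 3, window: float = 60.0) -> None:
        self.limit = limit
        self.window = window
        self._admitted: Dict[Tuple[str, str, str], List[float]] = defaultdict(list)

    def admit(self, ev: Event) -> bool:
        key = (ev.device, ev.kind, ev.detail)
        # Keep only timestamps still inside the sliding window.
        recent = [t for t in self._admitted[key] if ev.ts - t < self.window]
        self._admitted[key] = recent
        if len(recent) >= self.limit:
            return False          # identical repeat beyond the limit: suppressed
        recent.append(ev.ts)
        return True


@dataclass
class Alert:
    alert_id: str
    device: str
    technique: str           # ATT&CK technique ID (constructed samples below)
    actor: Optional[str]     # attributed actor, if any


@dataclass
class Incident:
    incident_id: int
    alerts: List[Alert] = field(default_factory=list)
    techniques: Set[str] = field(default_factory=set)
    actors: Set[str] = field(default_factory=set)


def aggregate(alerts: List[Alert]) -> List[Incident]:
    """Group alerts sharing a technique or an attributed actor into incidents.

    If an alert bridges two existing incidents, they are merged into one.
    """
    incidents: List[Incident] = []
    for a in alerts:
        matches = [inc for inc in incidents
                   if a.technique in inc.techniques
                   or (a.actor is not None and a.actor in inc.actors)]
        if not matches:
            target = Incident(incident_id=len(incidents) + 1)
            incidents.append(target)
        else:
            target = matches[0]
            for other in matches[1:]:          # bridge case: merge into the first match
                target.alerts.extend(other.alerts)
                target.techniques |= other.techniques
                target.actors |= other.actors
                incidents.remove(other)
        target.alerts.append(a)
        target.techniques.add(a.technique)
        if a.actor is not None:
            target.actors.add(a.actor)
    return incidents


def demo_throttle() -> Tuple[int, int]:
    """Five identical events plus one distinct event; returns (admitted, dropped)."""
    throttle = RepeatThrottle(limit=3, window=60.0)
    burst = [Event("host-a", "process_create", "cmd.exe /c whoami", float(t)) for t in range(5)]
    other = Event("host-a", "network_connect", "10.0.0.5:443", 5.0)
    results = [throttle.admit(e) for e in burst + [other]]
    return results.count(True), results.count(False)


def demo_aggregate() -> List[Incident]:
    """Constructed alerts: two share a technique, three share an actor, one bridges."""
    alerts = [
        Alert("A1", "host-a", "T1059", None),
        Alert("A2", "host-b", "T1059", None),        # same technique as A1
        Alert("A3", "host-c", "T1071", "ACTOR-X"),
        Alert("A4", "host-d", "T1566", "ACTOR-X"),   # same actor as A3
        Alert("A5", "host-e", "T1003", None),        # its own incident at first
        Alert("A6", "host-f", "T1003", "ACTOR-X"),   # bridges A5's incident and ACTOR-X's
    ]
    return aggregate(alerts)


if __name__ == "__main__":
    print("throttle (admitted, dropped):", demo_throttle())
    for inc in demo_aggregate():
        print(inc.incident_id, [a.alert_id for a in inc.alerts], sorted(inc.techniques), sorted(inc.actors))
```

The throttle drops the fourth and fifth identical events in the burst while still admitting the distinct network event, which is the behaviour the note describes: repeat identical activity is suppressed, not all activity. The aggregation step ends with two incidents rather than three because alert A6 is linked to one incident by technique and to another by actor, so the two are merged, which is the analyst-facing effect of grouping by shared technique or attribution.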
Extended detection and response or XDR is a new approach to threat detection and response that provides holistic protection against cyberattacks, unauthorized access and misuse. Coined by Nir Zuk, Palo Alto Networks CTO, in 2018, XDR breaks down traditional security silos to deliver detection and response across all data sources. According to analyst firm Gartner, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system.” The definition of XDR from Forrester Research is a bit more expansive: “The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.”

How Does XDR Work?

XDR solutions bring a proactive approach to threat detection and response. They deliver visibility across all data, including endpoint, network, and cloud data, while applying analytics and automation to address today’s increasingly sophisticated threats. With XDR, cybersecurity teams can:
From a business perspective, XDR platforms enable organizations to prevent successful cyberattacks as well as simplify and strengthen security processes. This, in turn, lets them better serve users and accelerate digital transformation initiatives, because when users, data and applications are protected, companies can focus on strategic priorities.

XDR Benefits
How does XDR compare to EDR or MDR?

XDR security is an alternative to traditional reactive approaches that provide only layered visibility into attacks, such as endpoint detection and response (EDR); network detection and response (NDR); user behavior analytics (UBA); and security information and event management (SIEM). Layered visibility provides important information, but can also lead to problems, including:
What is EDR Security?

Endpoint detection and response refers to a category of tools used to find and investigate threats on endpoint devices. EDR tools typically provide detection, analysis, investigation and response capabilities. Compared to these security solutions, XDR takes a wider view, integrating data from endpoint, cloud, identity, and other solutions. EDR products monitor events generated by endpoint agents to look for suspicious activity, and the alerts they create help SecOps analysts identify, investigate and remediate issues. These solutions also collect telemetry data on suspicious activity and may enrich that data with other contextual information from correlated events. However, they lack key capabilities, which slows down incident response. EDR solutions do not offer integrations with other tools and data sources for full visibility, so they cannot provide holistic protection.

What is MDR?

Managed detection and response (MDR) services offer dedicated personnel and technology to improve the effectiveness of security operations in threat identification, investigations and response. These services complement traditional managed security services that focus on broad security alert management and triage. While various definitions exist, MDR services universally provide the following value:
Cortex XDR: Our XDR Product

Cortex XDR is the world’s first extended detection and response platform that natively integrates network, endpoint, cloud and third-party data to stop modern attacks. It unifies prevention, detection, investigation, and response in one platform for unrivaled security and operational efficiency. Cortex XDR accurately detects threats with behavioral analytics and reveals the root cause to speed up investigations. Tight integration with enforcement points accelerates containment, enabling you to stop attacks before the damage is done. Combined with our Managed Threat Hunting service, our XDR solution gives you round-the-clock protection and industry-leading coverage of MITRE ATT&CK techniques.