11 top XDR tools and how to evaluate them

Extended detection and response tools provide a deeper and more automated means to identify and respond to threats. These are some of the most popular options.


Little in the modern IT world lends itself to manual or siloed management, and this is doubly true in the security realm. The scale of modern enterprise computing and modern application stack architecture requires security tools that can bring visibility into the security posture of modern IT components and integrate tightly to bring real-time threat detection, possibly even automating aspects of threat mitigation. This need has given rise to extended detection and response (XDR) tools.

What is XDR and what does it do?

XDR is a relatively new class of security tool that combines and builds on the strongest elements of security information and event management (SIEM), endpoint detection and response (EDR), and even security orchestration, automation, and response (SOAR). In fact, some of the XDR platforms listed here are the fusion of existing tools the vendor has offered for some time.

The primary value in XDR systems lies in their roots in SIEM, which gives the system copious amounts of event data from systems across the enterprise. This security data is further enhanced with the EDR components running on workstations and servers, even observing workloads running in cloud runtimes like serverless functions or containers. XDR systems typically take the data collected from your enterprise and compare it to telemetry from external data sources. When analyzed with machine learning tools, this vast array of data can lead to the proactive identification of threats or active attacks within your network.

In addition to early identification of attacks, XDR systems are helpful in threat hunting, root-cause analysis, and incident response. Events are automatically correlated with context such as user or system to track malicious activity as it moves between systems, escalates privileges, or makes configuration changes. This level of visibility is available nearly instantaneously, without having to manually review and compile event logs or track configuration changes. These same insights can be leveraged to automate initial remediation steps: disabling accounts, marking email messages as spam, or even blacklisting IP addresses. Automation of this sort can help buy time to develop a response plan to fully remediate and resecure your infrastructure.
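The correlation step described above, reduced to its essentials, as an added example that is not code from the article or from any of the vendors below: normalized events from email, identity, and endpoint sensors are grouped by user (the shared context), each user's timeline is checked for movement between hosts, privilege escalation, and configuration changes, and a matching chain yields the initial containment actions the text lists. The event records, the `CORP_NETS` address space, and the rule thresholds are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate address space; anything outside it is treated as external.
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed, already-normalized telemetry from email, identity and endpoint sensors.
EVENTS = [
    {"ts": 1, "user": "alice", "host": "ws01", "type": "mail_received", "ip": "198.51.100.7", "msg_id": "<m1@example>"},
    {"ts": 2, "user": "alice", "host": "ws01", "type": "logon", "ip": "203.0.113.9"},
    {"ts": 3, "user": "alice", "host": "srv02", "type": "logon", "ip": "10.0.0.5"},
    {"ts": 4, "user": "alice", "host": "srv02", "type": "priv_escalation"},
    {"ts": 5, "user": "alice", "host": "srv02", "type": "config_change", "detail": "audit policy disabled"},
    {"ts": 6, "user": "bob", "host": "ws03", "type": "logon", "ip": "10.0.0.6"},
]


def is_external(ip):
    return not any(ip_address(ip) in net for net in CORP_NETS)


def build_timelines(events):
    """Group events by user (the shared context) and order each group in time."""
    timelines = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        timelines[ev["user"]].append(ev)
    return timelines


def assess(user, timeline):
    """Derive indicators from one user's timeline and propose initial containment."""
    hosts = {ev["host"] for ev in timeline if ev["type"] == "logon"}
    types = {ev["type"] for ev in timeline}
    indicators = set()
    if len(hosts) > 1:
        indicators.add("lateral_movement")          # same identity active on several systems
    indicators |= types & {"priv_escalation", "config_change"}
    actions = []
    if indicators >= {"lateral_movement", "priv_escalation", "config_change"}:
        actions.append(("disable_account", user))
        for ev in timeline:                          # external parties in the chain
            if ev["type"] == "logon" and is_external(ev["ip"]):
                actions.append(("block_ip", ev["ip"]))
            if ev["type"] == "mail_received" and is_external(ev["ip"]):
                actions.append(("mark_spam", ev["msg_id"]))   # likely entry point
    return {"user": user, "hosts": sorted(hosts), "indicators": sorted(indicators), "actions": actions}


def correlate(events):
    return {u: assess(u, tl) for u, tl in build_timelines(events).items()}
```

Running `correlate(EVENTS)` produces one incident record per user: alice's chain triggers an account disable, a block on the external logon address, and a spam verdict on the message that preceded it, while bob's single internal logon yields no indicators and no actions.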

Evaluating XDR tools

Price will always be a key factor for enterprise security systems that must operate at scale, and XDR systems are no different. They are almost exclusively subscription-based, meaning you’ll have an annual or monthly cost to deal with. As with many security tools, that cost is a tradeoff: the financial risk of a data loss, or simply the business impact of a compromise, is monumental. The same is true of the manpower that would be required to achieve the same level of protection using existing systems and performing manual correlation of event data.

Key XDR features to focus on include integration with existing hardware, software, and cloud investments, which affects the effectiveness of the chosen platform as well as the cost and level of effort involved in the initial implementation. The ability to manage policies and rules is also critical, because it lets you tune the XDR’s capabilities to your business needs and enables your IT security staff to respond to threats or incidents more effectively. Finally, ease of use and the availability of training (either vendor- or community-based) are important for quickly ramping up on, and sustaining, your investment in an XDR platform.

Popular XDR tools

Below are some of the most significant XDR tools, listed in no particular order.

Trend Micro Vision One

Trend Micro has been in the IT software game for decades, and its XDR offering, Vision One, is one of the more widely respected XDR platforms on the market. Vision One checks all of the boxes an XDR should, including the ability to ingest data from a variety of inputs and the ability to secure endpoints with EDR. Vision One also supports proactive identification of vulnerabilities, both those inside your corporate network and those exposed publicly. Automated and enhanced remediation is also possible using customizable workflows, security playbooks, and even the ability to perform analysis in an isolated sandbox environment.

Microsoft XDR

Microsoft is one of those vendors that achieves XDR-like functionality by combining different services: Microsoft Sentinel, Microsoft 365 Defender, and Microsoft Defender for Cloud. Under the Defender brand, Microsoft 365 Defender protects customer-facing resources (endpoints, apps, and email) and Defender for Cloud protects cloud services (databases, storage, server VMs, containers, and more), while Sentinel provides a robust SIEM foundation from which to view and act on contextualized alerts, hunt threats, and initiate investigations.

An obvious benefit of using Microsoft is the inherent integration between its cloud platforms such as Office 365 and Azure, but the real value is that Microsoft has similar event data available for all its customers, making it easier for machine learning capabilities to identify anomalous behavior within your corporate resources. Microsoft also brings automation capabilities with Sentinel, including connectors into first- or third-party services through Logic Apps and the ability to send notifications via email or within Microsoft Teams.

Palo Alto Networks Cortex XDR

Palo Alto’s Cortex XDR integrates with your network devices, endpoints, and cloud infrastructure to identify and shut down attacks. Cortex leverages behavioral analytics and machine learning to detect attacks, aggregating alerts in an efficient, organized way. Palo Alto bills the Cortex XDR agent as a particular strength, leveraging malware detection, host-based firewall, disk encryption, and policy-based USB device management. The triage and investigation process is bolstered with automated root-cause analysis and attack sequence reporting. Incident reports and artifacts are also generated with a detailed breakdown of attack vectors, scope, and impact.

CrowdStrike Falcon Insight XDR

CrowdStrike’s XDR offering, Falcon Insight XDR, touts itself as a focal point for securing your infrastructure by eliminating siloed security tools and enabling a cohesive view across security domains. Falcon Insight XDR collects event data from disparate, disconnected systems and aggregates, normalizes, and applies context to produce an enhanced dataset. This wealth of event data is then analyzed to discover threats or active attacks, leveraging machine learning to detect evolving techniques brought to bear by malicious users. Finally, Falcon Insight XDR enables security professionals to respond appropriately by initiating response actions either manually or through automated workflows to immediately shut down active attacks.

Bitdefender GravityZone Business Security Enterprise

Bitdefender’s antimalware tools have long been a favorite of IT pros, so it’s no surprise that it has endpoint detection well in hand as part of its GravityZone XDR offering. In addition to endpoints, GravityZone monitors network devices, servers, and a wide range of cloud runtimes such as container-based apps, Office 365, Azure AD, and AWS. GravityZone’s analytics start at the sensor, where early context is applied, with additional levels of data refinement and normalization applied at the cloud layer using Bitdefender’s security analytics platform. GravityZone offers different ways to visualize incidents, including a timeline view and an incident advisor. Finally, GravityZone has a set of investigation and response tools that allow you to remediate specific endpoints, interact through a remote shell, or collect digital forensics.

SentinelOne Singularity XDR

SentinelOne’s Singularity platform bridges the gaps among cloud, endpoint, and identity to provide full, unified visibility across domains and technology stacks. Singularity’s cross-domain focus begins with data collection and analysis, building context regardless of the source of the event, and continues through remediation, allowing you to take the appropriate actions to resolve threats in a timely manner. Tight integration with a host of third-party tools and services is enabled through the Singularity marketplace, which surfaces curated connectors for Splunk, Okta, Microsoft, AWS, IBM Security, ServiceNow, and many others. Singularity’s Storyline technology is leveraged throughout the process to build out a rich, actionable final product that guides you through the incident response phase.

Cybereason XDR

Cybereason chose to build its XDR on top of Google Chronicle, which is a Google Cloud-based SIEM and SOAR platform. There is a hefty upside to using Google as your foundation: Google does data, analytics, and correlation better than maybe any other entity in the world. Cybereason has built its EDR and cloud workload protection as first responders in its XDR, each of which provides early analysis of user and application activity, identifying key telemetry and passing it on to Google Chronicle. Cybereason’s MalOp Detection Engine takes threat data and correlates it into visualized timelines showing a full view of the attack path, enabling your security team to respond accordingly.

VMware Carbon Black XDR

VMware’s Carbon Black XDR is not fully available at the time of this writing. Announced in November 2022, it is still in preview through an early access program. If reputation were the only consideration, there would be a strong case to be made for Carbon Black, but beyond that, we know it will share underlying components such as the VMware Contexa threat intelligence service. Add to this first-party integrations with other members of the VMware product catalog, such as its virtual machine platforms and the VMware Workspace ONE suite of device and identity tools, and Carbon Black XDR will be the first choice for many enterprise customers.

Elastic Security for XDR

Elastic is best known for its web and application content-delivery systems, but like Google, it is in the business of dealing with vast amounts of data and network traffic. Elastic Security for XDR is built to enable you to leverage existing security tools or build out a full XDR platform using components and capabilities from Elastic’s product catalog. Elastic offers both SIEM and SOAR capabilities, as well as threat detection for both endpoints and cloud workloads, live threat intelligence, and a library of existing threats and mitigations in the form of Elastic Security Labs.

Trellix XDR Platform

You’d be forgiven if you’ve never heard of Trellix, but don’t take that to mean it is new to the security game. Trellix is the result of McAfee Enterprise merging with FireEye in October 2021, both of which had strong XDR platforms at the time. Trellix XDR Platform has the feature set to compete with any other entry in the XDR space, integrating with the security tooling you already have in place and enhancing it by eliminating silos and turning threat data into actionable events, correlated and prioritized so that your security team can tailor its response strategy as necessary.

Cynet 360 AutoXDR

Cynet’s 360 AutoXDR platform touches on all key elements of XDR and does so with multiple pricing tiers and options that can enable you to grow into the platform. Core XDR features are included in all tiers for the most part. The lower tiers leave out features such as user behavior analysis and automated remediation, which calls into question both the extended detection and the response aspects of XDR at those levels. Cynet does have a strong user following that speaks well of both usability and product capabilities, which, coupled with the variety of service levels, makes it an intriguing option for prospective XDR buyers.

Copyright © 2023 IDG Communications, Inc.
