About 18 months ago, I first wrote about XDR (eXtended Detection and Response) in this post on CSO. Since then, it seems every security vendor—major security vendors and small companies alike—has jumped on the XDR bandwagon and embraced the concept.

Some vendors have approached XDR from the endpoint in and others from the network out. Either approach is valid, as the premise of XDR is that security shifts from a series of point products to a single platform for threat visibility across the enterprise. Data is collected from the various enforcement points and then analyzed so threats can be detected faster and, more importantly, responded to quickly to contain the blast radius.

Traditional security tools, such as EDR (endpoint detection and response), often find threats but aren't able to understand where the threats emanated from, so corrective action can't be taken. This is why most detection and response tools are much better at the "D" than they are at the "R." XDR corrects that.

5 key capabilities for XDR solutions

XDR cuts across all the security layers, which is why so many vendors have thrown their hat in the ring. This has created a situation where there are a dizzying number of vendors to choose from, some of which are true XDR solutions and some that are XDR by name only. To help with the decision process, below are five key criteria for XDR solutions:

1. Visibility across the security spectrum. The "X" in XDR is "eXtended," so by definition XDR tools need to have broad visibility, but it's unrealistic to expect any vendor to have security products at all points in the threat landscape. At a minimum, the XDR vendor should offer endpoint, cloud, and network coverage and then ingest third-party data feeds for areas like e-mail and application-specific data. Ideally the XDR vendor would own the three pillars but could deliver the capabilities via a partnership. Tying response together across systems could be a challenge, but it is feasible.

2. Machine learning-based analytics. Security systems are generating massive amounts of data—far too much for even the best forensic expert to analyze manually. Machine learning (ML) algorithms can spot even the smallest anomaly that could indicate a breach. Despite the need, some security pros are reluctant to cede visibility to machines, but it's the only feasible way to accomplish XDR at scale. The healthcare industry went through this years ago when doctors were uncomfortable having ML systems look at MRIs, but doctors quickly found ML enabled them to spend more time treating patients and less time looking at data. The same is true with security and XDR.

3. Automated response. Similar to ML-based analytics, using automation to respond to security incidents requires a leap of faith. Some might consider it risky to automate threat response, but the fact is manual processes slow down responses and can cost companies millions if there is an active breach. A good interim step would be to have the XDR system recommend a change but enable the security team to validate and execute the change. This is similar to autopilot in a Tesla, where the driver needs to keep their hands near the wheel but the car takes control.

4. Coordinated responses. The inability to coordinate responses across the network, endpoint, and cloud has been an Achilles heel for security teams since the birth of cybersecurity. The network might notice a threat and shut it down but not inform the team responsible for endpoints, causing some malware to run amok within the company. XDR requires an integrated response system that enables security teams to eliminate network, cloud, and endpoint threats from a single dashboard. This will enable fast response, contain the blast radius of a threat, and keep it manageable.

5. Simplified workflows. There's an axiom in security that "complexity is the enemy," and that's certainly true for XDR. Today's siloed security tools provide a seemingly never-ending stream of alerts that are too noisy to make sense of. A proof point of this comes from the fact that the security vendors in many of the major breaches we have seen over the past decade all claim to have seen the incident, but the security teams didn't act. Too many alerts are as useful as no alerts. XDR systems must provide a complete picture with simplified investigations, making it easy to find the root cause, sequence of events, and threat intelligence details from the various sources.

One final note for companies considering an XDR deployment: While there are many strong solutions available, they are only as effective as the team that's using them. A winning XDR strategy will require breaking down the silos between the various security groups, such as cloud, endpoint, and network. The deployment of XDR must be driven from the CISO down, with a mandate that the security groups be willing to work across their silos. XDR has come a long way since the term was first introduced two years ago, and people and processes must evolve as well.
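The three capabilities that the five criteria above lean on most, correlating endpoint, network and cloud alerts into one incident with a root cause and timeline (simplified workflows), planning one response per enforcement point (coordinated responses), and gating execution behind analyst approval in a "recommend" mode (automated response), are sketched below as an added Python example. It is not code from the article or from any vendor's XDR product; the sample alerts, the playbook mappings and the connector names (`edr`, `firewall`, `iam`) are constructed stand-ins for whatever a real platform exposes, and execution is simulated rather than calling an API.

```python
from dataclasses import dataclass, field

# Constructed sample alerts from three enforcement points (not real telemetry).
SAMPLE_ALERTS = [
    {"source": "network", "ts": "2024-01-10T09:01:00", "host": "ws-17", "user": "jdoe",
     "detail": "beacon to 203.0.113.5:443", "ioc": "203.0.113.5"},
    {"source": "endpoint", "ts": "2024-01-10T09:00:20", "host": "ws-17", "user": "jdoe",
     "detail": "macro spawned powershell.exe", "ioc": "powershell.exe"},
    {"source": "cloud", "ts": "2024-01-10T09:03:40", "host": None, "user": "jdoe",
     "detail": "new access key created from unusual geography", "ioc": "key-id-placeholder"},
    {"source": "endpoint", "ts": "2024-01-10T11:15:00", "host": "srv-02", "user": "svc-backup",
     "detail": "unsigned driver loaded", "ioc": "drv.sys"},
]


def correlate(alerts):
    """Group alerts into incidents whenever they share a host or a user.

    Each incident carries its entity set, its time-ordered events, the earliest
    event as the root-cause candidate, and the list of layers that observed it.
    """
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        keys = {("user", a["user"])}
        if a["host"]:
            keys.add(("host", a["host"]))
        matches = [inc for inc in incidents if inc["entities"] & keys]
        if not matches:
            incidents.append({"entities": set(keys), "events": [a]})
            continue
        merged = matches[0]
        for other in matches[1:]:           # a new alert can bridge two incidents
            merged["entities"] |= other["entities"]
            merged["events"] += other["events"]
            incidents = [i for i in incidents if i is not other]
        merged["entities"] |= keys
        merged["events"].append(a)
    for inc in incidents:
        inc["events"].sort(key=lambda e: e["ts"])
        inc["root_cause"] = inc["events"][0]
        inc["layers"] = sorted({e["source"] for e in inc["events"]})
    return incidents


def timeline(incident):
    """Single cross-layer sequence of events for the analyst view."""
    return [f'{e["ts"]} {e["source"]}: {e["detail"]}' for e in incident["events"]]


# Hypothetical playbook: which enforcement point acts on an alert from each layer.
PLAYBOOK = {
    "endpoint": lambda e: ("edr", "isolate_host", e["host"]),
    "network": lambda e: ("firewall", "block_ip", e["ioc"]),
    "cloud": lambda e: ("iam", "disable_access_key", e["ioc"]),
}


def plan_response(incident):
    """One deduplicated action per (tool, verb, target) the incident calls for."""
    actions = []
    for e in incident["events"]:
        action = PLAYBOOK[e["source"]](e)
        if action not in actions:
            actions.append(action)
    return actions


@dataclass
class ResponseEngine:
    """'recommend' queues actions for an analyst to approve; 'auto' executes at once."""
    mode: str = "recommend"
    pending: list = field(default_factory=list)
    executed: list = field(default_factory=list)

    def __post_init__(self):
        if self.mode not in ("recommend", "auto"):
            raise ValueError("mode must be 'recommend' or 'auto'")

    def submit(self, actions):
        for a in actions:
            if self.mode == "auto":
                self._execute(a)
            else:
                self.pending.append(a)

    def approve(self, action):
        """Analyst validates one recommended action; only then is it pushed out."""
        if action in self.pending:
            self.pending.remove(action)
            self._execute(action)

    def _execute(self, action):
        # Simulated: a real connector would call the EDR/firewall/IAM API here.
        self.executed.append(action)


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print("\n".join(timeline(inc)))
        engine = ResponseEngine("recommend")
        engine.submit(plan_response(inc))
        print("recommended:", engine.pending)
```

In recommend mode nothing reaches an enforcement point until `approve()` is called, which is the interim step the article suggests; switching the same engine to `"auto"` is the only change needed once the team trusts the playbook.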