According to ESG research on The Impact of XDR in the Modern SOC, improving detection of advanced cyberthreats is the highest priority for enterprise security operations, with 83% of organizations planning to increase threat detection and response spending over the next 12 to 18 months. This is no surprise: threat detection and response is always a high priority. Unfortunately, the data reveals something else as well. Despite spending millions of dollars on cybersecurity technology over the past few years, most organizations still can't detect or respond to cyberattacks in a reasonable timeframe. It's also fair to say that things are getting worse—just ask any organization using SolarWinds for network monitoring.

Recognizing the need for better mousetraps, the security technology industry is proposing eXtended Detection and Response (XDR) as a possible solution. I posted a blog about XDR last June where I defined the term and speculated on how the market would develop. As I suspected at the time, XDR innovation has steadily progressed, and I expect big things from the supply side for the remainder of the year.

To be clear, XDR is still an emerging technology, not a panacea. Nevertheless, there's a lot of industry innovation and investment going into XDR, and it may help organizations bolster security analytics efficacy, streamline security operations, and anchor their SOCs with a tightly integrated security operations and analytics platform architecture (SOAPA). Given its potential, organizations should have a game plan for XDR in 2021. I suggest that CISOs do the following:

Cast a wide net with lots of upfront research.

Only 24% of security professionals say they are "very familiar" with XDR, which is understandable given that the technology is new and the marketing around it is confusing. Given this knowledge gap, the first thing organizations should do is learn about all types of XDR: platform-based (i.e., multiple controls with analytics and a control plane), software-only (i.e., a software layer on top of existing controls), open XDR, etc. This will help the SOC team decide on a strategy in which XDR can supplement or replace existing tools and processes. Because XDR is a consolidation architecture, many existing and trusted vendors will likely pitch XDR as an outgrowth of their EDR, NDR, or security analytics technology. At this early stage, CISOs should invite strategic security technology partners in to educate the security team on XDR and outline their product roadmaps. This should get the team up to speed and help them start to craft an XDR strategy.

Identify organizational weaknesses and blind spots.

Before moving forward with yet another threat detection and response technology, it's worth digging into existing tools and processes to see what's working and what's not. Is the SOC team fully utilizing EDR, NDR, and SIEM, or is there a skills or resource gap? Are there process bottlenecks that slow mean-time-to-detect and mean-time-to-respond and have nothing to do with technology? If either of these things is true, security orchestration, automation, and response (SOAR) and professional services may make more sense than another analytics tool. Since modern cyberthreats move laterally across networks, it's also worth investigating whether the organization has any weaknesses or blind spots in its security monitoring coverage. For example, the ESG research pointed to security monitoring weaknesses related to public cloud infrastructure. In cases like this, XDR should start by improving cloud security visibility and integrating cloud security analytics with existing EDR, NDR, threat intelligence, etc.

Pick a starting point for project planning.

XDR is an architecture, not a product, so it may take a few years to fully deploy and configure XDR. That said, you must start somewhere. Based on the previous point, it's not surprising that 43% of respondents to ESG's Impact of XDR in the Modern SOC survey say that their organization would start a project by implementing an XDR solution with threat detection and response capabilities for cloud-based workloads and SaaS. This is a reasonable starting point, but XDR technology can evolve from tactical to strategic coverage. Regardless of where an organization starts an XDR deployment, the security team must look forward, identify points of integration, map out engineering projects, and define a set of metrics it will use to measure XDR and project effectiveness.

Use XDR to establish security operations best practices.

Security operations are haphazard at many organizations, featuring many manual processes and constant firefighting. Some SOC teams use SOAR to help them out of this mess, but SOAR platforms require staff resources and skills to create playbooks and code orchestration routines. XDR will likely act as a poor man's SOAR by "canning" a lot of common security processes, which should be fine for most organizations. Some XDR platforms can also help organizations operationalize the MITRE ATT&CK framework—a big step forward. In selecting an XDR solution, CISOs should evaluate how each vendor supports and promotes security operations best practices and how well their organization can adapt to these changes.

Get the IT operations team involved.

Incident response requires strong collaboration and cooperation between security and IT teams. To support and improve the team effort, XDR platforms should adapt to existing process handoffs and integrate with existing security operations tools like ServiceNow, Jira, Microsoft OMS, etc. In other words, XDR projects should improve rather than disrupt existing data analysis, case management, incident prioritization, and mitigation efforts.

Cybersecurity tends to suffer from shiny object syndrome: a new technology comes along, and the industry goes gaga. Unfortunately, when organizations flock to these new tools, they often don't take the time to fully learn the technologies or modify security operations to achieve the maximum benefit. XDR is an architecture that will take months or years to fully deploy, giving organizations time to do things right. Building XDR into formal projects and future strategies will allow it to become a cybersecurity force multiplier, not just the next buzzworthy topic at RSA and Black Hat.