It’s time to stop debating about what XDR is and focus on how it fits in a security operations center modernization strategy.

We’ve been discussing extended detection and response (XDR) for years now, but a fundamental question remains: Just what the heck are we talking about, anyway?

Alarmingly, this continues to be a pertinent question. According to ESG research, 62% of security professionals claim to be “very familiar” with the term XDR, up from just 24% in 2020. An improvement, but still 29% are only somewhat familiar, not very familiar, or not at all familiar with XDR. So, despite industry hyperbole, arm waving at the RSA conference, and a cacophony of XDR talking heads, nearly one in five security professionals haven’t received the message.

No common definition of XDR

Now what do infosec pros think XDR is? Here’s where it gets interesting. A majority (62%) of those claiming to be “very familiar” with XDR say that XDR is an extension of endpoint detection and response (EDR) technology, 21% think XDR is a product suite from a single technology vendor, and 16% claim that XDR is an integrated and heterogeneous security technology architecture. (It is humorous that 1% of those “very familiar” with XDR responded, “don’t know.”) This means that “very familiar” is relative; security pros are “very familiar” with the XDR definition they adhere to.

When we examine potential deployment models, the waters get muddier. Of those claiming to be “very familiar” with XDR, 61% believe that XDR will supplement existing security technologies while 37% say that XDR will help consolidate security technologies into a common platform. When we look at security professionals who are only “somewhat familiar” with XDR, we see a different picture: 58% of this group think that XDR will supplement existing security technologies while 37% say that XDR will help consolidate security technologies into a common platform.
One could then conclude that XDR will supplement and consolidate current technologies, but questions remain about which will be supplemented, which will be consolidated, and in what timeframe.

As if XDR wasn’t confusing enough, ESG also found that XDR definitions and opinions varied as a function of company/organizational size. When security professionals working at organizations with over 10,000 employees were asked to define XDR, 34% say that XDR is an extension of EDR technology, 24% think XDR is a product suite from a single technology vendor, and 41% claim that XDR is an integrated and heterogeneous security technology architecture. Perhaps larger firms think of XDR as an architecture because they already have a plethora of tools and technologies and aren’t looking to “rip and replace” existing investments. They want glue, not dissolvent.

Focus on the security process, not the XDR definition

As an industry analyst, allow me to elaborate on this data. In my humble opinion:

There is no rigid definition of XDR. As they said in the 1970s, “different strokes for different folks.” Some XDR offerings collect data from email security technologies, some contain cyber-risk telemetry from tools like attack surface management (ASM), some are built around EDR technologies, some are an outgrowth of SIEM. Despite industry debates and dogma (in which I’ve played a part), it is starting to feel like XDR is anything you say it is or want it to be. Yes, this is confusing and will remain so. As always, security pros must approach XDR by defining their requirements, doing their homework, and following the age-old advice, caveat emptor.

The definition doesn’t really matter. As Bruce Schneier wrote years ago, “Security is a process, not a product.” If you believe this (and I do), arguments around the definition of XDR are counterproductive. Instead of figuring out which box XDR belongs in, let’s talk about the outcomes organizations seek to achieve.
ESG research indicates that 36% want XDR to extend and enhance threat detection across hybrid IT, 33% of organizations want XDR to improve the fidelity and prioritization of security alerts, 29% want XDR to act as a central security operations hub, and 25% want XDR to help detect unknown threats. XDR conversations should begin and end with how to address these requirements.

XDR exposes a deeper issue. A whopping 85% of organizations plan to increase their spending on threat detection and response technology over the next 12 to 18 months. To me, this means that the tools and technologies we are using today are inadequate. Maybe they are too difficult to use, maybe they can’t scale, maybe they are too noisy – whatever. XDR will either add to this morass or it will help address the problems. Again, vendors and users should base XDR discussions on this reality.

While the industry remains gaga over XDR, CISOs sing a different tune. When I talk to CISOs about threat detection and response, they steer the conversation to security operations center (SOC) modernization. Can XDR play a role here? Yes, if we drop the academic XDR doctrine and figure out how it can add scale, intelligence, analytics, and automation to the SOC.