GigaOm Radar For Extended Detection and Response (XDR)
Chris Ray
Apr 11, 2023
Table of Contents
1. Summary
5. Vendor Insights
6. Analyst’s Take
8. About GigaOm
9. Copyright
1. Summary
Enterprise cybersecurity comprises multiple security solutions from various vendors. Solutions are paired with a security information and event
management (SIEM) and/or a security orchestration automation and response (SOAR) tool to allow security analysts to correlate events across the network
to better detect and respond to cyberattacks.
Although SIEM and SOAR tools originally came with out-of-the-box threat detection, the effectiveness of this capability relied heavily on human
involvement to fine-tune the system for their environment. So, systems were limited by the knowledge of the available security staff and required extensive
maintenance to keep up with the ever-changing threat landscape. This limitation led to less-than-intelligent detection and a crippling overabundance of
alerts, resulting in real threats being drowned out by the noise and remaining undetected.
In contrast, extended detection and response (XDR) solutions distribute detection and response across the security stack to provide ubiquitous coverage
from endpoint to cloud by delivering unified visibility, control, and protection. XDR collects telemetry and leverages artificial intelligence (AI), machine
learning (ML), or other statistical analysis methods to correlate event logs, and then evaluates them against intrusion response frameworks. Additionally,
XDR systems integrate threat intelligence to enhance and improve threat detection capabilities. Although having the full security stack telemetry funnel
through an analytics engine that’s enriched with up-to-date threat intel and measured against intrusion frameworks doesn’t provide a silver bullet for
security, it’s as close to “security in a bag” as you can get at this time.
XDR attempts to address the security skills gap by reducing the need for experienced security analysts and instead using AI, ML, and statistical methods to
provide threat intelligence-driven analysis. It identifies connections between seemingly unrelated network activities to uncover sophisticated attacks, and
automated remediation procedures reduce the mean time to respond (MTTR) to a potential incident.
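The pipeline the summary describes (collect telemetry from several domains, evaluate it against detection rules mapped to an intrusion framework, enrich with threat intelligence, then correlate related hits into one prioritized incident) can be shown in miniature. The following script is an added example written for this page; it is not code from GigaOm or from any vendor covered in the report. The telemetry events, the three detection rules, the threat-intel entry and the scoring thresholds are all constructed assumptions; only the MITRE ATT&CK technique IDs (T1110, T1059.001, T1071.004) are real identifiers.

```python
"""Minimal XDR-style detection and correlation pass (added example).

Flow: telemetry -> per-event detection rules (each tagged with an ATT&CK
technique) -> threat-intel enrichment -> per-host correlation into incidents
with a priority. All inputs below are constructed for illustration.
"""
from collections import defaultdict

# Constructed telemetry from three source domains (identity, endpoint, network).
TELEMETRY = [
    {"source": "identity", "host": "ws-17", "user": "jdoe", "event": "login",
     "result": "failure", "count": 12},
    {"source": "identity", "host": "ws-17", "user": "jdoe", "event": "login",
     "result": "success", "count": 1},
    {"source": "endpoint", "host": "ws-17", "user": "jdoe", "event": "process",
     "image": "powershell.exe", "cmdline": "-enc <base64 placeholder>"},
    {"source": "network", "host": "ws-17", "event": "dns",
     "query": "bad.example.test"},
    {"source": "endpoint", "host": "srv-02", "user": "svc_backup", "event": "process",
     "image": "powershell.exe", "cmdline": "Get-ChildItem"},
]

# Constructed threat-intel feed; the domain is a placeholder, not a real IoC.
THREAT_INTEL = {"bad.example.test": "placeholder C2 domain"}

# Detection rules: predicate -> (rule name, ATT&CK technique ID, base score).
RULES = [
    (lambda e: e["source"] == "identity" and e.get("result") == "failure"
     and e.get("count", 0) >= 10,
     ("Repeated authentication failures", "T1110", 40)),
    (lambda e: e["source"] == "endpoint" and e.get("image") == "powershell.exe"
     and "-enc" in e.get("cmdline", ""),
     ("Encoded PowerShell command line", "T1059.001", 50)),
    (lambda e: e["source"] == "network" and e.get("query") in THREAT_INTEL,
     ("DNS query to threat-intel listed domain", "T1071.004", 70)),
]


def detect(events):
    """Apply every rule to every event; return hits with ATT&CK and intel context."""
    hits = []
    for e in events:
        for predicate, (name, technique, score) in RULES:
            if predicate(e):
                hit = {"host": e["host"], "rule": name,
                       "technique": technique, "score": score}
                if e.get("query") in THREAT_INTEL:
                    hit["intel"] = THREAT_INTEL[e["query"]]   # enrichment
                hits.append(hit)
    return hits


def correlate(hits):
    """Group hits by host into incidents.

    The score is the sum of hit scores plus a bonus for each additional distinct
    technique seen on the host: several unrelated-looking techniques on one host
    are a stronger signal than one technique firing repeatedly.
    """
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    incidents = []
    for host, hs in by_host.items():
        techniques = sorted({h["technique"] for h in hs})
        score = sum(h["score"] for h in hs) + 25 * (len(techniques) - 1)
        priority = "high" if score >= 100 else "medium" if score >= 50 else "low"
        incidents.append({"host": host, "techniques": techniques,
                          "score": score, "priority": priority})
    return sorted(incidents, key=lambda i: -i["score"])


if __name__ == "__main__":
    for incident in correlate(detect(TELEMETRY)):
        print(incident)
```

Run as-is, the script reduces five raw events to a single high-priority incident on ws-17 spanning three techniques, while the benign PowerShell usage on srv-02 produces nothing. That reduction from per-event alerts to one correlated incident is the noise-suppression effect the summary attributes to XDR.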
This GigaOm Radar report highlights key XDR vendors and equips IT decision-makers with the information needed to select the best fit for their business
and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating XDR Solutions,” we describe in more detail the key features
and metrics that are used to evaluate vendors in this market.
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution
characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on
strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small
businesses to medium-sized companies. Also assessed are departmental use cases in large enterprises, where ease of use and deployment are more
important than extensive management functionality, data mobility, and feature set.
Enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category have a strong
focus on flexibility, performance, data integrations, and features that improve security and data protection. Scalability is another big differentiator, as are
case management capabilities to support large teams.
Specialized (MSSP and telecom): Optimal solutions are designed for specific use cases such as managed security service providers (MSSPs) or
telecommunications operators (telecom).
Cloud-only solutions: These are available only in the cloud. Often designed, deployed, and managed by the service provider, they are available only
from that specific provider. The big advantage of this type of solution is the integration with other services offered by the cloud service provider
(functions, for example) and its simplicity.
On-premises solutions: These solutions run out of a customer-controlled environment, be it infrastructure as a service (IaaS) like AWS EC2 or Azure VM
or on-premises. The customer is ultimately responsible for the administration and security of the entire stack but also in control of the data during its
entire lifecycle.
Hybrid solutions: These solutions are meant to be installed both on-premises and in the cloud, allowing organizations to build hybrid or multicloud
storage infrastructures. Integration with a single cloud provider could be limited compared to the multicloud option and more complex to deploy and
manage. In any case, hybrid solutions are more flexible, and the user usually has more control over the entire stack in terms of resource allocation and
tuning. These solutions can be deployed in the form of virtual appliances, like a traditional network-attached storage (NAS) filer but in the cloud, or as a
software component that can be installed on a Linux VM (that is, a file system).
[Table: vendor comparison; the rating cells did not survive extraction. Vendors listed: Barracuda, CrowdStrike, Cybereason, Cynet, Forescout, NetWitness, Nokia, Palo Alto Networks, Qualys, SentinelOne, Stellar Cyber, Trellix.]
Legend: Exceptional: Outstanding focus and execution; Capable: Good but with room for improvement; Limited: Lacking in execution and use cases; Not applicable or absent. Source: GigaOm 2023
The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge
the potential impact on the business.
KEY CRITERIA
[Table: vendor ratings against the key criteria (EDR Capabilities, Device Discovery, Case Management, Risk Prioritization, Data Ingestion, Data Retention, Mobile Device Security); the rating cells did not survive extraction. Vendors listed: Barracuda, CrowdStrike, Cybereason, Cynet, Forescout, NetWitness, Nokia, Palo Alto Networks, Qualys, SentinelOne, Stellar Cyber, Trellix.]
Legend: Exceptional: Outstanding focus and execution; Capable: Good but with room for improvement; Limited: Lacking in execution and use cases; Not applicable or absent. Source: GigaOm 2023
EVALUATION METRICS
[Table: vendor ratings against the evaluation metrics (Depth of Endpoint Telemetry, Depth of Platform Telemetry, Depth of Network Telemetry, Depth of Identity Telemetry, Depth of Code Telemetry, Scalability, TCO, Extensibility); the rating cells did not survive extraction. Vendors listed: Barracuda, CrowdStrike, Cybereason, Cynet, Forescout, NetWitness, Nokia, Palo Alto Networks, Qualys, SentinelOne, Stellar Cyber, Trellix.]
Legend: Exceptional: Outstanding focus and execution; Capable: Good but with room for improvement; Limited: Lacking in execution and use cases; Not applicable or absent. Source: GigaOm 2023
By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The
chart characterizes each vendor on two axes—balancing Maturity versus Innovation, and Feature Play versus Platform Play—while providing an arrow that
projects each solution’s evolution over the coming 12 to 18 months.
As you can see in the Radar chart in Figure 1, this is a space with many mature platform players, which is the result of vendors being driven by the
demands of customers to add new features rather quickly. This dynamic has some vendors settling to the left (Feature Play) side of the chart a little more so
than they did in last year’s Radar, simply because they may not have added features as quickly as the other vendors.
Starting in the Maturity/Feature Play quadrant of the Radar, CrowdStrike and Trellix offer a similar set of capabilities. Both provide a good mix of features
and the potential for a managed solution.
Moving into the Maturity/Platform Play quadrant, Barracuda’s highly capable XDR solution targets the needs of managed service providers (MSPs).
Cybereason, with its broadly capable, automated, and human-expertise augmented XDR solution, lands well within the Leaders circle. NetWitness has
developed a comprehensive solution, with numerous integrations, though its lack of mobile device support places it in the Challengers circle.
Nokia is positioned as a fast-moving leader, has developed new features and capabilities over the last 12 months, and now offers a full endpoint detection
and response (EDR) suite within its XDR tool to deliver a highly capable, telecom-focused XDR solution. Palo Alto Networks’ XDR solution combines
significant telemetry from its various sources with an intuitive and simplified user experience. The Qualys XDR solution continues to provide great value
with its all-inclusive approach to delivering XDR. SentinelOne, with its highly automated and AI-powered XDR approach, provides deep yet easy-to-
understand visibility through its Storyline Active-Response (STAR) case management feature. Finally, Stellar Cyber offers its vision of XDR through its
Open XDR platform. This overlay-style solution eliminates the need for a rip-and-replace approach, offering businesses an effective and streamlined security
solution.
The Innovation/Platform Play quadrant holds two vendors, Cynet and Forescout. Cynet’s AutoXDR delivers managed XDR that includes behavior analytics,
AI, and deception technologies with simplicity and flexibility at its core. The Forescout solution might be the newest XDR tool and brings innovation to the
market. Instead of needing to rip-and-replace as you might with some XDR solutions, Forescout seeks to create greater efficiencies through the unification
of data across multiple technologies.
The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing
pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights
technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge
functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.
The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost
circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.
The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month
window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or
Outperformers based on their rate of progression.
Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation
and differentiation over incumbent market position.
5. Vendor Insights
Barracuda
Known best for its email protection appliances that revolutionized early enterprise email security, Barracuda has since diversified into many security
products and solutions, including an XDR solution aimed at the needs of MSPs.
Barracuda’s XDR solution comes to the market through a 2021 acquisition of the SKOUT cybersecurity company. Barracuda XDR was built from the ground
up as an XDR solution entirely focused on the needs of MSPs—primarily tenant data separation, consolidation of tenant dashboards into a single interface,
and fully managed detection and response (MDR). The entire Barracuda XDR solution is usually delivered via a cloud service; however, there’s an option to
stand up a physical appliance or VM on-premises. This solution is sold per seat or per device at the MSP. Note that Barracuda XDR can be leveraged by all
businesses through Barracuda’s global channel partner network.
New since the last version of this Radar report is the ability to integrate with SentinelOne, which adds a comprehensive and powerful EDR solution set to
the Barracuda XDR platform. This provides a capability that was previously missing from this solution: the ability to remotely access and isolate the
endpoint. This additional feature is made possible through a mature integration, but it requires additional licensing to enable it.
The solution’s flexibility is quite strong, though, and numerous integrations enable it to gather telemetry from a broad range of sources through its unique
extensible data pipeline. Sources include Microsoft 365, Okta, Amazon Web Services (AWS) Cloudtrail, Google, Cisco AMP, and CrowdStrike.
The Barracuda XDR solution is a managed service, so robust case management capabilities are built in. From a single pane of glass, Barracuda XDR
customers are able to see all active investigations and incidents occurring within their clients’ environments. Add to this the 500 detection rules that map
events to the MITRE ATT&CK intrusion framework, each backed by a security operations center (SOC) playbook that is leveraged either by the managed
SOC or the Barracuda XDR customer, and it becomes clear that this solution is built to provide practical security improvements. Note, however, that the
Barracuda solution does not provide coverage for mobile devices.
When evaluating this solution, bear in mind that it is SOC-2 Type 2 audited, and CCPA-, GDPR-, and HIPAA-compliant. With its cloud-native architecture that
leverages Kubernetes underneath, rapid scaling to meet client demand will not be an issue. Moreover, Barracuda XDR is built with ease of use for
administrators in mind and provides simplified integrations during initial setup to accelerate deployment.
Strengths: Barracuda XDR is a highly flexible solution with possibly the broadest selection of integrations available. With its SentinelOne EDR integration,
this solution’s capability set is now more comprehensive.
Challenges: Although the advanced EDR solutions are welcome, they require additional licensing beyond the core Barracuda solution, and there is no
mobile device support.
CrowdStrike
CrowdStrike, the company that’s famous for its single-agent security solution with the tagline “We stop breaches,” was one of the first entrants into the XDR
space. Combining several components of its platform, the CrowdStrike Falcon Insight XDR solution provides coverage for most attack surfaces found in
modern organizations, including cloud workloads and endpoints.
CrowdStrike refers to the common sources of data as domains, and these include endpoint, web, network, identity, and email. Recognizing that it couldn’t
supply telemetry for all of these domains, CrowdStrike established the CrowdXDR Alliance with other security vendors, including Google Cloud, Okta,
Zscaler, Cloudflare, Proofpoint, Corelight, Netskope, and ServiceNow. This alliance enables the Falcon Insight XDR to create a holistic view of an
organization’s security posture.
The CrowdXDR Alliance offers mature integrations that allow CrowdStrike to gather a wide range of additional telemetry. For organizations building out
their security portfolio or migrating existing security solutions to a member of this XDR alliance, this is not much of a challenge. However, for organizations
that are unable to migrate to an alliance solution or leverage an existing CrowdStrike Falcon LogScale integration (of which there are 60 or more), the
effectiveness of the CrowdStrike XDR solution would be limited.
Because CrowdStrike leverages its EDR as part of its XDR solution, it scores very well on the EDR capabilities key criterion, with its deep insight into
endpoint telemetry and strong EDR capabilities like device isolation and some automated remediation.
The CrowdStrike Falcon platform’s ability to discover the environment is based on its agent, which is able to provide application and service inventories.
This data in turn enables identification of outdated and vulnerable applications, as well as insight into application usage, which is often nearly impossible to
ascertain without using end user questionnaires. The discovery method is endpoint-based, so the solution is unable to discover applications or endpoints
from traffic sources.
The MITRE ATT&CK framework is renowned for its simplicity and efficacy. It is an intrusion framework designed to help defenders identify attacker
techniques and behaviors. This information is then used to determine appropriate mitigations and the next steps the attacker is likely to take. The CrowdStrike
Falcon Insight XDR solution maps events to the MITRE ATT&CK framework, providing administrators with a large, single-screen visual representation to
illustrate attacker paths and impacted systems. This is a nice feature that can provide clarity quickly during an incident.
The CrowdStrike Falcon Insight XDR solution is a SaaS offering, and as with any other SaaS product, it’s critical to assess its ability to meet the regulatory
compliance needs of the client organization’s industry. Happily, the Falcon platform offers the most complete level of certification of any SaaS solution
available, including PCI DSS, CMMC, FedRAMP, HIPAA, FFIEC, SOC-2, and GDPR.
Finally, because it’s a single-agent SaaS solution and the agent is easily deployed, the Falcon platform has low administrative overhead. Logging into the
administrator portal provides a clear and intuitive user experience, which can be navigated easily to find important forensic and incident details quickly.
Strengths: CrowdStrike has powerful cross-platform, cross-telemetry correlation features and class-leading device isolation capabilities. It’s easy to deploy
and set up, and powerful alliance integrations alleviate common XDR pain points. This is a highly scalable, highly certified SaaS solution.
Challenges: Non-alliance-member solutions may be difficult to integrate. The depth of its network, code, and identity telemetry is weaker than some other
solutions.
Cybereason
Founded in 2012, Cybereason brought to the market the concept that malicious operations (MalOps), rather than individual alerts, should be the key focus
of any security operations team. This concept has propelled it to the forefront of the EDR (and MDR) market. An important note here is that all Cybereason
XDR deployments include the Cybereason MDR services, which is a great way to reduce the workload for internal security operations teams.
Recently, Cybereason partnered with Google Cloud, combining technology from Cybereason, Google Cloud, and Google Chronicle. The result is an XDR
solution built on top of Chronicle’s highly capable cloud-based SIEM solution. This partnership brings the ability to search internet-scale data sets rapidly,
making big-data challenges a non-issue for Cybereason. This is a unique approach to solving a common issue for XDR solutions: what to do with the
massive volume of alert data received from cross-layered telemetry.
Unlike most other vendor offerings, this solution is available in four deployment models: cloud, on-premises, hybrid, and an air-gapped option. The cloud
option is certified to ISO-27001, ISO-27017, and ISO-27018, and is SOC-2 audited and aligned with the Cloud Security Alliance’s (CSA) standards. The hybrid
model shares some of these benefits, but with it, as well as with the on-premises and air-gapped options, the majority of the compliance burden falls on the
client.
The solution offers capable device isolation and blocking features, with both automated and manual options. This is a key capability because organizations
need to remotely isolate endpoints from sensitive data and networks, yet still allow remote administrator access so that Digital Forensics and Incident
Response (DFIR) activities can be performed.
Because XDR involves endpoint protection, a feature that was born in the antivirus era—the ability to whitelist applications or directories to allow some
level of customization per organization—has been reimagined for modern solutions. This capability has now been abstracted from applications and
directories and turned into a feature that can allow (or block) certain behaviors rather than just applications, files, and directories. Today’s security
landscape is one in which fileless malware is becoming more common, which has driven detection efforts to focus more on behaviors. Unfortunately, this
approach also drives up false positives, but modern whitelisting enables organizations to rein in some of those false positives.
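The behavior-level allowlisting described above can be made concrete. The script below is an added example written for this page, not code from the report or from Cybereason. It models an allowlist whose entries exempt one behavior (a process performing a specific action against a specific target) rather than a whole file or directory, so a noisy but legitimate process is suppressed only for the behavior it is known to perform and stays fully monitored for everything else. The actions, process paths, allowlist entries and sample behaviors are constructed assumptions.

```python
"""Behaviour-level allowlisting for behaviour-based detections (added example).

A detection fires on a behaviour; an allowlist entry can suppress it only when
process, action and target all match. Allowlisted behaviours are still recorded
(verdict "suppressed") so an analyst can audit what the allowlist is hiding.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Behaviour:
    process: str   # image path of the acting process (normalised before matching)
    action: str    # e.g. "lsass_read", "registry_write", "child_process"
    target: str    # process name, registry key, file path, ...


@dataclass(frozen=True)
class AllowRule:
    process_glob: str
    action: str
    target_glob: str
    reason: str    # why the exemption exists; surfaces in the verdict detail


# Behaviour detections: action -> detection category (constructed).
SUSPICIOUS_ACTIONS = {
    "lsass_read": "credential access",
    "registry_write": "persistence",
    "child_process": "execution",
}

# Constructed allowlist: exempt the backup agent's LSASS handle and one installer's
# Run-key write, nothing broader. Entries are as narrow as the known behaviour.
ALLOWLIST = [
    AllowRule("C:\\Program Files\\BackupAgent\\*.exe", "lsass_read", "lsass.exe",
              "backup agent opens a token handle on LSASS"),
    AllowRule("C:\\Program Files\\Vendor\\setup.exe", "registry_write",
              "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
              "vendor installer registers its autostart entry"),
]


def match_rule(b, allowlist=ALLOWLIST):
    """Return the first allowlist entry matching this exact behaviour, else None.

    Caveat: '*' in a glob also matches path separators, so callers must pass
    canonical, normalised paths or an entry like 'Dir\\*.exe' could be matched
    by 'Dir\\..\\other.exe'.
    """
    for r in allowlist:
        if (r.action == b.action
                and fnmatch.fnmatchcase(b.process, r.process_glob)
                and fnmatch.fnmatchcase(b.target, r.target_glob)):
            return r
    return None


def evaluate(b, allowlist=ALLOWLIST):
    """Return (verdict, detail): 'benign', 'alert' or 'suppressed'."""
    category = SUSPICIOUS_ACTIONS.get(b.action)
    if category is None:
        return ("benign", "no detection defined for this action")
    rule = match_rule(b, allowlist)
    if rule is not None:
        return ("suppressed", f"{category}: allowlisted ({rule.reason})")
    return ("alert", f"{category}: {b.process} {b.action} {b.target}")


def triage(behaviours, allowlist=ALLOWLIST):
    """Count verdicts over a batch of observed behaviours."""
    counts = {"alert": 0, "suppressed": 0, "benign": 0}
    for b in behaviours:
        counts[evaluate(b, allowlist)[0]] += 1
    return counts


# Constructed observations: the same action from different processes gets
# different verdicts, and the allowed process is not exempt for other actions.
SAMPLE_BEHAVIOURS = [
    Behaviour("C:\\Program Files\\BackupAgent\\agent.exe", "lsass_read", "lsass.exe"),
    Behaviour("C:\\Users\\Public\\tool.exe", "lsass_read", "lsass.exe"),
    Behaviour("C:\\Program Files\\BackupAgent\\agent.exe", "registry_write",
              "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\agent"),
    Behaviour("C:\\Program Files\\Vendor\\setup.exe", "registry_write",
              "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor"),
    Behaviour("C:\\Windows\\notepad.exe", "file_read", "C:\\notes.txt"),
]

if __name__ == "__main__":
    for b in SAMPLE_BEHAVIOURS:
        print(evaluate(b))
    print(triage(SAMPLE_BEHAVIOURS))
```

The point to notice is the third sample: the backup agent is allowlisted for reading LSASS, yet its Run-key write still alerts, because the exemption is bound to a behavior and not to the binary. That is the difference between this approach and the antivirus-era file or directory allowlist, and it is why the false-positive reduction does not come at the cost of a blind spot on the exempted process.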
Although XDR focuses on the entire spectrum of technologies found in an organization’s infrastructure, the endpoint detection and response component is
still critical. Cybereason’s XDR leverages its EDR technologies, including the ability to respond predictably to MalOps even when the agent is disconnected
from the internet or the management console. Moreover, this solution benefits from having its own in-house threat intelligence team that is able to
operationalize and integrate findings from its research directly into the XDR (and EDR) solution.
Flexibility is a key Cybereason strength. This solution leverages the idea of an app store, from which administrators can select different technologies that
have prebuilt integrations and, with a few clicks, complete most integrations. This feature signals a very mature solution with reduced administrative
overhead. The administrator UI is well designed overall, although there have been a few reports of slow performance.
Finally, consideration is given to the entire platform’s pace of development. Cybereason is clearly pushing hard to innovate and identify new opportunities
to speed up response to attacks, reducing the MTTR to MalOps. However, this development flux also comes with the potential for more bugs, which could
impact usability or feature availability. Bugs are less of a concern with the cloud delivery model, and they do appear to be mitigated quickly through
patching for hybrid, on-premises, and air-gapped solutions.
Strengths: Cybereason’s focus on MalOps results in a high accuracy of alerts. The solution is built on top of Chronicle and offers predictive agent response
behaviors and strong EDR capabilities as a certified cloud solution.
Challenges: Rapid innovation can lead to bugs. A few complaints regarding the performance of the administrator UI have surfaced.
Cynet
Established in 2015, Cynet has combined various solution capabilities into a unified platform, known as Cynet AutoXDR. This platform integrates XDR with
AI response automation and a 24/7 MDR service to provide a comprehensive security solution. What sets Cynet apart is its emphasis on automation as a
core feature of the platform, followed by transferring critical workloads to the managed detection team. This approach stands out from other solutions in
the market.
Cynet AutoXDR is a SaaS-delivered platform that integrates features of NGAV, EDR, user behavior analytics (UBA), and deception technologies to provide a
rich source of telemetry for the XDR engine. Cynet AutoXDR also boasts rapid, simplified agent deployment that takes just two clicks.
Cynet AutoXDR offers remote device isolation capabilities in an automated fashion. It also gives administrators the ability to remotely connect to endpoints
via shell in a way that’s similar to SSH—a feature that can provide tremendous value during the incident response process. The solution also references the
ability to reset an endpoint to a known-good backup state, which leverages Microsoft’s volume shadow copy feature set.
Cynet AutoXDR offers a broad range of integrations with existing security technologies, avoiding the walled garden approach some XDR solutions use to
achieve the same results. These integrations are important to consider because companies will almost always keep prior investments in technology, and
won’t replace them with XDR.
A key feature of the Cynet XDR platform is the managed services component, which includes MDR as well as threat hunting and remote incident response.
The MDR offering is what Cynet is known for, and it delivers a well-rounded product. The threat hunting functionality, however, raises questions of efficacy
based on its description in the documentation. If managed threat hunting is a key consideration for an organization, being able to determine the true
breadth, depth, and focus of the managed threat-hunting service would be a valuable step towards picking the right solution.
One of the solution’s standout features is its integration of deception technologies, including honeypots, honeytokens, and honey users. All three can be
deployed into an environment to entice attackers into taking action. Attacker behavior is then recorded so that in the future, similar behaviors (indications
of compromise) are flagged earlier. User behavior monitoring is another powerful feature not found natively in other XDR solutions. This capability provides
deeper insights into trusted user activities, which can be used to identify malicious insiders or compromised accounts before malicious actions have been
taken.
The extended approach that is unique to XDR means these solutions should collect telemetry from as many source types as possible. The Cynet solution
collects telemetry from all of the identified source types, except for code, which is often collected through repository platforms like GitHub and GitLab.
Finally, it’s worth noting that the solution’s extensibility is somewhat limited compared to other solutions. This is to be expected, however, because MDR
components are often a limiting factor for extensibility, regardless of the vendor.
Strengths: Cynet AutoXDR has strong EDR capabilities and managed services are baked in, with threat hunting as an add-on. The solution delivers
integrated UBA and deception technologies, and there’s a lot of flexibility with regard to integrating with existing technologies.
Challenges: There’s no device access to endpoints when isolated, and no code telemetry feature within this solution.
Forescout
Founded in 2000, Forescout is a cybersecurity company specializing in providing visibility and control of devices connected to networks. The company has
created innovative technology that enables automated and proactive security by allowing organizations to continuously monitor both managed and
unmanaged devices on their network and to secure any endpoint device.
Forescout XDR is a cloud-based service that provides actionable alerts on advanced threats across all connected assets—IT, OT/ICS, IoT. It leverages data
from logs and telemetry, converting the information into high fidelity probable threats that are detected automatically regardless of the EDR vendor and
can then be investigated by analysts. Licensing is based on the number of endpoints, defined as a device with an IP or MAC address, and includes log
storage for 31 or 365 days (with longer terms available, for a fee).
This solution takes a vendor-neutral stance on EDR, integrating seamlessly with a wide range of solutions from the leading EDR vendors, including
SentinelOne, CrowdStrike, Microsoft, VMware Carbon Black, Trend Micro, Cisco, McAfee, Sophos, Symantec, and ESET. This is a trend that is becoming
more common in the XDR space as vendors focus on the unification of data instead of developing their own EDR solutions.
Forescout’s Network Security offering, sold separately, delivers real-time device discovery, agentless compliance assessment, segmentation management,
and network access control (NAC) capabilities. This network-based approach to discovery provides substantial insight into all network-connected devices,
including unmanaged and cyber-physical systems that don’t support security agents. This approach, in combination with its integrations in the eyeExtend
ecosystem, enables automated network and host-based controls for orchestrating the remediation of noncompliant devices or the containment of threats
to keep the network secure. However, this approach isn’t as comprehensive as those that combine API and agent-based methods of discovery.
Case management is built into the platform but bidirectional integrations into third-party case management solutions like ServiceNow, RSA Archer, and Jira
are also provided. The Forescout case management capabilities revolve around the NIST Incident Response Life Cycle processes, enabling users to apply
a comprehensive approach to incident management.
Risk prioritization with Forescout XDR is based on projected impact and estimated severity of the event, ranging from “Sev1” to “Sev5,” making it intuitive
for users familiar with Information Technology Infrastructure Library (ITIL) processes. To ensure comprehensive mobile device security, clients need to
leverage the right tools. Forescout XDR solves the issue in the same way as with endpoint security—by integrating with the customer’s existing tooling.
As XDR solutions need to be able to ingest data from a variety of sources, Forescout provides more than 180 integrations across network security,
infrastructure, enrichment platforms, applications, and cloud vendors, covering the full range from IaaS to firewalls to identity, email, multifactor
authentication (MFA), threat intelligence platforms, and more. Data retention is offered in two tiers. The standard tier offers three days of searchable data
with 31 days of archived data while the professional tier offers three days of searchable data with 365 days of archive data.
Strengths: The Forescout solution creates a way to view telemetry from across various security and infrastructure tools in a unified way, while offering a
simple integrative approach with existing technologies.
Challenges: The vendor-agnostic approach taken by Forescout and others does not facilitate a consolidated approach to security tooling.
NetWitness
Founded in 2006, NetWitness specializes in providing advanced security analytics and threat detection solutions. It was acquired by RSA Security in 2011,
which, in 2020, then spun off its enterprise security division and established NetWitness as a stand-alone entity. Today, NetWitness remains owned by RSA
Security and provides security analytics and protection against modern cyberthreats.
NetWitness XDR is designed to be flexible and, due to its modular architecture, can be deployed in either an on-premises or cloud environment. This
makes it highly adaptive to different use cases and requirements. Additionally, its user interface has been carefully refined using feedback from customers,
making it easy for new users to learn and navigate the system quickly.
NetWitness XDR provides comprehensive EDR capabilities for all major operating systems, including Linux, macOS, and Windows. Moreover, having its
own EDR agent means it can offer deep endpoint telemetry to ensure automated remediation. This feature is not unique in the XDR space but can add
significant value when used correctly, so it should be noted.
The NetWitness XDR slogan (“See everything. Fear nothing.”) accurately portrays its discovery capabilities. Using a variety of data sources, such as
endpoint telemetry, behavior analytics, and data from integrated technologies (identity platforms, public clouds, and so forth), the NetWitness XDR platform
is able to create a comprehensive and unified view of an organization from the perspective of its assets and identities.
This solution has an efficient incident management workflow that aggregates events over time, across multiple data planes, such as network and
endpoints, providing a queue of prioritized incidents. These incidents contain contextual information about relationships, order of events, and flow of
communications to enable a clear understanding of the incident. The analyst can inspect all related metadata and raw data, including reconstructed
network sessions, files, log events, and involved processes and commands on the endpoint.
The workflow lets analysts prioritize risks with unsupervised ML behavioral models, rule-based logic, host and asset ranking, and rich contextual
enrichment. Severity is determined by rankings and detections triggered, and the information can also be integrated with customer-provided risk-ranking
feeds or third-party risk-management platforms such as Archer.
Mobile device support is limited to the consumption of logs from mobile device-focused platforms that are also able to integrate with the XDR solution.
NetWitness XDR collects and analyzes data from over 400 out-of-the-box sources, including Windows logs, proxy logs, firewall logs, Linux logs, cloud provider
logs (such as CloudWatch), endpoint agent telemetry, NetFlow, and network packet capture telemetry. Custom parsers can also be created using the
solution’s GUI. Even if a log source is not associated with a parser, NetWitness XDR can still extract a set of default attributes from it. The custom parsing
is a standout feature for this space.
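To make concrete what "a parser per source, plus default attributes when no parser matches" looks like in practice, the following is an added Python illustration. It is not NetWitness code, and this page does not describe NetWitness's parser format or attribute names: the parser registry, the regular expressions, the field names and the three sample log lines are all constructed for this example.

```python
"""Source-specific log parsing with a default-attribute fallback (added illustration)."""
import re
from typing import Optional

# Parser registry: source name -> regex with named groups. Constructed for
# this example; a real parser library would be far richer.
PARSERS = {
    "iptables": re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: .*?"
        r"SRC=(?P<src_ip>[\d.]+) DST=(?P<dst_ip>[\d.]+) .*?DPT=(?P<dst_port>\d+)"
    ),
    "sshd": re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
        r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
        r"(?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"
    ),
}

# Generic patterns for lines that no registered parser claims.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_ISO_TS = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?Z?")
_SYSLOG_TS = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d")
_HOSTNAME = re.compile(r"\b[a-z][a-z0-9-]*(?:\.[a-z0-9-]+)+\b", re.I)


def default_attributes(line: str) -> dict:
    """Best-effort extraction of timestamp, IPs and hostnames from any line."""
    attrs = {"raw": line, "parser": None}
    ts = _ISO_TS.search(line) or _SYSLOG_TS.search(line)
    if ts:
        attrs["ts"] = ts.group(0)
    ips = _IPV4.findall(line)
    if ips:
        attrs["ips"] = ips
    hosts = _HOSTNAME.findall(line)
    if hosts:
        attrs["hostnames"] = hosts
    return attrs


def normalize(line: str, source: Optional[str] = None) -> dict:
    """Use the parser registered for `source` (or try each one) and fall back
    to default attributes so an unknown source still yields searchable metadata."""
    candidates = [source] if source in PARSERS else list(PARSERS)
    for name in candidates:
        m = PARSERS[name].search(line)
        if m:
            attrs = dict(m.groupdict())
            attrs.update(raw=line, parser=name)
            return attrs
    return default_attributes(line)


# Constructed sample lines: two known formats and one the registry lacks.
SAMPLE_LINES = [
    "Mar  3 10:14:02 fw01 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=22",
    "Mar  3 10:14:05 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "2023-03-03T10:14:09Z vendor-appliance.corp.example: session opened by 10.0.0.5 to crm.internal.example",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(normalize(sample))
```

The third line has no parser, yet the fallback still yields a timestamp, an IP and two hostnames, which is enough to pivot on during an investigation even before anyone writes a proper parser for that source.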
NetWitness XDR uses a policy-based multilevel data retention approach to empower organizations to decide what to keep and for how long. It also
separates policies for payloads and metadata, allowing customers to craft policies to suit compliance and regulatory needs.
Strengths: This is a comprehensive XDR platform with over 400 ready-to-use data sources, custom parsers, and policy-based data retention capabilities. It
also provides advanced EDR capabilities and powerful case management features.
Nokia
Nokia, the Finland-based multinational corporation founded in 1865, didn’t take its current form until the 1960s when computing technology became an
integral part of its business. From then on, the company established itself as one of the main players in mobile telecommunications, including 5G networks,
and has since extended its reach to B2B telecom services with offerings such as XDR.
The Nokia XDR solution, part of a larger security suite called NetGuard, is designed to provide powerful mobile client network protection for both 4G and
5G services. Through its automated capabilities, this solution augments in-house security teams so they can observe traffic more accurately and take
action swiftly.
Users can consume the Nokia XDR solution either in-house as a self-managed service or as an external, pay-as-you-go Nokia NetGuard Cybersecurity
Dome. This solution is suitable for large telecoms and MSSPs working on telecom networks.
Change is the name of the game in the XDR space, and Nokia’s XDR solution is a great example of that. Nokia rapidly developed its own agent-based EDR
solution, which supports multiple platforms like Linux, Solaris, AIX, and Windows, then integrated it into the XDR offering, providing comprehensive
endpoint security.
Once a malicious actor has been detected on an endpoint—whether an unmanaged mobile device or a device with an EDR agent installed—the next step is
to isolate it. This cordoning off is necessary to protect the entire network and all connected endpoints, and Nokia achieves it using the built-in SOAR
capabilities that power its automations.
The solution was found to be flexible, with integrations for multiple mobile technologies and a range of cloud infrastructures. This broad integration
extends the effectiveness of the solution by increasing the scope of telemetry gathered.
Because of the solution’s mobile-centric nature, device discovery matters less than other key criteria, such as its case management capabilities, which
are designed for large SOCs or MSSPs working together, or its robust risk prioritization system, which clarifies which malicious actions present the
highest risk to the organization. Nokia’s risk prioritization combines a bespoke threat intelligence service, anomaly detection algorithms, and
customizable SLAs to address security issues in the mobile space effectively.
The solution is very extensible due to the vast array of connectors and integrations available. It also enables personalized dashboards and reports on a
customer-by-customer basis, providing extensive reporting abilities, and it carries a full set of certifications that further support its features.
Strengths: Nokia demonstrates clarity in its vision and features with its highly capable XDR platform. This solution includes the ability to collect data from a
diverse set of sources, a powerful automation engine, and intuitive dashboards and reporting.
Challenges: Nokia has focused on the telecommunications space, and although it integrates with Microsoft Sentinel and Microsoft’s XDR components, it may
not be a good fit for SMBs or small enterprises.
Palo Alto Networks (PAN)
PAN offers a unified collection of services and products under the Cortex brand, which encompasses its solutions targeted at SOCs, including XDR, and
it’s safe to assume that if you purchase a Cortex product, it will interact well with other Cortex products and with other PAN products. Additionally,
Cortex XDR provides numerous ways to directly ingest third-party data sources.
Recently, PAN released its Identity Threat Module, which can be used to create new dashboards and reports in the XDR solution to better monitor the
identity-based attack vectors that are often difficult to see. This feature includes new analytic models that integrate identity data into the XDR solution.
Another new feature, although limited in utility, is the solution’s ability to provide basic telemetry around the location and use of iOS mobile devices.
The Cortex XDR solution performs very well on EDR and device isolation. It offers device isolation through both automated and manual channels, and it
includes a live terminal to the isolated host so administrators can perform incident response activities. Uniquely, the Cortex XDR agent ships with a
DFIR toolkit, eliminating the need to maintain and deploy a separate toolkit in response to a breach. The endpoint-focused capabilities of this solution truly
make it stand out; however, this also comes at a cost. While the solution readily integrates security telemetry from other Cortex solutions, it does less
well with telemetry collected from non-PAN technologies.
Strong discovery capabilities enable XDR solutions to provide tremendous ROI because they help organizations find previously unknown systems, users,
and data—a perennial challenge for security teams. The Cortex XDR product does provide endpoint-focused discovery of, for example, installed packages,
applications, services, and users. However, the endpoint-centric approach makes it difficult for the solution to identify new systems and hosts, as this is
typically performed through network monitoring.
For many organizations, incident response exposes where the organization is weak or strong: during an incident, relevant context is often limited and
decisions may be made hastily. The Cortex XDR solution uses its Causality Analysis Engine (CAE) to automatically correlate all telemetry and events (both
PAN and third party) related to the same security incident. This gives security teams the most informative context available, in a time-series format,
enabling them to make better decisions.
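As an added example of the correlation step that both NetWitness (aggregating events across the network and endpoint planes into prioritized incidents) and Cortex XDR (the Causality Analysis Engine) are credited with above, the Python below clusters events into incidents whenever they share an entity within a time window, then emits each incident as a time-ordered chain. This is a generic illustration, not either vendor's engine: the event schema, the entity keys, the 30-minute window and the telemetry are all constructed assumptions for this example.

```python
"""Entity-linked event correlation into time-ordered incidents (added illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")


def entity_keys(ev):
    """Entities this event touches. A child's ppid yields the same key as the
    parent's pid, which is what links a process tree together across events."""
    keys = []
    host = ev.get("host")
    if host:
        keys.append(("host", host))
        for field in ("pid", "ppid"):
            if field in ev:
                keys.append(("proc", host, ev[field]))
    if "user" in ev:
        keys.append(("user", ev["user"]))
    for field in ("src_ip", "dst_ip"):
        if field in ev:
            keys.append(("ip", ev[field]))
    if "sha256" in ev:
        keys.append(("hash", ev["sha256"]))
    return keys


class DisjointSet:
    """Union-find over event indices; each root is one incident."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def correlate(events, window_minutes=30):
    """Group events that share an entity within `window_minutes` of each other.
    Returns incidents (lists of events, each time-ordered) ordered by start time."""
    window = timedelta(minutes=window_minutes)  # assumed temporal locality
    order = sorted(range(len(events)), key=lambda i: _ts(events[i]))
    ds = DisjointSet(len(events))
    last_seen = {}  # entity key -> (event index, timestamp) of its latest sighting
    for i in order:
        t = _ts(events[i])
        for key in entity_keys(events[i]):
            if key in last_seen:
                j, tj = last_seen[key]
                if t - tj <= window:
                    ds.union(i, j)
            last_seen[key] = (i, t)
    chains = defaultdict(list)
    for i in order:
        chains[ds.find(i)].append(events[i])
    return sorted(chains.values(), key=lambda chain: chain[0]["ts"])


# Constructed telemetry: a phishing-delivered script that spawns PowerShell, which
# beacons out, followed by an MFA denial from that external IP; plus two unrelated
# events (another host, and the same user hours later).
SAMPLE_EVENTS = [
    {"ts": "2023-03-03T10:14:01Z", "plane": "endpoint", "host": "ws-17", "user": "jdoe",
     "pid": 4120, "ppid": 980, "image": "outlook.exe"},
    {"ts": "2023-03-03T10:14:07Z", "plane": "endpoint", "host": "ws-17", "user": "jdoe",
     "pid": 4311, "ppid": 4120, "image": "wscript.exe", "sha256": "constructed-hash-1"},
    {"ts": "2023-03-03T10:14:09Z", "plane": "endpoint", "host": "ws-17", "user": "jdoe",
     "pid": 4520, "ppid": 4311, "image": "powershell.exe"},
    {"ts": "2023-03-03T10:14:12Z", "plane": "network", "host": "ws-17", "pid": 4520,
     "src_ip": "10.0.0.17", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"ts": "2023-03-03T10:40:00Z", "plane": "identity", "user": "jdoe",
     "src_ip": "198.51.100.23", "outcome": "mfa_denied"},
    {"ts": "2023-03-03T10:15:00Z", "plane": "endpoint", "host": "srv-db-02", "user": "svc_backup",
     "pid": 77, "ppid": 1, "image": "pg_dump"},
    {"ts": "2023-03-03T12:30:00Z", "plane": "endpoint", "host": "ws-17", "user": "jdoe",
     "pid": 5102, "ppid": 980, "image": "teams.exe"},
]

if __name__ == "__main__":
    for n, chain in enumerate(correlate(SAMPLE_EVENTS), 1):
        print(f"incident {n}:", [(e["ts"], e["plane"]) for e in chain])
```

Note that broad keys such as host and user will pull in unrelated activity on a busy endpoint; the window limits that here, and a production engine would additionally weight or scope such keys rather than treat every shared entity as an equally strong link.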
The user interface is quite intuitive and follows the same simple design principles found in other PAN products; however, some users have reported that
they find the automation capabilities to be lacking compared to PAN’s full XSOAR solution.
For non-endpoint telemetry, licensing is based on a “per TB of data ingested” model, meaning the more data consumed by the XDR solution, the more it
will cost the organization. Endpoint data is included and is retained for 30 days by default, but that retention span can be adjusted. As with other platforms,
including those with a broad suite of products, this solution is an excellent fit for organizations that have already invested in PAN products; the XDR
solution benefits from the quality and quantity of data collected by PAN’s other solutions, such as Prisma Cloud and its NGFWs. Additionally, as noted above,
Cortex XDR does ingest third-party data sources and is not limited to the PAN stack.
Strengths: PAN’s solution has powerful XDR capabilities, with great telemetry depth into identity, network, endpoints, and platforms. Code telemetry is
light, but it does exist. The product’s simple to understand yet powerful correlation capabilities provide much needed insight.
Challenges: This solution would likely require more upfront effort and cost for organizations not already invested in the PAN ecosystem.
Qualys
Qualys’ XDR solution follows the delivery model the company is known for: cloud first, but also available on-premises for certain use cases. The Qualys
solution is based on a single agent installed on endpoints (Linux and Windows are supported) and uses data collectors for telemetry where agents can’t be
installed.
Once agents are installed and telemetry sources are configured to send to data collectors, operators can review alert data from within the Qualys portal.
This is a key feature of the Qualys solution. All of its cloud-native solutions use the same agent, so pivoting from XDR to another Qualys service, like user
and entity behavior analytics (UEBA), is straightforward. Therefore, if an organization already has Qualys solutions in place, the deployment of Qualys
Context XDR is trivial.
Qualys’ XDR product contains its EDR solution, which delivers a variety of capabilities, like playbook-based remediations and direct pivots into other Qualys
platform solutions like vulnerability management. If an organization is using a different EDR solution, Qualys can most likely integrate with it. If you’re
considering the Qualys EDR solution, be aware that device isolation is not available yet but is expected by the end of Q2 2023.
The Qualys Context XDR solution maps events to the MITRE ATT&CK framework and tags them, in a convenient and easily understood way, with the
specific MITRE ATT&CK tactic and technique IDs. This allows rapid evaluation of risks, which in turn facilitates appropriate response actions and
timelines.
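An added Python example of what ATT&CK tagging buys an analyst: events are tagged with technique and tactic IDs, and the furthest kill-chain stage reached across the tagged events is then read off to gauge urgency. This is not Qualys code; the rule logic, the event schema and the sample events are assumptions made for this illustration. The technique and tactic IDs themselves are real ATT&CK Enterprise identifiers.

```python
"""Tagging events with MITRE ATT&CK technique and tactic IDs (added illustration)."""
from collections import Counter

# Enterprise tactics in kill-chain order (real ATT&CK IDs).
TACTIC_ORDER = [
    "TA0043", "TA0042", "TA0001", "TA0002", "TA0003", "TA0004", "TA0005",
    "TA0006", "TA0007", "TA0008", "TA0009", "TA0011", "TA0010", "TA0040",
]

# Technique -> (tactic used here, name). The IDs are real; where ATT&CK lists
# several tactics for a technique (T1078), the choice is this example's assumption.
TECHNIQUES = {
    "T1110":     ("TA0006", "Brute Force"),
    "T1078":     ("TA0001", "Valid Accounts"),
    "T1059.001": ("TA0002", "Command and Scripting Interpreter: PowerShell"),
    "T1071.001": ("TA0011", "Application Layer Protocol: Web Protocols"),
}

BRUTE_FORCE_THRESHOLD = 5  # assumed: failures from one source before it counts


def rule_encoded_powershell(ev):
    return (ev.get("type") == "process"
            and ev.get("image", "").lower().endswith("powershell.exe")
            and "-enc" in ev.get("cmdline", "").lower())


def rule_powershell_web(ev):
    return (ev.get("type") == "network"
            and ev.get("image", "").lower().endswith("powershell.exe")
            and ev.get("dst_port") in (80, 443))


PER_EVENT_RULES = [("T1059.001", rule_encoded_powershell),
                   ("T1071.001", rule_powershell_web)]


def tag_events(events):
    """Return a copy of each event with an 'attack' list of technique tags."""
    failures = Counter(ev["src_ip"] for ev in events
                       if ev.get("type") == "auth" and ev.get("outcome") == "failure")
    noisy_sources = {ip for ip, n in failures.items() if n >= BRUTE_FORCE_THRESHOLD}
    tagged = []
    for ev in events:
        ids = [tid for tid, pred in PER_EVENT_RULES if pred(ev)]
        if ev.get("type") == "auth" and ev.get("src_ip") in noisy_sources:
            # Failures from the source are the brute force itself; a success
            # from the same source afterwards is use of the guessed account.
            ids.append("T1110" if ev["outcome"] == "failure" else "T1078")
        tags = [{"technique": t, "tactic": TECHNIQUES[t][0], "name": TECHNIQUES[t][1]}
                for t in ids]
        tagged.append({**ev, "attack": tags})
    return tagged


def furthest_stage(tagged):
    """Latest kill-chain tactic seen across the tagged events, or None."""
    stages = [TACTIC_ORDER.index(t["tactic"]) for ev in tagged for t in ev["attack"]]
    return TACTIC_ORDER[max(stages)] if stages else None


# Constructed sample events: a password spray that succeeds, followed by
# encoded PowerShell that talks out over HTTPS, plus one benign process.
SAMPLE_EVENTS = [
    *({"type": "auth", "outcome": "failure", "user": "admin", "src_ip": "203.0.113.9",
       "host": "jump-01"} for _ in range(5)),
    {"type": "auth", "outcome": "success", "user": "admin", "src_ip": "203.0.113.9",
     "host": "jump-01"},
    {"type": "process", "host": "jump-01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"type": "network", "host": "jump-01", "image": "powershell.exe",
     "dst_ip": "198.51.100.23", "dst_port": 443},
    {"type": "process", "host": "jump-01", "image": "notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    tagged = tag_events(SAMPLE_EVENTS)
    print(Counter(t["technique"] for ev in tagged for t in ev["attack"]))
    print("furthest stage:", furthest_stage(tagged))
```

The point of the tactic ordering is the quick read it gives: a set of events whose furthest stage is Command and Control (TA0011) warrants a faster response than one that stops at Credential Access, regardless of how many alerts each produced.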
Case management capabilities provide a starting point for security teams to begin their investigations of threats. These investigations frequently grow in
scope and complexity, and a strong case management capability ensures they are carried out correctly and in a timely fashion. The Qualys solution
provides integration with ticketing platforms, a common case management solution, but it lacks in native incident case management features (which are
planned as a near-term roadmap item).
Finally, the output of an XDR solution should enhance the security operations team’s experience. A key criterion we have identified is the ability to describe
risks concisely, as they pertain to an organization’s particular technology and infrastructure. In the case of Qualys Context XDR, this is a very robust
capability, very well executed.
Strengths: Risk prioritization logic creates a clear picture of risks, significant effort is given to integration with other vendors, and the solution is part of a
larger proven solution portfolio.
Challenges: This solution is lacking in native case management capabilities, though it plans to add them in the near term.
SentinelOne
Founded in 2013, SentinelOne is an AI-driven security company. It offers an effective EDR solution that utilizes ML to advance endpoint security. The
solution serves as the springboard for customers to move into XDR and has been developed via continuous iteration since its inception. The SentinelOne
XDR solution (called Singularity XDR) is sold in a tiered model; the research discussed below was performed on its top-tier license and some features may
not be available in lower tiers.
Singularity XDR is a cloud-based solution with agents for macOS, Linux, and Windows and native endpoint, cloud, and identity protections. It provides
monitoring of VMs and containers from major IaaS providers. The integration list is extremely large and straightforward, with support for identity platforms
such as Okta and OneLogin, and IaaS providers like AWS, Google Cloud, and Microsoft Azure.
Leveraging ML, all security events are mapped to a “Storyline,” which is then coupled with automated responses to create what SentinelOne calls the STAR
feature. This feature is most useful in the EDR portion of the solution, but it is not limited to EDR and is actually able to map events from other telemetry
sources as well.
Another key aspect of SentinelOne’s EDR is its device isolation features, which include secure remote shell access to isolated endpoints, remote USB
control, and additional remote administration capabilities with the “Ranger Pro” add-on license.
Like other solutions in this space that have evolved from EDR, the device discovery capabilities are provided from the endpoint’s perspective. This
approach means that while discovery is able to enumerate application usage, packages installed, and services registered on managed endpoints, there is
still a lack of coverage of the network. Some XDR solutions are able to leverage network data to identify previously unknown systems to help expand
security coverage to those unknown endpoints.
MITRE ATT&CK coverage and capability is a great benchmark for measuring EDR efficacy and can be used to some extent to measure XDR efficacy. The
SentinelOne XDR solution, with the EDR solution built in, scored the highest of any vendor for coverage of the ATT&CK framework, as well as for having the
fewest missed detections in MITRE testing. This is no small feat and demonstrates effective, practical security for endpoints. In addition, risk prioritization is
achieved using AI confidence levels to verify suspected malicious actions.
The SentinelOne XDR solution is highly extensible with its API-first development methods. And, with its proven EDR solution integrated and broad data
ingestion capabilities, it’s not surprising that the SentinelOne XDR solution is viewed so favorably by many in this space.
Strengths: SentinelOne offers powerful and effective EDR capabilities including device isolation. It includes numerous robust integrations, its Storyline and
STAR features make tracking and responding to incidents simple, and it’s very extensible.
Challenges: Device discovery is limited to what can be found on the endpoint, and TCO can creep up with the numerous add-on licenses.
Stellar Cyber
Stellar Cyber is a cybersecurity company that provides an AI-powered, open-XDR platform for threat detection, investigation, and response. It’s built on an
API framework that enables easy platform integration with various security tools and provides a unified view of the security environment. The Stellar Cyber
platform uses ML and AI to automate threat detection, analysis, and response processes.
Stellar Cyber’s XDR solution is based on an open-XDR approach, which allows organizations to leverage their existing security investments while providing
a centralized platform for managing security operations. The platform collects data from various sources—such as endpoints, networks, cloud
environments, and applications—in real time. This comprehensive data collection enables security teams to detect complex attacks across the entire attack
surface quickly.
Stellar’s focus is on the SMB and mid-market space, and it therefore offers a co-managed XDR option for organizations that need additional security staff
resources. With co-managed XDR, Stellar Cyber’s team works alongside an organization’s existing IT staff or MSP to provide proactive threat detection and
response services. The co-managed service includes access to the Stellar Cyber platform, as well as ongoing support from its team of experts who can
provide guidance on threat hunting, incident response, compliance reporting, and more.
Stellar Cyber strategically selected NDR as a built-in capability in its open-XDR platform. Stellar Cyber NDR combines raw packet collection with NGFW
logs, NetFlow, and IPFIX from physical or virtual switches, containers, servers, and public clouds, enabling deep packet analysis for over 4,000 applications
and L2-L7 metadata and file assembly from network traffic. With an intrusion detection system (IDS) and malware sandbox included, it automatically detects
known bad actors and actions through commercial real-time signatures and sandbox-based malware detection.
Opting for an open-XDR approach, Stellar has decided to forgo developing its own EDR agent and instead focus on creating a versatile integration
capability that can both draw data from other EDR solutions and upgrade them with bi-directional integrations.
The same approach is applied to identity threats, email telemetry, cloud data, and SaaS events. Rather than replacing existing technologies, this method
should be seen as an overlay that can construct a unified and comprehensive view of security information from all sources.
Leveraging its built-in SIEM and SOAR capabilities, the Stellar solution is able to map security events to the MITRE ATT&CK framework. This feature is made
possible largely by the AI-powered event correlation engine and its ability to integrate with a broad range of existing technologies. Case management
functionality is available through the operator portal’s elegant design, with a simple-to-understand visualization of event timeline and impacted assets.
Discovery is enabled via the aforementioned broad integration capability. The Stellar solution is able to discover host and user data from the many source
types. From there, it can enrich the discovered assets and users with threat intelligence and context unique to the client organization.
The risk scoring system is comprehensive and facilitates easier prioritization. It assigns scores for alerts based on their severity and accuracy, and takes
into account the alert score and number of alerts for incidents as well. Additionally, it identifies risks associated with user accounts, factoring in elements
like importance, identified vulnerabilities, and past security alerts.
Mobile device security is a weak point for this solution, which is a common issue in the XDR market as this capability is still developing. This solution can
identify and recognize mobile devices via network telemetry, but that is the only coverage it offers. Finally, the open-XDR approach should be evaluated in
relation to the organization’s goals. If vendor consolidation is one such goal, this approach does not lend itself to that practice.
Strengths: Stellar’s XDR solution enters the XDR market with the intention of acting as the glue to unify and consolidate information that is siloed within
multiple IT and security solutions. It’s a simple, yet feature-rich and effective XDR solution.
Challenges: Mobile device security is limited to discovery and the open-XDR approach may not be a good fit for all organizations.
Trellix
Since 2004, Trellix has combined automated processes with human guidance to achieve strong security outcomes. With a good reputation for its EDR
product, the company was in an ideal position to launch an XDR solution when the need was identified. However, Trellix’s XDR does not include the
network, identity, and cloud asset protection that is available within its broader platform for an additional cost.
Trellix’s key strength is its flexibility. This solution is a clear winner in terms of its ability to integrate with and extract telemetry from the broadest variety of
sources in the XDR space. The breadth of data ingestion is key, because a good XDR creates value from its correlation of disparate event sources into a
unified chain of incidents, allowing security teams to see real incidents clearly in an otherwise very noisy environment. For organizations that have a broad
base of technologies and tooling in place, this is a capability that will be extremely valuable.
Trellix offers impressive EDR capabilities with a 99.5% ransomware neutralization rate and the ability to isolate and remotely access affected endpoints. As
such, it provides practical advantages over legacy AV and NGAV solutions as well as some other XDR solutions.
XDR solutions are most effective when they provide automated remediation for common and repeated tasks, and low-code or no-code automation
configurations are desirable. We have not been able to find documentation or examples of real-world security use-case automations that use the Trellix
XDR. However, the space is still young, so it may not be reasonable to expect all XDR vendors to offer this yet.
Collecting and then correlating the telemetry data from across an environment are good steps toward identifying root causes and valuable future actions,
but a good XDR solution can’t stop there. Trellix goes a step further and, through its case management capabilities, assigns a prioritized risk score to each
incident chain. These scores empower security teams to prioritize operational work more effectively. In addition, risk scores are paired with explanations
that provide rationales for security teams to help them better understand an incident and its impacts on the environment. This is a feature rarely found in
security solutions generally, let alone in the XDR space.
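As an added example of the scoring described for Stellar Cyber above (an alert score from severity and accuracy, an incident score that accounts for the alert scores and their number, and a user risk that factors in importance, vulnerabilities and past alerts) and of the score-with-rationale that Trellix is credited with here, the Python below shows one way to build such scores so that every number comes with the reasons behind it. The formulas, weights and sample inputs are assumptions made for this illustration, not any vendor's algorithm.

```python
"""Risk scoring with explanations (added illustration; formulas are assumptions)."""
import math

# Asset and user-importance weights are constructed for this example.
ASSET_WEIGHT = {"workstation": 1.0, "server": 1.1, "domain_controller": 1.2}
IMPORTANCE_WEIGHT = {"standard": 1.0, "privileged": 1.5, "executive": 2.0}


def alert_score(severity: int, fidelity: float) -> float:
    """severity is 1..10 from the rule; fidelity 0..1 is the rule's observed
    true-positive rate, so a noisy rule cannot dominate on severity alone."""
    return round(severity * 10 * fidelity, 1)


def incident_score(alerts, asset_type="workstation"):
    """Combine an incident's alerts: the strongest alert sets the base, each
    additional distinct detection adds diminishing weight, and the asset's
    importance scales the result. Returns (score, list of reasons)."""
    scored = [(a["rule"], alert_score(a["severity"], a["fidelity"])) for a in alerts]
    top_rule, top = max(scored, key=lambda s: s[1])
    distinct = len({rule for rule, _ in scored})
    volume = 10 * math.log2(distinct) if distinct > 1 else 0.0
    weight = ASSET_WEIGHT.get(asset_type, 1.0)
    raw = (top + volume) * weight
    score = round(min(100.0, raw), 1)
    reasons = [
        f"highest-scoring alert: {top_rule} ({top})",
        f"{distinct} distinct detections fired (+{volume:.1f})",
        f"asset type {asset_type} weighted x{weight}",
    ]
    if raw > 100:
        reasons.append("capped at 100")
    return score, reasons


def user_risk(user):
    """User risk from importance, open critical vulnerabilities on the user's
    devices, and alerts involving the user in the last 30 days."""
    importance = user.get("importance", "standard")
    weight = IMPORTANCE_WEIGHT.get(importance, 1.0)
    vulns = user.get("critical_vulns", 0)
    past = user.get("alerts_last_30d", 0)
    score = round(min(100.0, weight * (10 + 5 * vulns + 8 * past)), 1)
    reasons = [f"importance {importance} (x{weight})"]
    if vulns:
        reasons.append(f"{vulns} critical vulnerabilities (+{5 * vulns})")
    if past:
        reasons.append(f"{past} alerts in last 30 days (+{8 * past})")
    return score, reasons


# Constructed sample incident and users.
SAMPLE_ALERTS = [
    {"rule": "SSH brute force", "severity": 5, "fidelity": 0.8},
    {"rule": "Encoded PowerShell", "severity": 8, "fidelity": 0.9},
    {"rule": "Beacon to newly seen domain", "severity": 7, "fidelity": 0.6},
    {"rule": "SSH brute force", "severity": 5, "fidelity": 0.8},
]
SAMPLE_USERS = {
    "jdoe": {"importance": "privileged", "critical_vulns": 3, "alerts_last_30d": 2},
    "svc_backup": {"importance": "standard"},
}

if __name__ == "__main__":
    for asset in ("workstation", "domain_controller"):
        print(asset, incident_score(SAMPLE_ALERTS, asset))
    for name, user in SAMPLE_USERS.items():
        print(name, user_risk(user))
```

The same four alerts score 87.8 on a workstation and hit the cap on a domain controller; the reasons list is what lets an analyst see that the difference is the asset weighting rather than anything new in the alerts, which is exactly the rationale the paragraph above values.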
The UX is intuitive, clean, and simple. Scalability is a minor concern. While some vendors take a walled garden approach to their XDR solution, meaning
that they work very well with their own solutions and technologies but not so well with other vendors’ technologies, Trellix is clearly taking the opposite
approach. With over 1,000 out-of-the-box integrations, agent and agentless telemetry collection methods, strong EDR, powerful correlation capabilities, and
good reporting and alerting, this is a solution that will suit many organizations’ needs. However, an on-premises architecture is not offered, which may
exclude organizations that want the utmost control over their data. Mobile device coverage is not available, so for organizations hoping to add iOS and
Android devices to their XDR solution, this is not a good choice.
Strengths: The Trellix XDR solution delivers comprehensive observability and protections for enterprise organizations that are endpoint-centric. It has a
diverse catalog of integrations and is effective and generally easy to use.
Challenges: Device, system, and environment discovery capabilities are limited and protection for mobile devices is not provided.
6. Analyst’s Take
EDR ushered in a new age of cybersecurity, offering organizations and security professionals unprecedented visibility into and control over the high-risk
domain of endpoints. With its deeper insights and reactive and proactive automated actions to mitigate risks, EDR revolutionized the way security is
handled in organizations. The practical benefits that were realized soon sparked demand for similar capabilities across other areas, such as networks,
cloud computing, and identity management.
The demand from organizations for a comprehensive, integrated security solution prompted vendors to try to meet it. Their solutions range from
purpose-built platforms to existing technologies adapted to form the basis of the XDR solutions explored in this report. Knowing where XDR comes from is
essential to comprehending its current state and can provide insights into what’s expected in the future.
The Radar chart (Figure 1) shows that a majority of the solutions are from long-time players in a variety of security spaces, and that makes sense because
XDR leverages telemetry from some of those spaces. These platform vendors will provide organizations with a broad spectrum of security solutions that
can be purchased independently or together, to provide the XDR capabilities that fit requirements and budgets.
On the Feature Play side of the Radar, there are a few relatively new vendors. Though they don’t have the breadth of security tooling the other solutions
have, their solutions generally show the greatest levels of flexibility, not to mention some of the most significant ingenuity displayed in this space.
Typically, the comparison of Maturity players with Innovation players takes a larger role in the analysis of a market; however, in this case, all vendors
surveyed are rapidly developing capabilities and defining the XDR space, so this component of the evaluation is deemphasized. With that said, the vendors
identified as innovators are those more likely to be first to integrate new features.
Mobile devices have become common across all organizations because they are inexpensive and enable convenient, quick access to systems and data.
However, they also open up new vectors of attack and for this reason we are seeing some—but not all—XDR solutions now offer coverage for mobile
devices.
It’s important to remember that XDR solutions are themselves very new. Some are a mix of both new and mature technologies. Others are purpose-built,
with almost no perceptible boundary between solution components. There isn’t necessarily a good or bad part of this interesting mash-up, but
understanding it helps to set expectations accordingly. In new spaces like XDR, marketing terms and slogans can create distractions. It’s better to identify
use cases that will provide the most value to an organization, and then determine product requirements to ensure the best overall XDR solution is selected.
8. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs,
and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their
business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid
understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid
pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys,
use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a
spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a
deep and meaningful level.
9. Copyright
© Knowingly, Inc. 2023 "GigaOm Radar for Extended Detection and Response (XDR)" is a trademark of Knowingly, Inc. For permission to reproduce this
report, please contact [email protected].