They Call It XDR. We Call It Continuous Compromise Assessment.

When you ask for a definition of XDR, the answer is always vaguely based on what came before it. It’s an evolution of EDR, but with extended telemetry sourcing. EDR itself evolved as a response to endpoint security’s lack of operational capabilities for proficient cybersecurity operations. There are always a lot of acronyms involved, along with some of the trendiest buzzwords, like ‘next-generation’ or ‘hybrid’. Somehow we keep evolving new names for the solution, but the problem they are meant to address stays the same. It all just adds up to more noise in the cybersecurity space.

Why SIEM, NDR, and EDR had to evolve (into XDR)

SIEMs started as an exercise in log collection (a task they still excel at). Over time, administrators started using them to create rules that identify anomalous activity, and they became security tools. Unfortunately, SIEMs weren’t very good at collecting endpoint data, and so we got EDR. This worked well for a while, until we realized that the quality of alerts could be improved by correlating EDR with telemetry from other sources. Unfortunately, EDR was only good for endpoints, and so we needed the next evolution and got XDR.

The trouble with this reactive approach to building security solutions is that it misdiagnoses the problem and ensures that your solution will inherit its predecessors’ weaknesses and legacy DNA. For example, XDR and EDR sometimes still rely on rulesets that need to be maintained by specially trained security staff. NDR tries to look at too much data. When those rules are not properly laid out, you get heaps of false-positive anomalies being alerted. A Ponemon Institute study found that “25 percent of a security analyst’s time is spent chasing false positives—sifting through erroneous security alerts or false indicators of confidence—before being able to tackle real findings.”

Provide the Best Solution for the (Correct) Problem

First-principles thinking is a mental model that allows you to innovate in leaps rather than increments (famously championed by Elon Musk). The first step is to focus on your problem and make sure that you are indeed solving the correct problem. We often waste energy by trying to solve the wrong problem. It’s easier—but lazier—for us to think in terms of analogies, basing problems on things we are familiar with or assumptions we are comfortable with. EDR and XDR were both developed taking into account the weaknesses of their predecessors. That’s why they’re typically defined as an analogy: ‘it’s like X, but better.’ Instead, we challenged our assumptions and asked the hard questions that lead to better innovation.

Vendors are also prone to misapplying new technologies because of this misdiagnosis. We’ve seen powerful new AI techniques being developed only to be misapplied. As pointed out by Joseph Blankenship from Forrester at a recent discussion, vendors started saying to themselves “We’re pretty good at big data now, so let’s turn security into a big data problem,” with disastrous results.

So what is the ‘correct’ problem? It’s not that SIEM isn’t doing enough. The problem isn’t EDR, NDR, XDR, or any other acronym, for that matter. The problem is that catastrophic compromises occur with unacceptable frequency because the adversary remains undetected in the network for too long. This problem hasn’t changed much—apart from getting worse—through various iterations of security tools built upon their flawed foundations. We developed Continuous Compromise Assessment® in direct response to this root cause. That’s why we were able to elegantly apply emerging technologies to their best strengths.

How Lumu Sets Itself Apart

SIEM, EDR, NDR, and XDR all cover different use cases. As such, when you ask which one you need, the answer tends to be ‘a little bit of each’. They are a set of solutions for ingesting telemetry from other security solutions. Unlike XDR, Lumu is a standalone solution that can work in tandem with—but does not rely on—a SIEM. In terms of quality of life, resources required, and resiliency, Continuous Compromise Assessment surpasses SIEM, EDR, NDR, and XDR, while helping companies control the impact of cybercrime.

Continuous Compromise Assessment was designed to operationalize the concept of ‘assume you are compromised, and prove otherwise.’ To do so, we collect the most pertinent network metadata which is then standardized and correlated in the cloud using the Illumination Process®. The result is an experience that detects incidents of confirmed compromise in real time and kills the noise of endless, low-quality alerts.

XDR and Continuous Compromise Assessment end up ticking a lot of the same boxes, despite their different evolutionary trails. We chose a path that avoided the baggage that comes with a long line of failing cybersecurity products. Lumu was not designed to be “more of the same, but better,” but rather to be an actual breakthrough addressing a crucial problem.

Ready to start asking the right questions? Open a Lumu Free account.
