Skip to content
Products and Services PRODUCTS & SERVICES

What is Extended Detection and Response (XDR)?

Common questions answered

This article was updated on November 22, 2023 to provide the most recent information.

Sophos has established itself as a leader in extended detection and response (XDR). But what does XDR mean? What does it stand for? How does Sophos play in this market? For answers to these and other Frequently Asked Questions, read on!

What does XDR stand for?

There are three common interpretations of “XDR”.

  • Analyst firms like Gartner and Forrester describe it as “Extended Detection and Response.” “Extended” meaning that its scope goes beyond the endpoint to combine security data from multiple sources.
  • Another interpretation is that the “X” stands for “cross-layered” or “cross-product” detection and response; the point here being that data is combined from multiple products or security layers.
  • The third interpretation involves looking at “X” as a kind of mathematical variable standing in for whatever data sources you can plug into the equation (e.g., endpoint, network, cloud, messaging, etc.).

What is XDR?

Is XDR a product? A platform? The answer is yes.
XDR can be packaged and delivered as a tool or suite of tools that organizations deploy, administer, and operate.

A simple definition of XDR would be:
An approach that unifies information from multiple security products to automate and accelerate threat detection, investigation, and response in ways that isolated point solutions cannot.

Sound familiar? It should do: One of the defining strengths of Sophos products in recent years has been Synchronized Security: a set of features that enable endpoint, network, mobile, Wi-Fi, and email, to products to share information in real time and respond automatically to incidents. XDR represents the evolution of Synchronized Security into the fast-growing market category it has now become.

XDR can also be provided as a managed service by a team of experts using a proprietary or curated tech stack. Sophos offers a full MDR (Managed Detection and Response) service offering which is underpinned by Sophos XDR tools and technology.

Gartner definition of the XDR market:
(Source: Market Guide for Extended Detection and Response August 2023)
Extended detection and response (XDR) delivers security incident detection and automated response capabilities for security infrastructure. XDR integrates threat intelligence and telemetry data from multiple sources with security analytics to provide contextualization and correlation of security alerts. XDR must include native sensors, and can be delivered on-premises or as a SaaS offering. Typically, it is deployed by organizations with smaller security teams.

How is XDR different from SIEM or SOAR?

If you’re already familiar with the terms SIEM and SOAR, it’s not a stretch to see where XDR improves on the formula. XDR shares many functional similarities with SIEM (security information and event management) and SOAR (security orchestration, automation, and response) tools. Some even refer to XDR as a kind of spiritual successor to SIEM and SOAR.

The core differences, however, come down to the primary intent of SIEM and SOAR tools, and the focus of XDR on threat detection and response. The fundamental property that makes SIEM tools valuable is their ability to collect and analyze staggering volumes of log events and other data across disparate sources. Again, this is functionally similar to what is achieved through XDR. But whereas SIEM is primarily a search tool – requiring users to ask multiple questions (often in different ways) and assembling the resultant answers to arrive at a conclusion – XDR is capable of automatically responding to threats or, in cases where automated response cannot be performed, accelerating analyst-led threat hunts and investigations to improve response times.

Similarly, while SOAR platforms can add machine assistance to human security operators through the creation of playbooks (i.e., logic flows that can trigger scripted actions when certain conditions are met), they will not create those processes or workflows for you. So, while SOAR can help with alert management, it requires significant up-front investments in implementation as well as ongoing maintenance (tuning) performed by experienced security analysts to build effective case management and incident response playbooks.

Can an XDR approach be achieved using a SIEM or SOAR or some combination of the two? Yes. But it would require significant investments in tools, people, and processes to fill the gaps in functionality.

What is the business impact of XDR?

For security, IT, and risk management leaders, XDR capabilities reduce the complexity of security configuration, threat detection, and response, enabling organizations to prevent successful attacks from advanced adversaries.

XDR has earned favor among the C-suite for providing more accurate detection and prevention capabilities at a lower total cost of ownership. XDR, delivered either as a product or a managed service (MDR), appeals to security and IT leaders with limited resources who seek to reduce the total cost and complexity of their security program and improve their threat detection and response capabilities.

Organizations continue to seek security vendor and product consolidation to manage risk and improve security operations productivity. XDR vendors are making a play in this consolidation.

How does Sophos perform in the XDR market?

The XDR market is growing, having developed significantly from its EDR (Endpoint Detection and Response) background with XDR products now competing with SIEM/SOAR solutions.

According to Gartner’s Market Guide for Extended Detection and Response (published August 2023) by the end of 2028, “XDR will be deployed in 30% of end-user organizations to reduce the number of security vendors they have in place, up from less than 5% today.

Sophos currently has over 40,000+ XDR customers globally and has established itself as a leader in extended detection and response. And we have the industry recognition to back it up: Sophos XDR is one of only 10 vendors recognized in the 2023 Gartner Market Guide for XDR, was named a Leader in the G2 Grid for XDR, earned the position as the sole leader in Omdia’s vendor comparison for Comprehensive XDR, and delivered exceptional results in the 2023 MITRE Engenuity ATT&CK Evaluations (Round 5: Turla).

What do the terms “Hybrid XDR”, “Native XDR” and “Open XDR” mean?

These terms have made their way into the vocabulary of XDR recently, and some vendors are starting to use them in their messaging. In short, consider them as deployment options for XDR.

  • Native XDR integrates security tools from a single vendor’s portfolio, delivering the most efficient outcomes.
  • Hybrid XDR (also known as Open XDR) utilizes third-party security tools, reducing the need to rip and replace existing products.

Sophos XDR offers ultimate flexibility with the most complete native toolset and extensive third-party compatibility, with curated and correlated threat detections.

How do customers buy XDR from Sophos today?

Customers start by purchasing “Intercept X Advanced with XDR” licenses for endpoints and servers. Using these licenses, organizations can either deploy Sophos’ industry-leading Endpoint Protection or use our ‘XDR sensor’ deployment option to run alongside their incumbent endpoint solution.

But that’s just the beginning. Our expansive Sophos Central product portfolio is “XDR-ready”, meaning that each additional product adds value to the customer’s XDR toolset. When an XDR-ready product is deployed, it sends extensive telemetry data to the Sophos data lake, generates prioritized threat detections in the Sophos Central Threat Analysis Center, and enables the customer to query cross-product data for threat hunting and investigations.

Sophos XDR users can also leverage telemetry from an extensive range of third-party (non-Sophos) security tools, enabling organizations to get more ROI from their existing technology investments while speeding up security operations. Technology partner ecosystem integrations are available via Integration Packs (optional add-ons) including identity, network, firewall, email, cloud, productivity, and endpoint security solutions. Endpoint and Microsoft integrations are included with Sophos XDR subscriptions at no additional cost.

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!