What is XDR

1. Concept
    1.1. Origin
    1.2. Definition
    1.3. Functions
2. Why XDR?
3. How XDRs work?
4. What are the benefits of XDR?
5. Market
    5.1. Adoption rate
    5.2. Purchasing advice
    5.3. Evaluation criteria
    5.4. Risks of using XDR
    5.5. Representative vendors
        5.5.1. Cisco SecureX case
        5.5.2. McAfee MVISION XDR
6. Contrast with XDR
    6.1. SIEM and SOAR
7. References

1. What is XDR?

1.1. Origin

eXtended Detection and Response. The term was coined by Palo Alto Networks in 2018. In 2020 Gartner analyzed it and listed it among its Top 9 Security and Risk Trends.

XDR is the natural extension of EDR: Endpoint Protection → EDR (Endpoint Detection and Response) → XDR.

Development path: signatures → signatures + proactive defense → EPP (heuristics, intelligence, network, sandbox, AI) → EDR (behavior analysis, correlating processes with traffic, providing investigation information, recovery) → XDR.

1.2. Definition

Summary

X: aggregates a particular vendor's[1] endpoint, network, cloud and application[3] data into one whole[1] (a data lake[5]).

D: sees the bigger picture[8], inspects further[4], analyzes across layers[7], correlates investigations[1]; through data visibility, automated detection, analysis and hunting of today's and tomorrow's threats[3].

R: provides globally contextualized information, simplifies and accelerates investigation[5], automates response[3] (invoking endpoint and network[2] responses).

Effect: global investigation with nothing missed[8], shorter response times[7], fewer engineering headaches[9], simplified security work[10], expert-level standards[11], deep insight for the SOC[12].

Gartner

XDR is a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed security components.

XDR is a SaaS-based, vendor-specific security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system unifying all security components.

Architecture diagram:

Extended Detection and Response Conceptual Architecture

Cynet 365

    Extended means XDR  can provide insight into data in networks, clouds, endpoints, and applications (unlike traditional EDR which only focused on endpoints).

    Detection means XDR has automated analysis capabilities that can help it identify anomalies in the IT environment, detect potential security incidents, and provide the full attack story.

    Response means that XDR gives security teams the tools to immediately respond to an attack, by locking down endpoints, applying network segmentation, or other proactive measures. 

X: multiple devices; D: automated attack detection; R: invoking EPP and network blocking.

CISCO

Extended detection and response (XDR) delivers visibility into data across networks, clouds, endpoints, and applications while applying analytics and automation to detect, analyze, hunt, and remediate today's and tomorrow's threats.

XDR provides data visibility across network, cloud, endpoints and applications, while applying analytics and automation to detect, analyze, hunt and remediate today's and tomorrow's threats.

Fortinet

(XDR) is a natural extension of the endpoint detection and response (EDR) concept, in which behaviors that occur after threat prevention controls act are further inspected for potentially malicious, suspicious, or risky activity that warrant mitigation. The difference is simply the location (endpoint or beyond) where the behaviors occur.

XDR is the natural extension of EDR: behaviors are further inspected to determine whether potentially malicious, suspicious or risky activity exists, and mitigated. The difference is where the behavior occurs (on the endpoint or beyond it).

Palo Alto

Introducing a better category of detection and response tools: XDR. XDR stitches together data from the endpoint, network, and cloud in a robust data lake. Applying advanced machine learning and analytics, it identifies threats and benign events with superior accuracy and gives analysts contextualized information, simplifying and accelerating investigations.

XDR stitches data from endpoints, network and cloud into a robust data lake. Using machine learning and analytics it identifies threats accurately and gives analysts contextualized information, simplifying and accelerating investigations.

McAfee

XDR holds the promise of consolidating multiple products into a cohesive, unified security incident detection and response platform.

XDR is a logical evolution of endpoint detection and response (EDR) solutions into a primary incident response tool.

XDR promises to consolidate multiple products into a cohesive security incident detection and response platform; it is the evolution of EDR into a primary incident response tool.

Trend

Extended detection and response (XDR) is cross-layered detection and response. XDR collects and automatically correlates data across multiple security layers – email, endpoint, server, cloud workloads, and network – so threats are detected faster and security analysts improve investigation and response times.

XDR ingests and analyzes data across layers so that threats are detected faster and analysts' investigation and response times improve.

Symantec

XDR delivers deep insights to your SOC

XDR delivers deep insight to the SOC.

Sophos

See the bigger picture so you never miss a thing. Detect and investigate across endpoint, server, firewall, and other data sources.

See the bigger picture so that nothing is missed: detect and investigate across endpoint, server, firewall and other data sources.

FireEye

XDR integrates and unifies control points, security data, analytics and operations into a single enterprise solution. XDR supports multiple telemetries such as endpoint, network, web filters and cloud sensors to accelerate detection and response, while reducing engineering headaches.

XDR integrates and unifies control points, security data, analytics and operations into a single enterprise solution. XDR supports multiple telemetry sources, such as endpoint, network, web filters and cloud sensors, to accelerate detection and response while reducing engineering workload.

Check Point

XDR aims to simplify security management of enterprise networks. XDR integrates security visibility across the whole infrastructure, including endpoints, cloud infrastructure, mobile devices and more, thereby simplifying security management.

Rapid7

A unified, expert-driven approach to SIEM

A unified, expert-driven approach to SIEM.

1.3. Functions

Summary

Recommended:

Out of the box.
Open integration: a collection of common security products that are integrated.
Aggregated data: normalize and centrally store data for query and analysis.
Analysis and correlation: provide multiple forms of detection; analyze and correlate data from multiple security products to improve detection accuracy.
Invoked response: provide multiple response methods; changing the state of a security product is one step in a response playbook.
A whole system: tie the tools together into one security operations system.
User-centric: RSA holds that UEBA should be included, tying user behavior to security events.

Simplified:

X: normalize the key logs of the XDR ecosystem.
D: correlate security data and alerts.
R: in a response playbook, changing the state of security products can be part of the response.

Original text

Main XDR functions:

    To be a collection of common security products that are integrated out of the box

    Centralization and normalization of data in a central repository for analysis and query

    Improved detection sensitivity resulting from the contribution of multiple security products working in coordination

    Correlated incident response capability that can change the state of individual security products as part of the recovery process

An out-of-the-box collection of security products.
Normalize and aggregate: normalize and centralize data for query and analysis.
Improve accuracy: improve detection sensitivity through multiple security products working in coordination.
Correlated response that can change the state of security products.

XDR is a vendor-specific threat detection and incident response tool that unifies multiple security products into a security operations system. Primary functions include security analytics, alert correlation, incident response and incident response playbook automation.

Functions should include security analytics, alert correlation, incident response and automated response playbooks.

At a minimum, XDR tools require continuously updated intelligence about attacker tool tactics and techniques. They also need data normalization and other forms of preprocessing to enable analytics and correlations. They will typically also require extensive SaaS-based data storage, preferably in a graph database that is capable of connecting events that are not predefined. XDR tools tie together threat-facing security components, such as EPP/EDR, firewall, NIPS, SEG, CASB and SWG, into a cohesive security operations system.

XDR needs continuously updated attack-detection strategies and intelligence, data normalization for analytics, and extensive SaaS-based storage, preferably a graph database. It ties multiple security tools (EDR, FW, IPS, SEG, CASB, SWG) together into a single security operations system.

The primary value propositions of an XDR product are to improve security operations productivity and enhance detection and response capabilities by including more security components into a unified whole that offers multiple streams of telemetry, presenting options for multiple forms of detection and concurrently enabling multiple methods of response.

Mission: bring multiple security components into a unified whole, improve detection and response capability, present multiple forms of detection and concurrently enable multiple methods of response.

Three necessary conditions for XDR:

    Centralization of normalized data, but primarily focusing on the XDR vendors’ ecosystem only

    Correlation of security data and alerts into incidents

    A centralized incident response capability that can change the state of individual security products as part of incident response or security policy setting

Normalize the key logs of the XDR ecosystem.
Correlate security data and alerts.
Centralized incident response capability: can change the state of individual security products as part of incident response or security policy settings.

2. Why XDR?

Because of the following problems; Gartner notes that 80% of organizations are trying to find a solution to them.[10]

Summary

Pain points of enterprise security:

Supply and demand focus on different things: the market needs an incident-centric approach, while security products are centered on detection rates. (PA)
Too many alerts: many products with gaps between them, too many alerts, no correlation. Staff are overloaded.

Existing solutions (SIEM + SOAR) are hard to displace:

Low SIEM coverage: SIEM coverage is insufficient (XDR is functionally similar to SIEM + SOAR). (Gartner)
SIEM merging relies on rules, which leaves alerting and response capability lacking.
SIEM vendors lack security capability: XDR vendors' advantage over SIEM vendors is their threat-research capacity. SIEM vendors typically do not have the same level of threat detection and research analysis labs as XDR vendors.
SOAR faces a lack of APIs.
Building XDR across vendors is hard: the challenge independent vendors will face when integrating across multiple vendors.
Users cannot do it themselves: XDR's user base lacks the time and ability to integrate best-of-breed products into SIEM + SOAR.

The time is ripe for XDR:

The XDR market is promising: 80%, 5%.
Industry trend: consolidation of best-of-breed solutions across domains; integration of cloud, data and AI.
XDR can deliver out-of-the-box integration (each vendor's own ecosystem).

Gartner

XDRs are similar in function to security information and event management (SIEM) and security orchestration, automation and response (SOAR) tools. XDR products aim to solve the primary challenges with SIEM products, such as effective detection of and response to targeted attacks, including native support for behavior analysis, threat intelligence, behavior profiling and analytics.

XDR is functionally similar to SIEM + SOAR; SIEM coverage is insufficient and it is poorly used. XDR aims to solve the main challenges of SIEM products: effective detection of and response to attacks (behavior analysis, threat intelligence, behavior profiling).

SIEM vendors typically do not have the same level of threat detection and research analysis labs as XDR vendors. XDRs are not a replacement for all SIEM use cases, such as generic log storage or compliance.

XDR vendors' advantage over SIEM vendors is their threat-research capacity; XDR does not cover SIEM's log storage and compliance capabilities.

It may be possible for SIEM and SOAR tools and new entrants to claim XDR capability as the industry matures. (Hunters) The complexity of building a useful XDR for vendors that own all the components and can source the data natively illustrates the challenge independent vendors will face when integrating across multiple vendors.

As the market matures, SIEM vendors will gradually enter, but the difficulty is that building a useful XDR across multiple vendors is complex: there is no unified industry standard; data collection, common data formats and APIs are lacking; and much depends on each product vendor's strategy.

Despite these challenges, and more listed below, the overall rewards of more efficient, effective security operations for the mainstream market make XDR a promising new approach to enterprise security.

The XDR market is promising because the market needs security operations and effective response.

As security products mature, best-of-breed product functionality tends to become features of broader platform products. Integrating them is a natural next step. 

As security products mature, the market tends to adopt the best product in each domain. With the development of cloud, big data and AI, integrating them is the natural next step.

The traditional integration point in most enterprises has been the SIEM tools, which are good at collecting logs, but rarely improve detection fidelity in most implementations, use contextual indicators to combine multiple alerts or provide full incident response capability. Newer SOAR tools are designed to provide integration across multiple components, but are hobbled with a lack of available APIs, data merging issues and a workflow that is disconnected from the detection activity that can efficiently launch response activities.

In enterprises SIEM tools are good at collecting logs but rarely improve alerting or response capability. SOAR also cannot respond effectively because of problems such as a lack of available APIs.

XDR consolidates multiple vendor-specific security products into a cohesive security incident detection and response platform that is accessible to the mainstream market without extensive integration efforts.

XDR products should consolidate multiple vendor-specific security products into an incident detection and response platform that the mainstream market can use without extensive integration work.

XDR products will appeal to pragmatic enterprise security buyers that do not have the resources to integrate a portfolio of best-of-breed security products into a SIEM or SOAR tool.

XDR user base: organizations without the resources to integrate best-of-breed security products into SIEM or SOAR tools.

Fortinet

Gaps between security products; too many alerts; lack of correlation (relying on humans to correlate).

Palo Alto

Too many alerts that are incomplete and lack context. EDR detects only 26 percent of initial vectors of attack, and due to the high volume of security alerts, 54 percent of security professionals ignore alerts that should be investigated.

Time-consuming, complex investigations that require specialized expertise. With EDR, the mean time to identify a breach has increased to 197 days, and the mean time to contain a breach has increased to 69 days.

Technology-focused tools rather than user- or business-focused protection. EDR focuses on technology gaps rather than the operational needs of users and organizations. With more than 40 tools used in an average Security Operations Center, 23 percent of security teams spend time maintaining and managing security tools rather than performing security investigations.

Too many systems, too many alerts, repetitive tasks, time-consuming handling; existing products are positioned around detection rates rather than incidents.

FireEye

SIEM merges events by rules; because the rules are not controllable, alerts are inaccurate and incomplete. SOAR relies on engineers to correlate data, and the tools cannot process the data themselves, which reduces automated remediation capability. XDR vendors usually use their own ecosystem, locking customers into a single vendor's system.

X (combines a broad range of vendors, detections and intelligence); D (a reasoning engine connects the SOC's different pieces of evidence to determine threats); R (integrates SOAR for automatic, rapid incident response).

McAfee

More sophisticated attack methods evade traditional security controls.

Too many systems, too many things to do, too many false positives. Security teams have been overloaded for years.

Enterprises need unified and proactive security measures to protect the entire environment of technology assets.

These XDR products are limited in scope to the vendors' own products and technology, such as Cisco, Fortinet, Fidelis Cybersecurity, McAfee, Microsoft, Palo Alto Networks, Trend Micro, Sophos, FireEye and Symantec. They can provide private APIs to enable automated actions; these XDR products will be rapid time to value resulting from out-of-the-box integration.

Currently XDR vendors mainly correlate their own products (Cisco, Fortinet, Fidelis Cybersecurity, McAfee, Microsoft, Palo Alto Networks, Trend Micro, Sophos, FireEye and Symantec); they call their own APIs for automation, and out-of-the-box integration is where the value shows.

3. How XDRs work?

Summary

Collection and normalization: ingest and refine event data from multiple security systems. The types should include those in the table below.
High-performance storage: fast indexed search over indefinite periods.
Multi-dimensional detection: combine weak signals from multiple products into strong evidence of malicious activity.
Correlation analysis: provide context for how an incident arose and developed.
Handling recommendations: weighted guidance to prioritize handling.
Proactive response: automatically execute remediation for incidents; known incidents are handled automatically, unknown ones get an actionable report.

A table of ingested service types is attached.

Gartner

The core requirement of XDR systems is a centralized collection of historic and real-time event data in common data formats. Event data must be available for fast indexed searches for indefinite periods in scalable and high-performance storage. Another requirement is to use multiple detection techniques to combine weak signals from multiple products into strong evidence of malicious activity. In addition, XDRs are designed to enable a faster, more efficient response capability aided by automation. Finally, XDRs have the potential to improve the security posture by making it easier to maintain.

Collect event data in high-performance storage where events are available for fast indexed search over indefinite periods;
Use multiple detection techniques to combine weak signals from multiple products into strong evidence of malicious activity;
Achieve faster, more effective response with the help of automation;
XDR itself is easy to operate, so the security posture improves.
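As an added example (not from any vendor or from the original post), the following Python sketches the pipeline described in this section and in 1.3: normalizing three products' private alert schemas into one common schema, chaining alerts that share a host or user within a time window into incidents, combining weak signals into strong evidence with noisy-OR scoring, and planning a response that changes the state of the EDR and firewall only once more than one product confirms the incident. All product names, field names, weights and sample alerts are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

WINDOW_SECONDS = 300  # events this close in time may belong to the same incident

# Constructed sample alerts (hypothetical) from three products, each in its own
# private schema: exactly the heterogeneity an XDR has to normalize.
RAW_ALERTS = [
    {"src": "seg", "recipient": "alice", "received": 940,
     "verdict": "macro_attachment_allowed", "level": 2},
    {"src": "edr", "host": "ws-042", "user": "alice", "ts": 1000,
     "rule": "office_spawns_powershell", "sev": 3},
    {"src": "fw", "hostname": "ws-042", "time": 1060, "dst": "203.0.113.7",
     "signature": "dns_over_https_to_rare_domain", "severity": "low"},
    {"src": "fw", "hostname": "ws-077", "time": 5000, "dst": "198.51.100.3",
     "signature": "port_scan", "severity": "low"},
]
FW_SEVERITY = {"low": 0.2, "medium": 0.5, "high": 0.8}

@dataclass
class Event:
    """Common schema every product's alert is mapped onto."""
    source: str
    ts: int
    detection: str
    weight: float  # confidence 0..1 carried by this single (often weak) signal
    host: Optional[str] = None
    user: Optional[str] = None
    remote_ip: Optional[str] = None

@dataclass
class Incident:
    events: list = field(default_factory=list)
    def entities(self):
        return {e.host for e in self.events if e.host} | {e.user for e in self.events if e.user}
    def sources(self):
        return {e.source for e in self.events}
    def score(self):
        # noisy-OR: several independent weak signals combine into strong evidence
        miss = 1.0
        for e in self.events:
            miss *= 1.0 - e.weight
        return round(1.0 - miss, 3)
    def priority(self):
        s = self.score()
        if len(self.sources()) >= 2 and s >= 0.6:
            return "high"  # confirmed by more than one product
        return "medium" if s >= 0.4 else "low"

def normalize(raw):
    """Map each product's private field names onto the common Event schema."""
    src = raw["src"]
    if src == "edr":
        return Event("edr", raw["ts"], raw["rule"], raw["sev"] / 5,
                     host=raw["host"], user=raw["user"])
    if src == "fw":
        return Event("fw", raw["time"], raw["signature"], FW_SEVERITY[raw["severity"]],
                     host=raw["hostname"], remote_ip=raw["dst"])
    if src == "seg":
        return Event("seg", raw["received"], raw["verdict"], raw["level"] / 5,
                     user=raw["recipient"])
    raise ValueError(f"unknown source {src}")

def correlate(events):
    """Chain events that share a host or user within WINDOW_SECONDS into incidents."""
    incidents = []
    for e in sorted(events, key=lambda x: x.ts):
        own = {e.host, e.user} - {None}
        for inc in incidents:
            if own & inc.entities() and e.ts - inc.events[-1].ts <= WINDOW_SECONDS:
                inc.events.append(e)
                break
        else:
            incidents.append(Incident([e]))
    return incidents

def plan_response(inc):
    """Response = changing the state of component products (EDR isolation, FW block)."""
    if inc.priority() != "high":
        return []  # unconfirmed: leave for analyst triage rather than act automatically
    hosts = sorted({e.host for e in inc.events if e.host})
    ips = sorted({e.remote_ip for e in inc.events if e.remote_ip})
    return [("edr", "isolate_host", h) for h in hosts] + [("fw", "block_ip", ip) for ip in ips]

def run_pipeline(raw_alerts):
    """Return (priority, score, sources, planned actions) for each correlated incident."""
    incidents = correlate(normalize(r) for r in raw_alerts)
    return [(i.priority(), i.score(), sorted(i.sources()), plan_response(i)) for i in incidents]
```

With the sample input, the email, EDR and firewall alerts around user alice and host ws-042 collapse into one high-priority incident with two planned state changes, while the lone port-scan alert stays a low-priority incident with no automatic action.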

Ingested service types should include

Endpoint protection platforms (EPPs) and endpoint detection and response (EDR) products

Cloud access security brokers (CASBs)

Secure web gateways (SWGs)

Secure email gateways (SEGs)

Network firewalls, network intrusion prevention systems (NIPS) and unified threat management products

Identity and access management products

Data loss prevention products

User and entity behavior analytics

Network traffic analysis

Global threat intelligence

Cloud workload protection platforms

Cloud security posture management products

Web application firewalls

SOAR, vulnerability management, ITSM and CMDB

Windows, Mac, Linux, Android, iOS (proposed by Microsoft)

Potential

More accurate detection and prevention capability

Lower total cost of ownership driven by higher security operations productivity and lower acquisition costs

Faster time to value (versus buyers integrating best-of-breed products)

Security that is adaptable to changing infrastructure and application architecture

Fewer blind spots

Faster, more accurate and informed detections — i.e., alert correlation and full incident response data correlation

Faster time to remediation — playbooks and operations integration — and automation

Better visibility and searchability

Prioritized hardening with product configuration and software vulnerability management as an integrated task across the portfolio, and not isolated siloed activities

RSA

A strong user and entity behavior analytics (UEBA) capability, one that ties user behavior monitoring into the other types of event and system analyses being performed.

UEBA should be included, tying user behavior to other events.

CISCO

XDR collects and correlates data across email, endpoints, servers, cloud workloads, and networks, enabling visibility and context into advanced threats. Threats can then be analyzed, prioritized, hunted, and remediated to prevent data loss and security breaches.

XDR collects and correlates data across email, endpoints, servers, cloud workloads and networks, providing visibility and context into advanced threats. Threats can then be analyzed, prioritized, hunted and remediated to prevent data loss and security breaches.

Fortinet

EPP + IAM + switch + AP + FW + CASB + WAF + SEG + ...: all of the products are integrated and send telemetry to a single, central analytics platform.

A pile of systems plus a central analytics platform.

McAfee

Unify visibility and control across endpoint, network and cloud to enhance detection and response, thereby improving security operations productivity. XDR ingests and refines multiple telemetry streams and provides threat-centric context for faster response.

Detect and respond to attacks
Native behavior-analysis support
Threat intelligence
Automatic correlation and confirmation of alerts (reducing false positives)
Integration of related data, accurate classification
Weighted handling priority
Comprehensive analysis

Trend

An extension of SIEM.

Fortinet: a pile of systems plus a central analytics platform.

Symantec

Collect, normalize and correlate data; if the resulting incident is known, handle it automatically; if unknown, the SOC analyst can act quickly based on the actionable report XDR provides.

4. What are the benefits of XDR?

Gartner

Core benefits:

Improve protection, detection and response capabilities (broad coverage).

Improve overall operational security staff productivity.

Lower total cost of ownership to create effective detection and response capability.

Improved protection

    Sharing local threat intelligence immediately among component security products to provide efficient blocking of threats across all components. Also, leveraging externally acquired threat intelligence in multiple different detection methods (for example, network and endpoint).

    Combining weak signals from multiple components into stronger signals of malicious intent.

    Reducing missed alerts by correlating and confirming alerts automatically.

    Integrating relevant data for faster, more accurate alert triage.

    Providing centralized configuration and hardening capability with weighted guidance to help prioritize activities. 


Components (endpoint, network, intelligence) share local threat intelligence to block threats effectively across all components.
Weak signals from multiple components are combined into strong signals of malicious intent.
Alerts are correlated and confirmed automatically to reduce missed alerts.
Data is integrated for faster, more accurate alert triage.
Centralized configuration and weighted alerting determine alert-handling priority.

Improved staff productivity

    Converting a large stream of alerts into a much smaller number of incidents that are required to be manually investigated

    Providing integrated incident response options that have necessary context from all security components to resolve alerts quickly

    Providing response options that go beyond infrastructure control points (i.e., network and endpoints)

    Providing an automation capability for repetitive tasks

    Reducing training and upleveling Tier 1 support by providing a common management and workflow experience across security component parts

    Providing usable and high-quality detection content with small to no tuning required


Convert a large stream of alerts into a small number of incidents that need manual investigation.
Provide incidents integrated from all security systems so that alerts are resolved quickly.
Provide response options beyond network and endpoints.
Automate repetitive tasks.
Provide a common management and workflow experience across security components, reducing training and onboarding cost.
Usable, effective detection with no tuning required.

Fortinet

Close security gaps; correlate security information and automate operations.

5. Market

5.1. Adoption rate

Adoption rate (8 April 2021)

Gartner: Less than 5% of organizations have an XDR product strategy. It is clear that the security market is ripe for consolidation, and XDR products will be appealing to more pragmatic organizations. [1]

Less than 5% of organizations have an XDR product strategy. The security market is ripe for consolidation, and XDR products will appeal to more pragmatic organizations.

51% of security professionals are not satisfied with their ability to detect attacks. 45 cybersecurity tools on average per organization. 78% of security analysts say each security alert takes 10+ minutes to investigate. The number of daily security alerts received by the average security operations team is 11,000. [9]

ESG research indicates that 84% of organizations are actively integrating security technologies so XDR can act as a turnkey security technology integration solution. Furthermore, 80% of organizations would be willing to spend the majority of their security technology budget with a single enterprise-class security vendor.

ESG research shows that 84% of organizations are actively integrating security technologies, so XDR can act as a turnkey security technology integration solution. In addition, 80% of organizations would be willing to spend most of their security technology budget with a single enterprise-class security vendor.

51% of security professionals are not satisfied with their ability to detect attacks. Organizations have 45 cybersecurity tools on average. 78% of security analysts say each alert takes more than 10 minutes to investigate. The average security operations team receives 11,000 alerts per day. 84% of organizations are actively integrating security technologies. 80% would spend most of their budget with a single vendor.

Gartner, 80% of organizations are either currently or planning in the next two to three years to consolidate security vendors

80% of enterprises plan to consolidate security vendors within the next three years.

5.2. Purchasing advice

Gartner

Security and risk management leaders are struggling with too many security tools from different vendors with little integration of data or incident response.

Extended detection and response (XDR) products are beginning to have real value in improving security operations productivity with alert and incident correlation, as well as built-in automation.

XDR products may be able to reduce the complexity of security configuration and incident response to provide a better security outcome than isolated best-of-breed components.

XDR products have significant promise, but also carry risks such as vendor lock-in. The XDR market is immature and capabilities vary widely across products from different vendors.

Market pain point: too many security tools, with little integration of data or incident response.
Value: XDR risk identification and automated response are beginning to have real value.
XDR can reduce the complexity of incident response.
XDR products have significant promise but also carry risks such as vendor lock-in. The XDR market is immature and capabilities vary widely across vendors.

Advice for buyers:

Work with stakeholders to determine if an XDR strategy is right for your organization based on staffing and productivity levels, level of federation of IT, risk tolerance, and security budget. Develop a gap analysis between your existing capabilities and those you’d want to have from an XDR solution.

Conduct thorough product evaluation and testing to ensure outcomes meet the promises of this fledgling capability.

Develop an internal architecture and purchasing policy that is in line with your XDR strategy, including when and why exceptions might be permissible. Ensure that future security purchases and planned technology retirements are aligned with a long-term XDR architecture strategy.

Outsource to a managed security service provider (MSSP) that can build an XDR substitute if it is likely to be beyond the skill sets of existing staff.

Choose a suitable product, matched to staffing, productivity levels, IT maturity, risk tolerance and security budget.
Evaluate products thoroughly.
Set a security policy that matches the XDR strategy, and ensure future security purchases align with the long-term XDR architecture strategy.
If internal capability is insufficient, use a managed security service provider (MSSP) in place of XDR.

Some XDRs are focused on integrating infrastructure security tools, such as combining network and endpoint security together. However, more advanced XDRs are focusing up the stack by integrating with identity, data protection and application access. These security services are closer to the business value of the incident.

Some vendors focus on converging endpoint and network; more advanced XDRs integrate with identity, data protection and application access, security services that are closer to the business value of the incident.

Since the goal of XDR is improved detection accuracy and security operations center (SOC) productivity, integrating products that can contextualize and inform the incident response activity across common kill chains will be the initial goal. Combining security products that are not commonly involved in the same attack kill chain will have less value.

The goal of XDR is to improve detection accuracy and SOC productivity: aggregate alerts along the kill chain and respond. Correlating unrelated attacks together has no value.

Fortinet

Breadth, efficacy, integration and automation of the solution set.

5.3. Evaluation criteria

Quality of the component — security efficacy still matters

Quantity of products that integrate into the XDR system, as more visibility is beneficial

Depth of integration across component parts (for example, whether it is data-level integration only or deep configuration integration that allows the XDR system to change the state of component parts manually or automatically)

Accuracy of correlation of alerts into incidents

Use of advanced analytics such as UEBA to detect more sophisticated threats

User interface and contextualization that enables faster remediation

Quality of detection capability to detect more subtle attacks

The range and depth of automation capability, including predefined playbooks and ability to customize automation

The range of partners that can integrate into the XDR system out of the box

Vendor execution on completing its roadmap and integrating new products and acquisitions into the XDR system

The ability of the provider to offer advanced support, including a managed service offering, training and health checks

Cloud-native service architecture

Common data schema

Common programming standard/framework, for both internally developed apps on the platforms and third parties to follow

Rich set of APIs

Enriched/correlated data from multiple sources supporting use cases such as threat hunting and advanced AI/analytics

Detections that do not use endpoint agents/telemetry only

Response actions that go beyond manipulation of the endpoint only

Actions initiated in one tool and carried out in another (detect in one tool, block in another)

Pivot between integrated tools within the same portal/UI

Automation to initiate common tasks

5.4. Risks of using XDR

The emergence of XDR products is still in the development phase and there are numerous risks that can derail this new approach.

The product category is not yet settled and its direction may drift.

There's a basic problem with event management — new event sources and event volume are increasing faster than the technology to deal with them. Every increase in the sophistication of integration, detection, response and automation, can only partially compensate for the scale and complexity of the problem. While XDR may improve this situation, it is unlikely to solve it.

New event sources and event volumes are growing faster than the technology to handle them, and XDR is unlikely to solve that.

XDRs could lead to overreliance on a single vendor. XDRs may help improve security efficiency but may also lead to vendor lock-in, and potentially sacrifice functionality in component parts versus best-of-breed components.

It easily leads to dependence on a single vendor (single point of failure, dependence on the vendor for rule updates, lack of intelligence diversity, the vendor falling behind, the product not fitting).

XDR could improve efficiency, but in doing so, could sacrifice security efficacy as well. Just because a vendor is doing multiple things that are integrated doesn't mean it is necessarily doing it well. Efficacy will be a key metric for IT security leaders to pay attention to. You will not only have to answer the question of does it find things, but also is it actually finding things that your existing tooling is not.

Relying on one vendor may reduce security efficacy.

Vendors are initially integrating mostly their own products, so may be missing critical integrations or component parts to make them effective. XDR may simply become a mechanism to try and lock in to a particular vendor without delivering the real benefits, and be a suite of point solutions versus a truly orchestrated whole. As a result, buyers need to be strategic in selecting an XDR provider.

Vendors mainly integrate their own products, so critical components that would make XDR effective may be missing.

There is only a small list of vendors that can truly offer an XDR approach. Many of the XDR products are immature and do not have full integration across all components. Most organizations do not have a complete portfolio of products from a single XDR vendor, or the budget to acquire them. Therefore, it will take three to five years for most organizations to realize the full value of an XDR product.

Most XDR products are immature and cannot integrate across all components. Most organizations do not have a complete product portfolio from a single XDR vendor, nor the budget to buy one. Therefore it will take most organizations three to five years to realize the full value of an XDR product.

It is clear that XDR buying cycles will be longer and more complicated than buying individual component parts. The average tenure of a CISO may be shorter than the time to implement a more strategic XDR component parts buying program.

XDR buying cycles will be longer and more complex than buying individual components. The average CISO tenure may be shorter than the time needed to implement a more strategic XDR component buying program.

XDRs will not likely eliminate the need for log storage mechanisms to meet compliance or other needs.

XDRs are unlikely to replace log storage mechanisms.


5.5. Representative vendors

List of potential future XDR vendors: Cisco, Fortinet, Fidelis Cybersecurity, McAfee, Microsoft, Palo Alto Networks, Symantec, Trend Micro, FireEye, Rapid7, and Sophos.

5.5.1. Cisco SecureX case

Cisco SecureX mainly integrates Cisco's full range of security products; through SecureX, alerts from all the security products can be collected, displayed in one place, analyzed together, and rules pushed with one click.

Overall structure

Platform

Main functions: dashboard, integration, orchestration.

Dashboard: built-in dashboards are added in plugin form.

Integration:

X

Imagine network to endpoint security, email to cloud security

Network, endpoint, email, cloud. Extensible, mainly the Cisco ecosystem, Radware cloud products and free tools (Shodan, Google tools, VirusTotal).

https://www.cisco.com/c/en/us/products/security/securex/securex-integrations.html

Cisco EPP: detects host files and network connections; endpoint-related response actions; also used for SOAR operations. One-click alert retrieval, coordinated blocking.
Cisco Orbital: osquery query integration.
Cisco malware analysis: obtains the traffic and system changes caused by malware; global malware information.
Cisco traffic analysis: network traffic detection; traffic management, coordinated blocking.
Cisco Secure Cloud Analytics: links with the cloud and shares XDR capability to it; the cloud gets the full XDR capability.
Cisco email gateway: visualizes email threats in threat context; understand threat propagation; correlate email attacks.
Cisco cloud protection: links threat intelligence and cloud-protection logins for one-click blocking.
Cisco firewall: threat linkage and blocking for IPs, domains and URLs; manage firewall alerts, coordinated blocking.
Cisco device management: linkage.
Cisco WAF: linkage with the WAF.
Cisco Zero Trust: linkage with zero trust.
Cisco remote access.

Investigation

Machine learning + malicious-activity graph

Clicking drills further into the investigation.

One-click response triggers a series of actions.

All response actions

SOAR https://ciscosecurity.github.io/sxo-05-security-workflows/tasks/

20+ prebuilt dashboards

https://ebooks.cisco.com/story/xdr-ebook-copy/page/1/2

5.5.2. McAfee MVISION XDR

Dashboard

Incident-centric: the home page mainly shows incidents and blocks.

Large numbers of alerts are merged into a few incidents.

Investigation

Alerts from multiple devices are abstracted into one incident, which is described clearly by a graph.

Key operational data for the key nodes in the graph is stored so that the administrator can investigate.

Various graphs present it in a form that is easier for people to understand.

R

For each risk point in the incident, built-in remediation measures are offered; each risk point can be handled with one click.

6. Contrast

6.1. SIEM and SOAR

Netwitness: SIEM focuses on log management; XDR focuses on advanced threat detection and response.

Traditional SIEM focuses on log management; XDR focuses on advanced threat detection and response.

Gartner:The alternative to XDR is to use modern SaaS-based SIEM and SOAR that are optimized for the detect and respond use case. Another alternative is to use managed security services to provide an XDR-like experience. MSSPs do not offer services labeled specifically as XDR, but the primary value proposition of an MSSP is to assume the role that XDRs provide by doing the hard work of integration and alert correlation.

The alternative to XDR is modern SaaS-based SIEM and SOAR optimized for the detect-and-respond use case.

XDR collects activity data from multiple vectors including endpoints, servers, and networks, providing a level of detection that is difficult or impossible to achieve with SIEM or isolated security solutions.

XDR collects activity data from multiple vectors (including endpoints, servers and networks), providing a level of detection that is difficult or impossible to achieve with SIEM or isolated security solutions.

What is the difference between SIEM vs SOC? SIEM stands for Security Incident Event Management and is different from SOC, as it is a system that collects and analyzes aggregated log data. SOC stands for Security Operations Center and consists of people, processes and technology designed to deal with security events picked up from the SIEM log analysis. [6]

SIEM stands for security incident event management: a system that collects and analyzes aggregated log data. SOC stands for security operations center: people, processes and technology that handle security events picked up from SIEM log analysis.

Trend: an extended SIEM.
