XDR technology is the natural evolution of antivirus solutions, built to detect and respond to threats where an antivirus is not sufficient. Today's antivirus products depend on their knowledge bases (signatures) to detect malware, so they cannot detect a sample that has not yet been catalogued, nor threats that go beyond malware (e.g. insiders, cybercriminals or other malicious actors), where what has to be analysed is not a binary but a complete pattern of behaviour.
XDR technology is installed on endpoints (and on other sources of network activity, such as firewalls) to collect their logs and send them to a centralised platform. There the logs are normalised into telemetry, which the XDR analyses to decide whether it corresponds to a threat or not.
It should be noted that XDR is the direct extension of EDR technology. The difference between the two is that the capabilities of an XDR extend beyond endpoints to further enrich both the telemetry it collects and the threat response capabilities.
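To make the collect, centralise, normalise and analyse pipeline described above concrete, here is an added example (it is not part of the original page and not any vendor's XDR code). It takes constructed endpoint-agent records (a hypothetical JSON-lines format) and constructed firewall lines (a hypothetical key=value syslog format), normalises both into one telemetry schema, enriches the firewall flows with an assumed asset inventory so they carry a hostname like the endpoint events, and then runs one cross-source correlation rule: a scripting interpreter starting on a host that, within 60 seconds, opens an outbound connection to a destination on a watchlist. The hostnames, IP addresses (from the reserved TEST-NET ranges) and the watchlist are all constructed, and the ATT&CK technique IDs attached to the alert are this example's own tagging choice.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# --- Constructed sample inputs (not real logs) ---------------------------------

# Endpoint agent records, one JSON object per line (hypothetical agent format).
ENDPOINT_LOGS = """
{"time": "2024-05-01T10:00:05Z", "hostname": "WS-017", "event": "process_start", "image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "user": "alice"}
{"time": "2024-05-01T10:00:09Z", "hostname": "WS-023", "event": "process_start", "image": "C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe", "user": "bob"}
{"time": "2024-05-01T10:03:00Z", "hostname": "WS-023", "event": "process_start", "image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "user": "bob"}
""".strip().splitlines()

# Firewall connection records (hypothetical key=value syslog format).
FIREWALL_LOGS = """
2024-05-01T10:00:12Z fw01 action=allow src=10.0.5.17 dst=203.0.113.45 dport=443 proto=tcp
2024-05-01T10:00:40Z fw01 action=allow src=10.0.5.23 dst=198.51.100.7 dport=443 proto=tcp
2024-05-01T10:05:00Z fw01 action=allow src=10.0.5.23 dst=203.0.113.45 dport=443 proto=tcp
""".strip().splitlines()

# Enrichment data the central platform is assumed to hold (constructed).
ASSET_INVENTORY = {"10.0.5.17": "ws-017", "10.0.5.23": "ws-023"}  # IP -> hostname
DESTINATION_WATCHLIST = {"203.0.113.45"}                          # flagged destinations
SCRIPT_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass
class Telemetry:
    """One normalised event, whatever source it came from."""
    ts: datetime
    source: str   # "endpoint" or "firewall"
    host: str     # lower-case hostname, so both sources can be joined on it
    kind: str     # "process_start" or "netflow"
    detail: dict


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalise_endpoint(line: str) -> Telemetry:
    rec = json.loads(line)
    image_name = rec["image"].rsplit("\\", 1)[-1].lower()  # keep only the file name
    return Telemetry(parse_ts(rec["time"]), "endpoint", rec["hostname"].lower(),
                     rec["event"], {"image": image_name, "user": rec["user"]})


FW_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<kv>.*)$")


def normalise_firewall(line: str) -> Telemetry:
    m = FW_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable firewall line: {line!r}")
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split())
    # Enrichment: the firewall only knows the source IP; map it to a hostname
    # so the flow can be correlated with endpoint events. Unknown IPs stay as IPs.
    host = ASSET_INVENTORY.get(kv["src"], kv["src"])
    return Telemetry(parse_ts(m.group("ts")), "firewall", host, "netflow",
                     {"dst": kv["dst"], "dport": int(kv["dport"]), "action": kv["action"]})


def correlate(events: list[Telemetry], window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Cross-source rule: script interpreter start followed (within `window`)
    by an outbound flow from the same host to a watchlisted destination."""
    procs = [e for e in events if e.kind == "process_start"
             and e.detail["image"] in SCRIPT_INTERPRETERS]
    flows = [e for e in events if e.kind == "netflow"
             and e.detail["dst"] in DESTINATION_WATCHLIST]
    alerts = []
    for p in procs:
        for f in flows:
            if f.host == p.host and p.ts <= f.ts <= p.ts + window:
                alerts.append({
                    "host": p.host, "user": p.detail["user"], "image": p.detail["image"],
                    "dst": f.detail["dst"], "dport": f.detail["dport"],
                    "delay_s": int((f.ts - p.ts).total_seconds()),
                    # ATT&CK tags chosen for this example: Command and Scripting
                    # Interpreter (T1059) and Application Layer Protocol (T1071).
                    "techniques": ["T1059", "T1071"],
                })
    return alerts


def run_pipeline() -> list[dict]:
    """Collect from both sources, normalise into one timeline, analyse."""
    events = [normalise_endpoint(l) for l in ENDPOINT_LOGS]
    events += [normalise_firewall(l) for l in FIREWALL_LOGS]
    events.sort(key=lambda e: e.ts)
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(json.dumps(alert))
```

Only ws-017 produces an alert: its PowerShell start is followed 7 seconds later by a flow to the watchlisted address. ws-023 starts cmd.exe too, but its flow to the same address comes two minutes later, outside the window, and its earlier flow goes to a destination that is not on the watchlist. Neither source alone could have raised the alert: the firewall sees only an allowed HTTPS connection, and the endpoint agent sees only an interpreter starting, which is exactly the cross-source enrichment that separates XDR from EDR.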
In the context of managed security services, third-party management of XDR solutions is referred to as MDR (Managed Detection and Response). An MDR service may include proactive searching for security incidents, a process known as Threat Hunting.
Cybersecurity services related to XDR
Threat Hunting: A managed service focused on detecting suspicious activity on the network and containing threats before they can cause damage. It works on the telemetry produced by EDR and XDR technologies and follows the methodology described in the MITRE ATT&CK framework.
- More information: Threat Hunting
Incident response: A reactive managed incident response service. It is activated when a security incident occurs and aims to identify and contain the malicious actor and restore normal activity.
- More information: Incident response