Today we released the first Forrester New Tech: Extended Detection And Response (XDR) Providers, Q3 2021. This research gives a market overview of XDR and highlights the value proposition for this emerging technology, the major players in the marketplace, and the primary vendor segments for all 29 vendors that participated.

The emergence of XDR has plunged security pros into yet another confusing and dissatisfying debate over whether a technology will be a genuine alternative to security information and event management (SIEM) or just another copycat. Forrester believes differentiated XDR technology will supersede endpoint detection and response (EDR) in the short term and usurp SIEM in the long run. XDR provides a novel approach to a decades-old problem, as EDR providers expand their capabilities and target market.

Two Different Paths For One Complex Problem

There are two very different approaches to the challenge of detection and response in the security operations center (SOC) today.

The first and most well-known approach is a security analytics platform. Forrester defines it as:

A security analytics (SA) platform is built on big data infrastructure, converging logs from network, identity, endpoint, application, and other security-relevant sources to generate high-fidelity behavioral alerts and facilitate rapid incident analysis, investigation, and response. 

Security analytics platforms combine SIEM; security user behavior analytics (SUBA); security orchestration, automation, and response (SOAR); and often network analysis and visibility (NAV). They follow the philosophy of maximizing visibility across the environment to identify each aspect of an attack. Undoubtedly, security analytics platforms are the backbone of the SOC — it is rare to run into a SOC that does not have one implemented for detection, response, and compliance.

XDR, in contrast, evolves endpoint detection and response capabilities. EDR vendors built their products on one philosophy: endpoint telemetry is the most effective source for high-efficacy detection, investigation, and response. The market has validated this idea, and EDR is a well-known and valuable tool for incident responders. However, EDR still lacks the complete picture of the attack. Incident responders are left to pick up the slack by funneling EDR alerts into the SIEM or security analytics platform and manually enriching them with data from other sources. EDR vendors are extending their capabilities (XDR) to serve incident responders' need to integrate additional telemetry sources and to deliver richer alerts and more comprehensive response capabilities.

Forrester defines XDR as: 

The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools, such as NAV, email security, identity and access management (IAM), cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation. 

XDR looks to address three fundamental problems in security operations today:

  1. Efficacy of detections, by basing detections around the endpoint and other places business data is stored and accessed.
  2. Speed of investigation, by extending emerging investigation capabilities in EDR to automate root cause analysis across integrated telemetry sources. 
  3. Speed and completeness of response, by extending emerging response capabilities in EDR to automate the generation of response recommendations and allow for the orchestration of all response actions.
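To make concrete what "unifying endpoint detections with telemetry from other sources" and the three problems above look like in practice, here is an added Python example that is not from the report or from any XDR vendor. It joins one constructed EDR detection with constructed IAM sign-in and email security events from the preceding hour, reconstructs a root-cause chain across the three sources, and derives response recommendations from what the joined telemetry shows. All field names, hosts, users, addresses and timestamps are assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Each list stands for one source an
# XDR platform would ingest: an EDR detection, IAM sign-in events, and email
# security events. The field names are assumptions for this example.
EDR_ALERTS = [
    {"ts": "2021-07-12T09:14:05", "host": "WS-0173", "user": "jdoe",
     "process": "winword.exe -> powershell.exe", "file": "invoice_q3.docm",
     "detection": "Office application spawning PowerShell"},
]
IAM_EVENTS = [
    {"ts": "2021-07-12T08:58:40", "user": "jdoe", "src_ip": "203.0.113.7",
     "result": "success", "mfa": False},
    {"ts": "2021-07-12T09:01:12", "user": "asmith", "src_ip": "198.51.100.4",
     "result": "success", "mfa": True},
]
EMAIL_EVENTS = [
    {"ts": "2021-07-12T08:51:30", "recipient": "jdoe", "sender": "billing@example.net",
     "attachment": "invoice_q3.docm", "verdict": "delivered"},
    {"ts": "2021-07-12T08:52:10", "recipient": "asmith", "sender": "hr@example.com",
     "attachment": "handbook.pdf", "verdict": "delivered"},
]


def _t(s):
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(s)


def enrich_alert(alert, iam_events, email_events, window=timedelta(hours=1)):
    """Join one EDR detection with identity and email telemetry from the preceding window.

    This is the enrichment an analyst would otherwise do by hand in a SIEM: find the
    sign-ins for the same user and the email that delivered the file that the
    detected process came from, then order them into a root-cause chain.
    """
    t = _t(alert["ts"])
    lo = t - window
    logins = [e for e in iam_events
              if e["user"] == alert["user"] and lo <= _t(e["ts"]) <= t]
    mails = [e for e in email_events
             if e["recipient"] == alert["user"] and e["attachment"] == alert["file"]
             and lo <= _t(e["ts"]) <= t]

    # Root-cause chain: delivery -> sign-in -> endpoint behaviour, in time order.
    chain = [f"email from {m['sender']} delivered {m['attachment']}"
             for m in sorted(mails, key=lambda e: e["ts"])]
    chain += [f"sign-in from {l['src_ip']} (mfa={'yes' if l['mfa'] else 'no'})"
              for l in sorted(logins, key=lambda e: e["ts"])]
    chain.append(f"{alert['process']} on {alert['host']}")

    # Response recommendations derived from what the joined telemetry shows.
    actions = [f"isolate host {alert['host']}"]
    if mails:
        actions.append(f"quarantine message from {mails[0]['sender']} for all recipients")
    if any(not l["mfa"] for l in logins):
        actions.append(f"revoke sessions and require MFA re-enrollment for {alert['user']}")

    return {"detection": alert["detection"], "user": alert["user"], "host": alert["host"],
            "root_cause_chain": chain, "recommended_actions": actions,
            "sources": {"edr": 1, "iam": len(logins), "email": len(mails)}}


def enrich_all(alerts=EDR_ALERTS, iam_events=IAM_EVENTS, email_events=EMAIL_EVENTS):
    """Enrich every EDR alert in the batch."""
    return [enrich_alert(a, iam_events, email_events) for a in alerts]


if __name__ == "__main__":
    for enriched in enrich_all():
        print(enriched["detection"], "on", enriched["host"])
        for step in enriched["root_cause_chain"]:
            print("  ->", step)
        for action in enriched["recommended_actions"]:
            print("  action:", action)
```

The join is deliberately keyed on the user and the file name rather than on the host alone: that is what lets the email and identity sources contribute steps the endpoint never saw, and it is the same reason the unrelated `asmith` events are left out of the chain. In a real platform the window and join keys would be tuned per source, but the shape of the problem is the one the three points above describe.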

XDR products are limited today on the capabilities they can deliver; most of the solutions can extend their endpoint capabilities to varying degrees, but in most cases they cannot outright replace security analytics platforms. That said, XDR is on a journey, and Forrester expects that over the next five years, security analytics platforms and XDR will collide.

Why XDR Market Segmentation Matters For Security Pros 

Segmenting the XDR market may seem pedantic. However, it is critical to convey what outcomes security pros will consistently achieve with solutions in a category and how they must deploy, manage, budget, and staff the offering. Based on these factors, and as outlined in this report, there is a clear distinction in the outcomes, deployment, management, budget, and staffing required for XDR versus security analytics platforms. This report also separates XDR into two segments based on approach: native XDR and hybrid XDR.

Forrester defines hybrid XDR as: 

An XDR platform that relies on integrations with third parties for the collection of other forms of telemetry and execution of response actions related to that telemetry. 

Forrester defines native XDR as: 

An XDR suite that integrates with other security tools from the same vendor's portfolio for the collection of other forms of telemetry and execution of response actions related to that telemetry.

This segmentation can help security pros differentiate the most effective approach for them based on ease of deployment, bundled pricing, integrations with third parties, and other factors.

Next Steps For Security Pros Interested In XDR 

We continue to recommend security pros experimentally use XDR as part of their security strategy while the technology is still relatively nascent and has not reached maturity for mainstream adoption. This New Tech report serves as a market overview for this critical emerging technology and precedes the Forrester XDR New Wave™, expected to publish in Q4 2021.

Read the full Forrester New Tech: Extended Detection And Response (XDR) Providers, Q3 2021, and schedule an inquiry with me to learn more.
