8 XDR Questions From the Show Floor
And how XDR keeps getting better every day
- XDR isn’t the new kid on the block, but its continued evolution merits attention.
- The best XDR is ready for enterprises of all sizes and able to deliver value at every budget.
- Getting a handle on today’s XDR will equip you to choose wisely and detect smarter, not harder.
Whether I’m working the booth at Black Hat or speaking at BSides, the same questions seem to come up.
Everyone wants to know about Extended Detection and Response (XDR). So let me take this chance to answer some of the most commonly asked questions here. That way, next time we meet, maybe you’ll ask “How are you, Paul?” and say it like you really care.
What is XDR? And what makes it so special?
You see, when an EDR and a SIEM love each other very much…just kidding. But given that I do actually get asked this question often enough, let’s start with a clear definition: XDR is a platform that correlates security signals from multiple parts of the environment (endpoints, networks, applications, email, and so on) so SOC teams have the context they need to detect, investigate, and respond to threats with speed and accuracy.
Why are teams moving from EDR to XDR?
XDR equips teams defending on the modern threat battlefield, where attackers don’t stay in one lane. No longer homing in on a single domain like endpoints, modern attackers wage complex campaigns across networks, email, the cloud, and anything else they can reach. Defense focused on endpoints alone no longer holds up to layered attacks whose evidence is spread across multiple signals. As threat actors diversify, defense has to adapt.
XDR is a natural evolution of EDR. It understands the interconnected nature of attack vectors and meets attackers wherever they are with unified prevention, detection, and response.
Can XDR reduce alert fatigue?
Yes. Comprehensive XDR with native telemetry does reduce alert fatigue by correlating signals to deliver incident predictions, prioritized alerts, and context-backed insight, rather than a stream of isolated alerts. The key is choosing an XDR that does the legwork for you and automates responses, calling out an analyst only when it has a clear, context-backed indication that a potential threat requires SOC attention.
This also means reduced context switching for analysts. When working out of a single interface, you get all the telemetry and intel you need in one place, which greatly relieves cognitive load, reduces response times, and gets you back in the fight faster after dealing with an incident.

What is native telemetry correlation and why does it matter in XDR?
I like to think of native telemetry correlation as a narrator: it takes disparate threads and ties them together into a coherent (that is, correlated) attack story. With telemetry native to the platform, you no longer have to stitch together API integrations between products just to get a clear picture of an attack, and you aren’t stuck with “lots of alerts” trying to work out how they connect. Instead, the attack narrative is delivered to you: seamless, no loose threads, ready for immediate use.
An XDR platform with native telemetry correlation saves precious time and money and makes better use of the data you already collect. It simplifies the stack, because one solution does the correlation work that previously took several. And to your SOC’s delight, it cuts down on correlation time, easing the burden on your team when remediating threats that span domains.
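To make cross-domain correlation and the alert-fatigue point above concrete, here is an added example in Python. It is not Symantec CBX code and is not from the original post; the event schema, severity scale, two-hour chaining window, scoring weights, and surfacing threshold are all assumptions made for illustration. It chains constructed email, endpoint, and network events that share a user or host into incidents, scores each incident higher when it spans more than one domain, and shows that three individually unremarkable alerts become one pageable incident while isolated events stay in the queue.

```python
"""Cross-domain telemetry correlation, the idea behind an XDR "attack narrative".

Added illustration; not Symantec CBX code. The event schema, severity scale,
time window, scoring weights and threshold below are assumptions for this example.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Each event already carries the
# entity fields a native platform would normalise: user, host, timestamp.
EVENTS = [
    {"ts": "2024-05-01T09:02:00", "source": "email", "user": "j.doe", "host": None,
     "detail": "phishing link clicked", "severity": 2},
    {"ts": "2024-05-01T09:04:30", "source": "endpoint", "user": "j.doe", "host": "WS-114",
     "detail": "office app spawned powershell.exe", "severity": 3},
    {"ts": "2024-05-01T09:05:10", "source": "network", "user": None, "host": "WS-114",
     "detail": "outbound connection to newly registered domain", "severity": 2},
    {"ts": "2024-05-01T11:40:00", "source": "endpoint", "user": "a.smith", "host": "WS-207",
     "detail": "unsigned binary executed", "severity": 2},
    {"ts": "2024-05-01T14:00:00", "source": "network", "user": None, "host": "WS-114",
     "detail": "port scan of internal subnet", "severity": 3},
]

WINDOW = timedelta(hours=2)   # assumed: events further apart than this are not chained
SURFACE_THRESHOLD = 6         # assumed: incidents scoring below this stay queued, not paged


def parse(events):
    """Convert ISO timestamps to datetimes and order events chronologically."""
    return sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )


def entities(event):
    """Join keys that let events from different sensors be tied together."""
    keys = set()
    if event["user"]:
        keys.add(("user", event["user"]))
    if event["host"]:
        keys.add(("host", event["host"]))
    return keys


def correlate(events, window=WINDOW):
    """Greedy chaining: an event joins an open incident if it shares a user or
    host with it and arrives within `window` of that incident's latest event.
    If it bridges several open incidents they are merged."""
    incidents = []  # each: {"events": [...], "entities": set(), "last": datetime}
    for ev in parse(events):
        keys = entities(ev)
        hits = [inc for inc in incidents
                if inc["entities"] & keys and ev["ts"] - inc["last"] <= window]
        if not hits:
            incidents.append({"events": [ev], "entities": set(keys), "last": ev["ts"]})
            continue
        target = hits[0]
        for other in hits[1:]:          # a shared host can bridge two users' chains
            target["events"].extend(other["events"])
            target["entities"] |= other["entities"]
            incidents.remove(other)
        target["events"].append(ev)
        target["entities"] |= keys
        target["last"] = ev["ts"]       # events are sorted, so this is the max
    return incidents


def score(incident):
    """Priority = summed severity, multiplied by the number of distinct domains.
    The multiplier is an assumption: cross-domain chains are what single-domain
    tools miss, so they are weighted up here."""
    domains = {e["source"] for e in incident["events"]}
    return sum(e["severity"] for e in incident["events"]) * len(domains)


def narrative(incident):
    """Render the chained events as one attack story."""
    evs = sorted(incident["events"], key=lambda e: e["ts"])
    return " -> ".join(f"{e['ts']:%H:%M} [{e['source']}] {e['detail']}" for e in evs)


def triage(events):
    """Return incidents ordered by priority, flagging which ones warrant a callout."""
    out = []
    for inc in correlate(events):
        s = score(inc)
        out.append({
            "score": s,
            "domains": sorted({e["source"] for e in inc["events"]}),
            "entities": sorted(inc["entities"]),
            "surface": s >= SURFACE_THRESHOLD,
            "narrative": narrative(inc),
        })
    return sorted(out, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in triage(EVENTS):
        flag = "PAGE" if inc["surface"] else "queue"
        print(f"[{flag}] score={inc['score']} domains={inc['domains']}\n   {inc['narrative']}")
```

Running it yields one paged incident (phish click, then Office spawning PowerShell on WS-114, then the beacon to a new domain) and two queued singletons. Note the caveat the last event demonstrates: the afternoon port scan from WS-114 is on the same host but falls outside the two-hour window, so it starts a separate incident. Window size and join keys are tuning decisions; a platform that correlates natively makes them once, whereas stitching products together by API makes every team re-make them.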
Does XDR replace SIEM?
XDR does not replace SIEM outright. SIEM still makes sense for specific use cases. But XDR does reduce reliance (and spend) on complex SIEM workflows in many detection, investigation, and response situations. In most use cases, XDR is appealing for its all-in-one streamlined correlation and ability to do more with less. By contrast, SIEM can be cumbersome, asking a lot of SOC teams tasked with working through correlations and driving up operational costs.
What role does AI play in XDR?
AI is an exceptionally useful tool for pulling together signals across a range of attack surfaces and correlating them at machine speed. In Symantec CBX, AI helps summarize incidents, identify patterns, prioritize alerts, and predict an attacker’s next move. Fast correlation delivers insight so that human SOC teams, with experience and judgment of their own, can act quickly.
So, while AI doesn’t magically replace skilled defenders, it does equip them to do more with less, and to do it in record time. It shortens the time to respond and, by producing highly accurate incident summaries, shortens the post-incident timeline as well. Those savings reach both ends of the analyst’s workflow.

How can XDR help small or resource-constrained SOC teams?
Symantec® CBX stands out here, as an XDR built specifically to answer the needs of smaller or under-resourced teams. Symantec CBX is a simplified solution that natively correlates signals across disparate detection surfaces, cutting down on noise and delivering actionable insights.
Because it removes the need for extra headcount just to digest data from a variety of point solutions, CBX is ideal for strapped SOC teams. Those teams are now on the front lines, facing enterprise-scale threats without enterprise-level staff, budget, or tolerance for complexity.
It’s ironic. The industry talks about the leaner SOC as if it were an outlier. But the truth is that most teams don’t have the budget or talent pool they deserve, in a threat landscape flooded with equal-opportunity attackers willing to hit even the smallest enterprises, especially those that play a valuable role in a supply chain. I think of these teams as the forgotten majority, and they’ve been waiting too long for XDR that meets them where they are and arms them against the Goliaths they’re facing.
Still curious? Check out CBX Fest
Symantec CBX is a game-changer in the ongoing XDR evolution. If you want a deeper dive, check out the CBX Fest series for even more details on exactly how CBX delivers endpoint, data, and web protections fueled by comprehensive native correlation.
And when you see me August 4-6 at Black Hat USA, ask me about my favorite movie, or my last vacation—something to show you’re not just using me for fantastic security advice. (I’m joking. I love it. Ask away.)
See you kids at Black Hat!