Extended detection and response (XDR): Metrics to consider

Organizations continue to grapple with the pace at which threats expand, especially threats that evade existing cybersecurity solutions or go undetected for longer than they should. Even under the best of circumstances, security operations can be stretched thin by today’s demands and by the siloed nature of security solutions that scatter data and slow productivity.

To turn the tide, security decision-makers are pinning their hopes on extended detection and response (XDR), according to a recent study on XDR usage conducted by CyberRisk Alliance.

Among the key findings:

  • The lack of visibility or context from existing security solutions caused 47% of respondents to miss threats at least once in the past 12 months.  
  • Only 17% are very satisfied with their ability to correlate security data across all products and services. Without the ability to see anomalies and/or malicious activities as they occur and across the spectrum of products and services, it’s impossible to catch everything.  
  • Poor visibility into network threats was a significant problem for monitoring employee-owned endpoints, software vendors and third-party partners, with mean visibility scores of 4.6, 4.6, and 4.5 (out of 7), respectively.  
  • While familiarity with XDR is high (70%), current adoption of an XDR platform is relatively low — only 12% of respondents reported using this technology.  
  • However, 77% of respondents said they will likely invest in XDR in the next two years. 

XDR capabilities essential for security companies

With that in mind, security companies are putting a lot of time and money into enhancing their XDR capabilities. Sophos, for example, acquired SOC.OS earlier this year, in part to enhance its XDR solution.

As Sophos CTO Joe Levy put it at the time, “SOC.OS will also provide our Adaptive Cybersecurity Ecosystem with a broader set of third-party telemetry, so security analysts have better visibility into important events and alerts. SOC.OS has an impressive list of integrations that will benefit Sophos customers as we continue to expand and develop industry-leading XDR and MDR capabilities.”

Metrics for effective XDR

For organizations looking to adopt XDR technology, it’s important to use strong metrics to ensure deployments work as intended. Security teams need to measure how well their XDR:

  • Analyzes both internal and external traffic,
  • Correlates various alerts and data,
  • Incorporates machine learning, and
  • Quickly detects threats.

To that end, Sophos recently held a webinar with Forrester Research Analyst Allie Mellen called “Crafting XDR Metrics that Matter”, which focused specifically on measuring the effectiveness of XDR platforms, processes, and procedures to drive improvements and achieve operational objectives.

In addition to the metrics above, Mellen cited the importance of:

  • How much support an XDR vendor provides,
  • The volume of telemetry data the tool collects, and
  • How much of that data is truly useful. Too much data can overwhelm security teams, so it's crucial to confirm that the platform collects useful telemetry that will help strengthen cyber defenses without burdening analysts.
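The two lists above name the dimensions to measure (detection speed, alert correlation, internal versus external traffic coverage, telemetry volume and how much of it is useful) but not how to compute them. The script below is an added example, not code from the article, Sophos, Forrester or CyberRisk Alliance: it defines one simple, auditable formula for each metric and runs it over a small constructed set of telemetry events and alerts. The record types (`Telemetry`, `Alert`), the field names and the metric definitions are all assumptions made for illustration; a real deployment would populate them from the XDR platform's export or API.

```python
"""Scorecard for the XDR metrics named in the article, computed over constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Telemetry:
    """One raw event the XDR platform ingested (constructed record type)."""
    source: str      # telemetry source, e.g. "endpoint", "firewall", "cloud"
    direction: str   # "internal" (east-west) or "external" (north-south)
    ts: datetime


@dataclass(frozen=True)
class Alert:
    """One alert the platform raised, with the evidence it rests on (constructed type)."""
    alert_id: str
    source: str                        # telemetry source the alert came from
    first_evidence_ts: datetime        # earliest telemetry behind the alert
    raised_ts: datetime                # when the platform actually raised it
    incident_id: Optional[str] = None  # set when correlated into an incident


def mean_time_to_detect(alerts: List[Alert]) -> float:
    """Mean seconds between first evidence and the alert: how quickly threats surface."""
    latencies = [(a.raised_ts - a.first_evidence_ts).total_seconds() for a in alerts]
    return mean(latencies) if latencies else 0.0


def correlation_rate(alerts: List[Alert]) -> float:
    """Share of alerts the platform tied to an incident instead of leaving them isolated."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a.incident_id) / len(alerts)


def telemetry_utility(telemetry: List[Telemetry], alerts: List[Alert]) -> float:
    """Share of ingested sources that contributed to at least one correlated incident.

    A source that only adds volume and never feeds an incident is the 'too much data'
    problem the article warns about; this ratio makes that visible per source set.
    """
    ingested = {t.source for t in telemetry}
    useful = {a.source for a in alerts if a.incident_id}
    return len(useful & ingested) / len(ingested) if ingested else 0.0


def traffic_coverage(telemetry: List[Telemetry]) -> Dict[str, int]:
    """Count internal vs external events, to confirm both sides are being analysed."""
    counts: Dict[str, int] = {"internal": 0, "external": 0}
    for t in telemetry:
        counts[t.direction] = counts.get(t.direction, 0) + 1
    return counts


def volume_by_source(telemetry: List[Telemetry]) -> Dict[str, int]:
    """Event volume per source, the denominator behind the 'useful telemetry' question."""
    volume: Dict[str, int] = {}
    for t in telemetry:
        volume[t.source] = volume.get(t.source, 0) + 1
    return volume


def xdr_scorecard(telemetry: List[Telemetry], alerts: List[Alert]) -> dict:
    """Bundle every metric into one dictionary suitable for a dashboard or a report."""
    return {
        "mean_time_to_detect_s": mean_time_to_detect(alerts),
        "correlation_rate": correlation_rate(alerts),
        "telemetry_utility": telemetry_utility(telemetry, alerts),
        "traffic_coverage": traffic_coverage(telemetry),
        "volume_by_source": volume_by_source(telemetry),
    }


# Constructed sample data (not real telemetry): five sources, one of which ("dns")
# produces events but never contributes to an alert.
T0 = datetime(2022, 6, 1, 10, 0)
SAMPLE_TELEMETRY = [
    Telemetry("endpoint", "internal", T0),
    Telemetry("firewall", "external", T0 + timedelta(minutes=1)),
    Telemetry("firewall", "external", T0 + timedelta(minutes=2)),
    Telemetry("dns", "internal", T0 + timedelta(minutes=5)),
    Telemetry("cloud", "external", T0 + timedelta(minutes=60)),
    Telemetry("email", "external", T0 + timedelta(minutes=70)),
]
SAMPLE_ALERTS = [
    Alert("A1", "endpoint", T0, T0 + timedelta(minutes=5), "INC-1"),
    Alert("A2", "firewall", T0 + timedelta(minutes=2), T0 + timedelta(minutes=12), "INC-1"),
    Alert("A3", "cloud", T0 + timedelta(minutes=60), T0 + timedelta(minutes=90), None),
    Alert("A4", "email", T0 + timedelta(minutes=70), T0 + timedelta(minutes=71), "INC-2"),
]

if __name__ == "__main__":
    for name, value in xdr_scorecard(SAMPLE_TELEMETRY, SAMPLE_ALERTS).items():
        print(f"{name}: {value}")
```

On the sample data the scorecard reports a mean time to detect of 690 seconds, 75% of alerts correlated into incidents, and only 60% of telemetry sources contributing to any incident, which flags the "dns" and "cloud" feeds as candidates for review. Tracking these numbers release over release is what turns the article's list into something a SOC can act on.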


Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.
