Untangling XDR: Our take on the 2023 Gartner Market Guide

By Grant McDonald, Director of Product Marketing, SecOps and XDR at Trellix
Exploring extended detection and response.
Exploring extended detection and response.

With threats on the rise and organisations using an average of 25 individual security solutions, security professionals look to advanced solutions like extended detection and response (XDR) to reap the benefits of an integrated security approach.

Over the past 18 months, Trellix has been named in Gartner reports addressing native security capabilities critical to an XDR solution. Why? We believe it is because Trellix has truly understood the needs of this evolving market, and is delivering on the definition of XDR per the new 2023 Gartner Market Guide for Extended Detection and Response“Extended detection and response (XDR) delivers security incident detection and automated response capabilities for security infrastructure. XDR integrates threat intelligence and telemetry data from multiple sources with security analytics to provide contextualisation and correlation of security alerts. XDR must include native sensors and can be delivered on-premises or as a SaaS offering. Typically, it is deployed by organisations with smaller security teams.”

This report, which recognises Trellix as a representative vendor, offers strategic guidance for SRM leaders to understand and evaluate the applicability of XDR platforms for their needs. Vendor consolidation, closing threat detection and response gaps, better alert correlation, enriching alerts with greater context, and improving security efficacy and operations are all referenced in the report. Gartner also offers practical guidance throughout to help customers measure a vendor against expected XDR outcomes.

You can read the report here to get the full set of recommendations, but our take on the report focuses on five key areas:

Can XDR help with vendor consolidation?

Native security capabilities that address common threat vectors are an early call-out, with the bare minimum requirement of an endpoint sensor and one other native security sensor with pre-built integration. A longer list that includes many technologies beyond the endpoint is offered for consideration. This is interesting, as several XDR vendors require that customers adopt their endpoint technology but may lack other components. As Gartner notes about the list of security sensors: “The mandate being that these are threat- and response-focused sensors that can add to the greater whole than the individual items provide on their own.” Buyers should investigate how many native security controls beyond the endpoint are available, particularly if vendor consolidation is a driver for the business.

Can XDR make better, more efficient use of the data you already own?

Data correlation in the form of enrichment, analytics, automation, orchestration and workflow improvements is a layer within the core elements of XDR. It requires integrations with third-party products and advanced analytics to drive automation and orchestration across threat vectors to create higher-value alerts. Looking at the depth of integrations and data ingestion speed and asking for demonstrations of SOAR capabilities can help you determine how well a vendor can provide SOC efficiency.

How well does XDR create timely threat intelligence?

Making threat intelligence actionable is a practical benefit of XDR. The more data that can be processed across sources and delivered in a prioritised way for teams, the faster they can improve detection and response efficacy. Exploring the volume of sources (native and third-party feeds) a vendor can leverage, along with how fast data can be ingested and presented in a prioritised manner, should be a consideration for buyers.

How well does XDR complement your current team and tools?

As per Gartner: “While XDR cannot replace the need for SIEM in all use cases, XDR can replace or augment the SIEM threat detection and response use case for a specific security domain.” The ability to craft more automated responses and integrate with converging platforms is critical for businesses that lack resources, specialised skills or want fewer tools. In addition to how vendors can replace or augment current tools, it is critical to explore how truly open vendors are when it comes to integrations. Vendors that lack the ability to ingest data from a range of third parties will have a harder time adding value to and making the most of the data you already own.

Does XDR maximise automation with built-in capabilities?

“Gartner has stated that orchestration and automation are mandatory capabilities for a credible XDR.” Guided workflows, user-generated automation and the ability to share events with other security controls is critical to simplifying security operations. Solutions that perform automated hunting and quickly connect analysts to orchestration and automation can go a long way to help overwhelmed teams. The ability to trigger automated actions in other controls is important, especially with new and emerging threats to quickly halt a threat actor while teams investigate the root cause. Asking for specific SOAR use cases can help uncover how well and how fast vendors perform.

Trellix is recognised as a representative vendor in the XDR market. We believe Trellix solves all use cases addressed in the report and meets every XDR requirement listed.

Figure 1: The Trellix Platform integrates native and third-party security controls, XDR functionality and multiple threat intelligence feeds.
Figure 1: The Trellix Platform integrates native and third-party security controls, XDR functionality and multiple threat intelligence feeds.

Our open, integrated XDR ingests data from the largest array of native, best-of-breed security controls spanning today’s critical threat vectors as well as more than 1 000 third-party data sources. Leveraging more than 1 billion global threat sensors, Trellix is able to correlate and enrich data so you get timely insights to improve your detection, investigation and remediation response times.

Figure 2: Key capabilities that set Trellix XDR apart.
Figure 2: Key capabilities that set Trellix XDR apart.

Unlike competing XDR solutions, we unlock data from the security controls customers already own without requiring a Trellix-native solution. In the same vein, we leverage intelligence from our elite Advanced Research Center team of researchers and more than 40 000 customers as well as numerous third-party feeds, to prioritise and remediate threats for analysts and help them investigate faster with more accurate insights into attack behaviours. Guided investigation and hundreds of built-in SecOps playbooks drive automation and further simplify workflow processes for SecOps teams.

Figure 3: Trellix XDR rapidly ingests data from multiple data sources to prioritise, create context and drive automation for faster threat detection and response.
Figure 3: Trellix XDR rapidly ingests data from multiple data sources to prioritise, create context and drive automation for faster threat detection and response.

Why Trellix XDR?

  • Ingests data from a wide range of Trellix best-of-breed native security controls.
  • Open data integrations from 1 000+ third-party sources out of the box.
  • Multi-vector, multi-vendor detections that prioritise threats.
  • Extends contextualisation with threat intel from native and third-party sources.
  • Built-in playbooks for SaaS-based and on-premises response actions and orchestration.

You can check out the full report from Gartner here to learn more about the vendor strategies best designed to deliver on the promise of XDR for your business.

Share