Dazed and Confused by the XDR Telenovela?

Confusing drama? Intrigue? Passion? Cliffhangers? Look no further than the XDR Telenovela and its never-ending stream of episodes.

New episodes — the plot thickens

If you are looking at an XDR solution, this is a tough spot to be in. I know I would be frustrated.

It is not all doom and gloom, and there is some good news. A couple of recent blogs have highlighted the drama and, interestingly, made a good case for an XDR definition that emphasizes the need for a more open approach. For example, Omer Singer in his “The shortest XDR definition”, or Oliver Rochford in his “The great XDR versus X-EDR debate”. And I have been blogging about this for a while now, for example in this discussion of pros and cons of native XDR versus open XDR.

Each of our blogs also points to the same problem, most XDR definitions cannot agree on what exactly XDR is. This creates confusion in the marketplace for end users who are already overwhelmed managing and integrating an average of more than 19 SOC tools. And along with this … trying to provide efficient threat detection, investigation, and response (TDIR) to their organizations.

Here are some thoughts that most people can agree with:

  • Yes, EDR is an essential element of XDR.

o But is EDR enough? Today’s attack surface is extraordinarily complex. We have a post-Covid workforce evolving remotely, many workers using unmanaged devices, and most organizations are considering or embracing cloud-first initiatives.

  • Yes, the pre-integration that single-vendor ecosystems offer is interesting and valuable.

o But are these single-vendor offerings well integrated (or is this more Telenovela drama)? What about the organizations concerned with vendor lock-in and want a best-of-breed approach?

  • Yes, XDR use cases can be covered by some of the leading SIEMs (e.g., Exabeam)

o But what if organizations do not want to persist their data? What if compliance is not needed? For those organizations afraid to be overwhelmed by a SIEM, and who just need TDIR, an XDR is an interesting and relevant alternative.

Overcoming the Telenovela — finding a common definition

  • Simple and clearly understood by everyone
  • Precise enough to differentiate XDR from adjacent technologies such as SIEM
  • Yet federative enough to be embraced by key stakeholders and promote collaboration among the broader community of vendors, service providers, end-clients, press and analysts.

Because the goal of XDR is focused on detection and response (let’s not forget investigation, and threat hunting…) across an extended set of technologies in organizations, it does take a community to promote an acceptable XDR definition. It is this community that needs to come together and agree on a definition, promote it in the marketplace, and work to make it a reality.

If we do not reboot the XDR Telenovela and start to collaborate, the attackers win, and the industry and our customers lose.

Exploring an XDR definition — let’s focus on expectations and outcomes

Let’s make an XDR definition that is simple and encompassing yet captures the unique characteristics of the XDR approach. I think we can all agree that XDR is about solving organizations’ TDIR problems as best as possible. This means offering coverage against a wide set of threats, delivering short time-to-value, and performing efficiently using advanced analytics and automation to maximize human capital.

Here are some thoughts after much research and many conversations with clients, vendors, and industry analysts:

“XDR is a set of technologies required to easily deliver on threat detection, investigation, and response outcomes for common use cases, with the following characteristics:

  • Cloud-delivered and cloud-ready
  • Focused on TDIR
  • Offers coverage for threat-centric use cases (trivial to sophisticated)
  • Accommodates today’s heterogenous environments
  • Enables immediate time-to-value as a turnkey solution”

Millions of people love their Telenovelas, and we support viewing habits of every kind, but we think it is time to simplify the XDR Telenovela, work on a definition that many vendors have already embraced and leave the drama where people want it.

Stay tuned for more from us on this topic.



Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.