If you could choose between a really nice utility knife and a Swiss Army knife, which one would you pick? Most people would choose the latter because it can do more. Like a simple utility knife, the Swiss Army knife features a main blade for handling general tasks, but it also has an array of other tools that are useful in many situations. Like a Swiss Army knife, extended detection and response (XDR) offers the same capabilities as endpoint detection and response (EDR), but provides many others in addition.
Right now, many federal agencies are facing a similar choice as they evaluate a cybersecurity solution that delivers more than just the promise of protection. More specifically, they’re trying to decide whether to implement an EDR solution or an XDR platform.
XDR offers security teams a holistic view across networks, cloud workloads, servers, security information and event management, as well as other elements. It also collects and correlates data across multiple endpoints. EDR monitors endpoints, and it’s more advanced than traditional endpoint solutions, but it doesn’t offer a view across the organization’s IT environment to help security teams identify broader and more complex attacks.
If XDR is the more effective tool, why are agencies even grappling with the decision whether to use EDR or XDR? Here are a few key reasons:
- Many agencies are already using some type of EDR solution — change is hard.
- They’re not exactly sure what value XDR can deliver — XDR is still rather new.
- They may not realize that XDR is, essentially, an evolution of EDR — more on that later.
There are other, more immediate and significant factors complicating the XDR versus EDR decision-making process for agencies. The Continuous Diagnostics and Mitigation (CDM) Program, which equips participating agencies with access to capabilities and tools for improving their security posture, has prescribed EDR for cybersecurity monitoring and control of endpoint devices. This move is in response to the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity, which mandates that agencies implement an EDR solution for threat visibility, detection and response capabilities.
Because there’s no specific mention of XDR in the Executive Order or by the CDM, many agencies are assuming they should simply focus on investing in EDR, so they can meet outlined EDR requirements and advance their Zero Trust journey (which the Executive Order also calls for).
Making EDR even more top of mind for agencies is the draft of the “Federal Zero Trust Strategy” released by the Office of Management and Budget (OMB) in early September. Statements in the draft about EDR include the following: “To ensure government-wide EDR coverage, agencies must ensure strong EDR tools are deployed across their agency.”
But agencies must also consider the language following that statement:
“To enforce a zero trust architecture, agencies must monitor and assess the security posture of all of their authorized devices. As agencies make greater use of cloud services, their assets naturally grow and become more spread out across the internet. Agencies must know what they have and where they are vulnerable, whether in-house or in the cloud, in order to successfully monitor and improve the security of their endpoints, servers, and other key technical assets.”
Here’s where XDR comes in. When you adopt a Zero Trust model, your organization is committing to taking a holistic approach to safeguarding every interaction in your IT environment relating to users, applications and infrastructure. If you’re only focusing on endpoints with detection and response, you aren’t seeing the complete picture of risks and threats, including those associated with cloud applications and managed and unmanaged hosts.
Here’s some additional food for thought to throw into the XDR versus EDR debate for federal agencies and other organizations. A recent report from analyst firm Forrester proclaimed, “EDR is dead. Long live XDR.” In a separate blog post on XDR, the same analyst who made that statement noted that her intent was to “drive the point home that XDR is the next evolution of EDR and will ultimately replace EDR. That is still true, even if the line item in the budget still reads EDR and security teams are still looking to EDR.”
Even if the Executive Order, CDM and OMB all specifically refer to “EDR” rather than “XDR,” and your agency is currently considering EDR, it doesn’t change the fact that XDR is still the future. So, why not make the move now? As the Forrester analyst notes, transitioning to XDR is a journey that takes time. But transitioning to Zero Trust is also a time-consuming undertaking, and one your agency must undertake regardless.
Here’s the upshot. To meet EDR requirements, XDR more than fits the bill. No worries there. We can and would love to help you with an EDR solution. But, if you deploy an EDR solution, you won’t get the same capabilities an XDR platform can provide, and you’ll likely make your Zero Trust journey much longer and more difficult.
Besides, when your agency faces a disruptive and potentially damaging cybersecurity event, do you want to have basic or advanced response capabilities at your fingertips? What is even more important is a tool that can help you see beyond your endpoints, so you can better secure your users, systems and data to help prevent attacks. That’s XDR.
Learn More About XDR
Federal agencies can access our Cortex XDR solution through the CDM Program. Cortex XDR combines EDR, antivirus, network detection and response, user behavior analytics and many other capabilities and functions into a single system. It incorporates artificial intelligence and machine learning to correlate events across endpoints, networks and the cloud, providing security teams with enterprise-wide visibility. Find out more about Cortex XDR. Contact the Palo Alto Networks federal team for additional information.