Part 2: The Six Pillars of XDR

Abhijit Ghosh

In Part 1, we explored why XDR “is a thing”: the detection and response tools of days gone by leave gaps in protecting modern infrastructure from new attacks on new vectors using new tricks, and XDR fills them. Now let’s get into its key components. How do you protect yourself? In our experience, there are six major considerations:

XDR must deterministically combine individual findings with causal sequencing of all events across the infrastructure to understand the precise attack progression in real time, eliminating guesswork. Attacks often involve multiple steps that take place at different points in time (temporal distance), at different parts of the infrastructure (spatial distance), and visible through different sources (visibility distance). Only causal sequencing of every event across the infrastructure can build the entire storyboard of an arbitrary attack progression in real time. Correlation-based approaches that build insights across multiple security events yield probabilistic results that become inconclusive jigsaw puzzles.

XDR must have granular visibility into malicious behavior across hosts, networks, and third-party controls such that the full context of an attack can be created automatically. Risky behaviors of attacks manifest at different vantage points. XDR must have a wide-angle view into any and every event that can be seen. The more you can see, the better equipped you are to identify bad behavior.

  • Host visibility: Deep operating system level visibility from server OS is crucial to identifying attack tactics and techniques. XDR must have fine-grained server operating system call level visibility that is the best seat in the house for observing bad behavior.
  • Network visibility: Network traffic patterns are a rich source of visibility into malicious actions. XDR must have the ability to see all east-west network traffic inside the server infrastructure including inter-VM & inter-container traffic commonly missed by typical network-based security solutions.
  • Visibility from other security controls: Server infrastructure is an ecosystem of security controls for environment-specific policy enforcement. These security controls are multiple vendor products such as Firewalls, IDS/IPS, Vulnerability Managers, Integrity checkers, Application Control etc. that customers deploy to protect their infrastructure.

XDR must be able to integrate visibility from these security controls in the infrastructure in the context of server activities. It must have an open API based framework to integrate with results from other security vendors.

XDR must detect sophisticated attackers who use file-less attacks, zero-day exploits and living-off-the-land techniques to bypass traditional signature-based risk analysis. Because such attacks leave no signature to match, XDR must primarily focus on identification of risky behaviors and anomalous actions to determine malicious activity through multiple analytical methods.

  • Behavioral Analytics: XDR must be able to identify known patterns of risky behaviors corresponding to well-known attack tactics and techniques (as described by the MITRE ATT&CK framework).
  • AI/ML based zero touch security: XDR must support unsupervised machine learning to baseline normal behavior of applications and servers to identify anomalies that indicate potentially risky actions.
  • External Risk Contextualization: XDR must be able to deterministically map security risks perceived in the ecosystem into the context of server activities.

XDR must be able to present the attack sequence in chronological order, without the need to piece together individual tactics and techniques of a multi-stage campaign across the infrastructure. Attacks are not singular events on isolated servers; they are multi-stage campaigns in which the attacker progresses through the stages of the kill chain while navigating through multiple servers in the infrastructure. XDR must up-level its findings beyond individual alerts to storyboard attacks developing across the infrastructure.
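As an added illustration of this pillar and of the causal sequencing described earlier (this is example code, not code from the original post or its author), the following Python expands a single finding into the cross-server chain it belongs to: process creation links parent to child on a host, a matched network flow links the connecting process on one server to the accepting process on another, and the linked events are then presented in chronological order. Event field names, host names and flow ids are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed telemetry from two servers (not real sensor output). A shared
# "flow" id stands in for the 5-tuple a sensor would match between the
# connect seen on one host and the accept seen on the other.
EVENTS = [
    {"ts": 100, "host": "web01", "kind": "process_start", "pid": 300, "ppid": 1, "image": "nginx"},
    {"ts": 104, "host": "web01", "kind": "process_start", "pid": 500, "ppid": 1, "image": "cron"},
    {"ts": 105, "host": "web01", "kind": "process_start", "pid": 310, "ppid": 300, "image": "sh"},
    {"ts": 106, "host": "web01", "kind": "net_connect", "pid": 310, "flow": "f1", "dst": "db01:22"},
    {"ts": 106, "host": "db01", "kind": "net_accept", "pid": 420, "flow": "f1"},
    {"ts": 107, "host": "db01", "kind": "process_start", "pid": 425, "ppid": 420, "image": "bash"},
    {"ts": 108, "host": "db01", "kind": "file_read", "pid": 425, "path": "/etc/shadow"},
    {"ts": 109, "host": "db01", "kind": "file_read", "pid": 430, "path": "/var/log/syslog"},
]

# Long-lived roots such as PID 1 are ancestors of everything on a host; walking
# through them would stitch unrelated processes into one story.
BOUNDARY_PIDS = {1}

def build_causal_graph(events):
    """Undirected adjacency over (host, pid) nodes. Edges are deterministic facts:
    parent->child process creation, and a flow matched between two processes."""
    adj = defaultdict(set)
    flow_nodes = defaultdict(list)
    for e in events:
        node = (e["host"], e["pid"])
        if e["kind"] == "process_start" and e["ppid"] not in BOUNDARY_PIDS:
            parent = (e["host"], e["ppid"])
            adj[node].add(parent)
            adj[parent].add(node)
        elif e["kind"] in ("net_connect", "net_accept"):
            flow_nodes[e["flow"]].append(node)
    for nodes in flow_nodes.values():          # join both ends of each matched flow
        for a in nodes:
            adj[a].update(n for n in nodes if n != a)
    return adj

def storyboard(events, seed):
    """Every event causally linked to the seed (host, pid), across hosts, in
    chronological order. No scoring: an event is reachable or it is left out."""
    adj = build_causal_graph(events)
    seen, queue = {seed}, deque([seed])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted((e for e in events if (e["host"], e["pid"]) in seen), key=lambda e: e["ts"])
```

Seeding with the finding on db01 (`storyboard(EVENTS, ("db01", 425))`) returns the six linked events from web01 and db01 in time order, while the unrelated cron and syslog events on the same hosts stay out of the story.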

XDR must act as a virtual analyst and precisely connect all attack steps in real time to pinpoint the presence of an attacker and surgically respond in a proactive and autonomous manner. To be able to respond as the attack is unfolding, manual investigations need to be nearly eliminated: only when the attacker’s presence is pinpointed automatically can the attack be surgically responded to while it is still in progress.

XDR must work for anyone, regardless of their training or experience, so that every security analyst can focus on response as opposed to investigations. An effective XDR must be deployable in common server workload environments in the most production-friendly manner.

  • Universally deployable: XDR must support common server environments, namely Windows* and Linux* operating systems and container form factors, and be private or public cloud agnostic.
  • Production friendly: XDR must be least invasive on the production environment, imposing minimal CPU, memory and network costs and remaining compatible with other applications and security products.
  • Integrated into security workflows: XDR must interoperate with existing security workflows based on SIEM, ITSM products.
  • Case management workflows: XDR must support intuitive workflows to enable analysts to own cases, collaborate within a team and take action.

Benefits: XDR delivers the next generation of security for server infrastructure by tightly integrating holistic visibility and using advanced techniques to detect and respond to modern attacks.

We think XDR promises to transform security--but only if the technology brings together these six pillars.

Our next blog will explore our first pillar in greater depth.