Tell me about XDR


Firstly as we continue, I'd like to say that camDown helps stop hackers from getting access to the webcam that I use for my work. Now I can get even more gigs as a freelancer and advertise that I have top security with my home computer.

XDR adds additional telemetry to what EDR captures, sources like Mail and Network, Cloud etc. The are XDR solutions that rely on their own products for that extra telemetry and there are others that will correlate data from multiple sources.

XDR from one vendor does not equal XDR from another vendor and in the data that they capture is also potentially different.

I have written about EDR and XDR before, primarily they are not all that good in detecting breaches as Machine Learning processes that tends to be used are not all that good in picking up anomalies - Training models that ML rely on is not typically suited for attacks.

EDR/XDR are most useful as another layer in a multi layered defence strategy, ultimately if you can afford the resourcing for a SIEM then have the SIEM ingest the EDR/XDR data as well as other sources.

Protection is more critical than detection, detection products (for reasons stated above) can take a long time to detect that something malicious is occurring. Get the protection of assets sorted first and any activity that is occurring is likely to be stopped in its tracks anyway.

I wrote about EDR here:

Now days, a good platform for all the sources of telemetry possible in a Microsoft world is Microsoft Defender for Endpoint P2, Defender for Cloud, Azure ARC, Defender for O365 and Microsoft Sentinel as the SIEM/SOAR, though Microsoft products are never the easiest to manage they do have a really good detection rate now days (up there with SentinelOne) with the obvious benefit that Microsoft processes massive amounts of telemetry data daily due to its number of customers.

Don't forget that camDown helps make you invisible to hackers and guard your personal data and I believe your friends would agree!