XDR – Advantages From a Wider View

Art Ocain

Endpoint Protection Isn’t Enough

There are hundreds of great security products on the market, each filling specific needs and having pros and cons. Endpoint detection and response (EDR) is no exception. EDR finds and kills the threat on the endpoint (your computer or server), but it looks at a very narrow slice of the attack surface. It misses the network, identity, cloud data, and email threats that face your organization. This lack of complete visibility is where extended detection and response (XDR) comes into play.

EDR is very effective at stopping threats that reach the endpoint, so why do we need more? Isn’t the endpoint what we are trying to protect? Yes, but threats that bypass EDR, or that target manufacturing operational technology (OT), IoT devices, containers, or legacy systems that EDR cannot protect, still leave the organization at risk. Lastly: wouldn’t it be nice to stop the threat before it reaches your endpoint?

What does XDR do?

Good XDR will correlate data from:

  • Endpoints (event logs, EDR telemetry)
  • Identity (Active Directory, Okta, Duo, Azure AD, Thycotic, PingFederate, etc.)
  • Network (firewalls, core switches, wireless controllers, network IDS systems, netflow)
  • Email Security (Microsoft Defender for 365, Armorblox, Mimecast, Proofpoint)
  • Email Platform (Microsoft 365, Google Workspace, Exchange Server)
  • Cloud (cloud firewalls, AWS/Azure/GCP logs)
  • Infrastructure (VMware logs, IIS logs, FTP/SFTP logs, access logs, audit logs)

Good XDR will correlate all of these events and build associations between them. It will enrich the data from threat feeds and map events to frameworks such as MITRE ATT&CK and/or MITRE D3FEND.

Good XDR will integrate with endpoints and firewalls in order to execute playbooks, stop threats, clean infections, and isolate hosts.



  • Bob, your CFO, is in the news as your company celebrates a stellar quarter. The screen transitions to the CEO announcing a new innovation, a product that is sure to reduce energy consumption for the entire world. The threat actor, watching the news, just identified their new target: you.


  • The threat actor compiles a malware payload using code that they have used with ransomware clients in the past. The payload allows them to move through your network, execute commands, exfiltrate data, collect credentials, and deliver more malware.


  • The threat actor sends phishing emails to your finance team and sends fake invoices with the malware payload to the accounts payable address on your company’s website. Let’s say Bob, your CFO, falls for a phishing email. The threat actor now has Bob’s credentials. Next, Jane in Accounts Payable opens a fake invoice that contains a malicious payload on the old, unpatched finance system.


  • The malware payload elevates its privileges and acts as an administrator rather than as Jane.


  • It next compiles and installs a backdoor for the attacker. It also installs a service on the system so that it will execute again even if the system is rebooted.

Command & Control:

  • The malware does a DNS lookup to live.super****hairbydesign.com and receives a command to start uploading the finance database to the attacker’s cloud server. The DNS lookup tells the threat actor that your company is infected.

Actions on Objectives:

  • Next, the threat actor uses Bob’s credentials to access the VPN, which does not have MFA enabled. Upon connecting, the threat actor explores your network discreetly and finds a server called ENGINEERING-SRV. Using Bob’s credentials, the threat actor opens the shared drive on ENGINEERING-SRV and starts downloading all of the data over the VPN, including all of the intellectual property behind the new energy innovation.
  • The threat actor sees a server on the network called BACKUP-NAS and deletes all of the files on the file share.
  • Once the finance databases and the engineering data are uploaded, the threat actor instructs the malware to deploy a kill script, which disables volume shadow copies (VSS) and deploys a custom-compiled ransomware variant across the network.


  • Endpoint detection and response (EDR) software on your network identifies and stops the ransomware from executing on 300 of your 389 computers. Alerts reach your IT helpdesk and your team launches its incident response plan. The IT team finds that many of your server file shares, including ENGINEERING-SRV, are fully encrypted.

Note that EDR was effective in catching the ransomware based on its behavior, even though it was custom-compiled and did not match any known virus signature. It was not effective in preventing the attack, nor in preventing the exfiltration of your data.


The XDR Improvement

XDR would have provided increased visibility into the attack. By talking to your email security solution, XDR would have noticed the phishing attempts aimed at Bob and the finance team and correlated them with VPN access from the outside. XDR would have noticed Bob accessing the Engineering server, which is probably not common for him. It would have noticed the payload arriving for Jane and its execution on the finance system. On the privilege escalation to administrator, XDR would have fired a critical alert. Integrating with the firewall, XDR would have recognized the calls to the threat actor’s cloud server, as well as the exfiltration of data, and correlated that information with the rest of the attack. XDR would then have killed the connection to the cloud server through the firewall integration, cutting off the exfiltration.

Using the telemetry from all of these sources, XDR maps the attacker’s actions to the MITRE ATT&CK framework and identifies the threat actor as an 87% match to a hacker named PwnMeDude.

Integrating with the telemetry from your EDR, XDR could correlate the data and clean or isolate hosts as the kill script and propagation are recognized.
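To make the correlation described in this section (and in “What does XDR do?” above) concrete, here is an added toy example in Python. It is not code from the original post or from any XDR product. It takes constructed events from email security, EDR, DNS, VPN, a file server and a firewall, applies four cross-source rules that mirror the scenario (a phishing verdict followed by a VPN logon without MFA, a bulk read from a share the user never touches, attachment execution followed by a new service, and a DNS query for a feed-listed domain followed by bulk outbound traffic), tags each finding with MITRE ATT&CK technique IDs, merges findings that share a user, host, sender or address into a single incident, and derives the containment actions a playbook would hand to the firewall, EDR, DNS and identity integrations. The domains and IP addresses use reserved example ranges; the threat feed, the per-user share baseline, the time window and the byte thresholds are all assumptions.

```python
"""Toy XDR correlation: multi-source telemetry -> findings -> incidents -> playbook.
Added example. Every event, domain, IP, baseline and feed entry is constructed."""
from collections import defaultdict

# Constructed telemetry from several sources; "t" is seconds since an arbitrary epoch.
EVENTS = [
    {"src": "email", "t": 100, "user": "bob", "verdict": "phish",
     "sender": "ap@invoices-placeholder.invalid"},
    {"src": "email", "t": 105, "user": "jane", "verdict": "malicious_attachment",
     "sender": "ap@invoices-placeholder.invalid"},
    {"src": "edr", "t": 130, "host": "FINANCE-01", "user": "jane", "action": "process_start",
     "parent": "outlook.exe", "image": "invoice.exe"},
    {"src": "edr", "t": 140, "host": "FINANCE-01", "user": "SYSTEM", "action": "service_created",
     "image": "invoice.exe"},
    {"src": "dns", "t": 150, "host": "FINANCE-01", "qname": "live.c2-placeholder.invalid"},
    {"src": "vpn", "t": 200, "user": "bob", "mfa": False, "ip": "203.0.113.7"},
    {"src": "fileshare", "t": 220, "user": "bob", "host": "ENGINEERING-SRV", "action": "read",
     "bytes": 40_000_000_000},
    {"src": "firewall", "t": 260, "host": "FINANCE-01", "dst": "198.51.100.9", "direction": "out",
     "bytes": 12_000_000_000},
]
THREAT_FEED = {"live.c2-placeholder.invalid", "198.51.100.9"}      # constructed enrichment feed
SHARE_BASELINE = {"bob": {"FINANCE-SRV"}, "jane": {"FINANCE-SRV"}}  # constructed "normal" shares per user
WINDOW = 600          # seconds within which two events may be linked (assumption)
BULK_BYTES = 10**9    # transfer size treated as bulk data movement (assumption)

def by(events, src, **match):
    """Events from one source whose fields equal every value in `match`."""
    return [e for e in events if e["src"] == src and all(e.get(k) == v for k, v in match.items())]

def later(anchor, candidates):
    """Candidates that occur after `anchor` and within WINDOW of it."""
    return [c for c in candidates if 0 < c["t"] - anchor["t"] <= WINDOW]

def finding(rule, attack, **ctx):
    """A correlated detection: rule name, ATT&CK technique IDs, and the entities involved."""
    return {"rule": rule, "attack": attack, "ctx": ctx, "entities": set(ctx.values())}

def correlate(events):
    """Apply the cross-source rules and return the findings they produce."""
    out = []
    # Phishing verdict from email security, then a VPN logon without MFA by the same user.
    for mail in by(events, "email", verdict="phish"):
        for login in later(mail, by(events, "vpn", user=mail["user"], mfa=False)):
            out.append(finding("phish_then_vpn_no_mfa", ["T1566", "T1078"],
                               user=mail["user"], sender=mail["sender"], ip=login["ip"]))
    # Bulk read of a share the user has no history with (identity + file-server telemetry).
    for read in by(events, "fileshare", action="read"):
        if read["host"] not in SHARE_BASELINE.get(read["user"], set()) and read["bytes"] >= BULK_BYTES:
            out.append(finding("bulk_read_unusual_share", ["T1039"], user=read["user"], host=read["host"]))
    # Malicious attachment, a child of the mail client, then a service created from that same image.
    for mail in by(events, "email", verdict="malicious_attachment"):
        for start in later(mail, by(events, "edr", action="process_start", user=mail["user"], parent="outlook.exe")):
            if later(start, by(events, "edr", action="service_created", host=start["host"], image=start["image"])):
                out.append(finding("attachment_exec_persistence", ["T1204.002", "T1543.003"],
                                   user=mail["user"], sender=mail["sender"], host=start["host"]))
    # DNS query for a feed-listed domain, then bulk outbound traffic from the same host.
    for q in by(events, "dns"):
        if q["qname"] in THREAT_FEED:
            for flow in later(q, by(events, "firewall", host=q["host"], direction="out")):
                if flow["bytes"] >= BULK_BYTES:
                    out.append(finding("c2_dns_then_exfil", ["T1071.004", "T1041"],
                                       host=q["host"], qname=q["qname"], dst=flow["dst"]))
    return out

def build_incidents(findings):
    """Merge findings that share any entity (user, host, sender, IP, domain) into incidents."""
    parent = list(range(len(findings)))  # union-find over finding indexes

    def root(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_owner = {}
    for i, f in enumerate(findings):
        for ent in f["entities"]:
            if ent in first_owner:
                parent[root(i)] = root(first_owner[ent])
            else:
                first_owner[ent] = i
    groups = defaultdict(list)
    for i, f in enumerate(findings):
        groups[root(i)].append(f)
    return [{"findings": g, "attack": sorted({t for f in g for t in f["attack"]})} for g in groups.values()]

def playbook(incident):
    """Containment actions an XDR would hand to its EDR, firewall, DNS and identity integrations."""
    actions = set()
    for f in incident["findings"]:
        c = f["ctx"]
        if f["rule"] in ("attachment_exec_persistence", "c2_dns_then_exfil"):
            actions.add(f"edr: isolate host {c['host']}")
        if f["rule"] == "c2_dns_then_exfil":
            actions.add(f"firewall: block outbound to {c['dst']}")
            actions.add(f"dns: sinkhole {c['qname']}")
        if f["rule"] in ("phish_then_vpn_no_mfa", "bulk_read_unusual_share"):
            actions.add(f"identity: disable {c['user']} and revoke sessions")
    return sorted(actions)
```

Run `correlate(EVENTS)` and feed the result to `build_incidents` and `playbook`: eight raw events collapse into four findings and one incident carrying seven ATT&CK techniques and four containment actions. Drop the VPN telemetry from the input and the phishing finding disappears, and Bob’s read of the engineering share is no longer linked to the finance host, so the same activity surfaces as two unrelated incidents; that is the narrow-view problem the post describes. A real XDR learns the share baseline from history and evaluates rules over streaming data; the fixed dictionary and in-memory list stand in for both.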


Take a Look at XDR

Because these attacks are opportunistic, with attackers looking for gaps in security coverage and unpatched systems, broader visibility and correlated data are essential. While important, EDR is only a piece of the puzzle. More data with strong correlations produces fewer, better-informed alerts for IT and security staff.
