Extended Detection and Response (XDR)

What is XDR?

XDR stands for cross-layered detection and response. XDR collects and then correlates data over a variety of security layers, including endpoints, email, servers, cloud workloads, and the general network. XDR is a new, alternative approach to traditional detection and incident response, integrating detection and response procedures across multiple environments.

How XDR Works

Well-designed threats can be hard to detect because they work between security silos, which are multiple security approaches that work in parallel but not necessarily together. Due to their ability to lurk between security silos, they can spread or multiply as time goes by. As a result, they may evade the attention of a security operations center (SOC) and end up causing more damage.

XDR isolates and dissects these threats. It collects then correlates each detection according to individual security layers. Each “layer” represents a different attack surface: endpoints, email, network, servers, and cloud workloads. The specific ways in which an XDR solution protects each attack surface would be outlined in the white paper of your XDR provider.


Managing endpoint activity is essential to figuring out how a threat could have gained a foothold and spread from one endpoint to another. With XDR, you can use endpoint sweeping to search for indicators of compromise (IOCs) and then hunt them using information gathered from indicators of attack (IOAs).

An XDR system can tell you what happened at an endpoint, as well as where a threat came from and how it managed to spread across multiple endpoints. XDR can then isolate the threat, stop necessary processes, and delete or restore files.


Email is one of the biggest and most often used attack surfaces. This makes it a soft target, and XDR solutions may help limit the risks that come with an email system. Even though email security can also be handled with a managed detection and response (MDR) system, XDR pinpoints email security specifically.

As part of the triage process, XDR can detect email threats and identify accounts that have been compromised. It can also detect users that are frequently attacked, as well as patterns of attack. XDR can investigate who is responsible for the threat getting by security protocols and who else could have received the email in question.

To respond to the attack, XDR can quarantine email, reset accounts, and also block the senders responsible.


Analyzing the network for attacks and attack opportunities is an important step in aggressively tackling security issues. With network analytics, events can be filtered, which helps identify points of vulnerability, such as unmanaged and Internet-of-Things (IoT) devices. Whether threats tend to stem from Google searches, email, or well-orchestrated attacks, network analytics can pinpoint the underlying vulnerability.

XDR can detect the problematic behavior within the network and then investigate details about the threat, including how it communicates and how it travels across the company. This can be done regardless of a threat's position on the network, from an edge services gateway (ESG) to a central server. XDR can then report to administrators information about the scope of the attack, so they can quickly find a solution.

Servers and Cloud Workloads

Protecting servers and cloud infrastructure involves steps that, at a high level, are similar to those used to secure endpoints. The threat has to be examined to figure out how it arrived in the network, as well as how it was able to spread.

XDR gives you the ability to isolate threats that are custom-designed to focus on servers, containers, and cloud workloads. XDR then investigates how the threat is affecting the workload and examines how it is propagating across the system. It then isolates the server and stops the necessary processes to contain the threat. Threat isolation is a key component of reducing the mean time to recover from attacks.

For example, if a threat gained access to your cloud network through an IoT endpoint, XDR can ascertain where it came from. You can then address the reasons behind the security breach and use that information to come up with a plan of attack. 

XDR can also be an effective addition to a suite of security products because it assists in figuring out how the threat affected the server's workload. If it slowed down processing or corrupted data, XDR can tell you to what extent this happened. Then XDR can stop any processes that could facilitate the threat spread. In a cloud environment that supports a vast array of connection points, stopping processes may prevent large data losses or the complete suspension of crucial segments of your operations.

Servers and Cloud Workloads

An XDR system can feed information into a data lake—a centralized repository of raw data—and sterilize it. It first initiates cross-layer sweeping to detect threats, then hunts them down, investigates, and eliminates them.


XDR vs. Traditional Threat Detection

XDR differs from traditional threat detection in that it aims specifically at solving problems created by a silo approach. One way XDR “de-silos” a system is by segmenting the attack surfaces into their primary categories. This way, you get a relatively comprehensive solution for email, networks, servers, and cloud workloads. 

XDR is different in how it seeks to not just detect and identify threats but also respond to them. Some threat detection systems only detect the threat without taking decisive action to eliminate it. Depending on your needs, this aspect of XDR may not be useful, particularly if you want to have more leeway as to how you respond to threats.

XDR can be a useful tool for managing alerts as well. A security system may be inundated with a range of alerts, and managing them can sometimes take as much work as addressing the threats themselves. An XDR system can consolidate alerts that, while desirable, may not contain actionable information. This helps administrators focus on the alerts that necessitate definitive steps.

Because XDR not just detects but also responds to threats, a security team could save time and resources with XDR implementation. For example, if the IT team knows how they want to respond to each threat, and the XDR solution has that capability, they can cover several bases at once, using XDR to identify and isolate threats, as well as shut down the problematic processes involved.

XDR vs. Endpoint Detection and Response (EDR)

EDR is different than XDR in that the “E” refers to endpoints specifically, whereas the “X” in XDR indicates it handles network and cloud data as well.

If you already have a security solution for your network and cloud infrastructure, you may be better off using an EDR solution like FortiEDR. An XDR system may be difficult to interface with your current network security solution, and the redundancy may result in more obstacles than opportunities.

XDR vs. Network Traffic Analysis (NTA)

Both XDR and NTA can detect threats. NTA focuses on pattern recognition, and it can therefore provide an instant response to data packets that violate the expected pattern. For example, if a server usually gets traffic from the U.S., Canada, and Brazil but suddenly starts receiving traffic from Russia, an NTA system can be used to eliminate the potential threat. 

NTA may therefore be a better solution than XDR if the threats your organization faces can be isolated using this kind of pattern detection.

XDR vs. Security Information and Event Management (SIEM)

XDR differs from SIEM in that it comes with response solutions. Although SIEM can work with a response solution, it focuses on detecting threats, not responding to them. If you want to custom design how you respond to threats, then a SIEM solution like FortiSIEM may be a better choice than XDR.

In some cases, XDR may detect and respond to a threat automatically even when it does not pose a real danger. A premature response like that can hurt your organization. With SIEM, you are free to decide how you respond to each threat, which can prevent you from stopping or halting operations unnecessarily.

XDR vs. Security Orchestration, Automation, and Response (SOAR)

While XDR does a good job of focusing on detecting and responding to threats within its own ecosystem, SOAR can do much of the same thing but also be used to help orchestrate security policy and reporting.

If your immediate response to threats is effective but you need a system that helps with the general implementation of security policies, a solution like FortiSOAR may be a better choice than XDR. Implementing an XDR solution on top of an existing, effective threat response system may require more time than you have available, without guaranteeing results better than your existing solution.

Get Total Attack Visibility

FortiClient enables you to discover risks, monitor them, and assess how much exposure they result in. This can be done for a variety of endpoints, giving you the flexibility to tailor your security approach to the needs of your organization.

Further, FortiClient provides a defense against advanced threats, and as a central component of your telemetry, it can automatically communicate information about the threats it eliminates. Because it integrates seamlessly with the Fortinet Security Fabric, you can incorporate policy-based automation that can contain threats and prevent their spread. If you already have a Fabric-Ready security solution in place, FortiClient can work with it to make your enterprise's security solution even stronger. Whether things have slowed down due to COVID or are starting to pick back up, now is a good time to get integrated detection and response with FortiClient.