Cybersecurity teams are under growing pressure to do more with less: The skills gap, now at an estimated 3.4 million workers according to an (ISC)² 2022 Cybersecurity Workforce Study, continues to widen. The challenges of effectively managing multiple tools in the security stack stress this gap further. Today’s organizations face an onslaught of security threats but often lack the capabilities to detect and respond to them with efficiency. Security practitioners know too well the evolving challenge of threat detection and response as organizations adopt new technologies and expand their attack surface. Many have begun a journey towards extended detection and response (XDR). Unlike endpoint detection and response (EDR), which collects only endpoint security telemetry, XDR collects data from native and third-party security domains including endpoints, cloud workloads, identities and more, then aggregates and applies relevant context so security teams can effectively triage and prioritize threats.

The expected result is more comprehensive visibility of threat activity, a shorter response time to address incidents and a stronger security posture overall. At a time when organizations lack visibility and continue to expand into complex IT environments, XDR aims to shed light on threats across the organization so they can be addressed before they become bigger problems.

But while XDR tackles the enterprise security challenge of threat detection across a diverse attack surface, it can also create new issues. For organizations that buy, implement and use XDR solutions, a lack of proper resources or operational planning can dramatically decrease their effectiveness.

Below are the top challenges for businesses looking to implement XDR:

Technology Integration: As security teams have invested in new tools in an attempt to bolster detection and prevention capabilities, the challenge of providing a consistent, centralized view for SOC analysts to rapidly understand, triage and remediate issues has quickly grown. Integration and centralized management challenges typically drive alerts, including false positives, and increase staff workloads when bringing XDR into an environment. XDR implementation can be complicated, costly and time-consuming.

Staff Requirements: An Enterprise Strategy Group (ESG) report found that 47% of organizations believe they don’t have adequate skills for security operations. This lack of expertise can make it difficult to adopt and properly operate tools such as XDR, especially for smaller businesses that struggle with resource constraints. Optimizing the use of XDR requires more than the technology itself. Organizations need skilled staff to manage the platform, ensure it’s working correctly and verify that identified threats are contained and eradicated quickly.

Effective Strategy: An XDR strategy should include specific requirements to align with your business’ security needs. From this, you can determine which tools you have to support your XDR strategy and where you may need additional support. Once XDR is in place, an XDR management plan can help ensure you’re getting the full value out of the platform. This should include any necessary upgrades, configurations and incident response measures.

While it can seem like an intimidating project at the start, there are several steps that organizations can take to ensure XDR is properly implemented and managed. Below are the most important “dos and don’ts” to keep in mind:

Do – Gain Visibility Into Data Sources: Organizations often struggle to gain full visibility across the IT and security data sources they need to identify and address threats. The data streamed into an XDR platform may come from SaaS applications, custom-built applications, security tools and other resources. It’s important to gain a full view of these data sources to understand where information is coming from and which data is most relevant to improving your security posture.

Do – Ensure Proper Integration: XDR relies on the proper integration of security tools including EDR, network detection and response (NDR) and security incident and event management (SIEM) systems to work effectively. The process of implementing and using XDR will have fewer obstacles if the platform integrates with your existing IT and security stack. Test an XDR platform before deployment, so you can address any potential issues before doing a full rollout.

Do – Create a Response Plan: With XDR, security teams should be able to better detect cross-domain attacks that may otherwise fly under the radar — but they still need a plan to investigate and remediate those threats. XDR guides these remediation efforts with detection information so security teams can take action to contain threats and prevent future incidents. It’s important to both ensure the XDR solution you consider has built-in capabilities to streamline remediation actions (not simply send an alert) and establish a process and workflow to implement these remediation actions in the event of an incident.

Do – Consider Outsourcing: Businesses that invest in XDR, but don’t have the time or resources to fully deploy and optimize it will only end up hurting themselves in the long run. If your organization can’t optimize its use of XDR with in-house staff, look to managed XDR services to reduce complexity and cost while optimizing resources and improving threat detection.

Don’t – Neglect Data Quality and Retention/Storage Requirements: When it comes to XDR, low-quality data leads to low-quality results. An XDR platform needs accurate and high-quality information to effectively detect and respond to threats. Using incomplete or inaccurate data can lead to false positives or negatives, compromising the effectiveness of your XDR platform. The compliance demands and costs to retain log data continue to rise. Make sure you know what you need to keep, and for how long. Talk to your service providers/vendors about the most effective means to achieve the best results for your business.

Don’t – Overlook Proven Expertise: While XDR does the heavy lifting of processing and analyzing data, it still requires a skilled person to handle alerts, respond to incidents and ensure XDR is properly implemented and running. Lack of proven expertise can lead to misconfigurations in the product, mishandling of alerts or delays in response.

Don’t – Forget to Plan for the Future: As your organization grows and adopts new technologies, your IT and security needs may change. Failure to plan for future scale and capacity can lead to poor performance, resource limitations and lower effectiveness in your XDR platform.

Don’t – Automate XDR: While automation in cybersecurity is important, adversaries will outsmart machines. Relying too much on autonomous capabilities in an XDR platform can result in false positives, which leave security teams sifting through low-fidelity alerts. This can lead to a huge amount of work to investigate threats and drive alert fatigue.

XDR is evolving to become a critical component of security strategy for organizations of all sizes, across all industries — but how XDR looks and functions may be different depending on the requirements and security stack of each business. Before jumping into XDR implementation, take a step back, consider your existing security tools and speak with board members, stakeholders and potential partners to determine which approach will work best.