Falcon XDR: Why You Must Start With EDR to Get XDR

Since we founded CrowdStrike, one of the things I’m proudest of is our collective ability to work with customers to lead the industry forward. Leadership is more than just being the loudest voice or making wild marketing claims. It’s about listening and working with customers to help them solve their hardest problems to achieve a common goal: stopping breaches.  

This week with the GA release of Falcon XDR, I’m proud to say that CrowdStrike is once again leading the industry forward by cutting through the hype and delivering the next generation of automated XDR. Using our same single, lightweight agent architecture, Falcon XDR enables security teams to bring in third-party data sources for a fully unified solution to rapidly and efficiently hunt and eliminate threats across multiple security domains.

Best of all for our customers, Falcon XDR is an extension of the industry’s leading EDR. Why does this matter? It’s plain and simple — if you don’t start with EDR, you don’t have XDR.

How We Got Here

In March 2021, in the aftermath of the SUNBURST supply chain attacks that rocked the industry and still reverberate today, I provided testimony to the U.S. Senate Select Committee on Intelligence about the attack, and more importantly, the keys to a strong cybersecurity posture that would help organizations stop sophisticated attacks. In my testimony, I highlighted XDR as a critical innovation that security teams required to keep pace with the sophistication of today’s adversaries: 

“Security teams demand contextual awareness and visibility from across their entire environments, including within cloud and ephemeral environments. The XDR concept seeks to apply order to a sometimes chaotic array of security tools by deriving actionable insights wherever they exist within the enterprise. As this Committee will appreciate, XDR generates intelligence from what otherwise may be no more than an information overload.” 

In the year since I delivered this testimony, the industry has heard just about every promise about XDR from the more than 30 vendors (and counting) that went on to claim XDR capabilities. At the same time, adversaries have continued to become more sophisticated, more adept at exploiting architectural limitations in legacy systems, and craftier in using stolen credentials and identities to advance their attacks.  

The problem for our industry is that many XDR marketing claims fail to live up to the promise — or even deliver a product. Security teams continue to struggle to transform disparate security data into the high-quality detections needed to identify, hunt and eliminate today’s complex threats. Breaches keep happening at a prolific pace. 

I believed then and I believe today that XDR can deliver massive benefits to the understaffed security teams fighting the good fight on a daily basis. But it has to be rooted in reality and it has to solve the specific problems security teams face, not exacerbate them.  

Filtering the Noise: Moving from Hype to Reality 

Security spending isn’t unlimited, and every investment matters. But selecting the right XDR solution is more than just fiscal responsibility — it could mean the difference between stopping the breach or becoming a headline. That’s why it’s important to separate what XDR truly is, and what it’s not. 

XDR is not about simply integrating data into a single console. This is doubling down on the failed promise of SIEM. Do security teams really need another stagnant data lake to wade through in hopes of finding a correlated detection? Adding on even more events just creates a bigger mess for security teams to search through and makes threat hunting even harder. Security teams have a hard enough job as it is, and this approach makes it even tougher.  

XDR is not a rebranding effort. We’ve seen this time and again … and again … and again. Many vendors have jumped on the hype cycle and repackaged existing products to boost their valuation or try to make them fit into the various and differing analyst definitions of XDR. These rebranding efforts have rarely been followed by actual product release. Calling an old product by a different name doesn’t magically change what it is. You can pull all first-party product event data into one location, or pool data from lots of products into a central location, but it doesn’t mean you’re delivering XDR. You need to do something with the data. XDR doesn’t just consolidate existing alerts — it generates new ones.

This isn’t XDR; it’s a double-down on the failed practices of yesterday that threatens to make the problems security teams face even worse by flooding them with more data, more alerts and more complexity. It also creates more noise in the market, leaving the customer to figure out what’s real and what’s not. How does this help the customer?

At its core, XDR is the evolution of EDR, and as I said earlier, it needs to start with EDR technology and build upon that foundation. XDR must give security teams relevant telemetry from systems and applications from across an organization’s entire IT security ecosystem to enhance and accelerate visibility, detection and response actions beyond the endpoint, enabling security teams to stop breaches faster. XDR also needs to deliver proactive, automated responses to threats across the security stack. 

Falcon XDR: Setting the Industry Standard 

With the GA release of Falcon XDR, we’ve raised the bar by delivering a solution that lives up to the promise and gives security teams the ability to rapidly identify, hunt and eliminate today’s most sophisticated threats. With Falcon XDR, we’ve listened to our customers and delivered: 

XDR extended from the industry’s leading EDR technology. CrowdStrike invented EDR and continues to be the undisputed leader in modern endpoint protection. The Falcon platform was purpose-built in the cloud to harness the vast telemetry of the CrowdStrike Security Cloud and use cloud-scale AI to detect and automatically remediate everything from malware to highly sophisticated attackers. For years, our customers have been leveraging “XDR-style” use cases. We didn’t jump on this as an opportunity for rebranding; we used it as an opportunity to continue innovating and deliver more of what our customers need.

XDR that makes sense of structured and unstructured data. We’re not creating another data lake that security teams have to search through, hoping and praying that they find a relevant detection. With the power of Humio, customers can seamlessly ingest third-party security data from the broadest range of sources, including network security, email security, identity, cloud infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), cloud access security broker (CASB) and more. And to ensure that customers have the most relevant telemetry, we continue to build out the CrowdXDR Alliance, working with industry leaders to create a common standard for data sharing.

The best of native and hybrid XDR. Sophisticated attackers are constantly evolving their attacks to avoid detection. Eighty percent of breaches are now identity-driven, and attacks in the cloud continue to rise. XDR success requires telemetry that aligns with adversary tactics, their targets and critical areas of enterprise risk. Falcon XDR delivers this with its unique best-of-native-and-hybrid approach. Falcon XDR collects native telemetry from across all of the Falcon modules (including cloud, identity, vulnerability and more) and extends and correlates this data with third-party (hybrid) sources. This gives security teams a clear, unified picture of an attack path to rapidly identify and eliminate threats.

XDR with fully automated response. Falcon Fusion, our SOAR framework, is built natively into the Falcon platform and is provided to customers for free. This enables customers to build real-time active notification and response capabilities, along with customizable triggers based on detection and incident categorizations. And best of all, it alleviates security team fatigue by increasing efficiency and agility. 

We believe that Falcon XDR lives up to the hype and gives security teams exactly what they need: the richest combination of first- and third-party security data with no friction, the ability to produce custom detections with rapid search and automated response, and a better way to hunt threats and stop breaches.

Our CTO Mike Sentonas has a companion blog post that dives deeper into how Falcon XDR accomplishes this. I encourage you to read it to see the CrowdStrike difference.

We’re excited for you to try Falcon XDR. But in true CrowdStrike fashion, this is just the beginning. We’ll continue to stay focused on your most pressing problems and deliver the market-changing innovations that solve them.

George Kurtz is Chief Executive Officer and Co-founder of CrowdStrike.

Additional Resources

Article Link: How CrowdStrike Falcon® XDR Sets the Industry Standard | CrowdStrike