Why XDR is Not a Replacement for SOAR

Extended Detection and Response—commonly abbreviated to XDR—was first coined in 2018 and has since become an exciting buzzword in the cybersecurity world. Many vendors now offer XDR, which combines several of their products into one integrated offering. XDR grew out of Endpoint Detection and Response (EDR), so EDR is the cornerstone of these solutions, but they also comprise some combination of Firewall, Email/Web Gateway, Data Loss Prevention, Cloud Access Security Broker, Identity Access Management, and other tools.

There is a wide range of capabilities in the current XDR market, but most vendors position their solutions as providing an integrated system for detection and response that reduces complexity in alert handling and brings some automation to incident response. Because XDR is a set of tools from a single vendor, it is also theoretically easier to configure and integrate than other tool sets.

As you can likely see from that description of XDR, there is some overlap with the benefits of Security Orchestration, Automation, and Response (SOAR). However, because XDR can refer to a lot of different solutions, there is significant confusion about how the two solutions relate to each other. In this blog, we’ll look at the similarities between XDR and SOAR, the differences, and areas in which they can work together.


The Similarities Between XDR and SOAR Tools

The modern security operations center (SOC) simply has too many tools producing too much data, with not enough integration. The similarities between XDR and SOAR begin with the fact that they both aim to solve this problem through connectivity and automation. Both XDR and SOAR integrate security tools and data feeds and offer some level of automated response to threats. Both also aim to fill the gaps in the traditional SIEM-based security architecture, namely the lack of threat detection and response, intelligence enrichment, and analysis features.

While they differ in core competencies and capabilities, XDR and SOAR are both security tools that integrate across the environment. As you will see in the following sections, the most important differences come down to two factors: workflow orchestration and vendor-agnostic (or vendor-specific) integrations.


The Differences Between XDR and SOAR Tools

While they work toward similar goals, there are significant differences between how XDR and SOAR function. XDR is almost always an assembly of a single vendor’s tools. This enables intra-operability, but limits the options of security teams who are too busy to rip-and-replace—or simply prefer point solutions. It’s also an issue for security teams who are absorbing responsibility for new security operations, for example through mergers or acquisitions.

Conversely, SOAR platforms integrate with as many different tools as possible, typically hundreds of tools with support for additional custom integrations. This necessitates that SOAR vendors work closely with their technology partners to develop and maintain strong integrations. If they fail to do so—or are integrating with a vendor who sells competitive products—some integrations might be limited to public APIs.

Another difference is the capacity for incident response. SOAR platforms focus on this area, with use-case-based playbooks that orchestrate response actions across the environment, assign tasks to personnel, and incorporate user inputs to augment automated actions. XDR solutions typically lack this ability, instead automating single actions in response to analysis of incoming data. This is the reason why many XDR vendors maintain separate SOAR solutions in their offerings.

Some XDR vendors promote their ability to go beyond the features of SOAR by incorporating behavior-based signs of compromise gathered from across the integrated environment. This is a difference between XDR and most SOAR platforms, but D3 actually offers behavior-based incident response through MITRE ATT&CK correlation and monitoring.


Industry Views on XDR

One of the major strengths of XDR is its access to APIs across a single vendor’s products. While SOAR solutions now offer hundreds of integrations, it is still a challenge for vendors to maintain integrations across many different products, as discussed in the previous section. On the other hand, Gartner speculated in its 2020 Innovation Insight for XDR, a combination of SOAR and SIEM can potentially integrate best-of-breed components as well as XDR, without the downside of vendor lock-in.

Gartner also considers XDR to be more connected to detection activity than SOAR, presumably because of XDR’s close connection with EDR and other tools. However, Gartner also points out that efficiency isn’t efficacy; XDR might be faster than some alternative solutions, but that doesn’t necessarily mean it’s more effective.

XDR is also a very new product category and capabilities vary between vendors. This contributes to the perception that for many potential buyers, XDR will need to be managed externally. Research done in 2020 by Enterprise Strategy Group found that more than half of respondents to a survey were interested in fully managed XDR.


The Place of SOAR in the Modern SOC

For the reasons we have covered, XDR is not a simple replacement for SOAR. The previously mentioned ESG survey found that 55% of respondents expected XDR to integrate with SOAR for security process automation, and this has happened in some cases. While XDR offers fast analysis and response, only SOAR offers fully customizable, end-to-end playbooks for investigating and resolving the full spectrum of security incidents and breaches. While some have criticized SOAR for being technically demanding, this configurability is highly desirable to most enterprise and MSSP security teams. Innovations like D3’s codeless SOAR playbooks and unified configuration/testing view make SOAR easier and more intuitive than ever.

Gartner describes the alternative to XDR as modern, SaaS-based SIEM and SOAR that are optimized for threat detection. Part of the selling proposition for XDR is that it is cloud-based, while SIEMs are still often on-premise. By using a SaaS-based SOAR platform that can orchestrate across on-premise and cloud-based systems from a single workflow, buyers can bring security orchestration to the cloud without needing XDR.

Ultimately, proponents of XDR often seem to be competing against a straw man version of SOAR: one that has limited integrations, can’t scale, and doesn’t handle cloud workflows. But the market remains bullish on SOAR, largely because products like our own NextGen SOAR has none of those shortcomings. We offer the ease-of-use, interoperability, and analytic power that security teams need, while maintaining a completely vendor-agnostic platform.

If you want to learn more about what sets D3 NextGen SOAR apart, schedule a one-on-one demo and see for yourself.

Social Icon
Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.