CrowdStrike has been on an extended detection and response (XDR) tear in recent months, scooping up Humio, partnering with Google Cloud and Zscaler, forming an XDR Alliance, and now extending its machine-learning based threat detection and response across third-party data to help prevent attacks.

Still, the endpoint security vendor has a complicated relationship with XDR. “I cringe a little bit when people talk about XDR because they are using it incorrectly,” CrowdStrike CTO Mike Sentonas said. “XDR is a term that gets thrown around and really badly abused by the industry because it’s a hot topic.”

XDR extends threat detection and response beyond the endpoint, he added. This newish and buzzy security segment combines elements of security information and event management (SIEM); security orchestration, automation, and response (SOAR); endpoint detection and response (EDR); and network traffic analysis (NTA) in a software-as-a-service (SaaS) platform to centralize security data and incident response.

But while vendors talk about collecting data from multiple sources into one location for threat hunting or compliance reporting, “ultimately, at the end of the day, that’s just log management or SIEM,” Sentonas said.

CrowdStrike’s Falcon XDR

Although Sentonas says CrowdStrike “has been doing what a lot of the industry aspires to do with XDR for a number of years now,” the vendor didn’t start talking about XDR until its Humio acquisition in February. And it didn’t formally announce its XDR module until last week.

Earlier this year, CrowdStrike paid $400 million for Humio, which provides cloud log management and observability technology. At the time, Sentonas said Humio would allow CrowdStrike to “redefine true XDR” by integrating Humio’s ingest pipelines and cloud log management with CrowdStrike’s Falcon platform, which spans endpoints, identities, applications, the network edge, and the cloud.

And then last week at its Fal.Con 2021 event, CrowdStrike announced Falcon XDR. The newest Falcon module uses Humio’s technology, which essentially replaces the SIEM, and ingests data from third-party sources including the network, email, public and private clouds, SaaS, and cloud access security brokers. It then correlates this data with CrowdStrike’s cloud-based threat intelligence, and applies machine learning and artificial intelligence to the data to detect threats and stop breaches across an organization’s security stack.

Also at the event, CrowdStrike unveiled a homegrown SOAR product and launched a free version of Humio’s log management that allows users to ingest 16 gigabytes of data per day and retain that data for up to seven days.

Crowd Sourcing XDR

With Falcon XDR, customers can extend CrowdStrike’s EDR beyond the endpoint for better visibility, real-time threat detection, and automated response, Sentonas said.

“Our goal with XDR is to enable customers to bring in third-party data sources to enrich the endpoint,” he said. “It’s taking data from specific other third-party technologies to enrich the endpoint data to allow you to solve use cases that you can’t with just the endpoint. But the important point is for that to be a critically effective strategy, you need to be able to take that third-party data source in a structured way that allows your existing products to leverage that data.”

This means that the machine learning CrowdStrike uses to prevent attacks across its own products and telemetry sources should also work across outside sources, he explained. “We should be able to do threat hunting and workflow across third-party data. We’re quite unique from that perspective. Everything that’s made CrowdStrike unique in terms of our ability to do hunting will work across CrowdStrike and now third-party data.”

Also during Fal.Con 2021, CrowdStrike announced the CrowdXDR Alliance with launch partners Google Cloud, Okta, ServiceNow, Zscaler, Netskope, Proofpoint, Extrahop, Mimecast, Claroty, and Corelight.

The group aims to develop a common XDR language for data sharing between security tools and processes, building on CrowdStrike’s goal of sharing telemetry for threat hunting in a structured, schematized form rather than as raw logs.

“The big thing with third-party sources: Just putting it into one location is log management,” Sentonas said. “The thing we look at is bringing in the data in a structured way, in a schematized fashion that allows products to work with each other. And if you don’t do that work, then you’ll never be able to do that true integration. So part of the CrowdXDR Alliance was to work with industry leaders and do that work of analysis and schematization so that the data can come into the ecosystem, and we’ve got a common framework, a common language, so that our products can work together.”

Competitive Landscape

While CrowdStrike claims this ability to ingest third-party data makes its XDR unique, it faces tough competition. Nearly every other security vendor has also launched an XDR product over the past year and wants to own the $40 billion market.

It seems to be on the right track, however. According to Forrester’s inaugural XDR research, CrowdStrike is a “strong performer” along with Palo Alto Networks. For the record: Forrester named Trend Micro and Microsoft as the two XDR market leaders.

Forrester gave CrowdStrike high marks for its product security and planned enhancements. “With the acquisition of Humio and rate of integration of their identity and cloud offerings, the vendor is well-positioned to bring a more compelling and differentiated XDR offering in the next year,” the report says.