Cisco, Palo Alto Networks, and Microsoft were among the established security vendors that made progress in extended detection and response (XDR) last year along with newcomers including VMware. While no single provider achieved the “holy grail of security” in 2020, several made strong moves in their quest, and others formed partnerships that put them in good positions to advance this technology in 2021.

XDR is a newish approach to threat detection and response that Gartner called a top security and risk management trend of 2020. It combines elements of security information and event management (SIEM), security orchestration, automation, and response (SOAR), endpoint detection and response (EDR), and network traffic analysis (NTA) in a software-as-a-service (SaaS) platform to centralize security data and incident response. This improves and speeds up detection and response because it correlates threat intelligence across security products and visibility across networks, clouds, and endpoints.

It also favors larger security companies that have multiple technologies they can integrate into one cloud-delivered platform.

“As it comes to XDR, those companies with more assets in security have an advantage,” IDC Program VP Frank Dickson said. “The theory is that XDR is going to provide context democratization in that I’m going to take telemetry from every part of my security architecture to bring it in and enhance alerts with context.”

But the reality, he continued, is that vendors start with their own security products and services before moving on to third-party alerts and tools. “Right now, vendors are really focused on integrating their own stuff, and other people’s stuff is on the roadmap,” Dickson said. “The people who are going to have [XDR] in the short term are those with more stuff.”
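As an added illustration of the cross-source correlation the article describes (not code from any vendor named here), this Python sketch takes one EDR alert and enriches it with network-flow and cloud-identity events from the same host inside a short time window, tagging anything that matches a threat-intel feed. Every event, host name and indicator is constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): one EDR alert, three NTA
# flow records and one cloud identity event, two of them for the same host.
EDR_ALERTS = [
    {"src": "edr", "ts": "2020-11-03T10:02:10", "host": "ws-17", "user": "jdoe",
     "event": "suspicious_child_process", "detail": "winword.exe -> powershell.exe"},
]
NTA_FLOWS = [
    {"src": "nta", "ts": "2020-11-03T10:02:40", "host": "ws-17", "dst": "203.0.113.50", "bytes_out": 48_000},
    {"src": "nta", "ts": "2020-11-03T09:10:00", "host": "ws-17", "dst": "198.51.100.7", "bytes_out": 1_200},
    {"src": "nta", "ts": "2020-11-03T10:03:05", "host": "ws-22", "dst": "203.0.113.50", "bytes_out": 900},
]
CLOUD_EVENTS = [
    {"src": "cloud", "ts": "2020-11-03T10:04:30", "host": "ws-17", "user": "jdoe",
     "event": "new_mfa_device_enrolled"},
]
# Threat-intel feed: indicator -> context (constructed placeholder value)
THREAT_INTEL = {"203.0.113.50": "known C2 (constructed sample)"}

WINDOW = timedelta(minutes=5)  # how close in time other telemetry must be to count as context


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate(alert, *sources, window=WINDOW):
    """Enrich one EDR alert with events from other telemetry sources that share the
    host and fall within +/- window of the alert; tag events that hit threat intel."""
    t0 = parse_ts(alert["ts"])
    context = []
    for source in sources:
        for ev in source:
            if ev["host"] != alert["host"] or abs(parse_ts(ev["ts"]) - t0) > window:
                continue
            ev = dict(ev)
            if ev.get("dst") in THREAT_INTEL:
                ev["intel"] = THREAT_INTEL[ev["dst"]]
            context.append(ev)
    context.sort(key=lambda e: e["ts"])
    # Simple priority: base 1, +1 per corroborating event, +2 per intel match
    score = 1 + len(context) + sum(2 for e in context if "intel" in e)
    return {"alert": alert, "context": context, "score": score}


def build_incidents():
    return [correlate(a, NTA_FLOWS, CLOUD_EVENTS) for a in EDR_ALERTS]


if __name__ == "__main__":
    for inc in build_incidents():
        print(inc["score"], inc["alert"]["host"], inc["alert"]["event"])
        for e in inc["context"]:
            print("  ", e["ts"], e["src"], e.get("dst") or e.get("event"), e.get("intel", ""))
```

The flow from 09:10 and the flow from ws-22 are dropped as out-of-window or off-host, so the enriched incident carries only the two events that actually corroborate the alert.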

Platform Approach to XDR

Zeus Kerravala, principal analyst at ZK Research, first wrote about XDR in 2018 after a discussion at a Palo Alto Networks analyst event. “We were talking about the flaws of EDR and I sort of jokingly said there really should be an XDR because EDR alone doesn’t provide enough value because you can’t see enough just from the endpoint.”

As the security market moved toward a more centralized platform approach, so too should threat detection and response, Kerravala explained. EDR only provides a view from the endpoint, but security operations teams need data from across the network, cloud, and even third-party feeds to comprehensively and quickly hunt for threats and stop them from spreading.

“So the thesis behind XDR is that the security platform winds up being your detection and response system,” Kerravala said. “And so when you think of who’s capable of pulling that off, it’s the companies with broader security platforms. That would be Palo Alto, Fortinet, Cisco, McAfee, VMware.”

Indeed, all of these vendors pushed into XDR last year. While Palo Alto Networks arguably has the most mature XDR approach and platform with its Cortex XDR, Cisco started shipping its SecureX platform in June, and McAfee launched its XDR offering in October.

XDR Dark Horses

And while VMware only just announced its XDR strategy at its VMworld event in October, it’s been laying the foundation for over a year. “VMware has an underrated ability to do this,” Kerravala said. “They have Carbon Black, but they also have a lot of visibility into the hypervisor layer and into the network now with their SD-WAN offering. So I think they’re one that’s interesting to watch.”

Additionally, Fortinet’s XDR “is largely underrated,” Kerravala said. That vendor started integrating all of its security and networking products into its Security Fabric five years ago. “That gives them the same kind of data structure across all of their products because all their products have the same silicon, the same operating system,” he added. “So from that standpoint, they have a stronger offering than the market understands.”

XDR Partnerships

Because XDR is a natural extension of EDR, many security vendors that started as EDR vendors such as McAfee, Symantec, CrowdStrike, and Trend Micro are shifting their focus — and product names — from EDR to XDR whether or not they provide all of the XDR capabilities. Some of the smaller EDR companies like Cybereason partner with other SIEM and SOAR vendors to provide those pieces, and offer open APIs to pull data from customers’ existing security tools, while focusing on the detection and response parts of XDR.

Additionally, Dickson points to CrowdStrike’s partnership with Proofpoint, Netskope, and Okta.

And “the big one here is Tanium and Google Chronicle,” said analyst Jon Oltsik, who founded ESG’s cybersecurity service. This one combines Tanium’s threat response with Chronicle’s security analytics platform into a single product sold by Tanium.

Other security vendors in 2020 built out their partner ecosystems with an eye on XDR.

Netskope also announced its Cloud Threat Exchange partner ecosystem in 2021, with its initial partners including EDR and email security vendors — two services that Netskope doesn’t offer — that will allow its customers to build out XDR capabilities.

And in May, VMware Carbon Black SVP Patrick Morley announced the Next-Gen SOC Alliance between VMware and leading SIEM and SOAR vendors. “We were foreshadowing a little bit of what we’re doing here [with XDR],” said Tom Corn, SVP of VMware’s Security Business Unit, in an earlier interview.

Expect More M&A in 2021

“The interesting angle here is whether organizations will go single vendor or demand some type of heterogeneous architecture,” Oltsik said. “We’ll see.”

Kerravala expects to see more partnerships happen in 2021 along with mergers and acquisitions to boost XDR.

“Certainly security has always been a good market for M&A,” he said. “And as data becomes the underpinning of a company’s XDR strategy, I think you’ll see companies acquire less for capabilities and more for the ability to have augmented data sets. And that means you have the machine learning algorithms to analyze the data. There are certainly hundreds of machine-learning based security companies, and I think you’re gonna see a real rise in those types of companies and some M&A activity there this year.”