Building Blocks for Your XDR Journey, Part 5 | Why an XDR Solution Needs to Be Open XDR

This is Part 5, the concluding part of our multi-part XDR (eXtended Detection and Response) blog series.

If you haven’t read the earlier posts in this series yet, we recommend checking out the following:

  • Part 1 discusses why organizations need to extend protection beyond the endpoint to stay ahead of adversaries
  • Part 2 discusses why Endpoint Detection and Response (EDR) is a foundation and a cornerstone for any XDR strategy.
  • Part 3discusses why identity security is a cornerstone of an XDR strategy
  • Part 4 discusses the importance and value of security data for detection and investigation.

In this post we discuss the importance of why an XDR solution should be Open XDR.

The State of Security Operations Center

The only constant in security is change. New exploits are met with new defenses. The more we integrate technology into society, the more opportunities attackers have to hack for power or profit and so both sides keep innovating.

When attackers took to the supply chain and to lifting legitimate credentials from phishing and breaches, defenders moved further into vulnerability management, Zero Trust, and invented new Identity Threat Detection and Response (ITDR) tools. As attackers increasingly leverage crimeware  markets to grab off-the-shelf malware and lower the skill level needed to run an attack, defenders increasingly look to smarter tools and XDR Marketplaces to integrate tools and run automation that is a force multiplier for their team, turning disparate tools into connected defense networks sharing IOCs, risk levels, and coordinated response.

In Cybersecurity, Effectiveness Counts

Before we can talk about what good Open XDR systems do, we need to acknowledge why they’re here. Behind all of this are customer buying behaviors. Some of the world’s largest tech companies have long tried to convince customers that they can get all their security software from one vendor. The market evaluated that offer and decided the compromise in quality was too great and most have continued buying best in class tools from disparate vendors.

Convenience and cost drives some buyers to reduce the number of vendors but most have put security first and that is a good thing. We are all members of banks, we are all scanning our fingers and faces to get into our phones, and we’re all online, putting our data into databases almost. As consumers and members of societies that are under constant attack, we should be happy knowing that most organizations we buy from still choose better tools over streamlined buying and support or a deeply discounted EA package.

Throughout history we see that battles are a measure of numbers, training, and equipment quality. Armies don’t win by buying planes and ships from the same vendor to get a good deal. CISOs and SOC Managers know that they can’t afford as many personnel as they need and can’t find the people with the level of training and expertise that they need. There has been a skills shortage for years and it’s not getting better. Instead, CISOs and SOCs coming up on their EPP/EDR renewal are asking questions about automation and AI. Tooling has to make the difference.

Where Open XDR Diverges from Other Security Tools Like the SIEM and SOAR

Before XDR, data often lived in two places: in the SIEM and in the EDR database. EDR data is too voluminous to send to most SIEMs without selling the headquarters to pay for it, so the data stayed separated. This meant searching, rule writing, dashboarding, and reporting all had to be done in two places.

It’s important then to realize that any SIEM that hasn’t solved the data silo issue is still just a SIEM, not XDR. If the SIEM hasn’t extended to cover all critical parts of the stack, there’s no “X”. Most XDR vendors solve the data separation issue by bringing all data to the EDR database. At the same time, some XDR vendors have acquired indexless database companies, making log ingest cheaper than it was with SIEMs.

XDR also solves the SOAR problem. SOARs were too expensive and complex for most teams so market penetration was low. XDR had to solve this because automation is the backbone of XDR. Instead of a complicated solution that requires writing a large check every year and adding headcount to build and maintain the playbooks, XDR delivers turnkey automation as part of existing or slightly higher packaging. Where SOAR was expensive shelfware, XDR is automation for the masses.

Where Open XDR Comes In

Beyond the centralized data and automation is one common thread: X. If it doesn’t extend, it’s just Detection and Response. If it’s not all the data, it’s by definition only part of the picture.

This is where XDR buyers need to look more closely and understand, is this native or open XDR? It’s important to know that behind the scenes, some vendors don’t want connected ecosystems, Native XDR vendors are focused on their portfolio. Open XDR vendors are investing in integrations with vendors that customers indicate are important. SentinelOne’s Singularity XDR has native coverage across workstation, mobile, OT, cloud, and identity but every month rolls out new integrations with third parties or updates to existing integration with security partners, many in those same areas.

This benefits customers in several ways.

  • Leverage Existing Investments: Open XDR helps maximize the value of your security investments. While a native XDR requires the vendor to supply all the required sensors for typical use cases, an Open XDR works with what’s in place today, with minimal disruption or change.
  • Vendor agnostic: With Open XDR, companies are freed from being locked into specific solutions, letting SOCs customize their stack to the tools that are best for their industry and to evolve with it as new vendors innovate and disrupt. With Open XDR it’s even easy to integrate with multiple threat intelligence vendors, multiple firewalls, multiple clouds, or all of the above.
  • Scalable Solution: Open XDR makes it straightforward to onboard new security tools and technology, as well as easily integrate and connect these tools with each other. For example, our multi-tenancy means you can install one identity integration for one part of your organization and a completely different integration for another part of your organization. Scopes make that easy. Our open IOC database means your intel can work together too. You can push in threat intel from anywhere you’d like and it’s combined into our database to use for enriching, alerting, mitigating, writing custom rules, or firing automations.


A successful defense cannot be won with sheer numbers, no security team has enough people for it. Even the teams with the best budgets, with the best firewalls and threat intel, are still searching for a centralized, automated, intelligent tool that’s going to continually make their teams the defenders of tomorrow. Can your threat intel trigger a detection that triggers a Slack notification? Can a high enough threat intel score trigger a true positive or kick a detection into remediation mode? Can those be enabled with a few clicks and no code? Last week OpenAI proved to the world that AI may be closer than we think. This week is a great time to ask whether your tools are built for tomorrow.

If you would like to learn more about SentinelOne Singularity XDR platform, contact us for more information or request a free demo. Also join and listen to the XDR webinar to learn more about best practices and building blocks for an enterprise looking to adopt XDR.

SentinelOne Singularity XDR
Supercharge. Fortify. Automate. Extend protection with unfettered visibility, proven protection, and unparalleled response. Discover the power of autonomous with Singularity XDR.