How does your XDR solution compare?

How SE Labs tests XDR

How SE Labs tests XDR (and why you should care). Extended Detection and Response (XDR) is a combination of security products working together. Its goal is to provide defenders with a coherent response to attacks. This joined-up approach can help defenders identify different stages of each attack without scrambling around using many different tools.

XDR is supposed to make things simpler for defenders, with a dashboard (a ‘single pane of glass’) that provides complete insight into a network’s security situation.

SE Labs has produced the first comprehensive method of testing XDR solutions. The components of an XDR solution under test can be sold by the same company or different security vendors.

For example, we can test a solution that combines a Cisco email security gateway with endpoint security from CrowdStrike. And we can test a Cisco email security gateway alongside Cisco’s own endpoint security.

An SE Labs XDR test can assess combinations of cloud services such as email and identity alongside on-site firewalls, endpoint protection and Internet of Things (IoT) security products. If there is an XDR integration available, we can test it.

XDR in detail

There are plenty of definitions of XDR in the market. At SE Labs we define an XDR solution as a combination of at least two products, each of different types.

The products deployed do not need to be from the same vendor.

They must talk either to each other or to a third management system, which provides the overall dashboard for detection and response.

Here is a list of products that can make up an XDR solution. They can be variously installed on-site or in-cloud:

  1. Cloud Access Security Broker (CASB)
  2. Cloud Email Server Protection
  3. Cloud Workload Protection (e.g. container security)
  4. Endpoint Security
  5. Identity as a Service solutions (e.g. MFA, SSO, IdP)
  6. Internet of Things (IoT)
  7. Network Detection and Response (NDR, IDS, IPS)
  8. Next Generation Firewall (NGFW)
  9. Security Information and Event Management (SIEM)

How SE Labs tests XDR

The SE Labs testing team behaves like a real customer, allowing security vendors to provide and configure their products exactly as they would in a production environment. The testing team then changes roles, behaving as attackers. It runs attacks from the beginning to the end of the attack chain, while also monitoring the security system for detections and other behaviour.

As the testers know every stage of the attack in detail, they assess how completely the products (and, more importantly, the combination of products) detect the different parts of the attacks as well as the entire attack episode.

In this way, the SE Labs testing team tests like hackers and analyses like defenders. The results are useful and realistic.

Who should care?

The results are useful, but for whom?

There are two main groups that benefit from SE Labs XDR testing.

Security sellers

The first group comprises the security vendors themselves. They can identify areas where detection is weaker and needs improvement. They may also discover areas where integration between different products could be better. The SE Labs test provides a good opportunity to make changes and strengthen the products, which means stronger protection for their users.

When things work well, security vendors can use SE Labs’ test results to highlight their successes in the market.

Security buyers

Secondly, but no less importantly, security buyers can use either public or bespoke test results to help choose the most appropriate products for their own organisations. Having real test data, showing how products handle threats in the real world, reduces risk and improves value for money.

Not every product works equally well, and that applies not only to general security effectiveness but also integration with other products. Security testing results are always an important resource before investing in a product. They are doubly so when looking to buy or build an XDR solution.

XDR Examples

Here are some examples of XDR implementations. We’ve chosen vendors and products randomly, but sensibly. For example, it makes sense to combine endpoint and email security solutions with a central data repository like a SIEM. It also makes sense to combine products from different market-leading providers, or to use all of the products from a single one.

Infer no judgement about the suitability of specific vendors from this example list:

  • Microsoft Defender (endpoint); Microsoft Defender (email); Splunk Cloud Platform (SIEM)
  • SentinelOne Singularity XDR (endpoint); Mimecast (email)
  • Cisco: XDR; Secure Endpoint; Email Threat Defence; Umbrella (web); Network Analytics

In the first example we have combined the detections and other data from two Microsoft products (endpoint and email) and sent them to a cloud-based platform that claims to provide insight into all activity.

In the second example, a simple setup combines the detection capabilities of endpoint and email threat detection products from different vendors.

Thirdly, some security companies are able to provide products for many different areas, such as firewalls, endpoint, email and web security. In this example, one vendor provides and manages all the components of the detection system.


Protection starts with the first installation

To reboot or not to reboot?

“Turn it off and on again.” This global IT support advice is known to everyone, from Peppa Pig (Mummy Pig at Work) to The IT Crowd (every episode). But why? Why does rebooting a complex computer system solve so many problems? And why am I referring to British TV comedy in a serious report about computer security? We will answer one of those questions here.


Realistic attacks for useful results

Critical Endpoint Protection Evaluations

Endpoint protection is a critical component of any organisation’s cybersecurity strategy. And if it’s critical then you should test it and, additionally, have others run assessments too.


Endpoint Detection Compared

We compare endpoint security products directly using real, major threats

How can you test and judge endpoint protection products? SE Labs tested a variety of Endpoint Detection and Response products against a range of hacking attacks designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks.

EDR products require advanced testing

An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack.


Top five antivirus myths busted

And why do we still believe them?

Anti-virus, or endpoint security, plays an essential part in protecting Windows PCs. Whether you are working in the world’s largest enterprise, or using a small personal laptop, you need a last line of defence against attacks that use malicious code to steal or damage your data.

Are you a believer?

Some people have doubts about how useful anti-virus can be. Their opinions might be out of date, or they might believe marketing claims designed to push new products and discredit the competition.

At SE Labs we test endpoint security all the time, so we know what’s true and what belongs in the post-truth world. Here are the top five antivirus myths, busted!


Early protection systems

Can EDR really stop advanced targeted attacks?

SE Labs tested Coronet Cyber Security Coro against a range of hacking attacks designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks.

Full attack chain EDR test

There are many opportunities to spot and stop attackers. Products can detect them when attackers send phishing emails to targets. Or later, when other emails contain links to malicious code. Some kick into action when malware enters the system. Others sit up and notice when the attackers exhibit bad behaviour on the network.


Ransomware detection using hardware

Computer processors get the final word when running programmes. Can they judge bad code from good?

Is ransomware detection using hardware possible? We look at Intel’s approach to improving ransomware detection.

All malware has to run on a target to achieve its goal. Whether it’s a remote access Trojan, a wild internet worm or devastating ransomware, malware is most likely software that has to run on a PC of some sort. The anti-virus software industry tries to detect and stop these threats, but news headlines suggest it’s not winning the war.


Cyber Security DE:CODED – Full attack chain testing

“Because we test realistically, sometimes bad guys come onto our test network and mess with us”

Show notes for series 2, episode 9 (final episode of series 2)

What is the attack chain? Why is it good to test using full attack chains? And what are some of the alternative approaches, with their pros and cons? We’ll try to answer all of these questions and more in this special presentation episode recorded at the AVAR conference in Singapore in December 2022.


Cyber Security DE:CODED – Cheating in security testing

“If they chose the best products by rolling a dice then they should say so”

Show notes for series 2, episode 8

If we’ve given the impression that we’re at the heart of the security world, working with the organisations that spend billions on security – and with the companies that make billions by selling security products – you’d be right. And that puts us in an awkward position. Because we want to make security better for everyone. And sometimes that means speaking some uncomfortable truths.

This episode is the uncomfortable truth episode.


Choose your reviews carefully

Three reasons our security tests are the most trustworthy

This security report compares anti-malware products. Its job is to help you make informed buying decisions. We applied advanced testing techniques to ensure that the results are meaningful. The same cannot be said for many other tests. I’d say you’ve picked a good one to read, here. Let’s prove that.

Security report checklist

There are a few questions you should ask when you look at a security report. These are all very important but, in random order, here they are:
