What differentiates XDR platforms is the type of data collected and how it is used.
An XDR platform built primarily on its own native security stack starts with a deeper understanding of the data: because the vendor controls the sensors, it knows exactly what each field means and can collect precisely the telemetry its analytical models need for correlated detection, in-depth investigation, and threat hunting.
Vendors that rely primarily on data pulled from third-party products start with a shallower understanding of that data. They receive whatever the third-party product chooses to export, and that export is often missing the type and depth of telemetry needed to reconstruct the full context of a threat.
It is common practice to ingest alerts, metadata, and NetFlow from those products, but this summarized data does not carry the related-activity information that analytics need in order to produce actionable insight. A flow record, for example, says that host A connected to host B on a given port; it does not say which process on host A opened the connection or what spawned that process.
Understanding how telemetry is structured and stored is as important as understanding which telemetry is collected. Different kinds of activity data are best served by different databases and schemas, and that choice determines how efficiently the data can be captured, queried, and used.
For network data, where the questions are about relationships between hosts (who talked to whom, and through which intermediaries), a graph database is the most efficient fit. For endpoint data, where the questions are searches across many event fields, a search and analytics engine such as Elasticsearch is preferable.
Maintaining separate data lake structures for different telemetry types therefore makes a significant difference to how efficiently and effectively the data supports detection, correlation, and search.
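The following is an added example, not code from the original article or from any XDR vendor, showing why the two storage shapes above fit the two kinds of telemetry, and what a flow record alone cannot answer. Network flows are held as a directed host graph, so a lateral-movement question ("by what chain of hosts could an attacker on WS-01 reach DC-01?") is a graph traversal. Endpoint events are held as documents with one inverted index per field, so a hunt question ("every net_connect event by powershell.exe") is an index lookup plus an intersection. The hostnames, flows, process names and event records are all constructed sample data, and the class and function names are this example's own.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample network telemetry: (src_host, dst_host, dst_port).
FLOWS: List[Tuple[str, str, int]] = [
    ("WS-01", "WS-02", 445),   # SMB between two workstations
    ("WS-02", "FS-01", 445),
    ("WS-02", "DC-01", 389),   # LDAP to the domain controller
    ("FS-01", "DC-01", 88),
    ("WS-03", "WS-01", 3389),
    ("WS-01", "PROXY", 8080),
]

# Constructed sample endpoint telemetry: one document per event.
EVENTS: List[Dict[str, object]] = [
    {"id": 1, "host": "WS-02", "type": "process_create", "image": "powershell.exe", "parent": "winword.exe"},
    {"id": 2, "host": "WS-02", "type": "net_connect", "image": "powershell.exe", "dst": "DC-01", "dst_port": 389},
    {"id": 3, "host": "WS-02", "type": "net_connect", "image": "svchost.exe", "dst": "FS-01", "dst_port": 445},
    {"id": 4, "host": "WS-01", "type": "process_create", "image": "cmd.exe", "parent": "explorer.exe"},
    {"id": 5, "host": "FS-01", "type": "net_connect", "image": "lsass.exe", "dst": "DC-01", "dst_port": 88},
]


class FlowGraph:
    """Network flows as a directed host graph; each edge carries the destination ports seen."""

    def __init__(self, flows: List[Tuple[str, str, int]]) -> None:
        self.adj: Dict[str, Dict[str, Set[int]]] = defaultdict(lambda: defaultdict(set))
        for src, dst, port in flows:
            self.adj[src][dst].add(port)

    def shortest_path(self, start: str, target: str) -> Optional[List[str]]:
        """BFS over observed flows: the shortest host chain from start to target, or None."""
        prev: Dict[str, Optional[str]] = {start: None}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            if cur == target:
                path: List[str] = []
                node: Optional[str] = cur
                while node is not None:
                    path.append(node)
                    node = prev[node]
                return path[::-1]
            # .get() rather than [] so the lookup does not create empty nodes.
            for nxt in self.adj.get(cur, {}):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return None


class EventIndex:
    """Endpoint events as documents with one inverted index per field (value -> event ids)."""

    def __init__(self, events: List[Dict[str, object]]) -> None:
        self.docs: Dict[int, Dict[str, object]] = {int(e["id"]): e for e in events}
        self.index: Dict[str, Dict[object, Set[int]]] = defaultdict(lambda: defaultdict(set))
        for e in events:
            for field, value in e.items():
                if field != "id":
                    self.index[field][value].add(int(e["id"]))

    def search(self, **criteria: object) -> List[int]:
        """AND of field=value terms: one index lookup per term, intersected."""
        hits: Optional[Set[int]] = None
        for field, value in criteria.items():
            ids = self.index.get(field, {}).get(value, set())
            hits = set(ids) if hits is None else hits & ids
        return sorted(hits or [])


def process_behind_flow(idx: EventIndex, src: str, dst: str, port: int) -> List[str]:
    """The context a flow record lacks: which process on src opened the connection to dst:port."""
    ids = idx.search(host=src, type="net_connect", dst=dst, dst_port=port)
    return [str(idx.docs[i]["image"]) for i in ids]


if __name__ == "__main__":
    graph = FlowGraph(FLOWS)
    idx = EventIndex(EVENTS)
    print("lateral path:", graph.shortest_path("WS-03", "DC-01"))
    print("powershell connections:", idx.search(type="net_connect", image="powershell.exe"))
    print("process behind WS-02 -> DC-01:389:", process_behind_flow(idx, "WS-02", "DC-01", 389))
```

The graph answers the multi-hop question in one traversal, something a flat flow table can only do with repeated self-joins, while the inverted index answers arbitrary field combinations without scanning every document. `process_behind_flow` is the correlation point: the NetFlow record `WS-02 -> DC-01:389` names no process, but the endpoint index on the same host does, and a second lookup on `process_create` then yields its parent.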