If complexity is the enemy of security, then organisations around the world appear to have gone out of their way to embrace that enemy.
The unfortunate truth is that the unrelenting growth in the variety and velocity of attacks means defenders have had little choice other than to turn to an ever-increasing range of tools to defend their environments.
The search for a means to bring clarity and simplification to the plethora of services they operate has given rise to a category of cyber technology called extended detection and response (XDR).
These solutions supersede older concepts such as security information and event management (SIEM) and endpoint detection and response (EDR), collecting data from services including network security devices, cloud services, and identity and email security services, as well as from EDR systems to provide a unified security incident detection and response capability that makes it easier for cyber professionals to quickly detect, analyse, and mitigate threats.
The idea appears to be catching on, with Grand View Research estimating that the global XDR market will grow in value from US$754.8 million ($1.17 billion) in 2022 to reach US$3.41 billion ($5.2 billion) by 2030, although some research houses put this figure much higher.
Grand View Research finds that this growth is fuelled by the realisation that network environments are only likely to become more complex over time, especially as organisations incorporate more services and new endpoints such as IoT devices, effectively increasing the surface through which attacks can be launched.
One of the keys to the effectiveness of XDR is its increasing utilisation of AI, and specifically of machine learning and dynamic analytics processing to detect patterns within the enormous volumes of data that XDR collects.
This means that XDR solutions can ingest and analyse these large data volumes to reduce false positives, alleviating the need for human teams to examine each and every potential threat, and focus their efforts accordingly.
Because XDR analyses data from numerous systems, it can detect threats at different points, meaning that should an attacker defeat one layer of security there is still a high chance that it will be detected by the next one.
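The cross-layer correlation described above, reduced to a toy engine as an added example (not code from any vendor or organisation mentioned in the article): events from the kinds of sources the article names are grouped per user within a time window, and an incident is raised only when independent layers agree. The source names, scores, window and threshold are constructed for illustration.

```python
"""Toy cross-source correlation in the style of an XDR engine (added example)."""
from collections import defaultdict

# Constructed sample telemetry from the source types the article names
# (email security, identity, EDR, network). Scores are illustrative weights.
EVENTS = [
    {"source": "email",    "user": "alice", "ts": 100, "kind": "phish_delivered", "score": 2},
    {"source": "identity", "user": "alice", "ts": 160, "kind": "impossible_travel_login", "score": 3},
    {"source": "edr",      "user": "alice", "ts": 200, "kind": "office_spawns_powershell", "score": 4},
    {"source": "identity", "user": "bob",   "ts": 300, "kind": "impossible_travel_login", "score": 3},
    {"source": "network",  "user": "carol", "ts": 400, "kind": "dns_to_newly_registered_domain", "score": 2},
    {"source": "edr",      "user": "carol", "ts": 420, "kind": "office_spawns_powershell", "score": 4},
]

INCIDENT_THRESHOLD = 6   # assumption: combined score needed before an incident is raised
WINDOW = 300             # assumption: seconds within which events are considered one chain


def correlate(events, window=WINDOW, threshold=INCIDENT_THRESHOLD):
    """Group events by user within a sliding window; emit an incident only when at least
    two distinct layers contributed and the combined score clears the threshold.
    A single-layer alert on its own (bob) is suppressed as low-fidelity noise."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    incidents = []
    for user, evs in by_user.items():
        cluster = []
        for e in evs:
            if cluster and e["ts"] - cluster[0]["ts"] > window:
                cluster = []  # earlier events fell outside the window: start a new chain
            cluster.append(e)
            sources = {c["source"] for c in cluster}
            score = sum(c["score"] for c in cluster)
            if len(sources) >= 2 and score >= threshold:
                incidents.append({"user": user, "sources": sorted(sources), "score": score,
                                  "chain": [c["kind"] for c in cluster]})
                cluster = []  # emit once per chain, then start fresh
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

Running it yields two incidents (alice across three layers, carol across two) and nothing for bob, whose lone identity alert would otherwise be one more item for a human to triage.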
Over time it is expected that XDR solutions will come to depend more on sophisticated AI/ML services for both detection and remediation, with greater use of automation to not only generate alerts, but to take action to limit potential damage.
The result today is that most cybersecurity providers now offer some form of XDR, although the capabilities of the individual tools that feed data into these centralised analytic engines vary greatly.
Hence buyers are faced with the choice of opting for a single supplier model or taking a best of breed approach to the selection of third-party tools that feed data into the XDR.
There is also the likelihood that XDR will increasingly be offered as a service, especially to small and medium businesses. These managed XDR (MXDR) services may be essential for protecting organisations that lack the skills to manage a comprehensive XDR solution.
Whatever decision an organisation opts for, it seems the challenge of reducing complexity within cyber defence is one that is still some way from being solved.
Chemist Warehouse has gone down the route of utilising a managed detection and response (MDR) service. The service makes use of both an AI-powered XDR platform and skilled specialists in an external SOC. The result - according to CISO Nigel Hedges - is “a higher fidelity way of detecting, investigating and responding to incidents” in Chemist Warehouse’s environment.
The service pulls together telemetry from across multiple sources into a security data lake, where - using AI, together with human oversight - it’s analysed to produce a shortlist of “high-quality, high-fidelity security incidents” that require addressing.
The model enables Chemist Warehouse to focus its finite internal cyber security resources where they are most effective, reducing mean time to detect and respond to cyber threats.
“The volume of malware and [security] events is otherwise just so high that it's impossible to scale [investigations] with humans.” - Nigel Hedges, CISO, Chemist Warehouse
“We're getting [alerted only to] high-quality issues and there’s not too many false positives to investigate, which is good for managing investigation time.”
Northern Beaches Council is working towards a future state where it has a single view across its complex environment, enabling it to “deal with known threats in a predictable way and unknown threats quicker,” CISO David Griffiths said.
The council operates many business units that underpin the delivery of over 50 distinct services to residents and businesses. Its technology environment supports multiple sites and operational facilities, as well as home- and mobile-based workforces.
The security operations capability is relatively small but has “enormous responsibility, including third party security assessments.”
Given the disparate services and locations under its watch, maintaining visibility is crucial to security.
“We want the ability to treat the environment holistically and have assurance that threats are detected and acted upon as quickly as possible irrespective of their source or location,” Griffiths said.
“Our goal is to deal with known threats in a predictable way and unknown threats quicker, and with better information. The ability to gain intelligence through observations of attacks would help us to focus on real threats and eliminate the noise from external sources of threat information.”
The council has some components of an XDR solution in place today, but that still means some manual effort is required to correlate, investigate and respond to events and incidents.
“With increased digital services, increasing threats and better detection, we need to free up our people for human-essential tasks. An ideal future state would be a single view of the various disparate environments, and synergy between human and machine decision making. We are currently mapping capabilities across our team, partners and technology to design the future state,” Griffiths said.
The 2024 State of Security sponsors have worked tirelessly to improve the safety of enterprise and channel companies.
We are proud to present this year's State of Security champions, and showcase the work they do.