RESEARCH ON THE EFFECTIVENESS OF XDR SOLUTIONS FOR DETECTING AND ELIMINATING THREATS

Abstract

In the context of digital transformation, when organizations’ dependence on IT infrastructure is rapidly increasing, the
level of cyber threats is also increasing. According to current data, the number of cyberattacks on organizations in 2024 increased
by 75% compared to the previous year, reaching 1876 incidents per week. In response to these challenges, the evolution of
protection tools is taking place - traditional solutions are being replaced by comprehensive XDR (Extended Detection and
Response) systems. The study focuses on a comparative analysis of XDR and EDR (Endpoint Detection and Response)
solutions, revealing their fundamental differences and practical effectiveness. XDR platforms provide advanced data collection
and analysis from various sources (network events, cloud services, email) instead of being limited to only end devices, which
allows you to form a holistic picture of the organization’s security. Special attention is paid to mechanisms for automating
memory forensics in XDR systems: it was investigated that modern platforms are capable of automating data collection from
RAM and deploying specialized DFIR utilities through the "remediation" mechanism. A practical comparison of the detection
of the same EDR and XDR threats was conducted using the example of a multi-phase phishing attack using LOLBINs, which
demonstrated the significant advantages of XDR in response speed and accuracy. It was established that XDR solutions
demonstrate higher efficiency due to the correlation of events from different sources, the use of machine learning and behavioral
analytics. The main XDR solutions on the market (CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender, Elastic
Security) and their features in the implementation of protection mechanisms were analyzed. The results of the study confirm
that the integration of XDR with additional systems (network devices, cloud services, authentication systems) creates a comprehensive protection system, significantly increasing the ability of organizations to counter modern complex cyber threats.
Additionally, the study found that XDR systems effectively detect hidden fileless attacks and rootkits, which traditionally pose
the greatest challenge for conventional defenses. Another important aspect is the ability of XDR solutions to reduce the number
of false positives through contextual analysis of events, which reduces the burden on security teams and increases the overall
efficiency of SOC operations. Despite the significant advantages of XDR, the study emphasizes that for full-fledged protection
of critical infrastructure, it is necessary to combine automated XDR solutions with deep expertise of DFIR specialists, especially
when analyzing new and unknown threats.
Keywords: XDR, EDR, CrowdStrike Falcon, Microsoft Defender, malware, memory forensics, LOLBINs, fileless
attacks, cybersecurity, integration of defense systems.

References
1. Check Point Research Reports Highest Increase of Global Cyber Attacks Seen in Last Two Years – a 30%
Increase in Q2 2024 Global Cyber Attacks. URL: https://blog.checkpoint.com/research/check-point-research-reportshighest-increase-of-global-cyber-attacks-seen-in-last-two-years-a-30-increase-in-q2-2024-global-cyber-attacks (дата
звернення: 10.05.2025).
2. Microsoft Digital Defense Report: 600 million cyberattacks per day around the globe. URL:
https://news.microsoft.com/en-cee/2024/11/29/microsoft-digital-defense-report-600-million-cyberattacks-per-dayaround-the-globe/ (дата звернення: 10.05.2025).
3. «XDR: The Evolution of Endpoint Security Solutions – Superior Extensibility and Analytics to Satisfy the
Organizational Needs of the Future» [Електронний ресурс]. Режим доступу: https://www.researchgate.net/ publication/
354190628 _ XDR _ The_ Evolution_ of_ Endpoint_ Security_ Solutions_ Superior_ Extensibility_ and_ Analytics_to_
Satisfy_the_Organizational_Needs_of_the_Future.
4. «Performance Evaluation of Open-Source Endpoint Detection and Response Combining Google Rapid
Response and Osquery for Threat Detection» [Електронний ресурс]. Режим доступу: https://www.researchgate.net/
publication / 358697816 _ Performance _Evaluation_of_Open-Source_Endpoint_Detection_and_Response_Combining_
Google_Rapid_Response_and_Osquery_for_Threat_Detection.
5. «Evolution of Endpoint Detection and Response (EDR) in Cyber Security: A Comprehensive Review»
[Електронний ресурс]. Режим доступу: https: // www.e3s-conferences.org / articles / e3sconf / pdf / 2024/86/e3sconf_
rawmu2024_01006.pdf.
6. Demystifying Behavior-Based Malware Detection at Endpoints» [Електронний ресурс]. Режим доступу:
https://arxiv.org/html/2405.06124v1.
7. XDR: The Evolution of Endpoint Security Solutions -Superior Extensibility and Analytics to Satisfy the
Organizational Needs of the Future [Електронний ресурс]. Режим доступу: https://www.researchgate.net/publication/
354190628 _ XDR _ The _ Evolution_of_Endpoint _ Security _ Solutions _ Superior _ Extensibility_and_Analytics_to_
Satisfy_the_Organizational_Needs_of_the_Future#:~:text=XDR%3A%20The%20Evolution%20of%20Endpoint,Organ
izational.
8. Antivirus vs EDR vs XDR: Key Differences and Benefits. URL: https://www.threatintelligence.com/blog/
antivirus-vs-edr-vs-xdr (дата звернення: 10.05.2025).
9. Extended Detection and Response (XDR). CrowdStrike. URL: https: // www.crowdstrike.com/en-us/cybersecurity-101/endpoint-security/extended-detection-and-response-xdr/ (дата звернення: 10.05.2025).
10. Microsoft 365 Defender integration with Microsoft Sentinel. Microsoft Learn. URL: https://learn.microsoft.
com / en-us / azure / sentinel / microsoft-365-defender-sentinel-integration?tabs=defender-portal (дата звернення:
10.05.2025).
11. Block C2 communication with Defender for Endpoint. URL: https://jeffreyappel.nl/block-c2-communicationwith-defender-for-endpoint/ (дата звернення: 10.05.2025).
12. Fake CAPTCHA websites hijack your clipboard to install information stealers. Malwarebytes. URL:
https://www.malwarebytes.com/blog/news/2025/03/fake-captcha-websites-hijack-your-clipboard-to-install-informationstealers (дата звернення: 10.05.2025).
13. Fileless malware threats: Recent advances, analysis approach through memory forensics and research
challenges: [Електронний ресурс]. Режим доступу: https: // www.researchgate.net/publication/364769363_Fileless_
malware_threats_Recent_advances_analysis_approach_through_memory_forensics_and_research_challenges.
14. A Malware Detection Approach Based on Deep Learning and Memory Forensics: [Електронний ресурс].
Режим доступу: https://www.mdpi.com/2073-8994/15/3/758.
15. Microsoft Detection Tools Sniff Out Fileless Malware: [Електронний ресурс]. Режим доступу: https://
www.trendmicro.com / vinfo / us /security/news/cybercrime-and-digital-threats/microsoft-detection-tools-sniff-out-fileless-malware.
16. The Role of Anomaly Detection in XDR: Enhancing Threat Visibility and Response: [Електронний ресурс].
Режим доступу: https://fidelissecurity.com/cybersecurity-101/xdr-security/anomaly-detection-in-xdr-solutions/.
17. Cortex XDR IOC rule details: [Електронний ресурс]. Режим доступу: https://docs-cortex.paloaltonetworks.
com/r/Cortex-XDR/Cortex-XDR-Cloud-Documentation/IOC-rule-details.
18. XDR Threat Investigation: [Електронний ресурс]. Режим доступу: https: // docs.trendmicro.com/en-us/
documentation/article/trend-vision-one-xdr-threat-investigation-whatsnew.
19. Perks of Sigma and YARA rules in an EDR: [Електронний ресурс]. Режим доступу: https://harfanglab.io
/blog/product/perks-sigma-yara-edr/.
20. What Are SIGMA Rules: [Електронний ресурс]. Режим доступу: https://socprime.com/blog/sigma-rulesthe-beginners-guide/.
21. What is a C2 server? [Електронний ресурс]. Режим доступу: https://www.portnox.com/cybersecurity101/what-is-a-c2-server/.
22. Offensive WMI – Active Directory Enumeration [Електронний ресурс]. Режим доступу: https://0xinfection.
github.io/posts/wmi-ad-enum/.
23. DKIM, SPF and DMARC Guid [Електронний ресурс]. Режим доступу: https: // www.mimecast.com/
content/dkim-spf-dmarc-explained/.
24. Block C2 communication with Defender for Endpoint: [Електронний ресурс]. Режим доступу: https://
jeffreyappel.nl/block-c2-communication-with-defender-for-endpoint/.
25. How Cortex XDR Global Analytics Protects Against Supply Chain Attacks: [Електронний ресурс]. Режим
доступу: https://www.paloaltonetworks.com/blog/security-operations/how-cortex-xdr-global-analytics-protects-againstsupply-chain-attacks/.
26. Antimalware Scan Interface (AMSI): [Електронний ресурс]. Режим доступу: https://learn.microsoft.com/
windows/win32/amsi/antimalware-scan-interface-portal.