The further the road… the more XDR
Can we accurately respond to a cyberattack? Can we fully remove the adversary without causing undue business downtime? Today more than ever, organizations need a new approach to detecting and responding to threats: an approach that involves understanding and adapting to the modern enterprise, which includes devices, identities, network and SaaS.
The answer seems to be XDR (Extended Detection and Response), a new trend defined as “a vendor-specific threat detection and incident response tool that combines multiple security products into a secure operating system”. By design, XDR is expected to improve security operations in the following areas:
- SCOPE: endpoints, network, cloud instances and critical applications (SaaS applications, email, etc.), plus an open architecture for easy integration of third-party technologies.
- BUILT-IN THREAT INTELLIGENCE: XDR solutions must provide timely and detailed threat information and do so in the context of security alerts and the organization’s infrastructure, industry, location, etc.
- ANALYTICS: XDR solutions must provide accurate cross-domain analytics to detect cyber attacks across the entire chain of adversary activity.
- AUTOMATION: XDR must help automate processes in areas such as threat intelligence, IR and risk mitigation.
- DETECTION AND INCIDENT MANAGEMENT: XDR needs to provide visibility and common UIs for different SOC analyst roles and use cases.
In today’s article, we will answer some of the questions most often asked by customers interested in implementing XDR. Frequent questions include:
“What products are integrated within XDR?”
Despite appearances, it is not easy to find the answer to this question. Most reports talk about a “platform” and detection capabilities in “cloud, network and on end devices.” Considering the five points above, an exemplary XDR should have:
- Detection and prevention technologies: EDR, NDR, SWG, CASB, ZTNA, ESG
- Analytics: SIEM, Threat Intelligence, Machine Learning, AI
- Automation: SOAR, UEBA, UAM, Triage & Incident Response Management
The above should be understood as functionality rather than as point solutions from the same vendor integrated within the XDR. The XDR should de facto combine the functionalities of the above technologies in a way that allows a given enterprise to derive the highest value from its implementation, that is, the highest possible degree of IT risk mitigation.
“How is XDR different from SIEM?”
Unlike SIEM or log management tools, XDR promises an experience focused on the value of security: better detection, easier investigation, faster response. These are the advantages of an operations-focused approach. Thus, XDR can distinguish itself by:
- better access to internal documentation
- familiarity with unusual, non-standard log formats
- use of internal APIs.
According to Gartner, the main difference is that XDR is natively integrated with products, usually from the same vendor, which helps provide better detection and response capabilities. If we take a closer look at native, “out-of-the-box” integration with other security products, it means two things in the context of security:
- how you collect data (logs, telemetry, activity)
- how you perform response actions (locking, disabling, shutting down, creating tickets, etc.).
If all security products are from the same vendor, XDR will be easier to configure and will produce fewer false positives. It is worth adding here that SIEM projects often fail at this very stage. In the industry, we have encountered the statement that XDR is the “next-gen SIEM”, and this is true to some extent. However, while SIEM is a detection tool and that was its strength, XDR adds “Response” and competes on that front as well.
“Is XDR suitable for deployment in a medium-sized enterprise, without a dedicated SOC?”
Of course, it depends. However, the claim that XDR is a tool only for deployment by huge corporations is somewhat exaggerated. Large and medium-sized enterprises that have a security unit in their IT department can successfully operate XDR. After all, one of its key values is the automation of investigative activities. Other reasons why SMEs may be interested are:
- SMEs often lack the resources, both human and systems, to effectively manage alerts generated by several point solutions.
- The aforementioned lack of resources translates into a lack of adequate correlation between security alerts, making the subsequent triage and incident response phases difficult.
- The high cost, complexity and ongoing maintenance of SIEM and SOAR systems make them virtually unattainable for the SME sector.
Nevertheless, for an SME where the analyst role is most often one of the duties of a general systems administrator, XDR is usually too much (although we have seen cases where the budget allowed buying several solutions, and then the automation provided by XDR actually supported the client’s security team).
Despite the promise it holds, there are still doubts in the industry as to whether XDR is the best way to maximize the efficiency of security operations, and whether the XDR products currently available fully live up to the hype surrounding them. Implementing XDR with confidence brings the following benefits:
- Eliminating silos to gain visibility into all data sources, in the cloud and on the local enterprise infrastructure
- Unifying workflows to ensure a seamless user experience for IT security personnel
- Automating repetitive activities for faster and more efficient incident investigation and response
To summarize: XDR is an ecosystem of solutions (it doesn’t have to be, but can be, for example, a single product in the sense of a catalog item) to collect data, correlate it, learn from it and respond to it. Combining everything into a single package makes updates and integration between different pieces of software much easier to manage, especially if you were previously using multiple security solutions. Having a single interface to view the various network components also makes it easier for IT security staff to maintain control of the organization’s environment. With only one tool at their disposal, rather than multiple separate software packages from different vendors, IT security staff can conduct cyber security activities more efficiently.