Part 1: What is XDR?

If you are looking to understand the basics of XDRs and what they do, this blog is for you. More to the point, if you need an effective detection and response capability that goes well beyond endpoint to protect modern, cloud-based infrastructures. This is part one of a seven part series.

‍

What is XDR (eXtended Detection and Response)?

‍XDRs consolidate findings and telemetry from individual security solutions and up level findings beyond the alerts to storyboard attacks developing across the infrastructure. As a result, kill-chains that would otherwise get missed or buried by individual security tools can be detected with far higher efficacy. Consequently, SOC teams can focus their efforts on investigating these high value incidents and stop chasing noisy alerts. Finally, XDRs significantly reduce MTTR and improve SOC efficiency with unified incident response capabilities through integrations with incident management and security product orchestration capabilities. 

‍

What problems do XDRs solve?

Modern attacks focus on finding the weakest link in your security ecosystem and gaining an initial foothold in an enterprise network. Once in the network, they move laterally, patiently focused on achieving their mission. Thus, security is no longer just keeping the bad people out; it also requires the ability to detect and track every step an attacker has taken to search and traverse the network in pursuit of their goal.

Point security tools provide SOC teams with a series of disorganized snapshots instead of a concise, streaming narrative. Attacks today are a sequence of many, seemingly unrelated, steps along the cyber kill chain. Individual detections are probabilistic weak signals--often proving un-actionable. Unless attack signals are deterministically combined as a sequence, today's sophisticated attacks cannot be detected, let alone blocked. For CISOs and SOC analysts, this new environment brings specific hurdles that stand in the way:

Problem #1:  Data overload decimates SOC productivity

With a rapidly growing surface and data sources, security teams must incorporate too much data that fail to provide context to show how attacks unfold. Security teams are unable to obtain/draw critical insights from the large amount of data generated daily from their infrastructure--putting SOCs permanently one step behind attackers. A recent survey cited several challenges security teams face as data requiring analysis continues to proliferate:

• 49% said it is because of an overwhelming volume of data
• 33% aren’t collecting the data they need because they don’t have the right systems
• 30% say it didn’t work because the data is stale when it finally gets to a cyber security manager.
• 37% of IT security professionals face >10,000 alerts/day (Ponemon Institute Study 2017)
• 45% say their SOC is understaffed (Exabeam State of the SOC Report 2018)
  

Consequently, SOC team efficiency is at an all time low. Security teams suffer from digital exhaust as thousands of alerts are sent to their SIEM dashboard. Understaffed, security teams are unable to triage each alert, succumbing to the belief that most of the alerts received are actually false-positives.

Problem #2:  The bad guys do their best to look normal

Low and slow attacks have become the new norm--even in DDOS attacks. Cyber-criminals purposely take their time, spreading their malicious activity over the course of days, weeks or months to avoid detection. By using the noise generated by benign operational activity as a backdrop, cybercriminals can blend in day to day activity without ever getting noticed. As a result, security teams are unable to stitch together a meaningful attack progression of undergoing cyber-campaign within their organization from malicious alerts that can be sent over a span of days, weeks or even months.

Problem #3:  Rapidly expanding attack surface

Today, enterprises have endpoints, mobile devices, email, hybrid cloud and on prem. How do you lock it all down? With today’s tools, locking everything down requires a complex, tedious and error-prone process that compromises security, compliance and business agility. Worse, different attack surfaces require different domain expertise making it impossible to to adequately cover everything. With the rise of cloud, new security challenges arise from software-defined compute/storage/network, orchestration, self-provisioning and new workload form factors like containerization. 

How do you know if XDR is right for you?

‍

• Have you invested in best of breed security tools that are not integrated with each other? XDRs unlock value from your investment by integrating results from your tools and giving you a holistic security posture of your environment.

• Does your Security Operations team struggle with analyzing alerts from different security tools? XDRs process every alert from your tools and make sure even low fidelity compromise indicators are captured, leaving your Security Operations team more time to focus on high value initiatives.

• Are you investing in centralized Incident Response tools like ITSM or SOAR? XDRs provide a centralized detection framework which can integrate with IR tools, instead of building an integration for each security tool independently. 

• Does your Incident Response team have to spend time manually stitching together suspicious activity in your environment? XDRs specialize in stitching events and alerts from multiple sensors and security tools in your environment. This helps IR teams focus on faster remediations without wasting time on event analysis.

• Are you considering engaging an MSSP to deal with the security monitoring load? XDRs can automate security monitoring for your environment.

Part II coming next week:  The Six Pillars of XDR.