XDR: The Cybersecurity X-Factor

The “X-Factor” is defined as a circumstance, quality or entity with a strong but unpredictable influence. Simply put, the X-Factor is an enigmatic force that upsets the existing equilibrium. XDR, or extended detection and response, is the X-Factor in cybersecurity. Still quite new, XDR is frequently dismissed as merely an extension of EDR (endpoint detection and response); however, the scope, power and value of XDR extend far beyond the endpoint and traditional EDR.

XDR lets enterprise cybersecurity teams “punch above their weight” through the integration of advanced security operations capabilities. In particular, XDR promises to address today’s snowballing threatscape by amplifying the speed, scale and scope of attack detection, connecting the dots across sparse data sources and siloed telemetry.

XDR is also well-suited to today’s cybersecurity business environment, where many organizations face a shortage of technical talent, new logistics challenges and exposure from the COVID-19 response and an ever-growing onslaught of attacks and breaches.

Gartner defines XDR as a “unified security incident detection and response platform that automatically collects and correlates data from multiple security components.” Operationally, XDR takes a holistic approach to cybersecurity, leveraging big data, ML and analytics to deliver on the promise of integrating best-in-breed components. Proprietary XDR implementations limit themselves to one vendor’s product portfolio; open ones combine the best of the cybersecurity ecosystem and avoid vendor lock-in.

XDR in the Enterprise

To understand the place of XDR in today’s enterprise, let’s unpack the main attributes of XDR and their value to IT security organizations.

Multiple Telemetry Sources: While legacy cybersecurity offerings focus on single-point attack surfaces or network elements, XDR spans a broad scope and life cycle, scaling to encompass diverse threat telemetry and events from EDR/EPP to email and web gateways, to identity/access management and beyond, on-premises, via SaaS and in the cloud.

Best-of-Breed Components: Cybersecurity vacillates between integrating third-party components (vendor-agnostic “open XDR”) and tightly bound (closed) single-vendor approaches. Integration across sundry vendors is easier said than done, but single-vendor offerings seldom accommodate in-house tools, provide finite/fixed functionality and almost never scale to meet changes in the threatscape.

To meet the best-of-breed challenge, an open approach to XDR looks to big data to normalize data formats, architectures and connectivity, avoiding man-years of integration effort. To extract value from those components, XDR turns to cloud-based ML and analytics.

Cloud-Native Architecture: XDR can represent more than a generational leap from EDR. By being a creature of the cloud, XDR can meet the requirements of security teams for scalability across storage, analytics and machine learning.

Autonomy: Enterprise defense requires speed and scale. Multipronged attacks can occur in the blink of an eye, outstripping overloaded security teams. To match this velocity, XDR solutions must act autonomously, even pre-emptively, to discover indicators of ongoing attacks versus addressing threats post facto. Ideally, XDR solutions “think” like adversaries and use ML to grow a base of attack narratives.

Domain Expertise: The tenets of XDR are, “You don’t know what you don’t know,” and, “Expect the unexpected.” XDR shines in applying domain expertise and lessons learned to detect unknown threats and novel combinations of known ones. Growing a base of attack narratives is key to reducing signal-to-noise ratios to find real and imminent threats in the deluge of telemetry.

Empowering the SOC: XDR proactively transforms the nature and life cycle of warnings reaching the SOC. Instead of just passively logging and forwarding alerts SIEM-style, it qualifies and presents actionable findings, amplifying “weak signals” to empower security practitioners to do more than just alert triage. XDR enables SOC teams to focus on investigating imminent threats and value-added remediation.

In delivering actionable findings to the SOC, XDR can also complement, supplement and even supplant SIEM and SOAR tools. In this regard, it can provide more effective detection and response, especially to targeted attacks, by integrating a broad selection of inputs to trainable behavior analysis, profiling and analytics.

Actionable Analysis

To consume this babel of threat information, the XDR “funnel” converts raw data and threat intelligence at the top into manageable, actionable warnings at the bottom in five stages:

  1. Threat Signal Extraction, employing big data and AI techniques to distill “leads” from terabytes of data, guided by real-world attack intel and by the MITRE ATT&CK Framework.
  2. Feature Extraction uses AI/ML to find common threat attributes.
  3. Lead Investigation and Correlation takes prioritized threat leads and correlates them across the disparate sources often employed in concert (e.g., a suspect phishing email followed by malware downloads, seen across the secure email gateway (SEG), secure web gateway (SWG) and EDR).
  4. Scoring leverages multiple ML algorithms, letting XDR systems score leads on a range from suspicious activities to benign ones.
  5. Attack Narrative Creation combines qualified leads and finds correlations among them, enabling XDR systems to construct narratives of probable attacks, including targets, paths, timelines and impacts.
  6. Escalation of actionable attack narratives reported to the SOC leveraging existing workflows (e.g., SIEM, SOAR, ticketing systems, etc.), resulting in more immediate remediation and better outcomes without burdening security analysts with irrelevant warnings and false positives.
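The following is an added illustration of stages 3 through 6 of the funnel described above; it is not code from the original post or from any XDR product. It correlates constructed SEG, SWG and EDR leads for the same user inside a time window, scores each resulting narrative (the weights, source bonus, window and escalation threshold are all assumed values standing in for an ML stage), and returns only the multi-source narratives that would be escalated to the SOC.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data), one lead per line, already
# normalized to a common schema as stage 1 would leave it. "weight" stands in
# for the per-lead suspicion score a real XDR pipeline's ML stage would assign.
LEADS = [
    {"src": "SEG", "ts": "2024-05-01T09:00:00", "user": "alice", "kind": "suspicious_email", "weight": 20},
    {"src": "SWG", "ts": "2024-05-01T09:04:00", "user": "alice", "kind": "exe_download", "weight": 20},
    {"src": "EDR", "ts": "2024-05-01T09:06:00", "user": "alice", "kind": "unsigned_process", "weight": 30},
    {"src": "SWG", "ts": "2024-05-01T11:30:00", "user": "bob", "kind": "exe_download", "weight": 20},
    {"src": "EDR", "ts": "2024-05-02T08:00:00", "user": "bob", "kind": "unsigned_process", "weight": 30},
]

WINDOW = timedelta(minutes=30)    # leads on the same user closer than this are chained (assumed)
SOURCE_BONUS = 10                 # each extra distinct source raises confidence (assumed)
MIN_SOURCES, ESCALATE_AT = 2, 60  # escalation gate (assumed values)

def ts(lead):
    return datetime.fromisoformat(lead["ts"])

def correlate(leads):
    """Stage 3: chain leads per user into narratives using a sliding time window."""
    narratives = []
    for lead in sorted(leads, key=ts):
        for n in narratives:
            if n["user"] == lead["user"] and ts(lead) - n["last"] <= WINDOW:
                n["leads"].append(lead)
                n["last"] = ts(lead)
                break
        else:  # no open narrative for this user within the window: start a new one
            narratives.append({"user": lead["user"], "leads": [lead], "last": ts(lead)})
    return narratives

def score(narrative):
    """Stage 4: sum lead weights, add a bonus per extra source, cap at 100."""
    sources = {x["src"] for x in narrative["leads"]}
    raw = sum(x["weight"] for x in narrative["leads"]) + SOURCE_BONUS * (len(sources) - 1)
    return min(100, raw), sources

def escalate(leads):
    """Stages 5-6: keep only multi-source narratives over the threshold, with a timeline."""
    findings = []
    for n in correlate(leads):
        s, sources = score(n)
        if len(sources) >= MIN_SOURCES and s >= ESCALATE_AT:
            findings.append({"user": n["user"], "score": s,
                             "timeline": [(x["src"], x["kind"]) for x in n["leads"]]})
    return findings
```

Running `escalate(LEADS)` yields a single narrative for alice spanning all three sources, while bob's two isolated leads (hours apart, one source each) are never raised to the SOC.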

The X-Factor

XDR truly represents the cybersecurity X-Factor and embodies a real shift from point approaches to best-in-breed integration across vendor boundaries. As you and your team emerge from COVID-19 isolation, the “new normal” will be more diffuse, less deterministic and more vendor-agnostic. XDR can help you and your team confront new technical and resourcing realities and meet ever-growing threats to your organization and assets.

Uri May

Uri May is CEO and co-founder of Hunters, the industry’s first autonomous threat-hunting solution. Uri began his career in cybersecurity in the prestigious Unit 8200 of the IDF intelligence corps, reaching the rank of Commander. Later, Uri worked as a commercial software developer and went on to co-found Maximize. Today, in addition to building and managing Hunters, Uri advises YL Ventures as part of their Insights program.