XDR at the Center of the New SOC

by Yael Macias on November 30, 2020

Key Takeaways from ESG’s most recent survey report “The Impact of XDR in the Modern SOC”

ESG’s new survey “The Impact of XDR in the Modern SOC” is out, and one thing looks clear: Extended Detection and Response (XDR) has become the catalyst for redefining security operations by making them more accurate and agile.

The survey addresses the main gaps for CISOs and SOC analysts in threat detection and response, including: data processing and analytics for exponentially growing telemetry generated by siloed security products, as well as different perceptions around XDR. As cautious and varied as these perceptions may be, ESG’s research found that XDR adoption is moving fast, with 93% of organizations either working on an XDR project already or looking to do so in the next 6-12 months.

ESG surveyed 388 North American IT and cybersecurity professionals responsible for evaluating, purchasing, and managing detection and response strategies, processes, and technologies.

Sponsorships Available

For the busy security professional like yourself, here are five insightful takeaways from the report you should know about:

1. Automation Can Fasten Detection and Response
Detection and response has been a slow, siloed process so far. Besides the intrinsic problem that this entails from a cybersecurity perspective – attackers’ dwell time is too long – SOC efficiency is not optimized and business agility is lacking. Setting a new standard for decision-making and improving mean time to respond to threats (MTTR) can be enormously facilitated by adding automation to the picture. Automation can free up time from analysts to focus only on real attacks and reduce dependency on highly skilled analysts for time-consuming tasks that can be automated, according to 33% of organizations. Moreover, 42% of respondents believe that getting a simplified, 360 degree view of the entire attack can significantly speed up detection and response.

2. Managing and Analyzing Massive Amounts of Data is a Challenge
Security products generate a tremendous volume of data spanning across many different, typically disconnected sources such as EDR, firewall, threat intelligence, e-mail, web proxy logs, and other telemetry sources. This leads to an overwhelming quantity of security alerts which prevent analysts from filtering the real ones from the noise. As a result, it is hard to act upon the existing data since, once the analyst has succeeded to process and stitch it all together, it’s probably all too late. That’s why 40% of respondents believe they can be more effective if they have a pipeline that allows them to ingest real-time security data and analyze attacks across multiple security controls.

3. Detection of Complex Attacks is a Priority for Security Teams
The hybrid IT environments within organizations and the disconnected point solutions lead to siloed detection as well. This is particularly true for the cloud, where organizations claim to have less and less visibility all the time with the migration to cloud-based workloads and SaaS applications, and suspect that attacks are missed due to these blind spots. The lack of expertise and the necessary tools to correlate data across different sources often leads to the reactive elimination of point threats without understanding the broader campaign. Without interconnecting data sources, single-sensor security solutions are most likely going to miss advanced threats, especially those that move laterally in the corporate network. Not surprisingly, organizations believe that deploying an XDR solution that can deliver advanced analytics and is capable of correlating signals from various sources, can help them detect, identify and understand complex attacks across the entire cyber kill chain. It is worth noting that 39% of respondents would prioritize adding more comprehensive analytics capable of recognizing complex attacks by processing signals across multiple security controls.

4. The SIEM (by itself) is Not the Right Tool for the Job
According to the survey, SIEMs are among the three key most valuable security tools, and yet there is also a consensus on the fact that these solutions are very costly, especially when used as a detection tool since it requires feeding them with too much data, and the correlation and analysis fall under the analyst’s responsibility. SIEMs are also complex and resource-consuming to maintain and manage: they just require too much heavy lifting. Moreover, while most agree that it serves well for detecting known threats, when it comes to detecting unknown ones it is simply not enough according to 30% of organizations (and we all know that attackers typically don’t use signature-based malware to breach a corporate network).

5. Managed Services Are a Good Companion
An important takeaway from the report is that organizations are looking to enhance their security teams or simply externalize the management of their detection and response to MDR services, with 73% of organizations either already using an MDR provider or actively working on a project to adopt it. Whether it’s to overcome a skill shortage or to augment their existing skills and capacity, security professionals are looking for hands-on help with their detection and response operations and are in most cases looking at their MSSP or security partner to handle them.

With these takeaways in mind, it is not surprising to see that XDR adoption is moving fast. Organizations need powerful data processing and analytics, security automation, the ability to detect complex threats where tools like SIEM are not delivering, and having the right partner to provide them with MDR services. The promise is that, with XDR modernizing the SOC by creating a new standard for decision making, analysts are finally empowered with a tool they can rely on.

Download your complimentary copy of the e-Book “The Impact of XDR in the Modern SOC” to read the full findings by ESG Research