An Introduction to Extended Detection and Response (XDR)

Extended Detection and Response (XDR) has become the buzzword in the cybersecurity world. In this post, I explore why XDR is seen as a core component of a modern cyber defense posture and how it can help your security team continuously improve your security posture and reduce risk to your enterprise.

Challenges Facing Security Teams

Cyber attacks have steadily grown increasingly stealthy, are very hard to detect, and even harder to prevent. The ‘Adaptive Security Architecture’¹ proposed by Gartner for Security Operations is based on the sound principles of continuous learning and continuous improvement of security posture, towards the goal to continuously reduce the risk to the enterprise. The core requirements to accomplish this are:

A Security Operations Center and team that is tasked with the objective of securing the enterprise is composed of people, processes, and technology. A general trend over time has been that more is asked from this team in terms of scope of work and expansion in processes with limited growth in the personnel that is not commensurate to the increase in scope. And security stacks have been growing over the years to address new threats, with each new capability bolted on to address that specific threat.

The explosion of security technologies and categories has resulted in organizations with a stack of 70 or more products from different vendors. Many of these products are either under-used, duplicative, or are not well integrated with other vendor products. Security analysts are left to piece together what is going on across multiple tools in their workflow and processes. Therefore, teams are spending their time upgrading, integrating, and training their teams rather than detecting, resolving, and hunting for threats.

In addition, the attack surface only grows larger and more diverse as businesses expand to support digital transformation, remote work forces, and mobile devices, while the attacks have become more stealthy and sophisticated. These trends result in overwhelmed security teams finding it difficult to effectively operationalize the cycle of Adaptive Security in order to attain a low-risk security posture. So how does one operationalize adaptive security effectively, and in a holistic manner?

What is Extended Detection and Response, and how does it help?

Gartner defines² Extended Detection and Response (XDR) as a security incident detection and response platform that automatically collects and correlates data from multiple security products.

XDR provides integration and correlation of sensor data collected at multiple points within your enterprise: endpoints, external network boundaries (north/south traffic), internal network boundaries (east/west traffic), cloud workloads, and adaptive decoys. The capabilities of XDR start with the foundation of pervasive visibility into network traffic, endpoint behaviors and user activity. The visibility coupled with real time and retrospective threat intelligence, use of analytics / Machine-Learning, and use of advanced deception leads to detections as well as the ability to investigate and hunt for attackers and insider threats or non-malicious misconfigurations. XDR enables alerts to be integrated and correlated, which increases the accuracy and actionability of alerts and can lead to earlier detection of attacks. XDR also enables hunting and investigation of incidents based on rich historical data correlated from different data sources in a single-pane-of-glass. The analytics and machine learning capability not only enhance the detections and investigations but allow for the predictive capability to look for abnormalities and anomalies based on specific threat driven models of deviations from baseline. The pervasive visibility, detections and ingrained support for response (manual or automated is the core of this process. XDR also enables threat hunting, asset detection, and risk assessment, to allow for the fortification of the preventive posture base..

The “Response” in Extended Detection and Response

The continuous learning and adjustment of security posture towards better prevention and protection is a necessary part of the operations that constantly seeks to reduce risk. The Response in Extended Detection and Response is the differentiator: it enables responses like updated detections, automatic configuration changes for preventive posture, faster investigations and resolution, automatic deception paths, and more. When possible, responses can be automated to improve the efficiency and speed with which security teams are able to identify potential cyber incidents, investigate and validate anomalous activity, and then ultimately respond to a cyber incident. This allows for continuous adjustment in security posture to implement policy controls, reduce the attack surface and mitigate impact of attacks – thereby reducing risk to enterprise continuously.

About Fidelis Elevate XDR

Fidelis Elevate XDR is an integrated and automated XDR platform that helps in operationalizing the security team’s objectives, and fulfilling the core requirements of adaptive security architecture. Learn more about Fidelis Elevate XDR and read what the experts have to say about the Fidelis platform.

‘Adaptive Security Architecture’: from Gartner¹

References

1. https://www.gartner.com/smarterwithgartner/build-adaptive-security-architecture-into-your-organization/
2. https://www.gartner.com/en/documents/3982247/innovation-insight-for-extended-detection-and-response