How XDR Addresses Today’s Security Challenges

The cybersecurity industry loves new, buzzy acronyms, and the latest one gaining attention is XDR, otherwise known as extended detection and response. No doubt, you’ve already read an article, watched a webinar or listened to a podcast from any one of the dozens of vendors positioning themselves around XDR.

The Evolution of XDR

Cybersecurity research firm Enterprise Strategy Group defines XDR as: “. . . a method for bringing controls together to improve security telemetry collection, correlation, contextualization, and analytics. There’s also an operational side of XDR to help coordinate response and remediation across multiple controls simultaneously.”

However, when it comes to emerging—or in this case converging—security categories, everyone has an opinion. And it’s no different for XDR. Ask 10 different people in the industry for a definition, and you’ll likely get 10 different answers. For example, endpoint vendors will say XDR is the next evolution of endpoint detection and response (EDR), while network security vendors will likely say it’s an evolution of security analytics, user behavior analytics or SIEM. SOAR vendors, on the other hand, will say it’s an evolution of their technologies. This is likely the source of the industry confusion around XDR today.

Modern Day Complexities Signal Need for XDR

In reality, XDR is not necessarily a new category. Rather, think of it as an evolution of current capabilities in threat detection and response. As organizations globally continue to expand and evolve their digital footprint, security staff are struggling to adapt operations quickly enough to ensure effective monitoring and response to incidents in their environment. This is made even more challenging with limited staff and expertise. 

In addition, security operations teams are facing new complexities that are contributing to the rise of XDR, due in large part to constantly evolving hybrid architectures and the need to:

  • Secure workers where they are (in the home, at the office or even on their boat!)
  • Ensure the security of new business initiatives around edge computing
  • Launch new or temporary remote locations, such as a pop-up store or remote health clinic
  • Spin up (or down) cloud environments as needed by the changing demands of the business
  • Secure access to internal and external apps, with near-ubiquitous adoption of SaaS 

These changes are driving requirements to adjust, expand and evolve how organizations approach security and protect the business overall, including how they monitor and address threats. 

Organizations moving into the next era of computing cannot use the “same old tools” for threat detection and response. They need more telemetry, better analytics and improved automation to sift through the deluge of data coming into their dashboard, so they can quickly and accurately detect, investigate and mitigate incidents before those incidents turn into full-blown disasters.  

The Security Analyst’s Best Friend

For the security analyst, XDR can be an important tool for efficiency and success throughout the day by improving on the following:  

Visibility and context—Security analysts need information about the environment and assets being protected across on-premises, cloud, edge and even operational technology (OT) environments. This requires ingesting the appropriate data about that environment from the right places, including endpoints, mobile and IoT, network assets and flows, applications, SCADA/ICS systems and more. Additionally, that data needs to be continuously updated and deposited in a central location where it is standardized so it can be used for correlation, investigation and more. 

External information and context—Security teams need information about adversary behaviors and tactics. They need to understand which exploits are active in the wild and who is targeting a particular industry. How are criminals changing their tactics or infrastructure, and what modifications are being made to the malware they are using? Ideally, these teams are getting that updated information continuously and automatically fed into whatever systems they are using.

Correlation for detection and investigation—Teams need to be able to combine the information they’ve gathered about their organization with what they know about adversaries and their behaviors in an accurate and efficient way. Today, it is impossible to be effective at scale with manual processes, especially as SOC teams are monitoring diverse environments that are continuing to grow and increase in complexity. Analytics and machine learning are essential, as is automation for some of the upfront work on root cause analysis.

Automation or orchestration for response—Once security analysts have been alerted to an incident, they need to take quick action to respond, whether through mitigation or remediation, and recover. To do this, they need to collaborate and communicate with multiple stakeholders. For the actions they can take, it’s ideal if they have “push of a button” capabilities within their dashboard that allow them to isolate infected endpoints, change security policy to block threats, block a user who is demonstrating suspicious activity and more.

Easily report on incidents and actions—They also need to be able to report quickly on what happened, what actions were taken and how the incident was resolved. This means sending reports with as little effort as possible, so they can focus on core duties of monitoring and responding, which are critical to success.

Ability to actively hunt threats—Finally, security analysts may not be actively threat hunting on a day-to-day basis, but someone on their team likely is. That individual will need a similar toolkit for the context needed in their analysis and the ability to easily detect deviations from known baseline activity. 
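To make the visibility, external-context and correlation points above concrete, here is a small added example (not code from the article or from any vendor product) of the core XDR pipeline: telemetry from two differently shaped sources is normalized into one schema, enriched against a threat-intel feed, and correlated per asset so that hits from several sources collapse into one incident. Every host, indicator and timestamp is constructed for illustration.

```python
# Added illustration of an XDR-style normalize -> enrich -> correlate flow.
# All hosts, indicators, hashes and timestamps are constructed sample data.
from collections import defaultdict

THREAT_INTEL = {  # constructed intel feed: indicator -> adversary context
    "203.0.113.77": "constructed actor: known C2 address",
    "deadbeef0001": "constructed malware: dropper hash",
}
EDR_EVENTS = [  # constructed endpoint telemetry, source-specific field names
    {"host": "laptop-17", "proc": "updater.exe", "sha": "deadbeef0001", "ts": 1700000001},
]
NETFLOW_EVENTS = [  # constructed network flows, different field names again
    {"src_host": "laptop-17", "dst_ip": "203.0.113.77", "dport": 443, "start": 1700000007},
    {"src_host": "laptop-22", "dst_ip": "198.51.100.10", "dport": 443, "start": 1700000009},
]

def normalize(edr, netflow):
    """Map each source into one common schema so later stages need no
    per-source logic (the standardized central store the article describes)."""
    common = [{"source": "edr", "asset": e["host"], "time": e["ts"],
               "indicators": [e["sha"]], "detail": e["proc"]} for e in edr]
    common += [{"source": "netflow", "asset": n["src_host"], "time": n["start"],
                "indicators": [n["dst_ip"]],
                "detail": f"conn to {n['dst_ip']}:{n['dport']}"} for n in netflow]
    return common

def enrich(events, intel):
    """Attach adversary context to every event whose indicator is in the feed."""
    for ev in events:
        ev["intel"] = [intel[i] for i in ev["indicators"] if i in intel]
    return events

def correlate(events, window=60):
    """Group intel hits by asset; hits from more than one source inside the
    window become one cross-source incident instead of separate alerts."""
    by_asset = defaultdict(list)
    for ev in events:
        if ev["intel"]:
            by_asset[ev["asset"]].append(ev)
    incidents = []
    for asset, hits in by_asset.items():
        hits.sort(key=lambda h: h["time"])
        sources = {h["source"] for h in hits}
        if len(sources) > 1 and hits[-1]["time"] - hits[0]["time"] <= window:
            incidents.append({"asset": asset, "sources": sorted(sources),
                              "evidence": [h["detail"] for h in hits]})
    return incidents

def run_pipeline():
    return correlate(enrich(normalize(EDR_EVENTS, NETFLOW_EVENTS), THREAT_INTEL))
```

A real deployment would feed the resulting incident into the response step (isolate the asset, block the indicator) and into reporting; the single-source hit on laptop-22 is deliberately left as a lower-priority enrichment rather than an incident.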

The outcomes XDR can deliver are powerful, which is why many expect XDR to become an even more established category in the industry. However, let’s not get caught up in definitions and buzzwords; what is most important are the potential outcomes that XDR can deliver, essentially making it easier for the security operations team to do their day-to-day job of protecting the business against always-changing and always-on threats. If industry vendors effectively educate security professionals on those potential outcomes, XDR has the potential to live up to its promise.  

Tawnya Lancaster

Tawnya Lancaster is lead product marketing manager at AT&T Cybersecurity. She has led thought leadership and research in cybersecurity for 10 years.
