MANAGED DETECTION & RESPONSE
Summary
SecOps teams need to detect, analyze and respond to threats as quickly and efficiently as possible. This was never easy, and it’s getting harder. Traditional point solutions like EDR are no longer adequate the task. The new Extended Detection and Response (XDR) paradigm offers a solution. XDR takes a holistic approach, ingesting and analyzing threat data from multiple systems. It enables a coherent, cross-system response to threats. Below we explore how XDR works and delves into the advantages of implementing the model with a Managed XDR (mXDR) service provider.
What is XDR and how does it work?
XDR’s goal is to break down traditional security silos like EDR, emails security, network log analytics and so forth. Instead, XDR takes a holistic approach and delivers detection and response across all relevant data sources, whether they are security- or operations-based. For an XDR solution, any data source that can help with security should be monitored and analyzed for presence of threats.The major technology analyst firms have commented on the rise and appeal of XDR, with Gartner referring to XDR as “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system.” Forrester Research provided a more extended analysis, saying, “XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more.” From Forrester’s perspective, XDR comprises a cloud-native platform “built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation.”
What Problems Does XDR Solve?
XDR addresses this issue by providing the security analyst with broader, real-time awareness of security situations. It avoids alert fatigue and helps alleviate the previously time-consuming and complex processes of incident response and investigation, both of which required deep expertise. XDR speeds up the time it takes to detect a breach and then respond to it. An XDR solution makes the security analyst feel as if he or she has a higher degree of control over what’s happening. There are fewer surprises and security incidents that spiral out of control because no one connected the necessary dots before the situation burst into view.
XDR solves a number of problems facing security teams. At a high level, the technology addresses, if not perhaps totally solving, the problem of cyber risk exposure created by point solutions and incomplete security countermeasures. XDR helps bolster security posture through better visibility and more coherent responses to alerts. Done right, XDR enables a proactive approach to threat detection and response. It provides visibility across all data, including data generated by endpoints, networks and cloud infrastructure. Through constant analysis of these broad data streams, XDR is able to identify stealthy, sophisticated threats on a rapid, proactive basis. An XDR solution can then track threats as they move through the enterprise. Given the serious risk exposure caused by malicious actors’ lateral movements, this is a positive capability.
XDR is a welcome alternative to standard reactive approaches that rely on a wide assortment of separate tools, like EDR, User Behavioral Analytics (UBA) or Network Detection and Response (NDR). With these scattered point solutions, visibility gets scattered and analysts either can’t see or lose track of critical security event information. Instead, with XDR, the security team can collect and correlate data from all sources. As a result, they can detect, triage and investigate threats. They can also do threat hunting and respond to threats on a timely basis. In terms of security operations, XDR goes a long way toward solving the problem of people and productivity. XDR enables an organization to consolidate its overall security policy management, along with monitoring and incident response across its entire network, all endpoints and cloud environments in a unified console. This leads to increased efficiency to for the SOC. This efficiency is badly needed because cybersecurity is a notoriously difficult area for the recruitment and retention of qualified people. Even if one has the budget, and that’s seldom the case, it is hard to find good security operations people—and keep them. It’s exhausting and stressful to serve as a security analyst in a Security Operations Center (SOC). People get burned out and quit.
XDR also enables an organization to get greater return on their investments in security technologies. This may not seem like a major issue, but it is, especially for the person who wrote the check, or asked for the investment. For board members and other financial leaders, security is simply one of many areas of investment and return on assets in a corporation. XDR contributes to better outcomes in this regard.
On day-to-day basis, the benefits of XDR include being able to block malware, exploits and fileless attacks using threat intelligence powered by artificial intelligence (AI). With XDR, the SOC gains the ability to detect the most sophisticated attacks on a 24/7 basis. The SOC can also detect and stop advanced attacks, including insider attacks and zero-day malware.
A further benefit arises from XDR’s potential extension of detection and response to third-party data sources. For example, an XDR solution can run behavioral analytics third-party firewalls logs and integrate alerts from third parties into a single view of security events.