Cybersecurity and acronyms tend to go hand in hand. The latest is XDR, otherwise known as extended detection and response. If you haven’t heard of it you will, as it promises to help security operations improve their ability to detect and respond to threats across increasingly complex, diverse, and growing IT environments.
Security vendors of all types — from endpoint to SIEM and beyond — are making acquisitions and marketing to XDR. In fact, according to 451 Research, between March and August 2021, there were 17 deals driven by vendors looking to build out their XDR capabilities.
Definitions can vary widely for XDR, depending on what a vendor is selling, and this is creating confusion amongst even the most seasoned security pros. However, at its core, XDR is essentially an approach that combines multiple security tools used in threat detection and response to expand and improve data collection, correlation, contextualisation, and analytics for the purpose of improving and coordinating detection response and remediation, as well as threat hunting. XDR does this in three, key ways:
1) Ingesting and centralising more data across an organisation’s environment, beyond on prem and multi-cloud to endpoint and even IoT and OT
2) Using advanced analytics and machine learning to improve analysis, contextualisation, and correlation of that data
3) Coordinating response and remediation across those environments using multiple controls and automation
XDR represents the evolution of current capabilities in threat detection and response - something increasingly required given the rapid rise in digitalisation among businesses and predicted explosion of endpoint and IoT.
For example, the past 18 months have seen enterprises of all sizes increase their digital footprint, thanks in part to the pandemic as well as the acceleration of digital transformation or modernisation. This has heaped added pressure onto security personnel who are struggling to keep systems secure with limited resources and a skills shortage. Changes in the business are creating new challenges for security operations, especially as it relates to monitoring more complex environments arising from things like:
· A workforce that is everywhere
· Business innovations, especially those that involve edge computing
· New office sites, including temporary or remote locations
· The spinning up (or down) of cloud environments as needed by the changing demands of the business
· Rising adoption of SaaS for both internal and external business applications
In addition, hackers have access to commercialised malware, and they can quickly change their attack methods, often with the push of a button. To keep up, security professionals need better and faster access to the right data. This includes having the telemetry and analytics necessary to detect threats across diverse environments and make quicker, more informed decisions leading to mitigating threats before they impact the whole system.
XDR’s importance for Security Analysts
Because of its “expanded” capabilities, XDR promises to be a critical tool for security analysts as they look to improve security operations, including in the following ways.
Increased visibility and context: Having as much visibility of an organisation’s environment, including where sensitive information and critical assets are located, is pivotal to effectively detecting and responding to threats. Security monitoring platforms need to ingest as much data as possible, across on-prem, multi-cloud, OT, and all connected endpoints (including IoT). This stream of data will need to be continuously updated so analysts can act upon it in real-time to address potential security incidents.
Automatically updated threat intelligence: The threat landscape is continually changing, with adversaries quickly evolving their tactics, techniques, and procedures (TTPs). New variations of malware are easily created which and used to attack organisations repeatedly and threat actors are regularly modifying the infrastructure used in campaigns, for example. XDR provides organisations with continuously updated threat intelligence automatically fed into a platform, and this added context aids in the ability to easily detect deviations from known baseline activity and investigate events.
Analysis and correlation of data for response: With increasing amounts of data being sent to threat monitoring platforms, SOC teams today must make use of things like automation, analytics, and machine learning for analysis, correlation, and to support response. For example, if a system or device has been infected, they can automatically isolate it as needed, proceed to mitigation or remediation, and then to recovery (ideally back to a normal state) within a single dashboard.
Ease of reporting: After an incident has occurred, having detailed, easy-to-consume reports is key to understanding what happened, how the team responded, and the overall outcomes of the team’s efforts. These reports are also essential for compliance mandates and communicating to executives. XDR gives analysts enhanced reporting capabilities because the information can be at their fingertips, already contextualised and automated.
Bottom line: XDR’s appeal is that it can deliver improved outcomes within security operations, including creating greater efficiencies and improving security monitoring, investigation, response, and proactive threat hunting. In addition, by merging several existing security controls, XDR can help to eliminate overlapping capabilities within the security stack, potentially saving money that can be used to drive efficiencies elsewhere in the business. If you haven’t considered this approach, now is the time.