The incident response (IR) function within security teams has changed significantly over the past two years. The shift to a remote and hybrid work environment and the increased use of employee-owned mobile devices at many organizations have both dramatically broadened the attack surface. The conventional definition of "enterprise perimeter" is laughable in the new (and expanding) digital landscape.
IR teams can no longer rely on legacy methods and tools that functioned well in the pre-pandemic days, when most employees were working in company offices and using company-owned devices. Legacy solutions are largely designed for on-premises devices that all run the same OS and the same apps on the same schedule.
As the remote workforce grows, the limitations of legacy IR solutions become more apparent. For incident response to function at its best, employees need access to tools that are better suited to a varied and more complex digital environment.
One of the latest trends is a move to extended detection and response (XDR), a cloud-based threat detection and incident response tool that integrates multiple security products into a cohesive system.
XDR collects and correlates data across a variety of network components such as servers, cloud workloads, and endpoint devices. These systems analyze the correlated data, adding visibility and context to it and exposing potential threats. Teams can then prioritize, analyze and categorize those threats so that they can mitigate them.
An XDR solution can help an organization gain a higher level of incident awareness, enabling cyber security teams to find and eliminate vulnerabilities wherever they might be.
The key is having visibility. If the security team can’t see what’s happening on the network, how can it effectively respond to incidents? This is even more important in this time of remote work, where employees could be working from anywhere and on any kind of device.
XDR doesn’t care whether the user or device is in a corporate office, a home office, or a Starbucks. It enables the tracking of the device and the reaction to an incident regardless of location. This makes it ideal for the remote/hybrid work model that is becoming so prevalent today.
Research firm International Data Corp. (IDC) noted at a March 2022 event that XDR software “could be the panacea that brings in telemetry from endpoint, logs, web/email, and threat intelligence on one dashboard.”
A solution such as FTK Enterprise from Exterro provides deep visibility into live data directly at the endpoint, helping IR teams conduct faster, more targeted enterprise-wide post-breach investigations.
Such solutions address the challenge organizations face when more of their employees are working remotely and not connecting to the company VPN. They allow IR teams to collect and analyze data from remote Windows endpoints that sit outside the corporate network with no VPN connectivity, using a feature such as Site Server Integration in the case of FTK Enterprise.
This feature enables agent-based data collection into a secure, encrypted forensic container, which preserves data integrity during the transfer from the endpoints to the server where the data is collected.
For more on how XDR enables a more effective incident response, check out the CyberRisk Alliance Business Intelligence report “XDR Poised to Become a Force Multiplier for Threat Detection.”