By correlating threat telemetry across multiple attack surfaces, XDR – Extended Detection and Response – promises to address today’s harsh threat landscape by amplifying the scale, speed, and scope at which security pros can detect and remediate attacks.
We call it the X-Factor. Now, XDR automates manually intensive big data investigations, which will help security teams offset the talent skills gap and meet new logistics challenges brought on by COVID-19.
XDR takes a holistic approach to cybersecurity analytics to deliver on the promise of integrating security telemetry to reduce alerting and false positives. Proprietary XDR implementations limit themselves to one vendor’s product portfolio. As more organizations migrate to SaaS tools, it’s not realistic to think that organizations will only use one security tool. Open tools leveraging XDR combine the best of the cybersecurity ecosystem – and avoid vendor lock-in.
To understand the place of XDR in today’s enterprise, let’s unpack the main attributes of XDR and its value to IT security organizations:
Multiple telemetry sources. While legacy cybersecurity offerings focus on a single attack surface or individual network elements, XDR spans a broad scope and the full attack life-cycle, scaling to encompass diverse threat telemetry from EDR/EPP to web and email gateways and SaaS applications in the cloud. With the attack surface more threatening than ever, successful detection and response today requires this kind of integration.
Best-of-breed components. Cybersecurity vacillates between integrating third-party components and tightly bound single-vendor approaches. While integration across security vendors requires some technical know-how on the part of XDR vendors, the single-vendor offerings seldom accommodate in-house tools, offer finite/fixed functionality and almost never scale to meet the changing threat landscape. An open approach to XDR leverages big data to normalize data formats, architectures and connectivity. This avoids years of integration effort on the part of security teams.
Cloud-native architecture. XDR can represent more than a generational leap from EDR. By being a creature of the cloud, XDR can meet the requirements of security teams for scalability across storage, analytics and machine learning.
Autonomy. Multi-pronged attacks unfold quickly, faster than overloaded security teams can respond. To match this velocity, XDR products must act autonomously – even preemptively – to discover indicators of ongoing attacks rather than addressing threats after the fact. Ideally, XDR software “thinks” like an adversary and uses machine learning to grow a base of attack narratives.
Domain expertise. The tenets of XDR are “you don’t know what you don’t know” and “expect the unexpected.” XDR shines in applying domain expertise – the ability to understand how hackers operate in certain environments – to detecting unknown threats and novel combinations of known ones. By growing a base of attack narratives, security teams can improve the signal-to-noise ratio and find real and imminent threats in the telemetry.
Empowers the SOC. XDR proactively transforms the nature and lifecycle of warnings reaching the SOC. Instead of just passively logging and forwarding alerts the way traditional SIEMs do, XDR qualifies and presents actionable findings, amplifying “weak signals” to empower security practitioners to do more than just alert triage. So instead of an alert saying “X happened on Y and the company needs to look into that,” the system says “X type of attack took place on Y, and here’s the attacker’s path and what to do about it.” The focus shifts from predicting an imminent threat to value-added remediation.
In delivering actionable findings to the SOC, XDR can also complement, supplement, and even supplant SIEM and SOAR tools. XDR can offer more effective detection and response, especially to targeted attacks, by integrating a broad selection of inputs to trainable behavior analysis, profiling and analytics.
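As an added illustration (not code from the original post or from Hunters' product), the Python sketch below shows the cross-source normalization and correlation the points above describe: three vendor-shaped events are mapped onto one schema, chained by host and time, and emitted as a single finding carrying the attacker's path. The event shapes, field names and the user-to-host mapping are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry in three vendor shapes (assumed field names, not a real product's schema).
EMAIL_GW = [{"ts": "2020-06-01T09:00:00", "rcpt": "alice@example.com",
             "attachment": "invoice.docm", "verdict": "delivered"}]
EDR = [{"time": "2020-06-01T09:04:10", "host": "WS-ALICE", "user": "alice",
        "parent": "WINWORD.EXE", "image": "powershell.exe"}]
WEB_GW = [{"timestamp": "2020-06-01T09:04:40", "src_host": "WS-ALICE",
           "dest": "cdn-update.example.net", "category": "uncategorized"}]
USER_HOST = {"alice": "WS-ALICE"}  # assumed directory lookup joining user-keyed and host-keyed events
HOST_USER = {h: u for u, h in USER_HOST.items()}

@dataclass
class Event:
    ts: datetime
    source: str
    user: str
    host: str
    detail: str

def normalize(email, edr, web):
    """Map each vendor format onto one schema keyed by user and host, sorted by time."""
    out = []
    for e in email:
        user = e["rcpt"].split("@")[0]
        out.append(Event(datetime.fromisoformat(e["ts"]), "email", user,
                         USER_HOST.get(user, "?"), f"attachment {e['attachment']} {e['verdict']}"))
    for e in edr:
        out.append(Event(datetime.fromisoformat(e["time"]), "edr", e["user"], e["host"],
                         f"{e['parent']} spawned {e['image']}"))
    for e in web:
        out.append(Event(datetime.fromisoformat(e["timestamp"]), "web",
                         HOST_USER.get(e["src_host"], "?"), e["src_host"],
                         f"outbound to {e['dest']} ({e['category']})"))
    return sorted(out, key=lambda ev: ev.ts)

def correlate(events, window=timedelta(minutes=15)):
    """Chain same-host events within `window` of the previous link; a chain spanning >1 source is a finding."""
    by_host, findings = {}, []
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        chain = [evs[0]]
        for ev in evs[1:]:
            if ev.ts - chain[-1].ts <= window:
                chain.append(ev)
        if len({e.source for e in chain}) > 1:  # a single-source hit stays a plain alert
            findings.append({"host": host, "user": chain[0].user,
                             "path": [f"{e.ts:%H:%M:%S} {e.source}: {e.detail}" for e in chain]})
    return findings
```

Running `correlate(normalize(EMAIL_GW, EDR, WEB_GW))` yields one finding for WS-ALICE whose path reads delivery, then Office spawning a shell, then an outbound connection; the same EDR event on its own produces no finding.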
XDR Takes Organizations Past the COVID-19 Period
XDR represents a real shift from point approaches to best-of-breed integration across vendor boundaries. As organizations emerge from COVID-19 isolation, the new normal will be more diffuse, less deterministic and more vendor-agnostic. XDR can help companies confront new technical and resourcing realities and meet ever-growing threats to the organization and its assets.
Uri May, co-founder and CEO, Hunters