Incident Response

How to address the gaps with Open XDR sensors


Many experienced security professionals meet the idea of the “new normal” with a healthy dose of “what exactly does that mean?”

On one hand, the new normal connotes a world where an increasing share, if not the majority, of applications, resources and infrastructure is public-cloud-based, employees work from home or other remote locations, and the traditional WAN and LAN model is in sharp decline. It reflects data breaches becoming almost commonplace and perimeter security looking somewhat antiquated. On the other hand, we really don’t have a normal, because both resources and attack techniques are constantly changing. Everything is new: applications, user devices, third-party involvement and integration, external sites, and all the new ways attackers can gain a foothold and reach data or assets.

In either case, newness and change inevitably bring gaps, either in an organization’s protective controls or in its ability to see and understand its own resources and potential attack activity. The attack surface changes. An organization’s assets and infrastructure change. Attackers evolve their tactics. Each of these factors means that the tools and procedures put in place at one point in time may no longer suffice, or may no longer even be valid. Each addition or modification likely opens new holes or, at the very least, an unmonitored area.

Adding tools, updating rules and changing procedures are all good responses, but all three can be slow to implement and are not always practical, and some gaps cannot be addressed by existing means at all. These gaps are usually unavoidable, but they must still be addressed swiftly and decisively. Keep in mind that an organization is only as strong as its weakest link: in the “front door, back door” analogy, why heavily fortify the front door of a building or home when the back door is completely unsecured? We must face the gaps.

Security teams can address gaps, temporarily or permanently, by deploying sensors as additional inputs to an existing Open XDR system. The best Open XDR systems are designed with a “the more the merrier” philosophy: more inputs mean better visibility and greater accuracy. Existing security tools, networking systems and log sources already feed Open XDR systems; sensor data augments or extends that visibility and fills the gaps those sources leave.

Sensors have evolved significantly, and most of the difficulties and trade-offs that once came with them have been reduced enough to make them a viable choice for most organizations. Lightweight, passive sensors present little operational risk and are easy for security teams to manage. Some sensors are modular, letting the organization choose what the sensor detects and reports. Enabling more functions or services makes for “heavier” sensors with a potential impact on performance. Services range from virus and malware detection (which tends to carry a performance cost, as it does on any other computing device) to metadata collection or monitoring of API connectors. In many cases, sensors cause no discernible performance hit, but the footprint of each enabled service is worth measuring on a representative host before broad deployment.

In considering a new generation of sensors, organizations should also look at how the sensors integrate with Open XDR platforms. Is integration work needed, or are they generally plug and play? Does the sensor data need to be normalized or otherwise processed before the Open XDR platform can use it? If sensors are part of the plan, make sure the Open XDR platform under consideration is well suited to them.
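Normalization is the step the paragraph above asks about. As an added example that is not from the article or from Stellar Cyber, the following Python maps records from three hypothetical sensor types (a passive network-metadata sensor, a host malware-detection sensor and an API-connector sensor, all with assumed field names) onto one event schema of the kind an XDR platform would ingest. It also turns unknown record types and missing fields into visible error events rather than dropping them, since a silent drop is itself a visibility gap. The sample records, field names and severity mapping are all constructed for the example.

```python
"""Normalize records from several hypothetical sensor formats into one event
schema before handing them to an XDR platform. Added example; the record
formats, field names and severity mapping are assumptions, not any vendor's."""
from dataclasses import dataclass, asdict, field
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional
import json


@dataclass
class Event:
    """The single schema every sensor record is mapped onto."""
    ts: str                 # ISO-8601, always UTC, 'Z' suffix
    sensor: str             # which sensor produced the record
    kind: str               # network_flow | malware_detect | api_call | normalizer_error
    src: Optional[str]
    dst: Optional[str]
    severity: int           # 0 (telemetry) .. 10 (confirmed compromise); assumed scale
    summary: str
    raw: Dict[str, Any] = field(default_factory=dict)  # original record, kept for forensics


def to_utc_iso(ts: Any) -> str:
    """Accept epoch seconds or an ISO-8601 string; emit ISO-8601 UTC with 'Z'."""
    if isinstance(ts, (int, float)):
        dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    else:
        s = str(ts).strip()
        if s.endswith("Z"):                # fromisoformat() before 3.11 rejects 'Z'
            s = s[:-1] + "+00:00"
        dt = datetime.fromisoformat(s)
        if dt.tzinfo is None:              # naive timestamp: assume UTC (assumption)
            dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def norm_flow(rec: Dict[str, Any]) -> Event:
    # Passive network-metadata sensor: no verdict, so it is low-severity telemetry.
    return Event(ts=to_utc_iso(rec["start"]), sensor=rec["sensor"], kind="network_flow",
                 src=rec["src_ip"], dst=f'{rec["dst_ip"]}:{rec["dst_port"]}', severity=1,
                 summary=f'{rec["proto"]} flow, {rec["bytes"]} bytes', raw=rec)


def norm_av(rec: Dict[str, Any]) -> Event:
    # Heavier host sensor with a malware verdict; severity follows the verdict.
    sev = {"malicious": 9, "suspicious": 5}.get(rec["verdict"], 3)
    return Event(ts=to_utc_iso(rec["time"]), sensor=rec["sensor"], kind="malware_detect",
                 src=rec["host"], dst=None, severity=sev,
                 summary=f'{rec["verdict"]} file {rec["path"]} ({rec["action"]})', raw=rec)


SENSITIVE_CALLS = {"iam:CreateAccessKey", "iam:AttachUserPolicy"}   # assumed watch-list


def norm_api(rec: Dict[str, Any]) -> Event:
    # API-connector sensor: privileged control-plane calls rate higher.
    sev = 6 if rec["call"] in SENSITIVE_CALLS else 2
    return Event(ts=to_utc_iso(rec["ts"]), sensor=rec["sensor"], kind="api_call",
                 src=rec["principal"], dst=rec["call"], severity=sev,
                 summary=f'{rec["principal"]} -> {rec["call"]}: {rec["result"]}', raw=rec)


NORMALIZERS: Dict[str, Callable[[Dict[str, Any]], Event]] = {
    "flow": norm_flow, "av": norm_av, "api": norm_api,
}


def normalize(rec: Dict[str, Any]) -> Event:
    """Dispatch on the record's own 'type' field. Unknown types and missing
    fields become error events instead of being dropped silently."""
    try:
        return NORMALIZERS[rec["type"]](rec)
    except KeyError as e:
        return Event(ts=to_utc_iso(datetime.now(timezone.utc).isoformat()),
                     sensor=str(rec.get("sensor", "unknown")), kind="normalizer_error",
                     src=None, dst=None, severity=4,
                     summary=f"could not normalize record: missing key or type {e}", raw=rec)


def normalize_all(records: List[Dict[str, Any]]) -> List[Event]:
    return [normalize(r) for r in records]


def to_json(ev: Event) -> str:
    return json.dumps(asdict(ev), sort_keys=True)


# Constructed sample input (not real traffic or alerts).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"type": "flow", "sensor": "net-sensor-01", "start": 1700000000, "src_ip": "10.0.0.5",
     "dst_ip": "203.0.113.7", "dst_port": 443, "proto": "tcp", "bytes": 5120},
    {"type": "av", "sensor": "host-sensor-07", "time": "2023-11-14T22:13:20Z", "host": "ws-14",
     "path": "C:\\Users\\a\\evil.exe", "verdict": "malicious", "action": "quarantined"},
    {"type": "api", "sensor": "cloud-connector-02", "ts": "2023-11-14T22:14:00+00:00",
     "principal": "deploy-svc", "call": "iam:CreateAccessKey", "result": "success"},
    {"type": "netflow9", "sensor": "legacy-probe"},                               # unknown type
    {"type": "flow", "sensor": "net-sensor-02", "start": 1700000060,
     "src_ip": "10.0.0.9", "proto": "udp", "bytes": 80},                           # dst_ip missing
]

if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_RECORDS):
        print(to_json(ev))
```

The design point is the error path: the two malformed records still come out as events, so a sensor whose output format changed or that is emitting a type the platform has never seen shows up in the XDR console as a problem to fix rather than as a quiet hole in coverage. The `raw` field keeps the original record so the analyst can see what the sensor actually sent.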

Security teams implementing an Open XDR environment must also consider whether they can actually deploy sensors into, or gain access to, every part of the company’s ever-changing infrastructure. For cloud-based resources, most teams deploy sensors as virtualized instances rather than physical appliances. Look at how each Open XDR system under consideration handles this.

With the rate and range of change continuing to increase, sensors are a strong option for augmenting and extending the coverage and intelligence of an Open XDR platform. Even if sensors were ruled out in the past because of their overhead or complexity, it’s time to reconsider them. The new generation of sensors could prove extraordinarily important in addressing the inevitable gaps.

Sam Jones, vice president of product management, Stellar Cyber
