Open XDR strategies combine data from siloed tools to help security teams identify and stop attacks 

Fuel holding tanks are seen at Colonial Pipeline’s Dorsey Junction Station on May 13, 2021 in Woodbine, Md. A proposed $1 million fine blames Colonial Pipeline executives for failing to correct a number of known safety violations. (Photo by Drew Angerer/Getty Images)

Detection and response, as traditionally practiced, was designed for a time when resources and assets lived mainly on-premises and attacks were largely linear, made little progress beyond their entry point, and targeted a single portion of the attack surface. Those conditions have changed, and per-tool detection and response now generally impedes, rather than helps, organizations that are overworked and understaffed and flooded with unimportant or imprecise alerts.

The idea of each security system generating its own alerts has become antiquated and has not proven to help organizations curtail a data breach. Teams get overburdened by non-productive alerts. It has led to a condition in which it is practically a foregone conclusion that data breaches just happen and there is nothing anyone can do about it. Detection and response as we have known it is dead.

Security teams still need detection, but not as isolated silos. A new way of approaching the problem has produced Extended Detection and Response (XDR) and, more recently, Open XDR. Both address the new modes of attack and the realities of how cybercriminals, rogue insiders and other parties operate, and what they go after. Rather than each individual tool or system conducting its own monitoring and detection and issuing its own alerts, Open XDR systems combine the data from all of them to gain a full view of attack surfaces and resources. Data covering all portions of the attack surface, all users, and all resources, applications and assets must be integrated centrally and then correlated to find meaningful behavioral anomalies within a true understanding of context. Rather than issuing a stream of alerts, this approach distills the data into precise incidents that are ready for action.

Combining and correlating all of these sources provides both breadth and depth in the ability to uncover attack activity and stop it early. Security teams require breadth not only to find an indication anywhere across the attack surface, but also to see progression. Attacks have a starting point, but then they progress through reconnaissance and lateral movement to command and control and exfiltration. Attackers land somewhere in an organization's infrastructure and then mostly work in the dark to understand what exists and how to reach it. They need to find the most valuable assets and see what they can commandeer to get to them. This usually requires many steps over a period of time, and seeing and understanding that progression is what allows an attack to be uncovered.

Having depth has become an integral part of gaining such understanding and fidelity. Think of depth as akin to finding the forest for the trees. Individual trees do not convey or confirm the presence of a forest until they are considered in total. In the case of security, multiple data points build a sharper, more accurate, more complete picture of what’s actually happening—has an attack really happened, or is it just a false alarm?

Open XDR does not negate existing security tools and systems, but rather builds upon them, extending them to offer a faster and more precise way of finding an attack. Detections from each tool should be combined and augmented with other data from sources such as logs, threat intelligence and sensors to provide the most robust picture of attacks. Clearly, the present way has not worked to defeat attacks, but that does not negate the value of, and investment in, existing security tools and systems. New realities merely necessitate combining data from all of these sources to provide the breadth and depth needed for effective intelligence.

Top-notch security teams have the skill to combine and correlate these findings and make determinations manually, but doing so is time-consuming and requires the ability to examine and remember every data point and consider them as a whole for patterns, corroboration and clarity. If a team needs to "divide and conquer" such a large task, it must have near-perfect communication and sharing of insights between members, so that one person's observation can be combined with others' to rule out some signs or bring clarity and precision to others. Such a manual approach is not practical, but the problem is well-suited to machine-learning-based XDR. It also frees security professionals from the drudgery and demands of monitoring and analysis to concentrate on response, threat hunting and proactive security.
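The correlation described in the preceding paragraphs, combining signals from siloed tools, mapping them onto the progression of an attack and promoting them to an incident only when several stages and several sources agree, is illustrated below by an added example. It is not Stellar Cyber's code or any product's logic; the event records, host names, domain, threat-intelligence list, stage names, four-hour window and "two stages from two tools" threshold are all constructed assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample telemetry from four siloed tools (identity provider, EDR,
# firewall, DNS). Field names, hosts, users and addresses are invented.
EVENTS = [
    {"ts": "2021-05-07T08:01:00", "source": "idp", "host": "ws-17", "user": "jdoe",
     "signal": "login_from_new_country"},
    {"ts": "2021-05-07T08:05:00", "source": "edr", "host": "ws-17", "user": "jdoe",
     "signal": "net_scan_tool_executed"},
    {"ts": "2021-05-07T08:20:00", "source": "firewall", "host": "ws-17", "user": "jdoe",
     "signal": "smb_to_many_internal_hosts"},
    {"ts": "2021-05-07T08:40:00", "source": "dns", "host": "ws-17", "user": "jdoe",
     "signal": "query", "domain": "bad.example"},
    {"ts": "2021-05-07T09:10:00", "source": "firewall", "host": "ws-17", "user": "jdoe",
     "signal": "large_outbound_transfer", "bytes": 4_200_000_000},
    # One isolated alert on another host: noise on its own.
    {"ts": "2021-05-07T08:02:00", "source": "edr", "host": "ws-42", "user": "asmith",
     "signal": "net_scan_tool_executed"},
    # Same host, but hours later and outside the correlation window.
    {"ts": "2021-05-07T15:30:00", "source": "firewall", "host": "ws-42", "user": "asmith",
     "signal": "smb_to_many_internal_hosts"},
]

# Constructed threat-intelligence feed (a real deployment would pull this from a TIP).
TI_DOMAINS = {"bad.example"}

# Assumed mapping from each tool's raw signal to a stage of attack progression.
STAGE_OF = {
    "login_from_new_country": "initial_access",
    "net_scan_tool_executed": "reconnaissance",
    "smb_to_many_internal_hosts": "lateral_movement",
    "large_outbound_transfer": "exfiltration",
}

WINDOW = timedelta(hours=4)  # assumed correlation window


def stage_for(event):
    """Return the progression stage an event indicates, or None if it is not a signal."""
    if event["source"] == "dns":
        # A DNS query only counts when threat intel flags the queried domain.
        return "command_and_control" if event.get("domain") in TI_DOMAINS else None
    return STAGE_OF.get(event["signal"])


def correlate(events, window=WINDOW):
    """Per host, cluster staged events into time windows and promote a cluster to an
    incident when it shows at least two distinct stages from at least two tools."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_for(ev)
        if stage:
            by_host[ev["host"]].append(
                (datetime.fromisoformat(ev["ts"]), ev["source"], stage))

    incidents = []
    for host, staged in by_host.items():
        i = 0
        while i < len(staged):
            start = staged[i][0]
            cluster = [s for s in staged[i:] if s[0] <= start + window]
            stages = {s[2] for s in cluster}
            sources = {s[1] for s in cluster}
            if len(stages) >= 2 and len(sources) >= 2:
                incidents.append({"host": host, "first_seen": start.isoformat(),
                                  "stages": sorted(stages), "sources": sorted(sources)})
                i += len(cluster)  # events consumed by this incident
            else:
                i += 1  # an isolated signal stays an alert, not an incident
    return incidents


if __name__ == "__main__":
    print(json.dumps(correlate(EVENTS), indent=2))
```

Run stand-alone, the script reports a single incident for ws-17 spanning five stages seen by four tools, while the two unrelated alerts on ws-42 never become an incident. The design point is that no single tool's alert is trusted on its own; breadth comes from accepting signals from every source, and depth from requiring that several of them corroborate a progression before an analyst is paged.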

Too often security gets managed in a piecemeal fashion. Individual detection and response from each tool, with teams trying to make sense of all the alerts, is not a practical strategy for the modern age. Today, we use detection that is integrated, correlated holistically and analyzed in total. Individual dots no longer bring the necessary clarity or intelligence. We need to connect the dots.

Sam Jones, vice president of product management, Stellar Cyber
