
DEMYSTIFYING XDR


YOSSI NAAR, CHIEF VISIONARY OFFICER AND COFOUNDER, CYBEREASON, DEBUNKS XDR MISCONCEPTIONS FLOATING AROUND

Extended Detection and Response (XDR) is everywhere today, and it seems that every company is rolling out a strategy and products to meet the growing demand.


According to the industry analyst firm Gartner, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

Notwithstanding XDR’s tremendous growth in adoption, more than a few misconceptions about XDR remain, so let’s debunk three of those myths here:

Myth 1: XDR is all about Endpoint Security

No, that’s what Endpoint Detection and Response (EDR) does, which is just one aspect of what XDR delivers. EDR solutions focus solely on the endpoint, and they don’t correlate intelligence from the cloud and other parts of an organisation’s infrastructure.

In fact, most EDR platforms are not even capable of ingesting all of the relevant endpoint telemetry and are forced to “filter out” intelligence without even knowing if that information is critical to making a detection because the solutions cannot handle the volumes of data generated.

Indeed, there are vendors that simply cannot ingest all available telemetry for EDR, yet they profess to be able to deliver an XDR solution that ingests endpoint data plus an array of telemetry from numerous other sources on the network and in the cloud.

Data filtering negatively impacts the ability to proactively thwart attacks because it omits telemetry that could allow for earlier detection of malicious activity. When broadened to include non-endpoint sources, data filtering can further distort an organisation’s visibility into the threats confronting them.

XDR does not suffer from these limitations. It extends continuous threat detection and monitoring, as well as automated response, to endpoints, applications, cloud workloads and the network, all without data filtering. Keeping the full telemetry is what allows the detections XDR yields to be high-fidelity.

Myth 2: XDR Should be Augmented by a SIEM

It’s true that XDR delivers some of the same functionality as SIEM (Security Information and Event Management) tools. Chief among their similarities is the ability to aggregate and correlate data from a variety of sources spread across an organisation’s infrastructure, thereby providing the required visibility for threat detection, investigation and response.

But there are several key factors that hold SIEMs back: SIEMs are nothing without the data lake structure and cloud analytics they need to centralise security events. Those resources vary in the types and quality of data to which they have access, a reality which affects the value and effectiveness of a SIEM.

There are also the costs, time, and other resources involved with building, tuning, and maintaining a SIEM. Tuning is an especially common pain point with SIEMs. Indeed, these tools frequently generate false positives and an overwhelming volume of alerts.

Such noise contributes to “alert fatigue” in the organisation, motivating infosec personnel to overlook the deluge of alerts coming in and miss opportunities to launch investigations at the earliest signs of an incursion. Simultaneously, SIEMs don’t do much to help security teams with executing a response beyond generating a lot of alerts that need to be manually triaged.

XDR, by contrast, doesn’t require any data lake structure. It correlates alerts across disparate network assets to deliver actionable intelligence that works to reduce alert fatigue. What’s more, XDR enables security teams to build automated playbooks using the platform itself, thereby streamlining response.

Myth 3: All XDR Platforms Are Created Equal

No. Consider the fact that there’s hybrid/open vs. native XDR. The latter only offers integrations to other security tools developed by the same vendor. This can lock customers into an agreement with a vendor that might not offer the security capabilities they need to protect their systems and data. It also means existing investments in solutions from other vendors cannot be fully realised.

In contrast, Open (or hybrid) XDR takes a collective approach that leverages multiple security tools, vendors, and telemetry types to meet organisations’ needs from within a single detection and response platform. There’s no vendor lock-in here. Security teams are free to choose the vendors and tools they want, allowing them to get the most out of their XDR platform, and the DevOps and API integrations enable personnel to bring these tools and telemetry sources together.

There’s also an argument to be made about what defines a truly mature XDR offering versus pseudo-XDR solutions that are basically nothing more than an EDR tool with a cloud integration. All XDR platforms integrate with threat intelligence to spot known Indicators of Compromise (IOCs), but only an advanced XDR solution can detect based on Indicators of Behavior (IOBs).

IOBs are the more subtle signs of an attack in progress which include otherwise benign activity one would expect to see occurring on a network. When these “legitimate” behaviors are chained in certain sequences, they produce conditions that are either exceedingly rare or represent a distinct advantage for an attacker.

This is where the context-rich correlations across endpoints, the cloud, application suites and user identities that a mature XDR solution delivers are critical for detecting malicious activity at the earliest stages of an attack.

Take ransomware attacks for example: most security solutions are focused on detecting the exploit and blocking the ransomware payload, or rolling back the encryption after the attack was successful. But the detonation of the ransomware executable is the tail end of what is actually a much longer attack sequence, with weeks or even months of detectable activity from initial ingress, to lateral movement, to credential abuse and privilege escalation, to name a few.

An AI-driven XDR solution can make the necessary correlations to detect that activity long before the ransomware payload is delivered, reducing a potentially devastating attack to the level of an intrusion attempt or similar.
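As an added illustration of the IOB idea in the last three paragraphs, and of the correlation and data-filtering points raised under Myths 1 and 2, here is a small Python correlation routine written for this page (it is example code, not Cybereason’s or any product’s logic). It runs over constructed multi-source telemetry and shows three things: IOC matching catches only the host carrying a known-bad hash; an ordered-chain rule catches a host whose four individually benign events form a ransomware precursor sequence across endpoint, identity and network telemetry; and dropping one telemetry source breaks that chain. The hosts, users, hashes, event kinds, the chain and the 72-hour window are all assumptions made for the example.

```python
"""Toy correlation engine: IOC matching vs. Indicator-of-Behavior (IOB) chains.

Every event, host, user, hash and the chain itself is constructed for this
example; none of it comes from a real product or incident.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # telemetry origin: "endpoint", "identity" or "network"
    host: str
    user: str
    kind: str     # normalised event type
    detail: str   # free text: a hash, a share path, a command line


# Constructed "known bad" hash standing in for a threat-intel IOC feed.
KNOWN_BAD_HASHES = {"0" * 60 + "bad1"}

# Constructed IOB chain. Each step is ordinary on its own; the ordered sequence
# on one host within WINDOW is what a ransomware precursor looks like
# (initial ingress -> encoded tooling -> credential abuse -> lateral movement).
PRECURSOR_CHAIN = [
    ("endpoint", "office_spawns_shell"),
    ("endpoint", "encoded_powershell"),
    ("identity", "admin_logon_from_host"),
    ("network", "admin_share_write"),
]
WINDOW = timedelta(hours=72)

T0 = datetime(2023, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    # WS-042: the full precursor chain over two days, with no known-bad hash.
    Event(T0, "endpoint", "WS-042", "alice", "office_spawns_shell", "WINWORD.EXE -> cmd.exe"),
    Event(T0 + timedelta(minutes=2), "endpoint", "WS-042", "alice", "encoded_powershell", "powershell -enc <base64>"),
    Event(T0 + timedelta(days=1), "identity", "WS-042", "svc_backup", "admin_logon_from_host", "logon type 3"),
    Event(T0 + timedelta(days=2), "network", "WS-042", "svc_backup", "admin_share_write", r"\\FS-01\ADMIN$"),
    # WS-007: a single benign-looking step on its own (a macro opened a shell once).
    Event(T0 + timedelta(hours=1), "endpoint", "WS-007", "bob", "office_spawns_shell", "EXCEL.EXE -> cmd.exe"),
    # SRV-01: a file with a known-bad hash, the classic IOC case.
    Event(T0 + timedelta(hours=5), "endpoint", "SRV-01", "carol", "file_hash", "0" * 60 + "bad1"),
]


def ioc_hits(events):
    """IOC detection: flag any event whose detail matches a known-bad hash."""
    return [e for e in events if e.kind == "file_hash" and e.detail in KNOWN_BAD_HASHES]


def iob_hits(events, chain=PRECURSOR_CHAIN, window=WINDOW):
    """IOB detection: per host, match the chain steps in order.

    The whole chain must fit within `window` of its first matched step;
    a partial match older than that is discarded and matching restarts.
    Returns a list of (host, sorted users involved, matched events).
    """
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    hits = []
    for host, evs in by_host.items():
        matched = []
        for e in evs:
            if matched and e.ts - matched[0].ts > window:
                matched = []  # stale partial chain: start over
            if (e.source, e.kind) == chain[len(matched)]:
                matched.append(e)
                if len(matched) == len(chain):
                    hits.append((host, sorted({m.user for m in matched}), matched))
                    break
    return hits


def filter_telemetry(events, keep_sources):
    """Simulate a sensor that cannot ingest everything and drops whole sources."""
    return [e for e in events if e.source in keep_sources]


if __name__ == "__main__":
    print("IOC hits:", [e.host for e in ioc_hits(SAMPLE_EVENTS)])
    for host, users, chain in iob_hits(SAMPLE_EVENTS):
        print("IOB hit on", host, "users", users, "steps", [c.kind for c in chain])
    trimmed = filter_telemetry(SAMPLE_EVENTS, {"endpoint", "identity"})
    print("IOB hits without network telemetry:", iob_hits(trimmed))
```

Run as a script, the IOC path reports only SRV-01, the IOB path reports WS-042 with both alice and svc_backup involved, and the same data with the network source filtered out reports nothing, because the last step of the chain is no longer visible. Shrinking the window to a few hours also yields no hit, since the identity and network steps arrive days after the initial ingress; the window is a tuning choice, and too short a window is a filtering decision in disguise.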

Additionally, the ability to leverage AI/ML to correlate telemetry from across an organisation’s infrastructure is a key aspect of a mature XDR solution. Applying AI/ML lets defenders move from a detect-and-respond mode to a more proactive “predictive response” posture, in which the next steps an attack can and would take are anticipated and blocked, denying the attack the opportunity to progress to its next stage.

This predictive capability is the key to the future of security. It enables organisations to “defend forward” by understanding attacks from an operation-centric approach, where analysts are freed from chasing alerts that point to individual elements of an attack in favor of a holistic view of the entire attack story, from root cause to every affected device, system and user. And only an AI-driven XDR solution can deliver this “predictive response” capability, shortening detection and remediation periods from days or weeks down to minutes.

The AI-Driven XDR Advantage

An AI-driven XDR solution enables organisations to embrace an operation-centric approach to security that delivers the visibility organisations require to be confident in their security posture across all network assets, together with the automated responses needed to halt attack progressions at the earliest stages.

This approach also gives defenders the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces and more.
