How does XDR improve enterprise security in the face of evolving threats?

Cybercriminals will never run out of ways to breach the security protocols enterprises put in place. As security systems upgrade their defenses, attackers also level up their attacks. They develop stealthier ways to compromise networks to avoid detection and enhance the chances of penetration.

Adversarial machine learning, for example, emerges as one of the stealthy cyber threats the security community should watch out for. This attack is barely detectable as it targets the machine learning algorithm itself to weaken its ability to detect intrusions or, worse, to manipulate the system to allow attacks to proceed instead of blocking them.

To counter sophisticated threats similar to adversarial ML, enterprises need to adopt more advanced solutions. Standard Intrusion Detection Systems (IDS) will not cut it. Reactive approaches such as Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA) do not have the ability to see through concealed attacks. They are good at providing layered visibility into threats, but they are practically inutile against stealthy cyberattacks.

What organizations need is something more proactive. It has to be a solution capable of identifying hidden complex threats quickly. It needs to create visibility not only into specific threat instances but into data across networks, endpoints, as well as cloud infrastructure. It has to be a cross-layered detection and response (XDR) solution.

XDR: An overview

XDR is a method of gathering and automatically correlating information across several security layers to enable rapid threat detection. It monitors threats across different sources or locations within an organization.

Attacks can tuck in between security silos created as a result of disconnected solution alerts and gaps during security triaging and attack investigations. These successfully remain hidden because of the disconnected and limited attack viewpoints of most security analysts.

XDR eliminates security silos through a comprehensive and holistic detection and response strategy. It collects information and matches the relationships of deep activity data across many security layers including those configured for endpoints, servers, emails, cloud, and workloads. Automated analysis of various data is undertaken to detect threats faster and for security analysts to have enough time to conduct thorough investigations.

The banes of traditional reactive approaches

EDR, NTA, and security information and event management (SIEM) are by no means weak security solutions. However, the way they work creates opportunities for unrelenting attackers to exploit.

One of the biggest problems with traditional security systems is alert overload. EDR and other strategies are known to generate high volumes of alerts that lack a meaningful context. These security notifications are often incomplete or don’t have enough information to make sense to security professionals.

According to data from an IDC InfoBrief, only 21 percent of organizations collect information that can be considered adequate to take decisive action. Most organizations (56 percent) say that the information they gather through their security systems only allow them to have a broad grasp of what the problem is about. They cannot specifically pinpoint the issue and implement appropriate solutions.

A whitepaper by Solarwinds helps illustrate the alert overload problem. Accordingly, a company with around a thousand employees can have up to 22,000 events per second registered in their SIEM systems. This number translates to nearly 2 million events in a day. Even the best security operations center (SOC) analysts would struggle to handle the overwhelming amount of alerts produced by this number of events.

Other issues that plague traditional security systems are the need for specialized expertise and time-consuming investigations, which can take several months. With EDR, for example, breach identification time reportedly takes up to 197 times, while containment can take up to 69 days.

Also, the technology-centric nature of the tools used in traditional systems takes away the focus on operational needs to address technology gaps. As presented in the IDC InfoBrief, 23 percent of companies say that their security teams spend more time maintaining and managing security tools instead of conducting actual security investigations. Meanwhile, 19 percent of companies report fragmentation or the lack of integration in their security product portfolio.

XDR addresses these drawbacks with its comprehensive approach in collecting deep activity data and cross-layer sweeping, hunting, and investigation routines. With the aid of artificial intelligence and advanced analytics, XDR spots actual threats in the midst of security alert overload.

Threat evolution outpacing solution improvements

Again, this article does not intend to invalidate or downplay the value of EDR. Many companies continue relying on it for good reasons. However, its capability is constrained because of its inherent design, which is to focus on managed endpoints. Likewise, it is restricted in the scope of threats it can identify and block and the identification of entities affected and the best responses to an attack.

Similarly, it would be incorrect to say that NTA has become useless. Network traffic analysis remains important, but it requires a method to break away from its network and monitored network segment limitations. NTA systems generate enormous amounts of logs that make it difficult to detect correlations between network alerts and other relevant data that contextualize security events.

There have been attempts to update EDR and NTA, but these improvements have been implemented as individual solutions or added security layers. As such, the data siloing problem remains. XDR provides the preferable holistic method of upgrading detection and response systems. It augments SIEMs by cutting down the time needed by SOCs to examine relevant alerts and assess which ones merit attention and action. XDR does not replace SIEMs but enhances it to make sense of the abundance of security logs and notifications it produces.

In other words, XDR serves as an alternative to the evolution needed among traditional security systems to match the perpetually evolving attacks of cybercriminals.

Extended detection and response

XDR makes it possible to pinpoint hidden threats and track them regardless of their source or location. This advanced system results in increased productivity for the organization’s IT team and improves the speed of security investigations. It provides multiple security layers that go beyond endpoints to broaden detection and response scope. Moreover, it creates an integrated and automated platform that enables complete visibility across security layers.

Cisco refers to it as extended detection and response, which makes complete sense considering how it goes beyond the mere identification and handling of a threat. XDR also makes it possible to determine how a user got infected, what the first point of entry was, how the attack managed to spread, and how many other users have been exposed to the threat. Additionally, its integration with SIEM and Security Orchestration, Automation, and Response (SOAR) systems allow analysts to use XDR in a broader security ecosystem.