XDR: Unifying incident detection, response and remediation
According to IBM’s Cost of a Data Breach Report 2020, the average time it took a company in 2019 to identify and contain a breach was 279 days. It was 266 days in 2018, and the average over the past five years was 280 days. In other words, things haven’t gotten much better. It’s clear that time is not on CISOs’ side and they need to act fast.
What’s holding organizations back when it comes to detecting and remediating data breaches?
Let’s consider the top challenges facing security operations centers (SOCs). First, there are too many alerts, which makes it difficult to prioritize those that deserve immediate attention and investigation.
Also, there’s no unified view of the security information generated by the layers of tools deployed by most large enterprises. Finally, these problems are compounded by the fact that organizations are using hybrid on-premises and cloud architectures, as well as purely cloud environments.
Another major obstacle facing SOCs is that threat hunting and investigations are still manually intensive activities. They are complicated by the fact that the data sources SOCs use are decentralized and must be accessed from different consoles.
SOCs also lack visibility into a very significant component of threat hunting: identity. It has taken an even more prominent role now that so many people are working remotely due to COVID-19.
The analysis, control and response planes in current security architectures are not integrated. In other words, analytics are separated from the administration and investigation stack, which is also separated from the tools used to intercept adversaries and shut down an attack.
A new architecture has emerged called XDR, which stands for “extended detection and response.” Research firm Gartner listed XDR as one of its top 9 security and risk trends for 2020. XDR flips the current security model on its head by replacing the traditional top-down approach with a bottom-up approach to deliver more precise and higher fidelity results.
The primary driver behind XDR is its fusing of analytics with detection and response. The premise is that these functions are not and should not be separate. By bringing them together, XDR promises to deliver many benefits.
The first is a precise response to threats. Instead of keeping logs in a separate silo, with XDR they can be used to immediately drive response actions with higher fidelity and deeper knowledge of the details surrounding an incident. By contrast, the traditional SIEM approach is based on monitoring network log data for threats and responding on the network.
Unless a threat is simple, like commodity malware that can be easily cleaned up, remediation is typically delayed until a manual investigation is performed. XDR, on the other hand, provides SOCs with both the visibility and the ability not just to respond but also to remediate. SOC operators can take precise rather than broad actions, and not just across the network, but also on the endpoint and in other areas.
Because XDR seeks to fuse the analysis, control and response planes, it provides a unified view of threats. Instead of forcing SOCs to use multiple interfaces to threat hunt and investigate, event data and analytics are brought together in XDR to provide the full context needed to precisely respond to an incident.
Unlike the SIEM model, which centralizes logs for SOCs to figure out what’s important, XDR begins with a view of what’s important and then uses logs to inform response and remediation actions. This is fundamental to how XDR inverts traditional SIEM and SOC workflows.
Another important benefit of XDR is that it gives SOCs the ability to investigate and respond to incidents from the same security technology platform. For example, an alert or analytics indicator might be generated on the endpoint and initiate an investigative workflow, which is then augmented with network logs or other system logs that are part of the XDR platform for greater context.
Instead of moving between different consoles, all the data sources are in one place. XDR enables SOC operators to resolve and close out a workflow on the same technology platform where it was initiated.
Currently, most organizations have tools that can initiate a workflow and others that can augment a workflow, but very few that can actually resolve a workflow. The goal of XDR is to provide a single environment where incidents can be initiated, investigated and remediated.
Finally, by fusing analytics, the network and the endpoint, SOCs can respond to incidents across a variety of control planes, and customize actions based on the event, the system criticality, the adversary activity, etc.
What XDR makes possible
With XDR, SOCs can force a re-logon or a logoff through integration with IAM tools. They can contain a host because they are directly connected to the endpoint. Using network analysis and visibility, XDR can provide deeper insight and context into threats, including whether they are moving laterally, have exfiltrated data, and more.
Ultimately, XDR makes it possible for SOCs to respond to incidents in ways that were not possible in the past, such as taking more surgical network-based remediation actions.
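The workflow described above (an endpoint alert enriched with network and identity data, then resolved with actions tailored to the context and the asset's criticality) can be sketched in code. The following is an added illustration, not code from the article or from any XDR product; all hostnames, IPs, thresholds and the shape of the telemetry records are constructed for the example.

```python
"""Toy XDR correlation (constructed example): enrich an endpoint alert with network
flows and IAM sessions, then choose response actions by context and asset criticality."""
from collections import namedtuple
from datetime import datetime, timedelta

# Alert as the EDR plane would hand it over; criticality comes from the asset inventory.
Alert = namedtuple("Alert", "host user src_ip time criticality")
LATERAL_PORTS = {445, 3389, 5985}  # SMB, RDP, WinRM: common lateral-movement services
EXFIL_BYTES = 50_000_000           # constructed threshold for "large" outbound volume

def is_internal(ip: str) -> bool:
    return ip.startswith("10.")    # constructed: the example network is 10.0.0.0/8

def enrich(alert, flows, sessions, window=timedelta(hours=1)) -> dict:
    """Fuse network flows and IAM sessions from the hour after the alert into one context."""
    later = [f for f in flows
             if f["src"] == alert.src_ip and alert.time <= f["ts"] <= alert.time + window]
    lateral = sorted({f["dst"] for f in later
                      if is_internal(f["dst"]) and f["dport"] in LATERAL_PORTS})
    outbound = sum(f["bytes"] for f in later if not is_internal(f["dst"]))
    elsewhere = sorted({s["host"] for s in sessions
                        if s["user"] == alert.user and s["host"] != alert.host})
    return {"lateral_targets": lateral, "exfil_suspected": outbound >= EXFIL_BYTES,
            "user_sessions_elsewhere": elsewhere}

def plan_response(alert, ctx) -> list:
    """Pick surgical actions on the endpoint, IAM and network planes from one context."""
    severe = ctx["lateral_targets"] or ctx["exfil_suspected"] or alert.criticality == "high"
    actions = [("endpoint", "isolate" if severe else "collect_triage", alert.host)]
    if ctx["lateral_targets"] or ctx["user_sessions_elsewhere"]:
        actions.append(("iam", "force_logoff_reauth", alert.user))   # re-authenticate the user
    for target in ctx["lateral_targets"]:                             # cut only the lateral paths
        actions.append(("network", "block_flow", f"{alert.src_ip}->{target}"))
    if ctx["exfil_suspected"]:
        actions.append(("network", "block_egress", alert.src_ip))
    return actions

# Constructed telemetry: one alert, three flows (one from an unrelated host), two sessions.
T0 = datetime(2020, 9, 1, 10, 0)
ALERT = Alert("ws-finance-07", "alice", "10.0.0.7", T0, "normal")
FLOWS = [
    {"src": "10.0.0.7", "dst": "10.0.0.20", "dport": 445, "bytes": 4096, "ts": T0 + timedelta(minutes=5)},
    {"src": "10.0.0.7", "dst": "203.0.113.5", "dport": 443, "bytes": 80_000_000, "ts": T0 + timedelta(minutes=20)},
    {"src": "10.0.0.9", "dst": "10.0.0.20", "dport": 445, "bytes": 2048, "ts": T0 + timedelta(minutes=7)},
]
SESSIONS = [{"user": "alice", "host": "ws-finance-07"}, {"user": "alice", "host": "srv-files-01"}]

if __name__ == "__main__":
    for action in plan_response(ALERT, enrich(ALERT, FLOWS, SESSIONS)):
        print(action)
```

In a real deployment the flows, sessions and criticality would come from the network, IAM and asset-inventory layers of the platform, and each action tuple would be dispatched to the corresponding control plane rather than printed.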
Making XDR a reality requires implementing a horizontal plane that connects all existing security silos to unify analysis, control, and response – which won’t happen overnight. The benefits of XDR, however, are well worth the effort.