Over the past year, there’s been a movement growing in the industry towards Extended Detection and Response, or XDR. While a few offerings represent broad portfolio consolidation and convergence towards packaging multiple solutions into one, there’s an undeniable demand for a more outcome-oriented approach to threat detection and response.
While most attacks continue to compromise and persist on the endpoint, today’s adversaries don’t really care if they need to traverse between endpoints, SaaS solutions, identities, or if the underlying assets are on-premises or cloud hosted. All that matters is achieving the mission target, whether that’s data exfiltration, disruption, or stealthy persistence.
XDR is a better way to achieve the outcome of stopping threats, especially when compared to the traditional method of “let’s throw everything into a data lake and hope value magically emerges.” XDR solutions are cloud-native and follow behaviors across endpoints and beyond, so they’re best for SOC teams with businesses investing in cloud adoption and SaaS.
In particular, consider XDR if your team is trending towards these three signs:
- Your team seeks a sustainable approach to detection that minimizes alert fatigue, rule-tuning, and data architecture work
- Your employees must have the option to “work anywhere” securely and quickly
- Your company is investing in cloud-based infrastructure or services
Let’s break down these three scenarios and share how XDR is positioned to help.
XDR vs data lake
The common thinking is that a path to security maturity involves collecting massive amounts of data and placing it in a SIEM, where analysts and experts can sift through it and hunt for hidden threats. This approach requires too much expertise and manual labor and is out of reach of most organizations. Teams not only need to write and perform complex searches, but also interpret the results and work with other teams to implement change.
Most XDR solutions today are threat-focused, collecting the most relevant data required to make true-positive convictions. By eliminating the need for analysts to learn proprietary search languages, XDR provides the ability to filter and pivot between data sets at a much faster pace. With the XDR market incorporating automation and orchestration, this reduces human effort, human errors, and can directly impact time to respond if the XDR console allows orchestrated, real-time response.
Tip: Consider red teaming or penetration testing with your deployment to confirm that XDR is more effective than an existing log management system.
Protecting a “work anywhere” attack surface
As our corporate perimeters change, so does our attack surface. Our endpoints – desktops, laptops, and servers – continue to be the backbone of our network, but in many cases we are interacting with third-party cloud servers and hosted services that are not under our control.
For example, our incident response team frequently sees attackers stealing and abusing cloud credentials after compromising an endpoint. The promise of XDR is to break what previously was siloed – endpoint, on-premises, cloud – and bring them together into a multi-dimensional view. That means that whether the attack starts on the endpoint or not, XDR can find it and even stop it.
Tip: Not all XDR vendors have the same depth of integrations. Choose an XDR vendor that supports your ecosystem and has a shared vision as your IT strategy.
If you’re increasing spend in cloud services or infrastructure, you may already be investing in security tools to protect the cloud. Many newer technologies include user and entity behavior analytics, which help identify anomalous and suspicious activity. This provides great visibility but can get tricky when trying to understand the broader context. For example, if Alice’s logon to Okta or another identity provider is “suspicious,” how do we understand if it’s actually a stolen credential?
XDR can bridge the gap here, fusing together device and identity context to find otherwise missed attacks. For example, if XDR is connected from cloud services to endpoints to email, it’s possible to see the complete scope of a phishing attack, including email recipients, infected endpoints, and compromised user accounts.
A path to XDR
Our IT networks are constantly changing to better support remote workers, faster collaboration, and secure development. At the same time, adversaries are abusing this expanded attack surface by stealing user identities and lurking behind siloed threat detection tools.
The traditional approach of centralizing data and generating alerts on individual “bad” events can work, but puts the focus on data collection, maintenance, and hunting. If you’re looking for an outcome-focused approach to finding and ending attacks, especially as your company IT network rapidly changes, consider Extended Detection and Response.