I first mentioned the term eXtended Detection and Response (XDR) about 18 months ago. Since then, virtually every security vendor (the majors and the small and medium-sized companies alike) has joined the XDR trend and embraced the concept.
Some vendors approach XDR from the endpoint outward, others from the network inward. The premise of XDR is that security shifts from a collection of point products to a single platform with enterprise-wide threat visibility, and either starting point can get there. Data is collected at the various enforcement points and analyzed together in order to detect threats faster and respond quickly enough to contain the blast radius.
Traditional point tools such as Endpoint Detection and Response (EDR) find threats within their own domain, but often cannot see where an attack originated or where else it has spread, so corrective action stops at that one layer. This is why most detection and response tools are effective at the 'D' in EDR but weak at the 'R'. XDR is meant to solve that problem.
Five key features of an XDR solution
XDR spans every layer of security, which is why so many vendors have jumped on the term. The number of vendors to choose from is bewildering, and the market mixes genuine XDR solutions with products that merely carry the name. When judging a solution, it helps to weigh the following five key criteria for XDR:
1. Visibility of the overall security scope
The 'X' in XDR stands for 'eXtended'. So, while XDR tools should have broad visibility by default, expecting one vendor to have a security product at every point in the threat landscape is unrealistic.
An XDR provider should, at minimum, cover endpoints, cloud, and network natively, and then ingest third-party data feeds for areas such as email and application-specific telemetry. Ideally the XDR vendor owns all three of these pillars, but the capabilities can also be obtained through partnerships. Linking responses across multiple systems is harder in that case, but it can be done.
2. Machine learning-based analytics
Security systems generate vast amounts of data, far more than even the best forensic analysts can review by hand. Machine learning (ML) algorithms can pick out even the smallest anomalies that may indicate a breach. Even so, some security professionals hesitate to hand that judgement to a machine.
But machine learning is the only realistic way to run XDR at scale. In healthcare, for example, doctors a few years ago were uncomfortable having an ML system read an MRI, but they soon found that ML let them spend less time staring at images and more time with patients. The same holds for the relationship between security teams and XDR.
3. Automated response
As with ML-based analysis, responding to security incidents through automation requires a leap of trust. Some consider automated threat response risky, but the fact is that manual processes are slow, and while a breach is in progress the delay can cost a business millions of dollars.
An effective intermediate step is for the XDR system to recommend a change and the security team to validate and apply it. It is similar to Tesla's self-driving mode: the vehicle does the steering, but the driver keeps a hand near the wheel and stays ready to take over.
4. Coordinated response
The lack of coordinated response between the network, the endpoints, and the cloud has been the security team's Achilles heel since the field's earliest days. A threat can be detected and blocked on the network side without the endpoint team ever being told, so the malicious code that already landed keeps spreading inside the organization.
XDR calls for an integrated response capability that lets the security team remediate network, cloud, and endpoint threats from a single console. That enables rapid response and contains the impact of a threat.
5. Simple workflow
The saying that less complexity is better applies everywhere in security, but it is especially true of XDR. Today's siloed security tools generate a seemingly endless stream of alerts, far too noisy to act on.
In many of the major breaches of the past decade, the security vendors involved claimed their tools had detected the intrusion; what is well documented is that the security team never responded to the alert. Too many alerts are as good as none. An XDR system should present one complete picture with a straightforward way to investigate it, making it easy to find the root cause, the sequence of events, and the threat details drawn from every source.
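The behaviour the last three criteria describe (stitch alerts from the network, endpoint, and cloud feeds into one incident, lay out the sequence of events with its root cause, and propose a response that an analyst approves before anything runs) can be illustrated with a small correlator. This is an added example, not code from the original article or from any XDR product. The alert record format, the five sample alerts, the 15-minute correlation window and the escalation threshold are all constructed assumptions for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample alerts from three feeds (hypothetical data, not from any real system).
# The field layout itself is an assumption; real products each use their own schema.
SAMPLE_ALERTS = [
    {"source": "network",  "ts": "2023-04-01T10:00:05Z", "host": "ws-17", "user": "alice",
     "event": "dns_query_newly_registered_domain", "severity": 3},
    {"source": "endpoint", "ts": "2023-04-01T10:00:20Z", "host": "ws-17", "user": "alice",
     "event": "winword_spawned_powershell", "severity": 6},
    {"source": "network",  "ts": "2023-04-01T10:01:02Z", "host": "ws-17", "user": None,
     "event": "outbound_tls_to_uncategorized_ip", "severity": 4},
    {"source": "cloud",    "ts": "2023-04-01T10:03:10Z", "host": None, "user": "alice",
     "event": "oauth_consent_granted_unverified_app", "severity": 5},
    {"source": "endpoint", "ts": "2023-04-01T15:42:00Z", "host": "ws-03", "user": "bob",
     "event": "unsigned_driver_load_blocked", "severity": 2},
]

WINDOW = timedelta(minutes=15)   # assumed: how far apart linked alerts may be
ESCALATE_AT = 10                 # assumed: summed severity at which a response is proposed


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def entities(alert):
    """The pivot keys an alert can be joined on: its host and its user, when present."""
    return {(k, alert[k]) for k in ("host", "user") if alert[k] is not None}


def correlate(alerts, window=WINDOW):
    """Group alerts from any source into incidents when they share an entity
    (host or user) and fall within `window` of the incident's latest alert.
    Alerts are processed in time order so each incident is a growing timeline."""
    incidents = []
    for a in sorted(alerts, key=lambda x: parse_ts(x["ts"])):
        ts, ents = parse_ts(a["ts"]), entities(a)
        for inc in incidents:
            if ents & inc["entities"] and ts - inc["last_ts"] <= window:
                inc["alerts"].append(a)
                inc["entities"] |= ents      # a cloud alert keyed only on the user still joins
                inc["last_ts"] = ts
                break
        else:
            incidents.append({"entities": set(ents), "alerts": [a],
                              "first_ts": ts, "last_ts": ts})
    for inc in incidents:
        inc["score"] = sum(a["severity"] for a in inc["alerts"])
        inc["sources"] = sorted({a["source"] for a in inc["alerts"]})
    return incidents


def timeline(incident):
    """Sequence of events as the analyst would read it; the first entry is the root cause."""
    return [f'{a["ts"]} [{a["source"]}] {a["event"]}' for a in incident["alerts"]]


def propose_response(incident, escalate_at=ESCALATE_AT):
    """Recommend containment for every entity in a high-scoring incident.
    Nothing is executed here: every action starts as pending_approval."""
    if incident["score"] < escalate_at:
        return []
    actions = []
    for kind, value in sorted(incident["entities"]):
        if kind == "host":
            actions.append({"action": "isolate_host", "target": value,
                            "status": "pending_approval"})
        elif kind == "user":
            actions.append({"action": "revoke_sessions_and_tokens", "target": value,
                            "status": "pending_approval"})
    return actions


def approve(actions, approver):
    """Analyst sign-off: the human-in-the-loop step before any action is dispatched."""
    return [dict(a, status="approved", approved_by=approver) for a in actions]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f'incident score={inc["score"]} sources={inc["sources"]}')
        for line in timeline(inc):
            print("  ", line)
        for act in propose_response(inc):
            print("   proposed:", act["action"], act["target"], act["status"])
```

Run against the constructed feed, the five raw alerts collapse into two incidents: the ws-17/alice chain (network, endpoint, and cloud alerts, summed severity 18) gets a proposed host isolation and token revocation that wait for approval, while bob's single low-severity endpoint alert stays below the threshold and gets no proposed action. The join on user as well as host is what lets the cloud-side consent grant, which carries no hostname, land in the same incident as the endpoint and network events.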
One last point for companies considering an XDR deployment: there are many powerful solutions, but the effectiveness of any of them depends entirely on the team using it. A successful XDR strategy requires breaking down the silos between the cloud, endpoint, and network security groups. An XDR deployment has to be driven top-down from the CISO, with each group expected to cooperate beyond its own silo. XDR has made a lot of progress since the term was first coined two years ago; people and processes must evolve with it.