Given the volume, sophistication, and potential harm of today’s cyberthreats, it is essential (and unfortunately, also impossible) for security teams to leave no stone unturned in the discovery of potential security attacks and breaches. In an ideal world, this effort would include such tasks as inspecting every URL embedded in every blocked email, every file hosted by every blocked website, every login request allowed or blocked, and so on.
However, the average organization uses a dozen (or more) security tools, often from a variety of vendors. These solutions already generate thousands of alerts each day that need to be reviewed. And most of these tools operate in isolation, which means that chasing down these alerts often involves hand-correlating events between different management consoles. As a result of this complexity, security teams already often respond too slowly to alerts, have time for fewer investigations, and run a greater risk of missing an attack in progress.
So it’s not surprising that nearly half of security leaders report the “complexity of their environment as among the most challenging aspects of security.” Worse, over three-quarters of organizations admit their security architectures are disjointed due to nonintegrated security products. And given the rate that the digital footprint of most organizations is expanding, there are simply not enough hours in the day, nor enough security experts in the industry, to investigate each and every alert.
One new security concept understandably capturing the attention of cybersecurity professionals is XDR. Gartner defines Extended Detection and Response (XDR) as “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.” The challenge faced by most security solutions is that, while they may be effective within their own sphere, the scope of their capabilities is limited. For example, a firewall may be world-class, but it can only provide a snapshot of traffic moving across a particular point in the network. However, defending against today’s sophisticated threats requires visibility and control that spans the entire distributed network.
XDR represents a new security paradigm in which individual security controls see, share, and correlate data as part of a coordinated security platform to more effectively detect threats and to then deliver a coordinated response that covers the entire attack surface. Simple, right? Actually, it is quite complicated.
The idea of enabling different technologies to work together as a single, integrated system provides powerful advantages for the detection of and response to threats—which is why so many vendors are jumping on the XDR train. But most XDR solutions suffer from one of three challenges.
The first is that many vendors only cover one or, best case, a few attack vectors—endpoint, email, network, or cloud. But the promise of XDR is multiple solutions collaborating together. So, the value of their XDR solution is entirely dependent on other vendors developing to their technology. Which means the scope of your XDR solution may be limited to only a portion of your organization and its attack surface.
Second, for those vendors that offer a full suite of security solutions, delivering an effective XDR solution may still be a challenge. Just because a company offers multiple products doesn’t necessarily mean that they have invested the resources needed to integrate them. Especially when components were acquired through large acquisitions, the requirements that accompany large install bases can dominate development resources and block substantial changes that are needed for integration. In these cases, XDR functions as a thin overlay to compensate for the fact that these tools don’t really interoperate and that there are significant limitations in the way they can function, which can create serious challenges for IT teams.
Third, most all vendors seem to focus on extended detection and extended response, skipping over the middle stage of investigation and validation. As a result, human security professionals still have significant effort ahead of them—especially as threat and alert volumes continue to grow.
For XDR to be effective, you need broad attack surface coverage, deep integration, and a focus on all three steps—detection, investigation and response.
When selecting an XDR solution, it is important to assess its three foundational functions.
1. Extended Detection: XDR needs to be able to collect data from across the organization, then correlate and analyze it in order to reduce a huge volume of raw information into a smaller amount of high fidelity details about potential incidents. The more attack vectors for which you have threat telemetry, the more likely it is that you will be able to find an active threat. Of course, collecting data is only half of the process. Any examination of an XDR solution also needs to look carefully at the analytics being used to detect the incidents.
2. Extended Analysis: Once a potential incident is detected, an investigation needs to take place. Is this a real threat or a false positive? Is this an indication of a larger threat? If so, what is the scope? These days, many cyberattacks are multi-stage, with components disappearing after they serve their purpose. Just because you no longer see certain indicators that triggered an alert doesn’t mean your organization is safe and your team is “out of the woods.”
Most XDR solutions simply hand this step over the (human) security team to conduct an investigation. But given the volume of alerts and limitations being generated, and resource constraints due to the cybersecurity skills gap, many security teams are simply not resourced to chase down every potential incident. An experienced security analyst must look at the potential incident, determine how to investigate and verify it, and then decide the right response steps to remediate and return to safe operation. This takes time, which many organizations simply don’t have available.
Instead, organizations should look for an XDR solution that has been augmented with artificial intelligence (AI) trained to automatically investigate alerts. That AI system should be able to establish the context of a potential incident, perform a thorough investigation, identify its nature and scope, and ideally provide enough detail to speed response. (A well-trained AI system can perform this function in a matter of seconds, and scale much easier and affordably than finding and relying on scarce human investigators.)
3. Extended Response. Of course, investigation and validation needs to trigger an effective response to mitigate the incident. First, it needs to be able to marshal as many resources as possible to mount an effective, coordinated response based on the full scope of the attack. Second, it needs to be pre-defined and repeatable—to not only make the response more efficient, but to also intervene at any step in an attack that is in progress. And third, it needs to be able to help close those gaps in the existing security framework that allowed the threat into the network.
XDR represents a significant step forward in the ability of organizations to detect, investigate, and respond to threats. (Despite the acronym, don’t overlook the unnamed middle step!) But as with any new technology entering the marketplace, there is a lot of hype, and buyers need to be wise. The reality is, not all XDR solutions are alike.
Addressing these and similar questions is the best way to ensure that any XDR solution you select can help you safely compete in today’s increasingly complex, and risky, digital marketplace.