Security professionals are inundated with thousands of alerts per day generated by a growing number of cybersecurity tools. Investigating and connecting individual alerts to events often takes days. Seeing the proverbial forest for the trees is an ongoing struggle. And, once threats are discovered, the time required to understand the breadth of the attack and ultimately remediate the threat is now measured in months. IBM’s Cost of a Data Breach Report found the mean time to identify a malicious attack is 230 days; the mean time to contain the attack is 84 days. This is why breach incidents continue to increase, despite rising cybersecurity investments.
Smaller organizations suffer the most from runaway cybersecurity complexity, but many simply cannot afford the wide array of security solutions needed to provide visibility into impending threats across their environments. The cybersecurity stack has become so complex and unwieldy that the skillset required to maintain and operate the solutions is beyond what these organizations can handle. Indeed, only the largest corporations have the available staff to address these issues.
Seeing the Forest
A new class of security tools is emerging that promises to greatly improve the effectiveness and efficiency of threat detection and response. Gartner defined a new solution category that aggregates and correlates telemetry from multiple detection controls and then synthesizes and automates response actions – extended detection and response (XDR).
Businesses typically deploy multiple prevention and detection technologies to defend points of entry and movement, such as endpoints, networks, users and data. While these tools generally do a fine job preventing and detecting the vast majority of cyberattacks, they continue to miss the edge cases – the sneaky attacks that slip through the cracks of point solutions. Visibility across the environment and understanding the context of security data and alerts is the first step to solving the complexity problem.
Many organizations have turned to endpoint detection and response (EDR), endpoint protection platform (EPP) solutions and next-generation antivirus (NGAV) solutions for enhanced protection beyond the commonly used antivirus (AV) platforms. The EDR/EPP/NGAV solutions have proven highly valuable in preventing and detecting many forms of endpoint attacks. However, cybercriminals are finding ways to bypass these endpoint-centric approaches with increasingly stealthy attacks. Confirmed breach levels have continued to rise despite massive investments in cybersecurity solutions and resources.
Based on the dwell time cited in IBM’s study, the real challenge in security today is finding the threats that bypassed first-line defenses as quickly as possible. Something that may seem innocuous by one security solution suddenly becomes cause for concern when intelligently paired with information from other security solutions. Consolidating prevention and detection technologies into a single solution can coordinate threat signals to paint a more accurate picture of the attack landscape.
Another important step for simplifying security lies in automating response actions to address the real threats identified through better visibility and context. Security teams today spend significant time investigating false-positive alerts. Confirmed threats then require access to multiple controls through multiple consoles and presentation schema for investigating the full breadth of the attack. Remediating threats also requires far too much effort to plan and coordinate corrective actions across multiple security systems. Security teams are simply overwhelmed by operating and maintaining too many point solutions.
A New Approach to Threat Detection and Response: XDR
XDR helps security teams by consolidating and rationalizing alerts into actionable incidents and automating investigation and response actions. The primary requirements of an XDR platform are threat visibility, incident orientation and response automation.
The basis of XDR is broad visibility across primary prevention and detection components that provide the most pertinent threat telemetry. Combining signals from these components provides the context required to detect stealthy (and otherwise undetectable) attacks while providing far greater detection accuracy (and thereby reducing false positives). Because the components included are part of a single platform, data and alert information can be easily normalized and combined; a feat that is highly difficult when trying to coordinate multivendor point solutions. Deciding which prevention and detection components should be included in the XDR platform is critical. While some suggest including a very broad range of detection and security tools, focusing on tools that cover the primary attack vectors should be prioritized. At a minimum, XDR tools should include signals from the following key components:
NGAV – Next-generation antivirus for basic endpoint malware prevention and detection.
EPP/EDR – Endpoint protection platform/endpoint detection and response for more advanced endpoint protection, detection and response.
UEBA – User and entity behavioral analytics (to detect anomalous user behaviors).
NTA – Network traffic analysis to detect malicious activity on your network.
Combined, the signals from these solution categories provide the broad visibility required to detect the vast majority of attacks across the cyberthreat kill chain. Other data may supplement this core set, but these components have been shown to provide the best value. For example, signals from deception technologies that trick successful intruders into exposing their presence before damage can be done can provide highly valuable signals to an XDR platform. It’s also recommended that as many components as possible are native to the platform. This ensures that all signals are properly normalized and weighted and that all features and policies can be managed from a single interface. It also eliminates the time and effort required to integrate and continuously maintain tools from multiple vendors.
Centralizing the signals from multiple detection tools allows XDR platforms to combine alerts and data into incidents. XDR platforms can intelligently combine seemingly benign signals from multiple sources to uncover threats that were not detected by any single source. The platform can also determine if alerts should be combined and escalated into holistic incidents or dismissed as false positives. The formation of holistic incidents provides far more context to response actions than individual alerts. Incidents include all pertinent alerts and information related to an attack to accelerate investigation, decision and response actions. Presenting threats in a unified incident view is far more efficient than toggling between multiple systems to (hopefully) gather the same intelligence. In this way, XDR platforms resemble SIEM tools, but the data and capabilities are native to the XDR platform.
After formulating a security incident along with all associated details and context, XDR platforms also provide response capabilities to quickly and automatically prevent or minimize damage. Response actions begin with investigation, automatically collecting information associated with the incident, determining the root cause and analyzing the impact of the threat. For example, some XDR tools might automatically list running processes associated with an alert, query a Windows registry, collect environmental variables or run an automated script, among other capabilities.
While much attention has been paid to the detection part of XDR, the response capabilities of the platform can allow organizations to instantly react to real-time threats while minimizing the burden on their security teams. Most XDR tools provide some level of automated remediation actions, such as deleting malicious files, quarantining infected endpoints or killing rogue processes. More advanced XDR platforms expand remediation across the environment and automate more complex response actions that chain various remediation actions into a single flow that runs automatically when a predefined alert is triggered.
Many large organizations are turning to security orchestration, automation and response (SOAR) technology to collect threat-related data from multiple sources and then automate responses to real-time threats across multiple security controls. However, successfully operationalizing SOAR is highly complex and requires a significant management burden, making it accessible to only the largest enterprises. XDR platforms, with multiple native security controls, have the potential to provide SOAR-like capabilities without the heavy lifting required for a full SOAR solution.
The Benefits of XDR
XDR provides a holistic platform that unifies multiple control points to coordinate threat prevention, detection and response. This approach improves detection accuracy while dramatically reducing the complexity and overhead required for comprehensive threat protection.
XDR platforms provide a broader view of incoming threats by natively combining prevention and detection controls from the meaningful attack vectors. This holistic view enables XDR platforms to automatically separate real alerts from noise, as well as uncover subtle threat clues that may have gone unnoticed with siloed detection tools. The visibility and intelligence provided by XDR platforms leads to unprecedented threat detection accuracy.
Security teams spend far less time chasing after false-positive alerts with XDR platforms. Many real threats are automatically remediated with no manual intervention required. Confirmed incidents are either automatically investigated and remediated or accompanied by rich data and context to shorten manual investigation and response actions. The time required to integrate, maintain and threat detection and response on auto-drive, the security staff can focus on other pressing issues rather than ongoing alert-chasing.
Consolidating multiple security products into a single XDR platform provides significant cost savings, both in terms of direct vendor costs and internal support costs. Smaller companies without the full array of prevention and detection controls automatically gain broad and deep threat coverage with the purchase of a single XDR solution. Reducing a large volume of alerts into fewer meaningful incidents, along with automating response actions reduces the time security teams would otherwise spend on these tasks.
The right XDR solution is a holistic platform that unifies multiple control points to coordinate threat prevention, detection and response. This approach improves detection accuracy while dramatically reducing the complexity and overhead required for comprehensive threat protection.