The ability to effectively detect and respond to threats is of paramount importance to modern organizations of all sizes. However, due to a variety of factors including evolving cyber-attacks, widening attack surfaces, proliferation of the cloud and, more recently, vastly extended network environments, approaches to threat detection and response have had to mature and adapt quickly to keep pace with the plethora of risks that now threaten the security of data.
This has given rise to the concept of extended threat detection and response (XDR) – a new approach to threat detection and response deemed a more effective alternative to traditional reactive methods that provide only layered visibility into attacks, such as endpoint detection and response (EDR).
One company specifically situated within the XDR space is Hunters, a group of cyber and technology experts – including veterans of the Israeli Defense Forces’ 8200 unit – with vast backgrounds in adversarial cyber.
Its mission is to democratize threat hunting so that organizations can detect stealthy attacks and face the never-ending dynamism of cyber-threats by utilizing XDR.
To learn more about XDR and its role in the current and future landscape of threat detection and response, Infosecurity spoke to Hunters’ CEO and co-founder Uri May.
What is XDR and how has it emerged as the successor to EDR?
XDR is an analytics-based approach for holistic threat detection and response. By normalizing data and correlating existing telemetry and sources across surfaces, it increases detection fidelity while reducing false positives and triage time.
XDR emerged from EDR, likely because endpoint became a mandatory ‘stopping point’ for attackers – a lot can be found by connecting EDR logs with cloud logs, but it certainly does not stop there. A good XDR should be able to ingest, analyze and prioritize threat signals from across cloud, network, endpoint and even sources like cloud storage or SaaS applications, in order to run thorough correlations. The larger the visibility, and the richer the context, the better detection you’ll get.
Why is XDR different and what does it bring to the IT security stack?
XDR is about pushing existing IT technology stacks to their next level and leveraging different single point solutions in an automatic way. Up until now, fusion of different data and information was done manually and depended on the level of expertise your SOC has. XDR automates that, scales it and makes it a lot more predictable.
How does XDR find the legitimate threat signals while filtering out the noise?
This is the critical part. Attackers nowadays are leveraging techniques that are more about blending in versus staying undetected. By relying on more information (from different products) and with the right ability to process that information at scale, an XDR solution can triangulate threats by combining several weak signals into a meaningful incident. This will be the basis for implementing better incident response, threat hunting and even real-time detection and triage.
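To make the "several weak signals into a meaningful incident" idea concrete, here is an added example (not Hunters' code and not part of the interview) that normalizes two vendor-specific log shapes into one schema and correlates them per user inside a time window. The EDR and cloud-audit events, the signal weights and the threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Hypothetical weak-signal weights: no single one is worth paging an analyst.
WEIGHTS = {"edr.encoded_powershell": 4, "cloud.console_login": 3, "cloud.create_access_key": 4}
INCIDENT_THRESHOLD = 8          # several weak signals together must reach this
WINDOW = timedelta(minutes=15)  # signals must cluster in time, not just share a user

# Constructed sample telemetry in two vendor-specific shapes (not real logs).
EDR_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "ws-17", "user": "alice",
     "process": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA..."},
]
CLOUD_EVENTS = [
    {"eventTime": "2024-05-01T10:03:00", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-05-01T10:09:00", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-05-01T12:00:00", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "bob"}},
]
CLOUD_SIGNALS = {"ConsoleLogin": "cloud.console_login",
                 "CreateAccessKey": "cloud.create_access_key"}

def normalize(edr_events, cloud_events):
    """Map both sources onto one schema: (time, principal, signal name)."""
    signals = []
    for e in edr_events:  # EDR: flag encoded PowerShell command lines
        if e["process"].lower() == "powershell.exe" and "-enc" in e["cmdline"].lower():
            signals.append((datetime.fromisoformat(e["ts"]), e["user"], "edr.encoded_powershell"))
    for c in cloud_events:  # cloud audit log: pull the user out of its nested identity block
        if c["eventName"] in CLOUD_SIGNALS:
            signals.append((datetime.fromisoformat(c["eventTime"]),
                            c["userIdentity"]["userName"], CLOUD_SIGNALS[c["eventName"]]))
    return sorted(signals)

def correlate(signals):
    """Per principal, slide a time window over the signals; emit an incident once
    the summed weight of the distinct signals inside it reaches the threshold."""
    by_user = defaultdict(list)
    for ts, user, name in signals:
        by_user[user].append((ts, name))
    incidents = []
    for user, events in by_user.items():
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= WINDOW}
            score = sum(WEIGHTS[n] for n in names)
            if score >= INCIDENT_THRESHOLD:
                incidents.append({"principal": user, "score": score, "signals": sorted(names)})
                break  # one incident per principal is enough for this demo
    return incidents
```

Running `correlate(normalize(EDR_EVENTS, CLOUD_EVENTS))` yields a single incident for alice (score 11 from three clustered signals), while bob's lone console login stays below the threshold and produces nothing.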
What role will XDR play in the future of enterprise cybersecurity?
It will completely change the way SOCs are operating today, from recruiting to training all the way to detection and response flows. The responsibility model that is shared between customers, service providers and security vendors is changing – more is going to be automated and owned by vendors that are going to be accountable for the results.