The latest buzz term in cybersecurity has everyone talking about advanced threat detection and response. Phil Muncaster investigates what all the fuss is about.
If you don’t like buzzwords, the cybersecurity industry is most definitely not the place for you. There’s a relatively high barrier to entry for the novice, and that bar is comprised of a huge number of opaque acronyms and specialized terminology. Part of the reason for this is the sheer pace at which technology advances. That old metaphor of the arms race between cyber-criminals and ‘white hat’ industry professionals has never been more relevant: they invent a new type of attack, we respond in kind, and so it goes on.
The challenge for CISOs is that, while cybersecurity tools and techniques must evolve, just as IT systems do, there’s also a fair amount of marketing hype in the industry. With scores of product categories already available on the market, how can you judge if the next big thing is right for your organization? As budgets tighten thanks to the impact of the pandemic, it’s never been more important to get this judgement right.
So we come to XDR: a new category of ‘extended’ threat detection and response tools defined by their ability to consolidate multiple controls, analytics, operations and telemetry. They offer much on paper, but how close does vendor hyperbole match up to reality?
"A new category of ‘extended’ threat detection and response tools defined by their ability to consolidate multiple controls, analytics, operations and telemetry"
Stretched to the Limit
We all know that today it’s not a case of ‘if’ but ‘when’ your organization is attacked. Against this backdrop, it becomes increasingly important that CISOs have the tools to hand to detect and respond to threats as early on in the kill chain as possible, before they have a chance to seriously impact the organization. This is what threat detection and response (TDR) is meant to achieve: analysts crunch information and alerts from across the security stack to determine and act fast on the root cause of attacks.
Unfortunately, the upper hand of late has been with the attackers. A 2018 poll by the Enterprise Strategy Group (ESG) revealed that over three-quarters (76%) of organizations felt TDR was more difficult than it was two years previously. An increasing volume and sophistication of threats (34%) and expanding attack surfaces (16%) were cited as the top reasons why.
If a similar poll were conducted today, these numbers may be even higher. Trend Micro alone blocked over 52 billion unique threats in 2019, yet the most sophisticated attacks still go undetected thanks to advanced techniques such as ‘living off the land.’ The results can be seen in the continued epidemic of data breaches, ransomware outages and other security incidents. Meanwhile, digital infrastructure will continue to grow as organizations adapt to a post-pandemic world, offering more endpoints and cloud accounts for attackers to target.
At the same time, security professionals are increasingly stretched to the limit. The industry as a whole is facing a shortfall of over four million professionals and that is rising all the time. Current siloed approaches to TDR make aggregating data expensive and time-consuming. Teams are often overwhelmed with alerts that keep them in constant firefighting mode with little time to get strategic. According to ESG, 36% of respondents claimed their cybersecurity teams spend most of their time addressing high priority/emergency issues and not enough on strategy and process improvement.
“XDR starts at the endpoint, augments endpoint data with other telemetry and then allows for a ‘response-in-depth’ approach"
Where Can XDR Help?
XDR looks to tackle these challenges by overcoming the limitations of traditional TDR, according to Forrester principal analyst, Jeff Pollard.
“When you examine the traditional approaches to detection and response, you discover the detection and analysis plane has been separate from the response plane. In other words, we would collect logs from everywhere to detect things and take rather basic, often network-based actions in response,” he tells Infosecurity. “XDR starts at the endpoint, augments endpoint data with other telemetry and then allows for a ‘response-in-depth’ approach.”
As for what typical capabilities are included in XDR, these will depend on the vendors involved. However, Gartner lists 10 core services: endpoint protection; detection and response; cloud access security brokers; secure web and email gateways; network firewalls and intrusion prevention; identity and access management; data loss prevention; user behavior anlytics; network traffic analysis and threat intelligence.
ESG senior principal analyst, Jon Oltsik, likens XDR to buying a new car, versus choosing to build one from different components.
“[With the latter], you may be able to cobble together a good car, but it’s a lot more work and demands knowledge of every component,” he tells Infosecurity. “XDR unifies detection and response across all technologies, which is really what organizations want. The value is improving the accuracy and timeliness of threat detection and incident response.”
Getting all this from a single unified system rather than a loosely grouped bunch of systems means teams can enhance analytics and streamline operations.
“The keys here are improved analytics with a direct link to security operations processes. If XDR fulfills its potential, it becomes the nexus for all security operations activities,” Oltsik adds.
Forrester’s Pollard also highlights the benefits for firms struggling with current approaches to security analytics, especially traditional SIEM.
“XDR takes a more bottom-up approach to detection – starting at the endpoint and then augmenting with additional log sources, rather than the top-down approach of SIEM, where you start with tons of logs, find ‘something’ and then pivot to various other technologies,” he says. “This means it’s a great way to jump into more advanced analytics without having to worry about the hardware or software required to upgrade or replace a traditional SIEM to get there.”
Getting Started
So how can CISOs begin to drive value from XDR? According to Gartner, it may not be right for all organizations and will depend on factors such as current staffing, productivity levels, risk tolerance, budgets and levels of IT federation. “XDR products have significant promise, but also carry risks such as vendor lock-in,” the analyst notes. “The XDR market is immature and capabilities vary widely across products from different vendors.”
The first step is therefore running a gap analysis between current and hoped-for XDR capabilities, followed by rigorous testing and evaluation. Future purchases and planned retirements must be clearly aligned to the long-term XDR strategy. If in-house teams can’t manage this, there’s the option of outsourcing to an MSSP, Gartner adds.
For ESG’s Oltsik, organizations could take three possible approaches to implementation based on the different models of XDR there are: an integrated platform from a single vendor, a partner model and vendor-agnostic software that sits above existing controls and analytics.
“Vendor-agnostic software options can be deployed on top of the existing security infrastructure and add value right away. Proprietary suites will be deployed over time where organizations will likely replace point tools with a single vendor’s option. This will take time as each tool is likely under a different amortization timeframe,” he explains. “Finally, the partnering model probably will be anchored by a single partner. A Tanium customer may opt to add Chronicle to get XDR coverage and benefits, for example.”
"If XDR fulfills its potential, it becomes the nexus for all security operations activities"
XDR and COVID-19
The good news for organizations concerned about taking the plunge at a time of mass remote working is that, with XDR platforms, the management plane is usually cloud-based. This means that, as long as admins can add endpoint agents remotely, they can start to unlock value straightaway from this new approach to TDR. The only potential roadblock to greater adoption could stem from greater data volumes, according to ESG’s Oltsik.
“It’s likely that the amount of security telemetry will increase as remote work becomes more of a default, while backend applications and workloads move to become public cloud workloads and SaaS applications,” he concludes. “Data volume increases will demand data pipelining improvements to accommodate stream and batch processing. This may hold up XDR somewhat as few security teams have the skills to put this together, but it’s likely that vendors and service providers will fill this void.”
Perhaps the key takeaway for CISOs and IT security buyers is that, as long as careful due diligence is performed, they shouldn’t be put off by the XDR hyperbole currently gushing from the vendor community. As Forrester’s Pollard argues: “Like most things in cybersecurity right now, XDR is both a marketing exercise and an approach that has real value.”
Why XDR? Why now?
CISO Challenges
- Stretched IT teams overwhelmed with alerts
- Siloed products providing limited value
- A widening corporate attack surface
- Growing sophistication and range of threats
XDR Offers
- Unified threat detection that goes way beyond the endpoint
- Accurate and timely alerts to stop threats earlier
- Fewer management/admin overheads
- Fewer higher fidelity alerts to empower stretched IT teams