The benefits of extended detection and response capabilities in the modern cyber threat environment.
Organisations today are under constant threat of data breaches and cyber attacks. McAfee Labs observed an average of 588 threats per minute, an increase of 169 threats per minute (40 per cent) in the third quarter of 2020 alone. The imperative to protect business-critical infrastructure from existing and emerging attacks on both devices and end users is beyond question.
XDR, or extended detection and response, has emerged as one of the tools for safeguarding the modern corporate IT infrastructure against increasingly sophisticated attacks. According to Enterprise Strategy Group, more than two-thirds of organisations expect to make an XDR investment in the next six to 12 months and nearly half (48 per cent) would be willing to replace individual security controls with integrated XDR solutions.
As XDR gains momentum, now is an opportune time to discuss the benefits of a unified detection and response platform, and what CSOs and security leaders should consider when evaluating and implementing one for their organisation.
The evolution from endpoint detection and response
Endpoint detection and response (EDR) was the proof of concept for XDR. Its success validated the detection and response model: security teams can detect threats, investigate them and respond in real time. For example, if a program behaves suspiciously, an EDR tool flags it to a human operator, who investigates as the event unfolds.
While EDR provides effective endpoint threat detection, analysis and response, security teams today need holistic visibility of where and how issues are occurring, and need to resolve them proactively rather than after the fact. The reactive model puts businesses and their data at risk because it relies on human security teams to investigate potential threats only after malicious activity has already been detected on an endpoint. Although the average time to detect and contain a threat has fallen from months to weeks and days, the ability to co-ordinate responses across the security ecosystem remains disjointed and labour-intensive.
Unlike EDR, XDR extends both visibility and response beyond the endpoint, giving teams the analytics to inform better security practices and response in one unified platform. Historically, security teams bought multiple point solutions to provide end-to-end protection, then complemented them with a SIEM to detect and correlate patterns across those investments, a manual and labour-intensive task.
In contrast, XDR aims to deliver a single AI-driven system that correlates and surfaces attacks identified across endpoints, networks, and cloud environments and services, without the burden of building correlations across the data sets by hand. It also provides a common framework for co-ordinating responses across security products, reducing the need for manual effort.
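The cross-source correlation described above, reduced to its core logic as an added example (not code from the original article or from any XDR product): a suspicious EDR event seeds an incident, and suspicious events from other sources that share the same host or user within a time window are pulled into it. The telemetry records, field names and the 15-minute window are constructed assumptions for this illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs: one normalised record per source
# (EDR, web proxy, cloud audit). Field names are assumptions for this example.
TELEMETRY = [
    {"source": "edr",   "ts": "2024-03-04T09:01:10", "host": "ws-17", "user": "alice",
     "detail": "powershell.exe -enc ...", "suspicious": True},
    {"source": "proxy", "ts": "2024-03-04T09:02:05", "host": "ws-17", "user": "alice",
     "detail": "CONNECT update-cdn-44.example:443 (rare domain)", "suspicious": True},
    {"source": "cloud", "ts": "2024-03-04T09:06:40", "host": None, "user": "alice",
     "detail": "ConsoleLogin from previously unseen IP", "suspicious": True},
    {"source": "proxy", "ts": "2024-03-04T09:30:00", "host": "ws-22", "user": "bob",
     "detail": "GET intranet.example/", "suspicious": False},
    {"source": "edr",   "ts": "2024-03-04T14:15:00", "host": "ws-22", "user": "bob",
     "detail": "cmd.exe /c whoami", "suspicious": True},
]

# Assumed correlation window: events further apart than this are not joined.
WINDOW = timedelta(minutes=15)


def parse_ts(value):
    return datetime.fromisoformat(value)


def severity_for(sources):
    """More independent sources agreeing on one entity means higher confidence."""
    if len(sources) >= 3:
        return "high"
    if len(sources) == 2:
        return "medium"
    return "low"


def correlate(events, window=WINDOW):
    """Build incidents from suspicious EDR seed events.

    For each seed, attach every other suspicious event that shares the seed's
    host (when the event carries one) or user and falls within +/- window.
    Returns a list of incidents, one per seed, with the distinct sources seen.
    """
    incidents = []
    seeds = [e for e in events if e["source"] == "edr" and e["suspicious"]]
    for seed in seeds:
        t0 = parse_ts(seed["ts"])
        related = [seed]
        for e in events:
            if e is seed or not e["suspicious"]:
                continue
            same_host = e["host"] is not None and e["host"] == seed["host"]
            same_user = e["user"] == seed["user"]
            if (same_host or same_user) and abs(parse_ts(e["ts"]) - t0) <= window:
                related.append(e)
        related.sort(key=lambda e: e["ts"])
        sources = sorted({e["source"] for e in related})
        incidents.append({
            "host": seed["host"],
            "user": seed["user"],
            "sources": sources,
            "severity": severity_for(sources),
            "events": related,
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(TELEMETRY):
        print(f"{inc['severity']:6} host={inc['host']} user={inc['user']} "
              f"sources={','.join(inc['sources'])}")
        for e in inc["events"]:
            print(f"    {e['ts']} [{e['source']}] {e['detail']}")
```

Run on the constructed records, the encoded PowerShell on ws-17 is joined with the proxy connection from the same host and the cloud login by the same user into one high-severity incident, while the later `whoami` on ws-22 stays a low-severity single-source finding because the only nearby event on that host was not suspicious. A production platform would add identity resolution (mapping a cloud principal to a workstation user) and tune the window per source, but the grouping rule is the same one an analyst performs by hand when pivoting between consoles.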
Staying ahead of adversaries
With the security landscape changing, organisations need a platform that brings together all relevant security data, not only to identify and respond to threats but to mitigate them proactively and stay ahead of adversaries before an event takes place. It is increasingly clear that EDR alone has shortcomings; organisations must therefore look to solutions that use larger data sets and offer a broader set of response actions beyond the endpoint.
However, simply streamlining detection and response may not relieve the burden practitioners carry because of the skills shortage that continues to affect the industry. According to AustCyber, Australia needs approximately 17,000 additional cyber security workers. To reduce this burden, organisations should also shift left in the attack cycle as far as possible, moving from detection and response to proactive and pre-emptive practices. This reduces the effort and time spent on reactive remediation and instead lets security teams invest their time in ensuring that existing security investments protect against what is most likely to hit the organisation.
To achieve this outcome, two further elements are required. First, additional context: information about the campaigns, adversaries and tools most likely to target the organisation, typically found in threat intelligence feeds.
Second, and more importantly, up-to-date and accurate knowledge of how each security control protects against the artefacts highlighted in the threat intelligence. For example, being told automatically that the endpoint control can detect and stop the tools commonly used in a campaign if a particular product feature is turned on, or that the web filtering solution can block command-and-control traffic to the URLs and IP addresses listed in the intelligence sources.
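The two elements just described, threat-intelligence context and knowledge of what each deployed control covers, can be joined into a coverage report. The following is an added example of that join and is not code from the original article or from any vendor product. The campaign, its tool names and indicators, the tool-to-feature mapping and the control inventory are all constructed assumptions; the indicator check understands both plain IP addresses and CIDR ranges in the web filter's blocklist, which a real feed and a real filter would both contain.

```python
import ipaddress

# Constructed threat intelligence for one hypothetical campaign. Tool names and
# indicators are invented for this example (RFC 5737 / reserved-TLD values).
CAMPAIGN = {
    "name": "example-campaign",
    "tools": ["encoded-powershell-loader", "credential-dumper", "custom-rat"],
    "c2_indicators": ["update-cdn-44.example", "203.0.113.7", "login-portal.example"],
}

# Assumed vendor knowledge: which endpoint product feature stops each tool.
# Tools absent from this map have no known endpoint coverage.
ENDPOINT_FEATURE_FOR_TOOL = {
    "encoded-powershell-loader": "script_control",
    "credential-dumper": "credential_theft_protection",
}

# Assumed current state of the deployed controls in this environment.
CONTROLS = {
    "endpoint": {"script_control": True, "credential_theft_protection": False},
    "web_filter": {"blocklist": {"update-cdn-44.example", "198.51.100.0/24"}},
}


def is_blocked(indicator, blocklist):
    """True if the web filter blocklist covers the indicator.

    Domains are matched exactly; IP addresses are matched against any IP or
    CIDR entry in the blocklist. Blocklist entries that are domains are skipped
    when testing an IP.
    """
    try:
        addr = ipaddress.ip_address(indicator)
    except ValueError:
        return indicator in blocklist  # not an IP: treat as a domain name
    for entry in blocklist:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # entry is a domain, not a network
    return False


def coverage_report(campaign, controls, feature_map):
    """Classify each campaign tool and C2 indicator by current control coverage."""
    endpoint = controls["endpoint"]
    blocklist = controls["web_filter"]["blocklist"]
    report = {
        "tools_covered": [],           # feature exists and is enabled
        "tools_feature_disabled": [],  # feature exists but is turned off
        "tools_uncovered": [],         # no known endpoint feature for this tool
        "c2_blocked": [],
        "c2_unblocked": [],
    }
    for tool in campaign["tools"]:
        feature = feature_map.get(tool)
        if feature is None:
            report["tools_uncovered"].append(tool)
        elif endpoint.get(feature):
            report["tools_covered"].append(tool)
        else:
            report["tools_feature_disabled"].append((tool, feature))
    for ioc in campaign["c2_indicators"]:
        key = "c2_blocked" if is_blocked(ioc, blocklist) else "c2_unblocked"
        report[key].append(ioc)
    return report


if __name__ == "__main__":
    rep = coverage_report(CAMPAIGN, CONTROLS, ENDPOINT_FEATURE_FOR_TOOL)
    for tool, feature in rep["tools_feature_disabled"]:
        print(f"ACTION: enable '{feature}' to stop {tool}")
    for ioc in rep["c2_unblocked"]:
        print(f"ACTION: add {ioc} to the web filter blocklist")
    for tool in rep["tools_uncovered"]:
        print(f"GAP: no endpoint coverage known for {tool}")
```

On the constructed inputs the report says the encoded PowerShell loader is already stopped, credential dumping would be stopped if `credential_theft_protection` were enabled, the custom RAT has no known endpoint coverage, one C2 domain is already blocked and the IP and second domain are not. Those are precisely the pre-emptive actions the article argues teams should be spending time on instead of chasing alerts; in a real deployment the two inputs would come from the intelligence feed and the control's own configuration API rather than from literals.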
This analysis cannot be done manually, given the sheer number of threats and of security controls deployed across a typical enterprise environment. Today, 66 per cent of security operations centres (SOCs) are ineffective because of too many disparate tools.
As organisations invest in XDR platforms in the coming year, emphasis should be placed on ensuring the platform offers additional internal and external threat context for detection and response, and also surfaces the preventative security tooling context that will help practitioners get ahead of simply chasing alerts.
Sahba Idelkhani is the director of systems engineering at McAfee