Distinguishing hype from reality: Why XDR is key to protecting against modern, sophisticated attacks

A true XDR solution is able to collect, correlate and analyse security data from a variety of sources across multiple domains.

XDR must deliver real-time threat detection and event analysis, minimise data duplication and false positives, and enable automated and orchestrated response capabilities.

Ultimately, XDR is about obtaining better detection and response outcomes across all the relevant technology domains existing within an organisation.

This is important because what we’ve seen in recent years is an increase in the sophistication of cyber attacks leading to a breakout time that is significantly decreasing.

Breakout time is how long it takes for an adversary to move laterally within an organisation, from the first compromised host to a secondary one.

This is an important defensive metric to track, because once an adversary has moved laterally within an organisation, it is far harder and more expensive to detect and respond to the attack.

The CrowdStrike Global Threat report noted in 2018 that the breakout time was nine hours and 42 minutes in 2018, decreasing to one hour and 38 minutes in 2021.

This is caused in part to the escalation of the threat landscape, new hybrid working models that have come in or accelerated as a result of the pandemic as well as a reliance on legacy security tools by some organisations.

VIEW ALL

In order to protect themselves, we’ve seen enterprises turning to extended detection and response (XDR) solutions – an evolution of endpoint detection and response (EDR) – to ensure they are protected beyond just the endpoints themselves.

Unfortunately, we still see some XDR solutions that fail to deliver on the promise of true XDR, creating uncertainty in our industry and putting organisations at risk.

False XDR is doing more harm than good for security teams

Many of today’s “XDR” solutions compound these issues for security teams by flooding them with more data, more alerts and more complexity.

One misconception is that rebranding an old solution to XDR by adding more network data, security information and event management (SIEM) capabilities, automation, or integration to other EDR solutions makes for an effective XDR solution.

And while such an approach from a technical perspective may seem logical to most people, there is more to it, since adding more data points without helping teams glean actionable insights does not make a solution more effective.

As attacks grow in scale and sophistication, more meticulous work is needed on the backend for security teams to sift through semantic gaps and piece together the full scope of incidents and their protracted trails of lateral movement across every vector and touchpoint.

More and more data by itself is not going to help stretched security teams fill these gaps.

To get to true XDR, first start with EDR

XDR should start with EDR as the cornerstone before integrating and correlating data across the endpoint, identity, intelligence, data security and cloud workloads. It should be able to solve the problem of alert fatigue, not exacerbate it.

Like for EDR, one of Its primary goals should be to cut down the noise and simplify overly complex and resource-draining processes to allow security teams time to focus on the alerts that matter.

The fundamental problem here is that XDR is too often approached without its core tenets in mind.

What many organisations fail to realise is that it’s a natural evolution of EDR, not an entirely new, rebranded solution. That’s the first and foremost thing enterprises need to get right.

When building up to XDR from EDR, a good question to keep in mind is how the proposed solution addresses the challenges of semantic gaps.

XDR is not just about ingesting more data, it’s about connecting a chain of events or activities, it’s about dealing with problems like missing data, reconciling contradictory data from varying sources, and reconciling entity aliases – all in an environment where the data represents rapid changes over a short period.

The compounding benefits of streamlining data intelligence

True XDR actively narrows the scope of the data it needs to ingest and correlates events in a way that makes it simpler for incident responders to see what’s occurring and determine a course of action in real-time.

XDR can significantly relieve security teams who are inundated with new detections and events by triaging across disparate and disconnected security tools and platforms.

The same logical prioritisation concepts that have been traditionally applied to EDR are to be extended to XDR.

This has advantages beyond simply detecting more threats more quickly. Providing your security team with the means to achieve faster and more efficient workflows leads to tertiary benefits such as higher job satisfaction, reduced burnout and improved staff retention.

It also gives security teams – CISO’s included – an opportunity to drive more efficient business outcomes and demonstrate their value to the C-suite.

At a time where cyber security expertise is already stretched thin in Australia, security teams are looking for more efficient ways to conduct their work.

XDR promises to tip the scales of efficiency back in the favour of security teams, but only if approached with the right principles in mind.

It’s 2022, it’s time to get our security fundamentals right.

Fabio Fratucello is the chief technology officer, APJ at CrowdStrike.