Detection and response is necessarily a data-intensive activity, but there’s considerable opportunity to refine current approaches, writes Simon Howe, vice-president, Sales, APAC at LogRhythm.
Data is knowledge, and knowledge is power. Knowledge is also a great leveller, and in cyber security, that’s important because there’s still a lot of levelling to do.
Australian research by PwC shows that growing maturity of cyber solutions and their adoption is helping “to close the wide lead that attackers have long held” over cyber security teams.
In other words, those engaged in threat detection and response are progressively being offered more detailed visibility into the challenges they face.
PwC goes further in identifying where these advantages are coming from, distilling them to “25 new cyber security approaches”. Of those, the study finds considerable enthusiasm for improved visualisation and modern data discovery and management – with between 73 per cent and 76 per cent having at least started making improvements in these areas, or going further towards benefit realisation.
It’s entirely feasible these kinds of improvements could be realised from an extended detection and response or XDR approach.
There’s already anecdotal evidence to suggest that Australian businesses kicked off XDR evaluations last year. In addition, we know that 70 per cent of organisations plan to invest in XDR in the coming year.
It may still be nascent but XDR is firmly on the radar of forward-looking security teams.
A consolidated view
Cyber security analysis is a data-driven profession. However, as colleagues in other data-intensive sectors and industries have experienced firsthand, it can be hard to pinpoint signals within the noise of logs and alerts.
Analysts in the threat intelligence space aren’t the first data-reliant professionals to struggle with data volumes, nor to desire more targeted and tailored solutions to their analytics challenges.
XDR picks up where some of cyber security’s previous data-driven efforts have left off.
Analysts needed a simpler, smaller and more specifically designed platform to detect activities that may point to the presence of a security threat.
Platforms in the XDR category of security products bring together telemetry signals from endpoints, the network, cloud and users’ behaviour into a central location where they can be correlated, and deep security analysis can be performed.
All of these areas have emerged as critical to threat detection and response. Prior to XDR, however, there were different tools for each of them.
Security analysts used endpoint detection and response (EDR) to recognise and respond to threats against endpoints like computers and servers. If an attacker gained a foothold and started to move laterally, analysts turned to network detection and response (NDR) in combination with EDR.
As threats grew and attacks became more sophisticated, more detection and response tools appeared. With the rapid rush to cloud, threat data and activity started occurring on infrastructure over which the organisation had little to no control. Cloud behaviour analytics and usage activity became important aspects of telemetry to be tracked, requiring even more tools.
But in 2021, it’s not difficult to imagine an insider threat scenario where a user is detected acting abnormally. This may be followed by an EDR alert of a new process being spun up that’s making connections across the network. The user may start to access new cloud-based services or move laterally inside the organisation trying to authenticate to different devices they traditionally didn’t authenticate to.
These are all symptoms – and hopefully early warning indicators – of malicious activity occurring in the network.
Rather than having four tools (or more) to keep track of them, the consolidation of these capabilities under XDR gives organisations and analysts a more complete picture of an unfolding attack.
It provides them with the holistic visibility and deep security analytics they need to identify and remediate these kinds of threats.
More value with a SIEM
An XDR is useful for rapid detection and response to the threat, but at some point, analysts are also going to want to pinpoint the origin of the threat.
To do so, they are likely to encounter limitations with XDR and specifically with the types of data it collects.
This is where a SIEM (security information and event management platform) comes into play. The benefit of having a SIEM is that it is designed to provide a holistic, infrastructure-wide view for security and operational monitoring purposes.
More and more security attacks have operational impacts. Attackers may not only breach a web server but also take it offline, disrupting the customer-facing applications it hosts.
Having a SIEM and XDR combined offers the best of both worlds – high value security data for detection and response, but also a wider dataset that can be used for post-breach analysis.
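The two ideas above (XDR correlating endpoint, network, cloud and user signals into one picture of the insider scenario, then a SIEM answering the wider "where did this start?" question) can be shown concretely. The following is an added example written for this article; it is not LogRhythm's or any product's code. The event schema (`source`, `user`, `host`, `signal`), the sample events and the thresholds are all constructed assumptions for illustration. `correlate` raises one incident per user only when several distinct telemetry sources fire within a short window, which is what separates a cross-source XDR detection from a single tool's alert; `origin_timeline` then plays the SIEM role, pulling every retained event for that user over a longer lookback so the earliest indicator can be found.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One normalised telemetry record. Field names are assumptions for this
    example, not any product's schema."""
    ts: datetime
    source: str   # "ueba", "edr", "ndr", "cloud" or "auth"
    user: str
    host: str
    signal: str


# Constructed sample telemetry: the insider scenario from the article for
# user "jdoe", plus a benign user whose two alerts are days apart.
SAMPLE_EVENTS = [
    Event(datetime(2021, 6, 1, 9, 2), "ueba", "jdoe", "WS-12", "login_outside_baseline_hours"),
    Event(datetime(2021, 6, 1, 9, 5), "edr", "jdoe", "WS-12", "new_process_with_outbound_connections"),
    Event(datetime(2021, 6, 1, 9, 7), "ndr", "jdoe", "WS-12", "scan_of_internal_subnet"),
    Event(datetime(2021, 6, 1, 9, 9), "cloud", "jdoe", "-", "first_use_of_saas_app"),
    Event(datetime(2021, 6, 1, 9, 12), "auth", "jdoe", "FS-03", "auth_failure_to_unfamiliar_host"),
    Event(datetime(2021, 6, 1, 9, 13), "auth", "jdoe", "DB-01", "auth_failure_to_unfamiliar_host"),
    Event(datetime(2021, 6, 1, 10, 0), "edr", "asmith", "WS-40", "new_process_with_outbound_connections"),
    Event(datetime(2021, 6, 4, 10, 0), "cloud", "asmith", "-", "first_use_of_saas_app"),
]

WINDOW = timedelta(minutes=30)   # assumed correlation window
MIN_SOURCES = 3                  # assumed: distinct sources needed for an incident


def correlate(events, window=WINDOW, min_sources=MIN_SOURCES):
    """Group events per user and slide a time window over them.

    An incident is raised only when at least `min_sources` distinct telemetry
    sources report on the same user inside the window. A lone EDR alert, or
    signals spread over days, never qualifies on its own."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)

    incidents = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            sources = {e.source for e in in_window}
            if len(sources) >= min_sources:
                incidents.append({
                    "user": user,
                    "first_seen": in_window[0].ts,
                    "sources": sorted(sources),
                    "signals": [e.signal for e in in_window],
                })
                break  # one incident per user is enough for triage
    return incidents


def origin_timeline(events, user, before=None, lookback=timedelta(days=7)):
    """SIEM-style query: every retained event for `user` in the lookback
    period, oldest first, so the analyst can locate the earliest indicator."""
    if before is None:
        before = max(e.ts for e in events)
    return sorted(
        (e for e in events if e.user == user and before - lookback <= e.ts <= before),
        key=lambda e: e.ts,
    )


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"incident: user={inc['user']} first_seen={inc['first_seen']} "
              f"sources={inc['sources']}")
        for e in origin_timeline(SAMPLE_EVENTS, inc["user"]):
            print(f"  {e.ts:%Y-%m-%d %H:%M} {e.source:5} {e.host:6} {e.signal}")
```

Run as-is, the script reports a single incident for `jdoe` backed by five sources, while `asmith` produces nothing because the two alerts fall outside the window; the timeline then shows the out-of-hours login as the earliest indicator. Tuning `WINDOW` and `MIN_SOURCES` is where the real trade-off between detection speed and false positives sits.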
Simon Howe is the vice-president, Sales, APAC at LogRhythm.