Unravel the XDR Noise and Recognize a Proactive Approach

Tips & Advice

Cybersecurity professionals know this drill well all too well. Making sense of lots of information and noise to access what really matters. XDR (Extended Detection & Response) continues to be a technical acronym thrown around in the cybersecurity industry with many notations and promises. Every vendor offering cybersecurity has an XDR song to sing. Interestingly, some either miss a beat or require tuning since it’s still quite an emerging market.  This can be intriguing and nagging for cybersecurity professionals who are heads down defending against the persistent adversaries. The intent of this blog is to clarify XDR and remove the noise and hype into relevant and purposeful cybersecurity conversations with actions. And observe the need for a proactive approach.

Let’s begin with what does XDR refer to and its evolution. As noted earlier, XDR stands for Extended Detection and Response. “extended” is going beyond the endpoint to network and cloud infrastructure. You will find this cross-infrastructure or cross-domain capability is the common denominator for XDR.  XDR is the next evolution of a solid Endpoint Detection and Response (EDR). Ironically it was a term introduced by a network security vendor with aspirations to enter the emerging Security Operations market.

A Look at the Industry Point of Views

Industry experts have weighed in on this XDR capability for cybersecurity and agree it’s still relatively early to market. Gartner’s definition, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.” Gartner notes three primary requirements of an XDR system are; centralization of normalized data primarily focused on the XDR vendors’ ecosystem, correlation of security data and alerts into incidents and centralized incident response capability that can change the state of individual security products as part of incident response or security policy setting. If you want to hear more from Gartner on this topic, check out the report.

ESG defines XDR as an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection and response. In other words, XDR unifies control points, security telemetry, analytics, and operations into one enterprise system. The cross-vector analytics must be enhanced to track advanced multi-stage attacks.  In addition, implementation guidance such as reference architecture is needed to assure successful integrated workflows.

Forrester views XDR as the next generation of Endpoint Detection and Response to evolve to by integrating endpoint, network and application telemetry. The integration options are native where the integration is with one vendor’s portfolio or hybrid where the vendor integrates with other security vendors.  The key goals include empowering analysts with incident-driven analytics for root cause analysis, offer prescriptive remediation with the ability to orchestrate it and map uses cases MITRE ATT&CK techniques and chain them into complex queries that describe behaviors, instead of individual events.

XDR Themes

The common XDR themes from these XDR discussions are multiple security functions integrated and curated data across the control vectors all working together to achieve better security operational efficiencies while responding to a threat. Cross control points make sense since the adversary movement is erratic.  Emphasis is on removing complexity and offering better detection and understanding of the risk in the environment and quickly sorting through a possible response.  The range of detect and response capabilities also suggest that it cannot be done by one exclusive vendor. Many advocates an integrated partnership approach to unify defenses and streamline efforts across domains and vectors. It’s a more realistic approach as well since most organizations do not fulfil their entire security function with one vendor.  While buying an XDR “suite” from one vendor is easier where most of the security tools come from one vendor, some critical security functions from another vendor should be included to drive a more effective detect and response.  This is not a new concept to connect the security disciplines to work together, as matter fact, McAfee Enterprise has been professing and delivering on Together is Power motto for some time.

One more consideration on this unified and integrated security XDR theme, many vendors may proclaim this but look under the hood carefully. They may have a unified view in a single console but has the data from all the separate vectors been automatically assessed, triaged and providing meaningful and actionable next steps?

Another common XDR theme is the promise to accelerate investigation efforts by offering automatic analysis of findings and incidents to get closer to a better assessment. This makes your reactive cycles potentially less frequent.

Integrating security across the enterprise and control points and accelerating investigations are critical functions. Does it address organizational nuances like is this threat a high priority because it is prevalent in my geo and industry and it’s impacting target assets with highly sensitive data.  Prioritization should also be an XDR theme but not necessarily noted in these XDR discussions.  Encourage you to read this blog on The Art of Ruthless Prioritization and Why It Matters to Sec Ops.

Net Out the Core XDR Functions

After distilling the many point of views and the themes on XDR, it seems the core functions all focus on improving security operations immensely during an attack.  So, it’s a reactive function

 

XDR Core & Baseline functions  Why? 
Cross infrastructure—comprehensive vector coverage   Gain comprehensive visibility & control across your entire organization and stop operating in silos  

Remove disparate efforts between tools, data and functional areas  

Distilled data and correlated alerts across the organization   Remove manual discover and make sense of it all  
Unified management with a common experience   From a common view or starting point removes the jumping between consoles and data pools to assure more timely and accurate responses  
Security functions automatically exchange and trigger actions   Some security functions need to be automated like detection or response   
Advanced functions—not noted in many XDR discussions  Why? 
Actionable intelligence on potentially relevant threats   Allow organizations to proactively harden their environment before the attack  
Rich context that includes threat intelligence and organizational impact insight   Organizations can prioritize their threat remediation efforts on major impact to the organization  
Security working together with minimal effort   Simply tie a range of security functions together to create a united front and optimize security investments  

 

Key Desired Outcomes

The end game is better security operational efficiencies. This can be expressed in a handy outcome check list perhaps helpful when assessing XDR solutions.

Visibility  Control 
More accurate detection   More accurate prevention  
Adapt to changing technologies & infrastructure   Adapt to changing technologies & infrastructure  
Less blind spots   Less gaps  
Faster time to detect (or Mean Time to Detect-MTTD)   Faster time to remediate (or Mean Time to Respond-MTTR)  
Better views and searchability   Prioritized hardening across portfolio—not isolated efforts  
Faster & more accurate investigations (less false positive)    Orchestrate the control across the entire IT infrastructure  

A More Proactive Approach is Needed

McAfee Enterprise goes beyond the common XDR capabilities in the recently announced MVISION XDR and offers unmatched proactivity and prioritization producing smarter and better security outcomes. This means your SOC spends less time on error-prone reactive fire drills with weeks of investigation.  SOCs will respond and protect what counts a lot quicker. Imagine getting ahead of the adversary before they attack.

Solution or Approach?

Is XDR a solution or product to be bought or an approach an organization’s must rally their security strategy to take?  Honestly it can be both.  Many vendors are announcing XDR products to buy or XDR capabilities.  An XDR approach will shift processes and likely to merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.

Is XDR for everyone?

It depends on the organizations’ current cybersecurity maturity and readiness to embrace the breadth and required processes to obtain the SOC efficiency benefits. With the promise to correlate data across the entire enterprise implies some of the mundane and manual efforts to make sense of data into a better and actionable understanding of a threat are removed.  Now this is good for organizations on both spectrums.  Less mature organizations who do not have resources or expertise and do not consume data intelligence to shift through will appreciate this correlation and investigation step, but can they continue the pursuit of what does this mean to me. Medium to high mature cybersecurity organizations with expertise will not need to do the manual work to make sense of data. The difference with mature organizations comes with the next steps to further investigate and to decide on the remediation steps. Less mature organizations will not have the expertise to accomplish this. So, the real make a difference moment is for the more mature organization who can move more quickly to a response mode on the potential threat or threat in progress.

Your XDR Journey

If you are a medium to high mature cybersecurity organization, the question comes how and when. Most organizations using an Endpoint Detection and Response (EDR) solution are likely quite ready to embrace the XDR capabilities since their efforts are already investigating and resolving endpoint threats. It’s time to expand this effort gaining better understanding of the adversary’s movement across the entire infrastructure.  If you are using MVISION EDR you are already using a solution with XDR capabilities since it digests SIEM data from McAfee Enterprise ESM or Splunk (which means it goes beyond the endpoint, a key XDR requirement.)  Check out the latest award MVISION XDR received amongst the many recognitions.

Hope this blog removed the jargon and fog around XDR and offers actionable considerations for your organization to boost their SOC efforts. Start your XDR journey here.

Products You May Like

Leave a Reply

Your email address will not be published. Required fields are marked *