If you are looking to understand the basics of XDRs and what they do, this blog is for you. More to the point, it is for you if you need an effective detection and response capability that goes well beyond the endpoint to protect modern, cloud-based infrastructures. This is part one of a seven-part series.
XDRs consolidate findings and telemetry from individual security solutions and elevate those findings beyond isolated alerts to storyboard attacks as they develop across the infrastructure. As a result, kill chains that would otherwise be missed or buried by individual security tools can be detected with far higher efficacy. Consequently, SOC teams can focus their efforts on investigating these high-value incidents and stop chasing noisy alerts. Finally, XDRs significantly reduce MTTR and improve SOC efficiency with unified incident response capabilities, delivered through integrations with incident management and security product orchestration.
Modern attacks focus on finding the weakest link in your security ecosystem and gaining an initial foothold in an enterprise network. Once in the network, they move laterally, patiently focused on achieving their mission. Thus, security is no longer just keeping the bad people out; it also requires the ability to detect and track every step an attacker has taken to search and traverse the network in pursuit of their goal.
Point security tools provide SOC teams with a series of disorganized snapshots instead of a concise, streaming narrative. Attacks today are a sequence of many seemingly unrelated steps along the cyber kill chain. Individual detections are probabilistic weak signals--often proving unactionable on their own. Unless attack signals are deterministically combined as a sequence, today's sophisticated attacks cannot be detected, let alone blocked. For CISOs and SOC analysts, this new environment brings specific hurdles that stand in the way:
Problem #1: Data overload decimates SOC productivity
With a rapidly growing attack surface and ever more data sources, security teams must ingest far more data than they can use, and that data fails to provide the context needed to show how attacks unfold. Security teams are unable to draw critical insights from the large amount of data generated daily by their infrastructure--putting SOCs permanently one step behind attackers. A recent survey cited several challenges security teams face as data requiring analysis continues to proliferate:
Consequently, SOC team efficiency is at an all-time low. Security teams suffer from digital exhaust as thousands of alerts are sent to their SIEM dashboard. Understaffed, security teams are unable to triage each alert, succumbing to the belief that most of the alerts received are actually false positives.
Problem #2: The bad guys do their best to look normal
Low and slow attacks have become the new norm--even in DDoS attacks. Cyber-criminals purposely take their time, spreading their malicious activity over the course of days, weeks or months to avoid detection. By using the noise generated by benign operational activity as a backdrop, cybercriminals can blend into day-to-day activity without ever getting noticed. As a result, security teams are unable to stitch together a meaningful attack progression of an ongoing cyber campaign within their organization from malicious alerts that may arrive over a span of days, weeks or even months.
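The two problems just described, weak signals that only mean something as a sequence and campaigns stretched over weeks, are what an XDR's correlation layer has to solve. The following is an added illustration, not code from the original post or from any XDR product: it stitches alerts from several point tools into one storyboard by linking alerts that share a host or user, keeps a window long enough for a low-and-slow campaign, and only promotes a cluster to an incident once it spans several kill-chain stages, so an isolated weak signal never becomes an incident on its own. The tool names, hosts, users and alerts are all constructed for the example.

```python
"""Stitch weak alerts from several point tools into attack storyboards (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain stage order used to rank how far an incident has progressed.
STAGES = ["initial_access", "execution", "persistence", "discovery",
          "lateral_movement", "collection", "exfiltration"]
STAGE_RANK = {s: i for i, s in enumerate(STAGES)}

# Constructed sample alerts (hypothetical tools, hosts and users). Each alert
# names the entities it involves; timestamps span weeks to mimic a low-and-slow campaign.
ALERTS = [
    {"ts": "2024-03-01T09:12:00", "tool": "email_gw", "stage": "initial_access",
     "detail": "macro attachment opened", "entities": {"user:alice", "host:ws-17"}},
    {"ts": "2024-03-01T09:14:00", "tool": "edr", "stage": "execution",
     "detail": "office spawned powershell", "entities": {"host:ws-17"}},
    {"ts": "2024-03-13T22:40:00", "tool": "edr", "stage": "persistence",
     "detail": "new scheduled task", "entities": {"host:ws-17"}},
    {"ts": "2024-03-27T03:05:00", "tool": "cloud_audit", "stage": "discovery",
     "detail": "ListBuckets from new IP", "entities": {"user:alice"}},
    {"ts": "2024-04-09T01:30:00", "tool": "netflow", "stage": "lateral_movement",
     "detail": "SMB to file-srv-2", "entities": {"host:ws-17", "host:file-srv-2"}},
    {"ts": "2024-04-20T02:10:00", "tool": "cloud_audit", "stage": "exfiltration",
     "detail": "large GetObject volume", "entities": {"user:alice"}},
    # Unrelated one-off noise on another host: a weak signal with no sequence behind it.
    {"ts": "2024-03-05T11:00:00", "tool": "edr", "stage": "execution",
     "detail": "unsigned binary ran", "entities": {"host:ws-42"}},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def cluster_by_entity(alerts):
    """Union-find over shared entities: alerts touching a common host or user land
    in one cluster, so a user's cloud alerts join the EDR alerts from their workstation."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for a in alerts:
        ents = list(a["entities"])
        for e in ents[1:]:
            union(ents[0], e)
    clusters = defaultdict(list)
    for a in alerts:
        clusters[find(next(iter(a["entities"])))].append(a)
    return list(clusters.values())


def build_incidents(alerts, window=timedelta(days=90), min_stages=3):
    """Return storyboards: clusters whose alerts fall within `window` of the first
    alert and cover at least `min_stages` distinct kill-chain stages."""
    incidents = []
    for group in cluster_by_entity(alerts):
        group.sort(key=lambda a: _parse(a["ts"]))
        start = _parse(group[0]["ts"])
        # A long window is what lets a weeks-long campaign survive correlation.
        group = [a for a in group if _parse(a["ts"]) - start <= window]
        stages = sorted({a["stage"] for a in group}, key=STAGE_RANK.__getitem__)
        if len(stages) < min_stages:
            continue  # isolated weak signal(s); do not raise an incident
        incidents.append({
            "entities": sorted(set().union(*(a["entities"] for a in group))),
            "tools": sorted({a["tool"] for a in group}),
            "stages": stages,
            "span_days": (_parse(group[-1]["ts"]) - start).days,
            "timeline": [(a["ts"], a["tool"], a["stage"], a["detail"]) for a in group],
        })
    # Rank incidents by how far along the kill chain they reach.
    incidents.sort(key=lambda i: STAGE_RANK[i["stages"][-1]], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in build_incidents(ALERTS):
        print(f"{inc['span_days']}-day campaign across {inc['tools']}: {inc['stages']}")
        for row in inc["timeline"]:
            print("   ", *row)
```

Run as-is, the sample produces a single incident tying the email, EDR, cloud and network alerts together over seven weeks, while the lone EDR alert on the other host is left as a weak signal. Shrinking `window` to 30 days shows the cost of short correlation windows: the same campaign is cut off at the discovery stage and the lateral movement and exfiltration alerts never join it.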
Problem #3: Rapidly expanding attack surface
Today, enterprises have endpoints, mobile devices, email, hybrid cloud and on-prem infrastructure. How do you lock it all down? With today's tools, locking everything down requires a complex, tedious and error-prone process that compromises security, compliance and business agility. Worse, different attack surfaces require different domain expertise, making it impossible to adequately cover everything. With the rise of cloud, new security challenges arise from software-defined compute, storage and network, orchestration, self-provisioning and new workload form factors like containerization.
Part II coming next week: The Six Pillars of XDR.