In part I, we explored why XDR “is a thing.” Now let’s get into its key components. Last time we explored how XDR fills the gap left by detection and response tools of days gone by which leaves gaps in protecting modern infrastructure from new attacks on new vectors using new tricks. How do you protect yourself? In our experience, there are six major considerations:
XDR must deterministically combine individual findings with causal sequencing of all events across the infrastructure to understand the precise attack progression in real-time, eliminating guesswork. Attacks often involve multiple steps that take place at different points in time (temporal distance); at different parts of the infrastructure (spatial distance) and visible through different sources (visibility distance). XDR must deterministically combine individual findings by causal sequencing of all events across the infrastructure to precisely build the entire storyboard of arbitrary attack progression in real-time. Correlation based approaches build insights across multiple security events leads to probabilistic results that become inconclusive jigsaw puzzles.
XDR must have granular visibility into malicious behavior across hosts, networks, and third-party controls such that the full context of an attack can be created automatically. Risky behaviors of attacks manifest in different vantage points. XDR must have a wide-angle view into any and every event that can be seen. The more you can see, the better equipped you are in identifying bad behavior.
XDR must be able to integrate visibility from these security controls in the infrastructure in the context of server activities. It must have an open API based framework to integrate with results from other security vendors.
XDR must detect sophisticated attackers using file-less attacks, zero-day exploits and living-off the land techniques to bypass traditional signature-based risk analysis. Modern attackers are able to use file-less attacks, zero-day exploits and living-off the land techniques to bypass traditional signature-based risk analysis. XDR must primarily focus on identification of risky behaviors and anomalous actions to determine malicious actions through multiple analytical methods.
XDR must be able to present the attack sequence in a chronological order, without the need to piece together individual tactics and techniques of a multi-stage campaign across the infrastructure. Attacks are not singular events on isolated servers but they are multi-stage campaigns where the attacker progresses through stages of the kill chain navigating through multiple servers in the infrastructure. XDR’s must be able to up level the findings beyond individual alerts to storyboard attacks developing across the infrastructure.
XDR must act as a virtual analyst and precisely connect all attack steps in real-time to pinpoint the presence of an attacker and surgically respond in a proactive and autonomous manner. To be able to respond as the attack is unfolding, manual investigations need to be nearly eliminated. An effective XDR must be able to precisely connect all attack steps in real-time and pinpoint the attacker’s presence so attack can be surgically responded to in a proactive manner.
XDR must work for anyone, regardless of their training or experience, so that every security analyst can focus on response as opposed to investigations. An effective XDR must be deployable in common server workload environments in the most production friendly manner.
We think XDR promises to transform security--but only if the technology brings together these six pillars.
Our next blog will explore our first pillar in greater depth.