Industry Perspectives Blog

XDR: Making an Impact on the SOC

With organizations struggling with alert fatigue and disconnected tools for monitoring security controls, it is not surprising that one of the hottest new cyber security technology categories is Extended Detection and Response (XDR). Designed to better integrate security control data and security operations through cloud-driven analytics, detection, and response, the category of XDR is set to drive new efficiencies in the security operations center (SOC).

In a recent survey conducted by IT analyst firm ESG, 70% of organizations expressed that they are already using or considering XDR, or plan to establish a formal budget to invest in an XDR solution in the next six months. What is behind the aggressive XDR adoption plans? Drawn by the idea of bringing together security data across multiple security controls and the prospect of XDR solutions delivering a turnkey approach, security teams are moving fast to apply enhanced security analytics to help them keep up with advanced threats, while reducing the complexity of aggregating, correlating, and analyzing security data from multiple control points.

True XDR solutions are an integrated set of cyber security products that unify control points, security data, analytics and operations into a single enterprise solution. XDR implies supporting multiple types of security telemetry, which could include endpoint, network and cloud sensors. XDR promises to provide better technology integration between data sources and security operations to accelerate detection and response, all while reducing the integration and security engineering headaches that plague SecOps teams today.

Meeting the Security Alert Challenge

Respondents said the biggest challenge with the security data and alerts generated by disparate security controls was filtering the noise out of the alerts so that security analysts could focus on the right signals (38% of respondents). Solving it would deliver the most important outcome that 40% of respondents currently using or considering XDR want: improved fidelity and prioritization of security alerts, making it easier to triage and respond to events and thereby improving response time.

What To Look for in an XDR Solution

Here are some key elements when considering an XDR:

  1. Controls agnostic. The problem with simplifying security operations with an XDR is that most XDRs require organizations to purchase the security controls/sensors (network, endpoint, cloud, mail, etc.) from a single vendor, and often require a rip-and-replace of the existing technologies. A controls-agnostic XDR enables security organizations to choose best-of-breed technologies while still gaining improved detection and response.
  2. Machine-based correlation and detection capabilities. Machines can comb through large data sets and see patterns faster and more accurately than humans. It would be nearly impossible for humans to correlate across EDR alerts, network events, account services, vulnerability scan data, etc., to "triangulate" amongst sensors and more accurately distinguish true signal from the noise of false positives. If machines can more accurately and consistently find real and actionable incidents, analysts spend less time on tier one monitoring, i.e., staring at screens, and more time focusing on their customers and incident response, which should result in happier analysts and improved job satisfaction. Machine-based detection could also mean 24x7 coverage without added staffing.
  3. Pre-built data models. No one wants to write custom rules/content/code in their SIEM and SOAR platforms. It would be a huge advantage to have these complex models work out of the box. This would mean reduced security engineering time and costs or, even better, freeing security engineers to work on more value-added projects. Automatically integrating timely threat intelligence is another important component for identifying known-bad indicators and determining relevance.
  4. Integration with different SIEMs, SOARs and case management tools. XDR should play nicely with those investments. Key features would be built-in integrations, including automated case creation, scoping new and additional events into a case over time, and feedback flowing from the SOAR back to the XDR for model improvement.
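To make the "triangulation" in item 2 concrete, here is an added example (not from the original post or any vendor's product) that joins constructed alerts from EDR, network and identity sensors per host within a time window, treats vulnerability scan findings as static enrichment, and scores each cluster by how many distinct sensors corroborate it. The sample events, the 30-minute window and the escalation threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from four sensor types (not real telemetry).
# Each record: (sensor, host, ISO timestamp, description)
EVENTS = [
    ("edr",      "ws-17",  "2024-03-01T09:02:00", "office app spawned script host"),
    ("network",  "ws-17",  "2024-03-01T09:05:30", "DNS query to newly registered domain"),
    ("identity", "ws-17",  "2024-03-01T09:07:10", "new member added to local admins"),
    ("vuln",     "ws-17",  "2024-02-20T00:00:00", "missing critical office patch"),
    ("network",  "srv-03", "2024-03-01T11:40:00", "internal port scan observed"),
    ("edr",      "lap-42", "2024-03-01T13:15:00", "potentially unwanted remote admin tool"),
    ("edr",      "lap-42", "2024-03-01T16:20:00", "potentially unwanted remote admin tool"),
]

WINDOW = timedelta(minutes=30)  # assumed: how close in time alerts must be to be joined


def correlate(events, window=WINDOW, escalate_at=2):
    """Cluster real-time alerts per host by time, then score each cluster by the
    number of distinct sensors that corroborate it. Vulnerability findings are
    static context: they add to a host's score but never open a cluster."""
    by_host, vuln_hosts = defaultdict(list), set()
    for sensor, host, ts, desc in events:
        if sensor == "vuln":
            vuln_hosts.add(host)
        else:
            by_host[host].append((datetime.fromisoformat(ts), sensor, desc))

    incidents = []
    for host, alerts in by_host.items():
        alerts.sort()
        cluster = []
        for alert in alerts + [None]:  # trailing None flushes the last cluster
            if cluster and (alert is None or alert[0] - cluster[0][0] > window):
                sensors = {a[1] for a in cluster}
                score = len(sensors) + (1 if host in vuln_hosts else 0)
                incidents.append({"host": host, "sensors": sorted(sensors),
                                  "alerts": len(cluster), "score": score,
                                  "escalate": score >= escalate_at})
                cluster = []
            if alert is not None:
                cluster.append(alert)
    # Highest-fidelity incidents first; single-sensor alerts sink to the bottom.
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
```

With the sample data, ws-17 is corroborated by three sensors plus a vulnerability finding and is the only cluster escalated; the repeated single-sensor alerts on lap-42 stay low priority, which is the noise-filtering outcome the survey respondents asked for.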

A technology-agnostic XDR gives security teams the best of both worlds: analytics that work across a broad range of security technologies and vendors, delivering the true outcome of finding incidents in real time without noisy false positives.