Alert fatigue is real. Think about this: How much time do your security analysts spend chasing false positives or maintaining security controls? How much time do you spend training new security team members, only to have them burn out quickly on the vital yet mundane work of monitoring the network for threats? How often do they move on to another job, leaving you to repeat the hiring and training cycle all over again? Throwing more people at the tidal wave of data, hoping to investigate every alert before it becomes an incident, is not a sustainable solution.
Many security operations centers (SOCs) already contain a threat intelligence solution, a SIEM, and possibly a SOAR. They have some of the tools, so how can they make sure they stay on top of threats?
Bring It Together Faster With XDR
Threat intelligence is more important than ever, but applying it requires the right context about the risks facing your organization. SIEMs and SOARs have under-delivered here. These SOC tools collect logs and data, but the promise of using them to find evil in the environment has remained largely unfulfilled, mostly because of the extensive security engineering required to get the most out of them.
XDR is a hot topic in security operations, and for good reason. XDR solutions promise deeper integration of security controls and their data to improve detection and response, delivered in a user-friendly SaaS format that reduces the cost and complexity of security engineering. XDR ultimately represents an opportunity to approach security operations in a better way.
Gartner addresses XDR in its latest report, Innovation Insight for Extended Detection and Response. The report contains various insights and highlights the need for XDR in the modern SOC.
Gartner’s recommendations when considering the move to XDR:
- “Work with stakeholders to determine if any XDR strategy is right for an organization based on staffing and productivity levels, level of federation of IT, risk tolerance, and security budget. Develop a gap analysis between existing capabilities and those desired from an XDR solution.
- Conduct thorough product evaluation and testing to ensure outcomes meet the promises of this fledgling capability.
- Develop an internal architecture and purchasing policy that is in line with XDR strategy, including when and why exceptions might be permissible. Ensure that future security purchases and planned technology retirements are aligned with a long-term XDR architecture strategy.
- Outsource to a managed security service provider (MSSP) that can build an XDR substitute if it is likely to be beyond the skill sets of existing staff.”
To assess the need for an XDR solution, organizations need to determine the effectiveness of their existing security detection and response program. Consider the following questions:
- Are you satisfied with the effectiveness of your security control environment?
- Are your SOC teams performing well?
- Are they overworked or unhappy with the number of false positives they must manage?
- Are they able to investigate all of the alerts and events generated from your security infrastructure?
- How burdened is your security engineering team?
- And maybe most importantly, is the investment you’ve put into these systems providing the outcomes you would expect?
The importance of XDR product evaluation and testing cannot be overstated. Proofs of concept for traditional SIEM solutions were extremely difficult, and they can be just as difficult for many native XDR tools. Consider the following questions: Can the vendor stand up an environment using your own tools and data? Do they require a rip and replace? Do they need extensive professional services to deploy?
Gartner also discusses the importance of aligning the proposed security architecture with future security purchases and planned technology retirements. This is vital for XDR, as many XDR offerings require standardizing on a single vendor’s toolset. That can be challenging, because it may force a highly disruptive technology changeover.
The Mandiant Approach
Mandiant’s approach enables choice. We work with many of the leading endpoint and network security vendors, SIEMs and SOAR platforms. This means organizations can choose best-of-breed solutions that work best for them, and they don’t have to rely on a single vendor or get locked into tools that they don’t really like. We also enable organizations to measure the effectiveness of their existing controls and ensure they are configured properly. This means getting more out of existing investments and having the data to determine what future investments will have the best ROI.
Whether or not to outsource is an important decision for organizations. Finding and retaining top SOC talent, particularly security engineering talent, is difficult. Mandiant is building solutions that integrate with the tools organizations already have but eliminate the need for rule writing, content creation and playbook development. Instead, we provide pre-built data science models designed to investigate the way a Mandiant expert does, but operating at machine speed and fortified with timely, relevant threat intelligence. And if teams do need help, Mandiant managed services are available on demand or as a fully managed threat detection and response solution.