Today’s security teams have concluded that more sophisticated attacks and a rapidly expanding threat surface make it impossible to prevent and protect against every attack. Instead, organizations operate under the assumption that breaches occur, and they should focus on limiting the impact these breaches have on the organization.
As dwell time increases, so too does the risk that the threat is able to cause major disruption and damage to victims. Unfortunately, today’s existing detect and respond solutions make it impossible to quickly identify threats inside the network. This is due to alert fatigue, inefficient manual investigation processes, and an inability to correlate related events.
Security information and event management (SIEM) tools are great at collecting information across different systems and security tools—some would argue that they are too good. Today’s security teams are overwhelmed by a flood of alerts that pop up through SIEM consoles. This makes it increasingly difficult to sort through all the noise to determine which events require intervention and which are just harmless abnormalities. Teams can manually create rules that sort through the logs to better identify and prioritize relevant alerts, but this takes time from even the most experienced senior analyst, who then must manually maintain these rules.
Once a relevant alert is identified, security teams then must manually investigate the event through a variety of tools. Moving from one console to the other is inefficient, creates data silos and puts a lot of pressure on security teams to work quickly to mitigate risk—something that is hard to do across multiple platforms. They then must manually figure out the attack chain and identify the systems that have been breached or impacted by the threat. Successfully stopping the spread of attacks depends on the experience and expertise of a large security team—a luxury that mid-sized organizations often cannot afford.
Extended detection and response (XDR) solutions have stepped up to consolidate visibility across environments and automate routine security tasks, improving the mean time to detection and response.
An evolution of endpoint detection and response (EDR), XDR solutions collect and centralize security-relevant data from endpoints and from multiple other systems and security tools in the organization, leveraging analytics, AI, and threat intelligence to automatically detect, triage, and correlate alerts.
Based on the approach and architecture, there are two main types of XDR solutions: Open or Hybrid, and Native XDR.
The advantage of Native XDR is that it relies on technologies from the same vendor and can provide detections out-of-the-box, while Open XDR solutions are more flexible, but each new source of detection is an integration project that must be performed manually and maintained.
XDR solutions dramatically accelerate incident investigations by improving triage, confirming, and consolidating many alerts into organization-wide incidents. Powered by artificial intelligence (AI) and machine learning (ML), the best XDR solutions can automatically serve up the answers to key questions:
Having the answers to these key questions means analysts do not have to manually dig through mountains of SIEM data, to dive into different SIEM, EDR, NDR and other systems to find the proverbial needle in a haystack and figure out how alerts are related. Armed with this automated information, security teams can act quickly reducing the mean time to detection and response so threats are stamped out before they are able to do real damage.
But not all solutions are created equal. Here are three things to look for when considering a native XDR solution:
Native XDR solutions should be able to tap into millions of interactions to determine the events that are important and the events that are just noise. Using AI/ML, they analyze the alerts generated by the decentralized security stack monitoring email, web browsing, end points, Software as a Service (SaaS) platforms, networking, data center applications, web applications and whatever other access points threat actors are using to gain access to enterprise systems. Prioritizing events and escalating the most critical ones reduces alert fatigue, makes monitoring manageable and focuses analyst time and resources on the events that matter.
AI/ML can then draw connections between disparate events—showing critical insights into the entire threat chain. The information available as a visual storyline or graph provides much needed context that analysts can use to better understand how threats gained access to systems and where and how they spread. Native XDR solutions should be able to analyze these events across various monitoring tools without analysts having to manually connect the dots or guess if an unrelated event is meaningful.
XDR solutions should provide clear, intuitive recommendations for responding to threats and allow analysts to orchestrate responses across the organization from the same interface. Recommended and single-click responses executed from the same XDR solution accelerate incident containment and remediation as even junior security team members can select an appropriate response and apply it immediately across the organization and different tools. For example, analysts might receive response recommendations that include isolating impacted endpoints, resetting user credentials, and deleting Office 365 emails. Having the response recommendations and being able to trigger all these responses from the same interface reduces the time to respond to complex attacks which is paramount to avoiding damage to the organization.
Today’s scattered threat landscape moves rapidly, and the expanding attack surface has caused organizations to deploy a range of security solutions across tackling different threats and attack vectors. Investigating without context, correlating, and responding to hundreds of poorly prioritized alerts across different systems is incredibly difficult and slow, increasing the risk of threats disrupting the business and causing significant impact However, XDR solutions allow organizations to speed detection and response so threats are unable to spread throughout the enterprise network and deliver their payload. As threats continue to grow more sophisticated and use evasive techniques, organizations are going to have to rely on native XDR solutions that can create security operations efficiency through automated detection, context, and response.
Cristian Iordache is a CISSP and Principal Product Marketing Manager at Bitdefender and has spent more than a decade helping organizations address cybersecurity challenges. He loves to highlight security tips and technologies that are proven to improve security operations efficiency and effectiveness against the most elusive attacks.View all posts
Don’t miss out on exclusive content and exciting announcements!