September 28, 2021
Accelerating Threat Detection & Response With XDR

Security operations center (SOC) team members are battling burnout, alert fatigue and information overload in an effort to protect critical systems and data. As new threats emerge, organizations often try to keep up by purchasing additional layers of technology. But this isn’t enough to bolster defenses. In fact, it can have the opposite effect.

While point solutions solve specific problems, each one needs to be effectively configured, implemented, and managed. This increases operational complexity and strains understaffed security teams; alerts get ignored, hindering the ability not only to detect threats in a timely manner, but also to defend against attacks. It is a perfect storm for threat actors.

Security Decision-Makers Agree

Source: 2021 ReliaQuest Security Technology Sprawl Report

The average security operations team receives over 11,000 alerts per day, and many are never addressed. As technology stacks get bigger and bigger, the potential for security gaps and corresponding breaches grows. According to IBM Security and the Ponemon Institute, a high level of system complexity increases the average cost of a data breach by $2.15 million.

Impact of System Complexity on Average Cost of a Data Breach

Source: IBM Security & Ponemon Institute Cost of a Data Breach Report 2021

Making an Impact with XDR

To empower security analysts and get ahead of threats, we need to reduce the burden of manual work and increase the deployment of security automation with a specific focus on visibility, reporting, analytics, automation, and integration. Extended detection and response (XDR) technology can help.

While you’re likely familiar with the “D” and the “R”, the “X” represents the extension and integration of protection across a variety of security components. XDR automatically collects and correlates data from multiple tools to improve threat detection and incident response. These solutions combine alerts triggered by email, endpoint, and network security controls into a single incident and apply situational security context to reduce noise, enabling analysts to perform more thorough investigations. XDR can extend security information and event management (SIEM) by combining real-time security event data with telemetry from point solutions that integrate with the XDR platforms.

The goal is to increase detection accuracy while providing administrators with options for manual and/or automated mitigation. The net result is an increase in overall ROI for individual security solutions, and greater security operations efficiency. The advantages it offers are so impactful that Gartner named XDR the number one security trend to come out of 2020.

EDR vs. MDR vs. NDR vs. XDR

Comparison infographic; its four columns are Endpoint Detection & Response, Managed Detection & Response, Network Detection & Response, and Extended Detection & Response, and the capability labels it lists are:

  • Data Collection
  • Detection Engine
  • Data Analysis Engine
  • Threat Intelligence
  • Trace Back
  • Automated Response
  • Managed EDR
  • Incident Management
  • Incident Response
  • Contracted Service
  • Internal Network D&R
  • Behavioral Analysis
  • Security Controls
  • Insider Threat Detection
  • Device Controls
  • Disk Encryption
  • Firewalls
  • Orchestration
  • ML Analysis of Internal & External Traffic

Approaches

There are two main approaches to XDR:

  1. Proprietary XDR is characterized by vendors that provide their own suite of solutions on a centralized XDR management platform. The main advantage of proprietary XDR is accelerated time-to-value stemming from off-the-shelf integration and pre-tuned detection mechanisms. However, this approach promotes dependence on a single vendor that may have gaps in their portfolio, and organizations may be forced to “rip and replace” existing controls.
  2. Open XDR integrates disparate security tools into a coordinated approach to reduce alerts and increase threat visibility. Many security professionals prefer Open XDR because it unifies current, siloed controls and ensures flexibility for the addition of any future solutions that may be required. Built on a cloud-native architecture, Open XDR leverages big data to normalize and correlate more effectively and meet needs for scalability.
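The mechanics behind "collect and correlate data from multiple tools into a single incident" and Open XDR's "normalize and correlate" are easier to see in code than in prose. The following is an added example written for this page, not code from the original post or from any XDR vendor or the XDR Alliance. It constructs three small alert feeds in made-up schemas (an email gateway, an EDR agent, an NDR sensor), normalizes them into one model, groups alerts that share an asset within a time window into incidents, and ranks incidents with a simple context score. The field names, the 30-minute window, the severity mapping and the scoring weights are all assumptions for illustration.

```python
"""Toy XDR-style alert normalization and correlation (added example, not from the original post)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample alerts, each in its tool's own (assumed) native schema.
EMAIL_ALERTS = [
    {"ts": "2021-09-28T09:00:10Z", "recipient_host": "ws-042", "user": "jdoe",
     "verdict": "malicious_attachment", "sev": "medium"},
]
EDR_ALERTS = [
    {"detect_time": "2021-09-28T09:03:45Z", "hostname": "ws-042", "account": "jdoe",
     "rule": "office_spawns_powershell", "severity": 7},
    {"detect_time": "2021-09-28T14:20:00Z", "hostname": "srv-db01", "account": "svc_backup",
     "rule": "scheduled_task_created", "severity": 3},
]
NDR_ALERTS = [
    {"time": "2021-09-28T09:05:02Z", "src_host": "ws-042",
     "signature": "beacon_to_new_domain", "priority": "high"},
]

# Assumed mapping of word severities onto the common 1..10 scale.
SEV_WORDS = {"low": 3, "medium": 5, "high": 8, "critical": 10}


@dataclass
class Alert:
    """Common alert model every feed is normalized into."""
    source: str       # which control fired: email, endpoint, network
    ts: datetime
    host: str         # the asset the alert is about
    user: str         # empty when the feed has no user field
    name: str
    severity: int     # normalized 1..10


@dataclass
class Incident:
    host: str
    alerts: List[Alert] = field(default_factory=list)

    @property
    def sources(self) -> List[str]:
        """Distinct controls that contributed to this incident."""
        return sorted({a.source for a in self.alerts})


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def normalize(email: List[dict], edr: List[dict], ndr: List[dict]) -> List[Alert]:
    """Map each feed's field names onto the common model, oldest alert first."""
    out: List[Alert] = []
    for a in email:
        out.append(Alert("email", _parse(a["ts"]), a["recipient_host"], a["user"],
                         a["verdict"], SEV_WORDS[a["sev"]]))
    for a in edr:
        out.append(Alert("endpoint", _parse(a["detect_time"]), a["hostname"], a["account"],
                         a["rule"], int(a["severity"])))
    for a in ndr:
        out.append(Alert("network", _parse(a["time"]), a["src_host"], "",
                         a["signature"], SEV_WORDS[a["priority"]]))
    return sorted(out, key=lambda x: x.ts)


def correlate(alerts: List[Alert], window: timedelta = timedelta(minutes=30)) -> List[Incident]:
    """Group alerts on the same host that fall within `window` of the incident's last alert."""
    incidents: List[Incident] = []
    for a in alerts:
        for inc in incidents:
            if inc.host == a.host and a.ts - inc.alerts[-1].ts <= window:
                inc.alerts.append(a)
                break
        else:  # no open incident matched, so this alert starts a new one
            incidents.append(Incident(host=a.host, alerts=[a]))
    return incidents


def score(inc: Incident, asset_criticality: Dict[str, int]) -> int:
    """Situational context: highest severity, plus 2 for every additional control that
    independently fired, scaled by how critical the asset is (weights are assumptions)."""
    base = max(a.severity for a in inc.alerts)
    corroboration = 2 * (len(inc.sources) - 1)
    return (base + corroboration) * asset_criticality.get(inc.host, 1)


def triage(email, edr, ndr, asset_criticality: Dict[str, int]) -> List[Incident]:
    """Full pipeline: normalize, correlate, and rank incidents highest score first."""
    incidents = correlate(normalize(email, edr, ndr))
    return sorted(incidents, key=lambda i: score(i, asset_criticality), reverse=True)


if __name__ == "__main__":
    # Constructed asset context: the database server is treated as three times as critical.
    ranked = triage(EMAIL_ALERTS, EDR_ALERTS, NDR_ALERTS, {"srv-db01": 3})
    for inc in ranked:
        print(inc.host, inc.sources, [a.name for a in inc.alerts], score(inc, {"srv-db01": 3}))
```

Four raw alerts collapse into two incidents; the workstation's three alerts from three different controls rank above a single low-severity alert on the more critical server, which is the noise-reduction and context-weighting behaviour the text attributes to XDR. A real platform would also correlate on user, process and network indicators rather than host alone, and would tune the window and weights per data source.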

To help security teams easily design and implement effective threat detection, investigation, and response (TDIR) capabilities using XDR, a partnership of cybersecurity providers—including Exabeam, Netskope, SentinelOne and others—announced The XDR Alliance during Black Hat USA 2021.

The goals of the alliance are to define an open XDR framework and architecture that works for end users, help SecOps teams integrate and better align with new and evolving applications and technologies, and ensure interoperability across the XDR security vendor solutions set.

The XDR Alliance has developed a three-tier model that focuses on the core components of the XDR technology stack:

  • Data Sources / Control Points – This refers to the security tooling that generates telemetry, logs and alerts, and acts as control points for response.
  • XDR Engine – This tier is the engine that ingests all the collected data and performs broad threat detection, investigation, and response (TDIR) for SOC operations.
  • Content – This tier includes the pre-packaged content and workflows that allow security organizations to deliver on required use cases with maximum efficiency and automation.


“We are at an inflection point with an extremely fragmented industry that requires all of us in the vendor community to come together to strengthen organizations’ SOCs. The XDR Alliance brings together the most forward-thinking names in cybersecurity and IT to collaborate on building an XDR framework that is open and will make it easier for security operations (SecOps) teams to protect and secure their organizations.”

— Gorka Sadowski, Exabeam Chief Strategy Officer


Implementation Challenges

While XDR platforms are a significant improvement over traditional tools, implementation needs to be carefully planned. Here are a few of the challenges organizations may face.

Stakeholder Buy-in: You might find key stakeholders resistant to change. After all, with the average organization using 45 security controls, it can be hard to convince decision-makers that purchasing yet another solution will be worthwhile.

Integration Complexity: If the platform you want doesn’t integrate well with your existing solutions, you should consider alternative options. Native integration enables you to implement a new platform quickly and benefit from immediate protection enhancements, rather than having to perform excessive integration work.

Operational Complexity: XDR platforms are supposed to ease the burden on security teams, and that extends to their own configuration and maintenance requirements. As you weigh a potential solution, consider whether it is difficult to update or whether its settings cannot be easily set or changed; either shortcoming decreases its value.

Lack of Patience: XDR can reduce manual efforts and increase the efficiency of security analysts, but you will not realize ROI overnight. After the initial solution implementation, the machine learning model will need to acquire knowledge and make refinements over time to strengthen detection capabilities.

Simplify Security Operations

As cyberattacks continue to escalate, effective threat detection and response are critical. The average time to identify and contain a data breach in 2020 was 287 days—more than nine months. Detecting threats among alerts generated by disconnected controls is like finding a needle in a haystack. XDR technology helps shrink the haystack, enabling analysts to correlate telemetry, activity data, and threat detection to discover attacks that otherwise would have remained hidden. It’s not a silver bullet, but a carefully planned implementation can free up security teams and provide the visibility they need to conduct deeper investigations and mitigate threats.

References

  1. 2021 ReliaQuest Security Technology Sprawl Report
  2. Forrester 2020 State of Security Options
  3. IBM Security & Ponemon Institute Cost of a Data Breach Report 2021
  4. Ponemon Institute 2020 Cyber Resilient Organization Report

About the Author
Dan Gregory
VP Solutions Architecture
Dan has more than 15 years of field experience in performing regulatory compliance controls assessments and policy review. Dan has extensive experience in development and internal process audits with a focus on the financial, healthcare, manufacturing, and retail industries. Dan has performed countless controls assessments and efficiently deploys solution-based integrations designed to protect critical infrastructure, data, brand confidence, and reputation.