What is XDR?
- Instead of just Endpoint Detection and Response (EDR), XDR is aimed at providing any-to-any detection and response capabilities.
- As compared to EDR solutions which are focused on protecting specific devices, XDR takes a broader view to provide integrated visibility and threat management across endpoints, cloud infrastructure, mobile devices, and more.
- The X in XDR represents this approach of integrating security for threat detection and response across an enterprise network made up of a large number of systems, each with different security priorities and threats affecting it.
- An XDR solution aggregates data from across the enterprise network and puts it in the right context to provide detection capabilities for sophisticated and distributed attacks.
- XDR solutions can also help respond to an attack in progress or implement preventative measures to block potential threats before they impact any assets.
Detection in XDR: The Past, Present, and Future
- Siloed approach - Too many cooks spoil the broth. When security teams are using dozens of tools, many with specific use cases and some with overlapping capabilities, it becomes difficult to build a unified approach to threat detection. Organizations need to overcome the silos around different security functions for rapid and effective threat detection across all their assets.
- Lack of correlated detection - Another problem arising from security silos is the lack of correlation between threat data from external sources and internal tools. To detect the most sophisticated threats, security teams need to identify and correlate the different pieces of the threat puzzle by analyzing the activity and data collected across their entire security infrastructure.
- Analyst fatigue - The volume of security alerts generated every day has become a challenge in itself for organizations. Without putting the alerts into the right context and eliminating the noise, security analysts can get overwhelmed and lose focus on the most important issues that require their attention.
- Only IOC-based detection - Traditionally, security teams have relied on tools that detect threats based on Indicators of Compromise (IOCs) such as IP addresses, file hashes, domain names, and so on. While IOCs can help detect known threats, it is easy for threat actors to change their IOCs to bypass such detection mechanisms. Moreover, IOCs are not useful in detecting novel attack vectors.
Current Detection Mechanisms
- Data lake or SIEM (via rules) - A Security Data Lake (SDL) or a Security Information and Event Management (SIEM) solution helps organizations ingest, parse, and organize security data from multiple security tools into a common structure.
- Email Gateway - Email gateways can help detect email-borne threats originating from known suspicious domains and block them before they reach the targeted users.
- Network traffic analysis (NTA) - NTA is a method of examining network traffic data to identify malicious activity and attribute it to known IOCs.
- Proxies - A network proxy can help organizations safeguard their employees’ online activity by monitoring outgoing traffic from their networks.
- EDR - Endpoint Detection and Response (EDR) solutions are focused on detecting and mitigating threats on endpoints, such as end-user workstations or servers.
- Cloud Monitoring Solutions - Many of the above solutions are also deployed through cloud platforms to enable threat detection over cloud-based or hybrid infrastructure.
- UEBA from SOCs/NOCs - User and Entity Behavior Analytics (UEBA) solutions help organizations model and detect anomalous behavior of humans and machines within their network.
Future of Threat Detection (eXtended Detections)
- Consolidation of Detection - With the prevalence of point tools built for specific use cases, organizations face new challenges in using and getting value from them. While endpoint protection is necessary, organizations need to ensure that it does not result in greater security complexity and a lack of visibility across the entire organization. This is why the XDR approach to threat detection is a step in the right direction, as it allows organizations to gain a single pane of glass view of their threat environment without delving into all the point tools deployed on their systems.
- Contextualization of Detection - Another critical issue that many point tools face is their reliance on low-level Indicators of Compromise (IOCs) like IP addresses, file hashes, URLs/domains, etc. Such IOCs are often linked to only a single attack and can be easily changed by the threat actors, thereby limiting their use in detecting future attacks. They can also lead to more false-positive alerts. The biggest shortcoming of IOC-based detection is that it is reactive, which means that IOCs are only recorded and used for detection after an attempted or successful security breach. IOCs are thus typically linked to specific incidents instead of being threat-centric, and IOC-based detection does not help detect entirely new threats that are not linked to any previous indicators. Most of the significant breaches in today’s threat landscape are not isolated incidents, but rather a part of more extensive attack campaigns often conducted by sophisticated threat groups. To detect threats from such campaigns, organizations need to analyze historical incidents in conjunction with threat intelligence collected from various sources to figure out the attack patterns. IOCs provide limited help in detecting and contextualizing such sophisticated threats.
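The two ideas above, normalizing telemetry from separate tools into one structure (as a SIEM or security data lake does) and then correlating across sources rather than matching isolated IOCs, can be shown in a few dozen lines. The following is an added example written for this post, not Cyware's code or any product's implementation. The three telemetry feeds, the asset-owner table, the IOC list, the event schema and the rule thresholds (a 600-second window, a 100 KB egress threshold) are all constructed assumptions. On this sample the IOC matcher finds nothing, while the cross-source rule ties a macro attachment, an Office-spawned script host and a large outbound transfer to one user and raises a single contextual alert.

```python
"""Added example (not the post's or Cyware's code): normalize three constructed
telemetry feeds into one schema, then compare IOC-only matching with
cross-source, behaviour-based correlation."""
from collections import defaultdict
from dataclasses import dataclass, field

# --- constructed telemetry, each tool in its own native schema --------------
EMAIL_GATEWAY = [
    {"ts": 100, "rcpt": "alice@example.test", "sender_domain": "invoice-portal.example", "attachment": "invoice.docm"},
    {"ts": 110, "rcpt": "bob@example.test", "sender_domain": "invoice-portal.example", "attachment": "invoice.docm"},
]
EDR = [
    {"ts": 160, "host": "WS-ALICE", "user": "alice", "parent_image": "winword.exe", "image": "powershell.exe", "sha256": "1111"},
    {"ts": 165, "host": "WS-BOB", "user": "bob", "parent_image": "winword.exe", "image": "winword.exe", "sha256": "2222"},
]
PROXY = [
    {"ts": 170, "src_host": "WS-ALICE", "dst_domain": "cdn-updates.example", "bytes_out": 520_000},
    {"ts": 180, "src_host": "WS-BOB", "dst_domain": "intranet.example.test", "bytes_out": 1_200},
]
ASSET_OWNER = {"WS-ALICE": "alice", "WS-BOB": "bob"}  # constructed asset inventory (host -> user)

# --- a constructed IOC list, as a point tool would consume it --------------
IOC_DOMAINS = {"known-bad.example"}
IOC_HASHES = {"0000"}


@dataclass
class Event:
    """Common schema every source is mapped into; `user` is the join key."""
    ts: int
    source: str
    user: str
    action: str
    detail: dict = field(default_factory=dict)


def normalize():
    """Map each native record onto the common schema and order by time."""
    events = []
    for e in EMAIL_GATEWAY:
        events.append(Event(e["ts"], "email", e["rcpt"].split("@")[0], "mail_delivered",
                            {"domain": e["sender_domain"], "attachment": e["attachment"]}))
    for e in EDR:
        events.append(Event(e["ts"], "edr", e["user"], "process_start",
                            {"parent": e["parent_image"], "image": e["image"], "sha256": e["sha256"]}))
    for e in PROXY:
        events.append(Event(e["ts"], "proxy", ASSET_OWNER.get(e["src_host"], "unknown"), "egress",
                            {"domain": e["dst_domain"], "bytes_out": e["bytes_out"]}))
    return sorted(events, key=lambda ev: ev.ts)


def ioc_alerts(events):
    """Traditional detection: flag any event whose domain or hash is on the IOC list."""
    return [(ev.user, ev.source, ev.action) for ev in events
            if ev.detail.get("domain") in IOC_DOMAINS or ev.detail.get("sha256") in IOC_HASHES]


# Assumed rule parameters for the correlation below.
MACRO_EXTS = (".docm", ".xlsm")
OFFICE = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
WINDOW = 600           # seconds after mail delivery in which the chain must complete
EGRESS_BYTES = 100_000  # outbound volume considered large for this example


def correlated_alerts(events):
    """Behaviour-based detection across sources: macro mail -> Office spawns a
    script host -> large egress, all for the same user within WINDOW seconds."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for mail in (e for e in evs if e.action == "mail_delivered"
                     and e.detail["attachment"].endswith(MACRO_EXTS)):
            window = [e for e in evs if mail.ts <= e.ts <= mail.ts + WINDOW]
            spawn = next((e for e in window if e.action == "process_start"
                          and e.detail["parent"] in OFFICE
                          and e.detail["image"] in SCRIPT_HOSTS), None)
            if spawn is None:
                continue
            egress = next((e for e in window if e.action == "egress" and e.ts > spawn.ts
                           and e.detail["bytes_out"] >= EGRESS_BYTES), None)
            if egress is None:
                continue
            alerts.append({"user": user, "chain": [mail.source, spawn.source, egress.source],
                           "first_seen": mail.ts, "last_seen": egress.ts,
                           "egress_domain": egress.detail["domain"]})
    return alerts


if __name__ == "__main__":
    evs = normalize()
    print("IOC-only hits:", ioc_alerts(evs))
    for alert in correlated_alerts(evs):
        print("Correlated alert:", alert)
```

The user column is the join key here only because the constructed asset inventory maps each host to one owner; in a real deployment the normalization step is where most of the effort goes, because each tool's records have to be mapped to shared entity identifiers before any cross-source rule can fire. Note also that the IOC matcher and the correlation rule are complementary rather than alternatives: the sample is built so that neither the sender domain nor the binary hash is on the IOC list, which is exactly the situation the post describes where a novel campaign slips past indicator matching but is still visible as a pattern of behaviour.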
How Cyware helps customers go beyond XDR
How Cyware helps partners go beyond XDR
Posted on: September 21, 2021