In the world of cybersecurity, acronyms abound. From AV to EPP to EDR and now XDR, these changing technologies reflect an ever-present truth: cyber threat actors keep evolving, and defenders need to stay one, or more, steps ahead. Coupled with the shifting threat landscape are the innovations in business and business operations themselves. We’ve moved from an on-prem world bounded by a manageable network perimeter to a distributed, cloud-powered infrastructure, with remote working and 5 billion monthly teleconferences adding to the complexity of ensuring business and operational security. On top of all that, as any CISO will tell you, the number of cyberattacks, cyber attackers, and offensive tools keeps increasing.
The security technologies of the past were not built to cope with today’s complex, fast-moving threatscape. The evidence for that is compelling: rising ransomware attacks coupled with data breaches and IP theft, strained SOC teams dealing with alert fatigue and staffing shortages, and the proliferation of attacks that succeed despite the presence of traditional security tools.
It’s clear that we need a new and more holistic approach to detection and response, one that not only encompasses traditional endpoints but also includes the increased attack surface such as network and cloud. Fortunately, these are just some of the problems XDR was designed to solve. In this post, we’ll explain what XDR is and how it changes the game to empower enterprise security teams and put threat actors on the back foot.
What is XDR?
XDR, Extended Detection and Response, is the evolution of EDR, Endpoint Detection and Response. EDR, particularly ActiveEDR, brought visibility and automated response to endpoints like laptops and workstations, but today’s environment has many other assets that an attacker may traverse on the road to a successful compromise, from mobile phones and IoT devices to containers and cloud-native applications.
Sometimes referred to as “Cross-Layered” or “Any Data Source” detection and response, XDR extends beyond the endpoint to make decisions based on data from more products and can take action across your stack by acting on email, network, identity, and beyond.
What are the benefits of XDR over EDR?
XDR replaces siloed security and helps organizations address cybersecurity challenges from a unified standpoint. With a single pool of raw data comprising information from across the entire ecosystem, XDR allows faster, deeper and more effective threat detection and response than EDR, collecting and collating data from a wider range of sources.
XDR provides more visibility and context into threats. Incidents that would otherwise have gone unaddressed surface to a higher level of awareness, allowing security teams to remediate, reduce further impact, and minimize the scope of the attack. A typical ransomware attack lands in an email inbox, executes on the endpoint, and then traverses the network. Addressing security by looking at each of those layers independently puts organizations at a disadvantage. XDR integrates those layers so that allowing, blocking, removing access, and more can all happen via custom rules written by the user or by logic built into the engine.
This comprehensive visibility leads to several benefits, including:
- increased ability to detect stealthy attacks
- reduced dwell time
- increased speed of mitigation
Moreover, thanks to AI and automation, XDR helps reduce the burden of manual work on security analysts. An XDR solution can proactively and rapidly detect sophisticated threats, increasing the productivity of the security or SOC team and returning a measurable boost in ROI for the organization.
How is XDR different from SIEM?
Although both XDR and SIEM tools collect data from multiple sources, they differ in what they do with it. A SIEM is primarily a log aggregation and search platform: its detections are only as good as the correlation rules its operators write and tune, and response is typically left to analysts or delegated to a separate SOAR tool. Like passive EDR tools, it surfaces alerts for humans to investigate rather than acting on them, so to be useful a SIEM requires a great deal of manual investigation and analysis. An XDR platform, by contrast, ships with cross-stack detection logic and can take automated response actions across the sources it integrates.
Fortunately, if you have invested in SIEM tools, these need not be made redundant by your XDR platform, as they can directly feed into your XDR platform’s data lake, exposing all that raw data to the XDR’s AI and machine learning capabilities.
What should I look for in a good XDR solution?
The first key to an effective XDR solution is integration. It needs to work seamlessly across your security stack, using native tools with rich APIs. Within that, look at the extent to which the engine offers out-of-the-box cross-stack correlation, prevention, and remediation, and whether users can build on that engine by writing their own cross-stack custom rules for detection and response. Beware immature or rushed solutions that may be nothing more than old tools bolted together. Your XDR should offer a single platform that allows you to easily and rapidly build a comprehensive view of the entire enterprise.
Second, automation backed by advanced AI and proven machine learning algorithms is essential. Does your vendor have a track record of developing state-of-the-art AI models, or are they primarily known for legacy technologies and now trying to change their spots?
Third, how easy is your XDR solution to learn, maintain, configure and update? One of the main advantages a strong XDR solution brings is increased staff productivity through automated detection and response. However, you want to be sure you’re not simply redirecting your staff’s work into managing or navigating a complicated solution.
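The cross-stack custom rules discussed above, and the email-to-endpoint-to-network ransomware chain described earlier, as an added example of what such a rule looks like in code. This is illustrative Python written for this page, not SentinelOne code or any vendor’s rule language; the event records, field names, the 30-minute stage window and the SMB fan-out threshold of three hosts are all constructed assumptions. The point it makes is that each layer alone yields only a weak signal (a macro attachment, a PowerShell launch, some SMB traffic), while joining them on the user and host they share produces a high-confidence incident and a concrete response plan.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one normalized record per
# security layer, as an XDR data lake might hold them after ingestion.
EVENTS = [
    {"source": "email",    "ts": "2024-03-04T09:00:00", "user": "alice", "attachment": "invoice.docm", "msg_id": "m-101"},
    {"source": "identity", "ts": "2024-03-04T09:02:00", "user": "alice", "host": "WS-017", "action": "logon"},
    {"source": "endpoint", "ts": "2024-03-04T09:05:00", "host": "WS-017", "parent": "WINWORD.EXE", "process": "powershell.exe"},
    {"source": "network",  "ts": "2024-03-04T09:07:00", "host": "WS-017", "dst": "FS-01", "dst_port": 445},
    {"source": "network",  "ts": "2024-03-04T09:07:05", "host": "WS-017", "dst": "FS-02", "dst_port": 445},
    {"source": "network",  "ts": "2024-03-04T09:07:09", "host": "WS-017", "dst": "FS-03", "dst_port": 445},
    # Benign noise: an admin running PowerShell from the desktop on another host.
    {"source": "identity", "ts": "2024-03-04T09:01:00", "user": "bob", "host": "WS-022", "action": "logon"},
    {"source": "endpoint", "ts": "2024-03-04T09:06:00", "host": "WS-022", "parent": "explorer.exe", "process": "powershell.exe"},
    {"source": "network",  "ts": "2024-03-04T09:08:00", "host": "WS-022", "dst": "FS-01", "dst_port": 445},
]

MACRO_EXT = (".docm", ".xlsm", ".pptm")
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WINDOW = timedelta(minutes=30)   # assumption: each stage must follow the previous within 30 min
SMB_FANOUT = 3                   # assumption: SMB to >= 3 distinct hosts counts as lateral movement


@dataclass
class Incident:
    user: str
    host: str
    stages: list
    severity: str
    actions: list


def _t(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events):
    """Join email, identity, endpoint and network records on shared user/host
    within a time window; return one Incident per confirmed chain."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["source"], []).append(e)

    incidents = []
    for mail in by_src.get("email", []):
        # Stage 1 (email layer): a macro-enabled attachment reached a mailbox.
        if not mail["attachment"].lower().endswith(MACRO_EXT):
            continue
        # Identity layer pivots the mailbox owner to the hosts they logged on to afterwards.
        hosts = {i["host"] for i in by_src.get("identity", [])
                 if i["user"] == mail["user"] and i["action"] == "logon"
                 and _t(mail) <= _t(i) <= _t(mail) + WINDOW}
        for host in hosts:
            # Stage 2 (endpoint layer): an Office process spawned a script host on that machine.
            spawns = [p for p in by_src.get("endpoint", [])
                      if p["host"] == host and p["parent"] in OFFICE_PARENTS
                      and p["process"].lower() in SCRIPT_HOSTS
                      and _t(mail) <= _t(p) <= _t(mail) + WINDOW]
            if not spawns:
                continue
            first = min(spawns, key=_t)
            # Stage 3 (network layer): that host then fanned out over SMB to many peers.
            smb_targets = {n["dst"] for n in by_src.get("network", [])
                           if n["host"] == host and n["dst_port"] == 445
                           and _t(first) <= _t(n) <= _t(first) + WINDOW}

            stages = ["macro_attachment_delivered", "office_spawned_script_host"]
            actions = ["quarantine_message:" + mail["msg_id"], "kill_process_tree:" + host]
            severity = "high"
            if len(smb_targets) >= SMB_FANOUT:
                stages.append("smb_fanout_%d_hosts" % len(smb_targets))
                actions += ["isolate_host:" + host, "disable_account:" + mail["user"]]
                severity = "critical"
            incidents.append(Incident(mail["user"], host, stages, severity, actions))
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

Run against the constructed events, the rule produces a single critical incident for alice on WS-017 with four response actions spanning the email, endpoint and identity layers, while bob’s PowerShell session on WS-022, which looks identical to the malicious one at the endpoint layer alone, is never flagged because no email stage ties to it. Dropping the network events from the input still yields the incident, but at "high" severity and without host isolation, which is the graded response a cross-stack rule allows.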
Cybersecurity is often likened to an arms race between attackers and defenders, and that race is now extending beyond the single layer of the endpoint. As businesses embrace remote working and cloud infrastructure, introducing an increasing attack surface, only an integrated platform can provide the visibility and automated defenses required across all assets. By combining endpoint, network, and application telemetry, XDR can provide security analytics to win that race through enhanced detection, triage, and response.
Jan Tiezte, Director Security Strategy EMEA, SentinelOne