2019 is witnessing a wave of “awakening” in cybersecurity Threat Detection and Response (‘TDR’). The domain has gained greater interest in recent years, as organisations determined “prevention” was no longer enough. Until recently, TDR consisted of three main solution categories:
- Single-sensor security solutions: Mainly Endpoint Detection and Response or Endpoint Protection Platform (EDR/EPP);
- Managed security solutions: Managed Detection and Response (MDR) and Managed Security Service Provider (MSSP), ranging in the level of response they provide;
- Data management solutions: that better organise, visualise, and serve organisations’ data. Mainly, these are Security Information and Event Management (SIEM) platforms.
A new chapter in threat detection & response
Since the beginning of 2019, however, we’ve seen a shift in the way organisations and vendors address threat detection efficiency, bringing about a new category. Specifically, security vendors are attempting to improve the allocation of data sources, threat telemetry and analytics delivery along with the accessibility of cyber-adversary expertise.
Aligning with this mind shift, cybersecurity analysts are now trying to name a new and improved category for threat detection and response. Currently dubbed ‘EDR+’, or ‘XDR’, this new TDR category aims to move beyond endpoint/single-sensor level, and can be affiliated with two main enhancements:
- Consolidation of data sources. New solutions are expanding their data sources (platforms, logs, events) to gain a broader view of the environment and enable organisations to better tackle the growth in attack surfaces and in the sophistication of threats. A good case in point would be Palo Alto Networks and Trend Micro’s recently launched ‘XDR’ solutions – both of which expand detection beyond the endpoint. Google and Microsoft are also consolidating technologies, pushing telemetry beyond endpoint level on Google Cloud Platform and Microsoft Azure products.
- Automation of processes. Recent ESG research found two of the top five challenges for threat detection and response deal with the human factor: hindrance caused by manual processes and the shortage in cyber-adversary expertise. While security operations centre (SOC) processes are likely to remain analyst-centric, CISOs and SOC teams have started looking closer into self-sufficient, effective detection and response tools. These should also enable less friction with noise.
Is EDR dead?
The EDR market is undergoing changes. Forrester’s Josh Zelonis went so far as to describe VMware’s acquisition of Carbon Black as “signalling the end of ‘endpoint’ detection and response.” Is this really it? According to Gartner, not quite yet. We can expect, however, to see EDR merge into EPP, with greater emphasis on incident response.
Regardless of the case of EDR, organisations and vendors are increasingly looking to improve threat detection and response capabilities. ‘XDR’ would be the latest and greatest to support this notion, representing solutions that push the envelope beyond endpoint level, correlating multiple data sources, and automating these processes on the go.
Vendors who offer vendor-specific ‘XDR’ can only push so far, however. They have expanded data correlation beyond the endpoint but have stayed within their own perimeters.
An effective ‘XDR’ solution should be able to correlate events and log data from every data source, platform, and device in a vendor-agnostic manner to proactively detect threats and provide a full analysis of attack story. When highly effective, it should also allow you to utilise your existing security controls for holistic, spot-on detection.
Humans can’t be the best hunters
‘XDR’ has yet to be formalised as a new category. Vendors and analysts may yet think of new, better ways to label this evolution in threat detection and response. Whatever the case may be, the source of change is certain: businesses are connected more nowadays than ever before, and are continuously expanding their data sources. Digital transformation has brought an escalated growth in data, and this growth is unlikely to end. While, respectively, cyberattackers are also becoming more advanced in their tactics, techniques and procedures (TTPs), one thing becomes clearer: human experts alone cannot sufficiently analyse organisational data and protect against threats - the scope is just too big. To allow efficacy in threat detection and response, organisations will have to start looking at organisational data holistically, and correlate threat signals. In addition, machine power will have to be brought into the game to correlate at scale.
So, what would such a machine look like? As mentioned, the volume of data coming from network logs and other sensors is enormous, and is too large for humans alone to analyse. One option is using artificial intelligence tools, such as neural networks. Neural net capabilities can be used in very large data sets to run transformations and domain reductions, and enable organisations to look at their data with a very focused perspective. However, pouring in the cyber-human domain expertise may still prove to be the tricky part. When successful, a neural network-powered expert system can be used for sophisticated, creative tasks. Such tasks can include tracing after file-less attacks that use existing endpoint software, battling with asymmetric cyberwarfare, and identifying advanced persistent threats. Ultimately, using those human-based skills in a scalable, automated manner - is the key to achieve better detection and improve response time.
What can you do to start improving threat detection efficiency?
- Cover a variety of attack surfaces, including cloud, endpoint, network, etc.
- Count on automation to ensure threat detection is happening constantly and rapidly
- Choose solutions that offer interoperability and allow you to utilise the protection tools that best fit your business
- Bulk up on cyber-adversary expertise to make sure you can proactively and effectively tackle cyber-attackers
It’s clear that we’ve reached a new chapter in the evolution of cybercrimes. As cybercriminals become more advanced, threat detection and response procedures must develop as well to keep businesses and their data safe. With the above steps, CIOs, CISOs, and security teams can begin detecting threats earlier and preventing real damage. It’s time to stop looking for threats and start finding them instead.
Uri May, CEO, Hunters