Fortinet: Extended Detection and Response (XDR) critical for security automation
Jon McGettigan, Fortinet A/NZ Regional Director, explains why more and more enterprises are adopting XDR (extended detection and response) capabilities to reduce MTTD (mean time to detection) and apply AI techniques to fast-track MTTR (mean time to response).
MTTD and MTTR. Two acronyms that quantify how well your security services work. MTTD – mean time to detection – signifies the time gap between when a potential threat enters your network and when you know about it. The shorter, the better.
MTTR – mean time to response – represents how long it takes you to analyse the anomalous behaviour, decide if it is indeed a threat and then respond appropriately. Every nanosecond counts. Especially with fast-moving ransomware attacks.
Typically MTTD is addressed by your integrated security services. Firewalls, endpoint protection, anti-virus, network access controls, intrusion prevention systems and more all work together to detect any anomalous behaviour. MTTR, on the other hand, takes highly-trained pros to determine if the threat is real, what actions to take and then act.
But people are slow (even the smartest), false positives tie up valuable resources and the sheer volume of anomalies can overwhelm even the most agile security operations teams. The solution is to automate as many of the SOC (security operations centre) tasks as possible without compromising your overall security process. And to do that, more and more enterprises are turning to XDR (extended detection and response) to minimise MTTD and optimise MTTR.
XDR to the rescue
XDR solutions capture and structure disparate security metrics from all of your security services, including multiple vendors, and classify them according to their attack surface in a ‘data lake’. This data lake, essentially a data repository, stores the data in their raw format whilst retaining all of their relationships to facilitate processing. XDR then creates new associations to facilitate automated analysis.
Since all of the data are normalised (i.e. comparing apples to apples), XDR can automatically identify not just an anomaly but where and how it might affect other components of the network. False positives are reduced, genuine threats are isolated and neutralised, and the XDR solution ‘learns’ from the exercise to refine the process moving forward. As a result, many of the initial manual tasks that fell onto your SOC operators can be handled at speed by a machine, and your smart humans can focus on being proactive instead of reactive.
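As an added illustration (not Fortinet's code, nor any XDR product's) of the normalisation and correlation step described above, together with the MTTD and MTTR measures defined at the start of the article: two constructed events in different formats are mapped onto one schema, grouped by host, and timed from first entry to detection and from detection to response. All formats, hosts and timestamps are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample events from two different services (not real vendor formats):
# a key=value firewall log line and an EDR alert in JSON. All timestamps are UTC.
FIREWALL_LINE = "2024-05-01T10:00:05Z src=10.0.0.7 dst=203.0.113.9 action=deny sig=c2-beacon"
EDR_ALERT = '{"ts": "2024-05-01T10:00:40Z", "host_ip": "10.0.0.7", "hostname": "ws-07", "detection": "ransomware-precursor"}'
FIRST_SEEN = "2024-05-01T09:58:00Z"   # when the activity entered the network (constructed)
RESPONDED = "2024-05-01T10:03:00Z"    # when automated containment completed (constructed)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalise_firewall(line):
    """Map a key=value firewall line onto the common schema; raw line retained."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": parse_ts(ts), "source": "firewall", "host": fields["src"],
            "indicator": fields["sig"], "raw": line}

def normalise_edr(text):
    """Map an EDR JSON alert onto the same schema; raw record retained."""
    a = json.loads(text)
    return {"ts": parse_ts(a["ts"]), "source": "edr", "host": a["host_ip"],
            "indicator": a["detection"], "raw": text}

def correlate(events):
    """Group normalised events by host, oldest first, so detections from
    different services about the same asset are assessed together."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    return by_host

def mttd_mttr_seconds(first_seen, events, responded):
    """For one incident: entry-to-first-detection and detection-to-response.
    The 'mean' in MTTD/MTTR is the average of these over many incidents."""
    first_detect = min(e["ts"] for e in events)
    return ((first_detect - parse_ts(first_seen)).total_seconds(),
            (parse_ts(responded) - first_detect).total_seconds())

def demo():
    events = [normalise_firewall(FIREWALL_LINE), normalise_edr(EDR_ALERT)]
    groups = correlate(events)
    mttd, mttr = mttd_mttr_seconds(FIRST_SEEN, groups["10.0.0.7"], RESPONDED)
    return groups, mttd, mttr

if __name__ == "__main__":
    print(demo())
```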
Moving beyond EDR, SIEM and SOAR
XDR leverages your current security service framework to consolidate the detection capabilities of your firewalls, EDR (endpoint detection and response) and SIEM (security information and event management) solutions. It then extends the automated response functions of SOAR (security orchestration, automation and response) to all nodes on your network.
XDR is most effective when your security services are interconnected, comprehensive across the entire network and support common security policies for all services. An integrated security fabric reduces the machine resources required to normalise disparate data sets and takes advantage of existing data relationships. This facilitates detection and reduces overall MTTD.
Similarly, interconnected services and common security policies provide a pre-defined (and self-learning) set of actions and remediation routines that can be fully automated without having to transform data characteristics and responses set up by non-standard point solutions.
XDR: What is required
Automation powers XDR. But building an XDR isn’t automatic. You need to ensure that every network component is secured and that the activity metrics can be captured and structured. Gaps are just as dangerous with XDR, if not more so. Your security policies have to account for every one of those components and contain clear pathways to isolate and mitigate any threats that enter (or try to enter) your network.
Once you have done that, you and your network can start to take advantage of the many benefits of XDR and decrease your MTTD whilst optimising MTTR.
About the author
Jon McGettigan is Fortinet’s Regional Director Australia, New Zealand & Pacific Islands. As such, he is responsible for driving Fortinet’s continued expansion in the region through building and maintaining relationships with businesses, Partners and staff. As a senior executive, he understands the risks, motivations and opportunities that face enterprises as they transform their networks into 21st century revenue centres.
Fortinet (NASDAQ: FTNT) secures the largest enterprise, service provider and government organisations around the world. Fortinet empowers customers with complete visibility and control across the expanding attack surface and the power to take on ever-increasing performance requirements today and into the future. Only the Fortinet Security Fabric platform can address the most critical security challenges and protect data across the entire digital infrastructure, whether in networked, application, multi-cloud or edge environments.
Fortinet ranks #1 in the most security appliances shipped worldwide and more than 500,000 customers trust Fortinet to protect their businesses. Both a technology company and a learning organisation, the Fortinet Network Security Expert (NSE) Training Institute has one of the largest and broadest cybersecurity training programs in the industry. Learn more at the Fortinet website, the Fortinet Blog, or FortiGuard Labs.