How an intelligence-driven approach can close the XDR gap
Article by Anomali senior VP and GM Stree Naidu.
Threat detection isn’t getting any easier. Today’s threat actors are escalating the number of attacks they launch, going after more targets, using increasingly sophisticated techniques, and achieving their goals through a surreptitious approach.
With more than 2,000 security vendors catalogued and organisations reporting an average of 45 security solutions deployed, why aren’t we any closer to solving the threat detection gap?
To answer this question, we must first ask, what are we trying to achieve?
For years now, the ‘whack-a-mole’ approach of detecting discrete threats has been at best a stopgap for the next inevitable attack. The always-shifting nature of adversaries, emergence of new vulnerabilities and exploits, and the all-menacing ‘zero-day’ leads to the continued proliferation of incidents.
As soon as we close one door to attackers, they find and open another. There’s more to this, though. Some of the answers can be found in the failure to optimise existing tools to give teams visibility over threats.
An industry analyst said recently: “We’ve reached an inflection point. Enterprises know that the resources needed to greatly improve their security operations exist, they are now hungry to start using them to their maximum potential.”
In other words, we know the goods are available. So how do we start using them to better find and neutralise the bad actors?
Enter extended detection and response (XDR).
Lately, XDR has become the white-hot name in the security world. Scores of vendors are entering the fray. Dozens of industry analysts are quickly validating XDR as more than just a buzzword, with Gartner adding XDR to the ‘innovation trigger’ on the newly created Security Operations Hype Cycle.
While there has been enthusiasm for trends at different periods, the level that XDR is generating is similar to three other significant movements that changed the course of computing and security.
The first was for security information and event management (SIEM). The second was during the ‘big data’ era. The third was for ‘cloud’, which in many ways has been reinvigorated due to COVID-19.
XDR: What is it?
XDR is an architecture in terms of how enterprises can leverage it to maximise the performance of their overall security investment to take action against threats at the fastest possible speed.
Organisations that run on top of XDR architectures can move closer to managing their security infrastructure as an integrated, unified platform. With XDR, security operations centres (SOCs) can break silos to converge all security data and telemetry generated by security technologies they’ve deployed (tech that includes firewalls, EDR, CASB, SIEM, SOAR, TIP etc.).
With this information, they can generate strategic threat intelligence that empowers immediate threat detection, streamlined investigations, and high-performance, automated-response capabilities that isolate and mitigate threats before they escalate into costly and disruptive incidents.
XDR: The early days?
XDR is perceived as new (added to the hype cycle just over eight months ago). Although there is hype, it is a very real movement within the security market.
The emergence of attention and excitement around XDR has caught the attention of many. Not only because it is ushering in acceptance of an available leap forward when it comes to closing the gap between information gathering, detection, and response, but also in many ways because it validates what Anomali has been delivering to the market all along.
XDR, COVID-19, and the cloud
No future vision of any technology can be presented without acknowledging what impact the cloud will have on it, and the same can now be said of COVID-19. Any enterprise that wasn’t a cloud operation before the pandemic is undoubtedly one now. Organisations that have made it through this past year will never descend from the cloud.
The cloud provides consistent access in a world that is now characterised by uncertainty. People may not be allowed into the office, but they can always connect from remote locations. Sales reps may not be able to travel to customer locations, but they can always meet virtually. Marketers may no longer have access to trade shows, but they are finding ways to keep their organisations relevant through virtual events.
For businesses, leaders, and employees, the cloud has become essential to survivability.
The ability to scale fast enough for millions of workers and processes to shift from the office to a remote reality could be handled only because of the cloud. For security operations, the cloud has, of course, created new challenges.
Overnight, millions of endpoints connected to corporate networks via at-home WiFi, meetings started taking place over vulnerable video and chat applications, data became cloud-native, patching and vulnerability scanning backlogged. Unfortunately, this sea change wasn’t missed by adversaries, which are taking advantage of it all.
To meet the present and keep pace with the future, XDR has to move into the cloud as well. It’s the only way it will be able to scale alongside the new IT infrastructure reality.
Remember when Big Data burst onto the scene? As it quickly became part of the Silicon Valley vernacular, everywhere we turned, there were vendors ‘differentiating’ by claiming that their solutions were ‘Big Data Ready.’ As it turned out, this wasn’t all hype. Security technologies that could handle massive data volumes ended up in the winners’ column.
In that same vein, soon we are sure to see vendors start differentiating their XDR by marketing around terms like ‘Cloud Native.’ Although much of this will be marketing, enterprises should demand that vendors can do XDR in the cloud before investing.
XDR: The end game
Gaining the ability to holistically manage a security infrastructure, ingest every bit of security data available, and then use it to automate threat detection and response has always been a goal of security.
Unattainable? Maybe not. Established players are committing huge resources to bringing XDR solutions to market. Disruptive start-ups are eager to contribute. Enterprises have everything to gain from the efficiency and risk reduction benefits it promises to provide. It’s worth keeping an eye on the XDR wave.