Expanded Horizons: The Benefits of XDR


Sivan Tehila, co-authored by Jacob Leichter

Networks experience a constant stream of activity from all connected devices. Keeping track of the goings-on across even a small network poses a challenge for security teams, and the problem only grows as the network expands. Because of this, it is all too easy for suspicious activity or actual attacks to go undetected until real damage is done. Detection and response solutions were developed to help mitigate this issue. These tools facilitate the collection and presentation of network activity, allowing security personnel to mount faster and more targeted responses to threats. Some detection and response tools even leverage artificial intelligence to automatically launch initial mitigation efforts, potentially containing the attack and preventing additional damage. Whether it is a more rudimentary tool or a newer “next-gen” implementation, a detection and response solution is an excellent asset to an effective security architecture.

There have been, until recently, two general varieties of detection and response tools available on the market. The first is known as Endpoint Detection and Response (EDR), which has been around since Gartner coined the term in 2013 in reference to arrays of tools that collect and aggregate data into a centralized location. As the name suggests, an EDR functions primarily, if not entirely, on the endpoint itself. While this is not without its benefits, EDRs are severely limited in their range of observation on a network. Because endpoints have very high levels of activity, the sheer volume of alerts increases the chances of critical incidents being missed by overwhelmed security teams. As technology evolves and security tools become more complex, personnel may not be able to keep up with new trends or be able to juggle multiple EDR tools simultaneously. 

Enter the second of the two options, Managed Detection and Response (MDR). MDR utilizes EDR solutions, as well as other network monitoring tools like SIEM or IDS, to report on network activity and coordinate responses to incidents. However, it does not stop there. MDR outsources the monitoring and response efforts to third-party providers. These external teams can do everything from investigations to containment to restoration of normal business operations. Having the extra manpower is a huge boon to smaller security teams or to organizations with high traffic on their networks. This is, unfortunately, a more costly option and may exceed budgetary constraints for small- and medium-sized companies. 

EDR solutions and MDR providers offer invaluable services to security teams looking to keep a close watch on their networks, but they are not without their shortcomings. EDR can be good for tracking endpoint activity, but fails to monitor other areas of the network. Similarly, having to use multiple tools can be overwhelming for security personnel. MDR can ease this burden by contracting external professionals to shoulder some or all of the detection and response demands, but it is not a fix for a lackluster in-house security architecture and it carries a price tag. As such, neither of these solutions on its own adequately meets an organization’s security needs.

Organizations faced this challenge until 2018, when Palo Alto introduced the newest iteration of detection and response tools: Extended Detection and Response (XDR). XDR aims to simplify and streamline the security process by combining multiple tools and processes into one centralized location. XDR platforms utilize detective tools both within the network and across the Internet in the form of cyber threat intelligence (CTI) sources, using this diverse array of information to conduct continuous analyses of the network to look for any anomalous behaviors. If such activity is discovered, the XDR solution can be configured with response playbooks or leverage linked tools to implement automated response efforts to contain incidents before serious damage is done. 

XDR may sound exactly like a SIEM platform, but they are not the same. A SIEM simply collects data from across the network. XDR does the same, perhaps in a greater capacity by pulling information from a wider variety of sources, including Identity and Access Management, endpoints, and connected IoT devices. Where XDR prevails over SIEM is in how it utilizes this information. SIEM sends off alerts for security personnel to follow up on. XDR also aggregates the data and sends it to the security teams for follow-up, while orchestrating preliminary responses using automated processes. And, with the incorporation of artificial intelligence and machine learning, the automation behind the detective and responsive capabilities is constantly refined to continually improve these procedures. 
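To make the contrast with a SIEM concrete, here is an added Python sketch (not code from the original post or from any vendor's product) of the cross-source correlation and playbook behaviour described in the two paragraphs above: IAM, endpoint and CTI signals are joined per host, and an automated response fires only when the combined evidence crosses a threshold. The events, the CTI domain, the weights and the action names are all constructed for the example.

```python
"""Toy XDR-style correlation: join signals from several sources per host,
score them, and run a response playbook once the combined score is high enough.
A SIEM would raise each signal as its own alert; here no single signal reaches
the threshold, so only the correlated picture triggers containment."""
from collections import defaultdict

# Constructed sample telemetry (not real logs); each event names its source.
EVENTS = [
    {"source": "iam", "user": "alice", "host": "ws-17", "type": "login", "geo": "unusual"},
    {"source": "endpoint", "host": "ws-17", "type": "process",
     "name": "powershell.exe", "parent": "winword.exe"},
    {"source": "endpoint", "host": "ws-17", "type": "dns", "query": "bad.example"},
    {"source": "endpoint", "host": "ws-03", "type": "dns", "query": "cdn.example"},
]
# Constructed threat-intel indicator set (placeholder domain, not a real IoC).
CTI_DOMAINS = {"bad.example"}

# Playbook threshold: each weight below is under it on its own (assumed values).
THRESHOLD = 70

def score_event(ev):
    """Return (reason, points) for one event, or None if it looks benign."""
    if ev["source"] == "iam" and ev.get("geo") == "unusual":
        return ("unusual login geography", 30)
    if ev["type"] == "process" and ev.get("parent") == "winword.exe":
        return ("office app spawned shell", 30)
    if ev["type"] == "dns" and ev.get("query") in CTI_DOMAINS:
        return ("DNS to CTI-listed domain", 40)
    return None

def correlate(events):
    """Group weighted signals by host; return {host: (score, [reasons])}."""
    incidents = defaultdict(lambda: [0, []])
    for ev in events:
        hit = score_event(ev)
        if hit:
            incidents[ev["host"]][0] += hit[1]
            incidents[ev["host"]][1].append(hit[0])
    return {host: (score, reasons) for host, (score, reasons) in incidents.items()}

def run_playbook(incidents):
    """Emit automated actions: isolate above threshold, otherwise open a ticket."""
    actions = []
    for host, (score, reasons) in sorted(incidents.items()):
        if score >= THRESHOLD:
            actions.append(("isolate_host", host, reasons))
        elif score > 0:
            actions.append(("open_ticket", host, reasons))
    return actions

if __name__ == "__main__":
    for action in run_playbook(correlate(EVENTS)):
        print(action)
```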

These are not the only benefits of XDR for organizations. Cisco, the vendor behind the SecureX cloud suite, crunched the numbers on just how helpful XDR can be in the security response process. They found that alerts sat for 72% less time with an XDR than without, meaning potential threats were investigated much faster. Given the decrease in time to follow up on incidents, responses could be mounted at a quicker rate, saving anywhere from 6 to 10 hours in total. Furthermore, the expanded look across the entire architecture and the use of threat intelligence allowed security teams to catch both common vulnerabilities and trickier attack vectors that would otherwise be missed by more traditional controls. 

As the threat landscape evolves to feature innovative methods targeting any element within the infrastructure, security personnel must develop new ways to detect suspicious activity and protect against potential attacks. The cybersecurity arsenal is constantly growing to include tools that counter threat actors’ latest efforts. Using each of these solutions in isolation does not make for a manageable defensive strategy, as it slows down the investigative process and, thus, the response time to contain events and return to normal operations. XDR allows cybersecurity practitioners to combine all the parts of their toolbox into one unified platform for more efficient detection and response processes, freeing up their time to focus on helping the organization achieve its business goals.
