Extended detection and response in networks, endpoint devices, and the cloud

Searching for a Cure

Integrated XDR

XDR environments should provide a wide range of capabilities rather than merely bundling separate products. Because XDR is typically delivered as SaaS, functionality should include unified licensing, subscription, and integrated deployment. Centralized dashboards that visualize the threat landscape are also mandatory for XDR products. Events need to be consolidated across the various networks and systems.

High performance in correlating and analyzing data to produce usable information is a central feature. One of the key challenges in IT security is that, out of the huge number of signals collected, the truly critical threats need to be singled out and analyzed to find a response.

The analysis results of XDR (Figure 2) can be divided into three groups. The events shown in black are clear and known threats. Ideally, the response can be automatic (e.g., by using DDP technologies to redirect the event to decoy systems, rendering the attacks ineffective). The events shown in white are clearly identified as non-critical.

Figure 2: The challenge in IT security is to minimize and target unclear events.

In individual cases, an automated response might still be needed, for example, by IT operations management (ITOM). The middle, gray area is the most problematic because it contains the unknown events that require further analysis by humans. A good XDR solution must reduce this section to the extent possible, while providing good advice as to how to handle the event.

One of the essential functions in analytics is the ability to handle encrypted data and either decrypt the data or draw conclusions by reference to the metadata. Additionally, a wide range of analytical capabilities must be available to identify specialized forms of attack, such as an accumulation of unusual DNS requests or an unexpectedly high or low volume of port scanning operations. The broader the analytical capabilities, the more likely complex attacks will be detected.
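As an added illustration (not part of the original article and not any XDR product's logic), the following Python example sorts hourly event counts into the black, white, and gray groups described above and flags both unexpectedly high and unexpectedly low volumes. The host names, counts, indicator, and the 3.5 threshold are constructed assumptions.

```python
from statistics import median

# Constructed baseline: events per hour from earlier windows, per (source, signal).
BASELINE = {
    ("ws-17", "dns_queries"): [110, 95, 120, 105, 98, 112, 101],
    ("scanner-1", "port_probes"): [4000, 4100, 3950, 4050, 3990, 4020, 4080],
    ("db-03", "dns_queries"): [20, 22, 19, 21, 20, 23, 18],
}
# Constructed indicator standing in for a threat-intelligence feed.
KNOWN_BAD = {"c2.example.invalid"}


def robust_z(history, value):
    """Deviation from the median in MAD units (1.4826 scales MAD to ~1 sigma)."""
    med = median(history)
    mad = median([abs(x - med) for x in history]) or 1.0  # avoid divide-by-zero
    return (value - med) / (1.4826 * mad)


def triage(source, signal, count, indicators=(), threshold=3.5):
    """Return (group, reason): black = known threat, white = non-critical,
    gray = unclear and left for an analyst."""
    if KNOWN_BAD & set(indicators):
        return "black", "matches known indicator"
    history = BASELINE.get((source, signal))
    if history is None:
        return "gray", "no baseline for this source"
    z = robust_z(history, count)
    if abs(z) < threshold:
        return "white", f"within baseline (z={z:.1f})"
    direction = "high" if z > 0 else "low"
    return "gray", f"unexpectedly {direction} volume (z={z:.1f})"


# Constructed observations for the current hour.
WINDOW = [
    ("ws-17", "dns_queries", 2400, ()),        # burst of DNS requests
    ("scanner-1", "port_probes", 12, ()),      # scheduled scanner nearly silent
    ("db-03", "dns_queries", 21, ()),          # ordinary traffic
    ("db-03", "dns_queries", 21, ("c2.example.invalid",)),
    ("kiosk-9", "dns_queries", 40, ()),        # never seen before
]

if __name__ == "__main__":
    for source, signal, count, indicators in WINDOW:
        print(source, signal, count, *triage(source, signal, count, indicators))
```

The median and MAD are used instead of mean and standard deviation so that a single earlier spike in the history does not widen the baseline and hide the next one.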

On the other hand, an XDR system's performance is also determined by the breadth and depth of the sensors (i.e., the components that collect data on the network or on end devices). An important component of XDR, now increasingly common in the NDR area, is integration with operational technology (OT) environments. Cloud workload protection platforms as an XDR building block provide the interfaces to common cloud environments.

XDR is a complex, multilayered technology precisely because it integrates and extends a variety of existing IT security technologies (Figure 3). However, as I mentioned earlier, the functional differences between solutions are significant, which is what makes a thorough investigation indispensable.

Figure 3: XDR uses a variety of information sources and analytics technologies.

XDR, SIEM, and SOAR

One question that continually crops up in the context of XDR is how it relates to and interacts with security information and event management (SIEM) and security operations, automation, and response (SOAR) systems. The boundaries between these technologies are fluid.

First and foremost, SIEM platforms collect security-related information and events from different systems and other sources. The value proposition of SIEM also includes continuously analyzing this information to act on it. In this respect, SIEM and XDR are closely related, with SIEM typically seen as a source of information for data that XDR systems process, although it can also serve as a target system for information from XDR. Ultimately, however, the precise nature of the interaction also depends on whether a SIEM solution is primarily used as a plain vanilla database or whether analytical functions are also deployed to some extent.

SOAR, on the other hand, mainly focuses on operations and the response to threats, with SOAR products also collecting information from a variety of sources. External sources with up-to-date information on threats (threat intelligence) are particularly important. SOAR systems are typically used in combination with XDR and SIEM, with an increasing convergence of SIEM and SOAR emerging.

Ultimately, before deciding on the specific solution portfolio, you will need to ascertain which functions are needed, what the priorities are, and which systems are already in place. This requires a portfolio review of the existing IT security products to ensure that you are not just adding one more system, but sensibly integrating a deliberately limited number of solutions. XDR, with its integrative approach, can play a central role in this process. What is also important in this analysis and decision-making process is how the technology will be operated.

Security as a Service

This question brings to the fore the interplay between XDR, managed detection and response (MDR), and security operations centers as a service (SOCaaS). MDR describes an approach in which XDR environments and other systems are monitored by an external vendor who also responds to any security incidents. MDR is therefore not primarily a matter of technology, but of operations. The same applies to SOCaaS, which involves offerings in which service providers assume responsibility for setting up and operating security operations centers for multiple clients, typically in a defined interaction with internal IT security team staff so that customer-specific requirements and applications can be addressed.

Whereas MDR focuses on technical threats, SOCaaS encompasses a broader range of services, including SIEM and SOAR system operations and security technologies such as next generation firewalls (NGFWs). However, a SOCaaS approach also specifically includes incident response management (IRM; i.e., incident preparation and structured security incident response), whereas MDR is primarily focused on threat analysis and response at a technical level. Again, the boundaries are fluid, as is so often the case.

Managed security service providers (MSSPs) also offer additional services, such as vulnerability assessment, application and code security analysis, penetration testing, and IAM operation.
