Detection and Response
Guide to Better Threat Detection and Response (XDR)
50% of teams in a Trend Micro global study said they’re overwhelmed by the number of alerts surfaced by disconnected point products and SIEMs. Discover how XDR can reduce false positives and enhance threat detection and response.
Alert overload is a challenge for many security teams. A Trend Micro global study of IT security and SOC decision makers found that more than 50% said their teams were overwhelmed by the number of alerts. Furthermore, 55% admit they aren’t entirely confident in their ability to prioritise and respond to them.
At the core of this issue are disconnected and inefficient threat detection and response solutions. Many security professionals leverage a SIEM to collect logs and alerts from multiple, disparate security tools. Two issues can arise: one, cyberattacks rarely stay in silos, and two, SIEMs are great at collecting data, but they don’t correlate it. Hampered visibility and lack of context often lead to noisy false positives, which slow down investigative efforts. Enter: extended detection and response (XDR).
What is XDR?
XDR is the evolution of endpoint detection and response (EDR). It goes beyond the single-vector approach by collecting and correlating data in real time across multiple security layers like email, server, cloud workload, network, and endpoint. This reduces the overwhelming volume of false positives and enables faster threat detection and response.
Choosing an XDR vendor
There are several vendors touting XDR solutions, but they’re not all built the same. CISOs and security leaders need to make an informed decision when choosing an XDR vendor to reap the full benefits.
The three most common XDR approaches are:
- Closed: This endpoint-focused approach ingests additional data sources to validate and enrich endpoint detections
- Open: Vendor to vendor partnerships which share indicators of compromise (IoCs) between layers for sweeping
- Hybrid: This purpose-built architecture provides correlated detection, integrated investigations, and multi-layer response natively in tandem with third-party and API integrations
Of the three, opt for a vendor with a hybrid approach. Closed XDR is still limited to the endpoint, and open XDR can introduce risk from third-party partners and cloud misconfigurations. It’s also very challenging to understand data that you don’t own. You can enrich it with detection data, but it’s next to impossible to understand and ingest another company’s full activity data within your own platform. A hybrid approach delivers a technology foundation and purpose-built architecture that provide enterprises with stronger threat detection and response.
The key is to extend past the endpoint by deploying sensors on email, server, cloud workloads, and network layers. Going further provides the context needed to answer two critical questions: Where did the threat originate? Where else is this threat in my infrastructure?
Not all threats originate at the endpoint. According to Verizon’s 2022 Data Breach Investigations Report, web applications and email are the top two vectors for breaches. XDR enables you to detect compromised accounts sending internal phishing emails, whereas native email security tools typically only monitor for malicious emails being delivered externally. XDR will also sweep mailboxes for IoCs in real time. With this information, the SOC can investigate who else received the email as well as quarantine and delete it.
Furthermore, XDR at the network level fills EDR blind spots. Real-time activity data collected on traffic flows and behaviours, plus perimeter and lateral connections, helps analysts discover how the threat is communicating and moving across the network. With this knowledge, security professionals will be able to block the host and URL as well as disable the Active Directory account to limit the scope of an attack.
Cloud workloads, servers, and containers are critical to business operations, meaning security insight at this layer is necessary to reduce cyber risk. XDR collects and correlates activity data such as user account activity, processes, executed commands, network connections, files created/accessed, and registry modifications to tell the entire story beyond the alert. This enables security teams to drill down into what happened within the cloud workload and how the attack propagated.
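To make the cross-layer correlation described above concrete, here is an added example (not Trend Micro code, and not any vendor's product logic) that chains constructed email, endpoint and network events into incidents wherever they share an entity (user, host, file hash or destination), then answers the two questions from earlier: where the threat originated and where else it is. All event data and entity names are constructed.

```python
"""Cross-layer correlation of the kind the article attributes to XDR: events from
email, endpoint and network sensors that share an entity (user, host, file hash,
destination) are chained into one incident. Added example, not Trend Micro code;
all events and entity names below are constructed."""
from collections import defaultdict

# Constructed telemetry from three layers. Severity is a 1-5 sensor rating.
EVENTS = [
    {"id": 1, "layer": "email", "ts": 100, "severity": 3,
     "entities": {"user:alice", "hash:abc123"}},           # phish delivered
    {"id": 2, "layer": "endpoint", "ts": 130, "severity": 5,
     "entities": {"host:wks-01", "user:alice", "hash:abc123"}},  # attachment run
    {"id": 3, "layer": "network", "ts": 150, "severity": 4,
     "entities": {"host:wks-01", "dst:203.0.113.7"}},      # C2 beacon
    {"id": 4, "layer": "network", "ts": 170, "severity": 4,
     "entities": {"host:srv-02", "dst:203.0.113.7"}},      # second host, same C2
    {"id": 5, "layer": "endpoint", "ts": 90, "severity": 2,
     "entities": {"host:wks-09", "hash:zzz999"}},          # unrelated noise
]

def correlate(events):
    """Group events into incidents: union-find over shared entities."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x
    for ev in events:
        for ent in ev["entities"]:
            parent[find(f"ev:{ev['id']}")] = find(ent)
    groups = defaultdict(list)
    for ev in events:
        groups[find(f"ev:{ev['id']}")].append(ev)
    return list(groups.values())

def summarize(incident):
    """Answer 'where did it originate?' and 'where else is it?' for one incident."""
    ordered = sorted(incident, key=lambda e: e["ts"])
    hosts = sorted({e for ev in incident for e in ev["entities"] if e.startswith("host:")})
    risk = max(e["severity"] for e in incident) + len(incident)  # crude risk score
    return {"origin_layer": ordered[0]["layer"], "event_ids": [e["id"] for e in ordered],
            "affected_hosts": hosts, "risk": risk}

def triage(events):
    """Incidents ranked by risk, highest first: what the SOC should see, not raw logs."""
    return sorted((summarize(i) for i in correlate(events)), key=lambda s: -s["risk"])
```

A SIEM fed the same five events would show five alerts; the grouped view shows one four-event incident that began in email and spread to a second host, plus one low-risk stray.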
While sensor coverage is important, there’s a lot more to consider when choosing an XDR vendor to ensure you receive the best threat detection and response capabilities. Consider asking the following questions:
1. Is your product API-friendly? Some vendors don’t fully support APIs, which makes integration very difficult. The more XDR is integrated, the more data is collected and correlated, which helps to further reduce false positives. Also, a vendor with an XDR solution that integrates into a cybersecurity platform will provide security professionals with a much-needed single pane of glass view across the entire attack surface.
2. Does your XDR product visualise an end-to-end understanding of an attack? Some XDR solutions may only provide a snapshot of an attack. To limit the scope of an attack and strengthen your security posture for the future, security teams need to be able to see where it originated and how it spread.
3. How is the user experience? Finding (and keeping) skilled staff remains a challenge. Avoid security solutions that have a steep learning curve and poor support. A vendor who wants you to succeed (not just sell you a product) will have in-app tutorials, an online help centre, and even direct feedback loops or feature requests built-in.
4. Are the alerts actionable? As we mentioned earlier, a SIEM will spit out a ton of alerts, but they’re often useless. XDR still has the same logs a SIEM would capture, but it doesn’t surface those logs as false positives; they’re just available for reference. The right XDR solution will prioritise alerts based on the risk score and severity of impact.
5. What is the pricing structure? Some vendors will charge by bundles or subscriptions. For example, if you buy a subscription for 1000 employees but then lay 10% of them off, you’ll be stuck paying for unused sensors. Alternative licensing options, like a credit model, ensure you can move credits around to different security layers in line with any business changes.
6. Do you offer managed services? Staff and budget resources can hinder threat detection and response efforts. Managed services augment existing staff with expert threat hunting, 24/7 monitoring and detection, and rapid investigation and mitigation.
7. Have you received any industry analyst accolades? Everyone loves to say they’re #1, so make sure you check out reports from renowned industry analysts like Forrester, Gartner, and IDC to validate the vendor’s claims.
Getting the board on board with XDR
While statistics show that cybersecurity spend continues to increase, that doesn’t guarantee your budget will grow in line. Getting the green light on cybersecurity investments can be challenging, so framing the benefits of XDR in a financial and risk context is critical. Here are some high-level points to consider making:
1. Investing in security solutions = investing in the business. According to IBM’s 2022 Cost of a Data Breach report, organisations using XDR saved nearly 10% on average in breach costs and shortened the breach lifecycle by 29 days. Less operational downtime and financial impact is music to the C-suite’s ears.
2. Compliance requirements. XDR can help meet compliance regulations, which saves the business from being hit with costly fines. And naturally, when you’re compliant, your security posture is stronger.
3. Reduce cyber insurance premiums. With the right XDR vendor, you can demonstrate how XDR extends threat detection and response beyond the endpoint, which reduces risk.
For more information on XDR and cyber risk management, check out the following resources: