Detection and Response
Guide to Better Threat Detection and Response (XDR)
50% of security teams in a Trend Micro global study said they’re overwhelmed by the number of alerts surfaced by disconnected point products and SIEMs. Discover how XDR can enhance threat detection and response to improve a SecOps team’s efficiency and outcomes.
Security teams face a number of pressing challenges. Take alert overload: in a Trend Micro global study of 2,303 IT security and SOC decision makers, more than 50% said their teams were overwhelmed by the number of security alerts. Furthermore, 55% admit they aren’t entirely confident in their ability to prioritise and respond to them.
At the core of this issue is disconnected and inefficient threat detection and response solutions. Many security professionals will leverage a SIEM to collect logs and alerts from multiple, disparate security tools.
There are two issues that can arise: one, cyberattacks rarely stay in siloes and two, SIEMs are great at collecting data, but not all of them can effectively correlate that data. Hampered visibility and lack of context often leads to noisy false positives, which slow down investigative efforts. Trend Micro Research found that 27% of security analysts’ time is wasted on investigating low-fidelity alerts that turn out to be false positives.
Enter: extended detection and response (XDR).
What is XDR?
XDR is the evolution of endpoint detection and response (EDR). It goes beyond the single-layer EDR approach by collecting and correlating data in real-time across multiple security layers like email, server, cloud workload, network, and endpoint. Correlating related activities to reduce high-confidence detections reduces the overwhelming volume of false positives and enables faster threat detection and response. Adopting and fine-tuning XDR capabilities improves security efficiency, streamlines security operations, and bolsters staff productivity.
Explore more SOC best practises: Three Ways to Evolve Your Security Operations
Taking the right XDR approach
The XDR approach you take will depend on the needs of your organisation. There is no one way to achieve an XDR capability, and not all XDR solutions or approaches are created equal. The three most common XDR approaches are:
- Native (Comprehensive): This approach leverages its own foundation for many of its data sources and manages the full XDR process within a single platform.
- Open: Delivers certain XDR capabilities via a collection of third-party integrations.
- Hybrid: Uses native sources in tandem with third-party and API integrations for correlated detection, integrated investigations, and multi-layer response.
Of the three, opt for a vendor with a hybrid approach. Native XDR offers significant advantages in its ability to leverage deep activity data to optimise analytical models for correlated detection. While Open XDR has an advantage over Native in that it can collect data across a broader option of sources, in many cases it is only looking at alert data which limits the context it provides and analysis that can be done. Hybrid XDR builds upon Native XDR with additional integrations across security layers to supplement and enrich data wherever needed. This approach enables security operations to integrate detection and response functions across those layers for broader protection.
Integrating investigations for greater detection effectiveness
The key is to unite third-party and API integrations with sensors deployed on email, server, cloud workloads, and network layers. Correlated detection provides the context needed to answer the following critical questions:
- How did the users or hosts become compromised?
- What was the first point of entry?
- What or who else is part of the same attack?
- Where did the threat originate?
- How did the threat spread?
- How many other users are potentially vulnerable to the same threat?
Not all threats originate at the endpoint. According to Verizon’s 2022 Data Breach Investigations Report, web applications and email are the top two vectors for breaches. XDR should enable you to detect email threats, including compromised accounts sending internal phishing emails. Upon a detection, XDR should also sweep mailboxes to identify who else received the email, so that it can be quarantined or deleted to prevent the spread
Furthermore, XDR at the network level fills EDR blind spots. Real time activity data collected on traffic flow and behaviours plus perimeter and lateral connections help analysts discover how the threat is communicating and moving across the network. With this knowledge, security professionals will be able to block the host and URL as well as disable the Active Directory account to limit the scope of an attack.
Cloud workloads, servers, and containers are critical to business operations, so monitoring activity at this layer is necessary to reduce critical incidents. XDR collects and correlates activity data such as user account activity, processes, executed commands, network connections, files created/accesses, and registry modifications to tell the entire story beyond the alert. This enables security teams to drill down into what happened within the cloud workload and how the attack propagated.
Operationalize threat intel from XDR
According to ESG’s SOC Modernization and the Role of XDR report, the top SOC initiative for 2022 was to “improve operationalisation of threat intelligence.” Incorporating threat intel is an integral part of the SOC function in the face of increasingly sophisticated and successful cyberattacks. The more you can understand the attacker’s manoeuvres and objectives, the more resilient and responsible an organisation can be.
The MITRE ATT&CK Framework is invaluable for mapping specific attack campaigns, threat groups, and individual attack activities. Despite its ubiquity, many organisations are still figuring out how to leverage the framework consistently.
From an XDR solution perspective, you can use TTPs to develop detection rules and models, while ensuring threat intel is directly inserted into the investigation of events. This surfaces the identity of a particular attack campaign and provides visibility into the full campaign lifecycle.
The TTPs can also be used to develop threat hunting criteria or provide proactive views of identified TTPs in the environment that can be leveraged as a starting point for targeted investigations.
Lastly, leveraging the MITRE ATT&CK framework can be used to identify security gaps and prioritise activities to lower risk and improve resiliency.
Key XDR considerations
While sensor coverage is important, there’s a lot more to consider when choosing an XDR vendor to ensure you receive the best threat detection and response capabilities. Consider asking the following questions:
1. Is the product API-friendly? Some vendors don’t integrate their APIs with SIEM and SOAR. The more XDR is integrated, the greater the ability it provides to automate and orchestrate tasks, enabling workflows across the ecosystem. Also, a vendor with an XDR solution that integrates into a cybersecurity platform will provide security professionals with a much-needed single pane of glass view across the entire attack surface.
2. Does the product visualise an end-to-end understanding of an attack? Some XDR solutions may only provide a snapshot of an attack. To limit the scope of an attack and strengthen your security posture for the future, security teams need to be able to see where it originated and how it spread.
3. How is the user experience? Finding (and keeping) skilled staff remains a challenge. Avoid security solutions that have a steep learning curve and poor support. A vendor who wants you to succeed (not just sell you a product) will have in-app tutorials, an online help centre, and even direct feedback loops or feature requests built-in.
4. Are the alerts actionable? As we mentioned earlier, a SIEM will spit out a tonne of alerts, but they’re often useless. XDR still has the same logs a SIEM would capture, but it doesn’t surface those logs as false positives — they’re just available for reference. The right XDR solution will prioritise alerts based off the risk score and severity of impact.
5. What is the pricing structure? Look for vendors who offer pricing models that are favourable to shifting business dynamics. Most vendors commonly charge by bundles or seat-based subscriptions which can leave you paying for unused sensors in case your employees leave or are laid off. Consider more flexible licencing options that allow you to adjust allocations on-demand, while removing fixed costs and any losses due to underutilised licences.
6. Are managed services offered? Staff shortages and budget constraints can hinder threat detection and response efforts. A vendor who can offer managed services to augment your existing team with expert threat hunting, 24/7 monitoring and detection, and rapid investigation and mitigation can be invaluable. You can gain expertise and competencies while alleviating your overstretched teams to work on higher priority programmes.
7. Has the product received industry analyst accolades? Everyone loves to say they’re #1, so make sure you check out reports from reputable industry analysts like Forrester, Gartner, and IDC to validate the vendor’s claims.
Getting the board on board with XDR
While statistics show that cybersecurity spend continues to increase, that is no guarantee your budget will grow in-line. Getting the green light on cybersecurity investments can be challenging, so framing the benefits of XDR in a financial and risk context is critical. Here are some of the things to consider when making a case for XDR:
1. Investing in security solutions = investing in the business. According to IBM’s Cost of a Data Breach 2022, organisations using XDR saved nearly 10% on average in breach costs and shortened the breach lifecycle by 29 days. Less operational downtime and financial impact are music to the C-suite’s ears.
2. Compliance requirements. XDR can help meet compliance regulations, which saves the business from being hit with costly fines. The connectivity of XDR also enables you to audit the effectiveness of your security investments to ensure you’re remaining compliant. And naturally, when you’re compliant, your security posture is stronger.
3. Reduce cyber insurance premiums. With the right XDR vendor, it’s easier to demonstrate that your company has capable cybersecurity tools in place, and that you can monitor and rapidly manage threat activity. Both of these will help to lower costly cyber insurance premiums.
Next steps
For more information on XDR and cyber risk management, check out the SOC series:
