Real enterprises are messy places. One messy reality is that enterprises don’t manage all their endpoints. A smart colleague turned me on to using the percentage of endpoints and servers under management as a prime security metric.
On one end of the spectrum are places like universities that may manage only 10% of the endpoints on their network. On the other end are places like some large banking and R&D companies that manage about 98 or 99%. One financial services company was spending millions of dollars to get from 96% to 98%, with the very sound reasoning that they were “cutting their biggest security problem in half,” not “2%, meh.” So even the very best enterprises have unmanaged endpoints, and those are easier to exploit than endpoints with a security agent deployed on them. A lot of the advanced security we’ve been delivering over the last few years has been focused on this problem.
EDR is an example of how stealthy or evasive attackers can be uncovered better than with traditional endpoint protection. EDR is great on the endpoints it is deployed on. Ian Loe of NTUC gives a killer example of uncovering stealthy attacks using EDR and MDR here.
But most of EDR’s capabilities apply only to the endpoints it is on: the managed ones. Sure, there is some herd immunity with EDR: the more endpoints are managed, the harder it is for an attacker to move laterally or deeper. But more capable, patient, and stealthy attackers are getting better at being evasive, knowing that EDR may be deployed. Mark Nunnikhoven does a great job in this post talking about lateral movement.
EDR can only go so far on its own to spot attacks that are exceptionally low and slow, and/or that pass through unmanaged endpoints. Endpoint security needs to step outside the endpoint silo to keep pace with advanced attackers. An attack using many hops could move between managed endpoints, IoT devices, email, network components, containers and cloud-based servers over the course of many months. The delivery and reconnaissance could involve multiple protocols, emails, payloads, files, and credentials. Pulling together the tenuous and ephemeral threads of such a deliberate attack needs more modern tools, rather than hoping we stumble on a supply of highly advanced threat hunters.
Pulling together deep security information from across your enterprise is what is needed to face off against such advanced and intentionally evasive attacks. XDR is intended to be that security data lake: deeper enterprise infrastructure and security information than we’ve previously gathered, held in a single addressable pool, and designed to be useful to threat hunters and analysts. In these posts here and here we talk about what XDR is and how it brings in more sources, such as network data.
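To make the “single addressable pool” point concrete, here is a small added example (my own illustration, not code from this post or from any XDR product) of what cross-silo correlation buys you over a per-silo view. It normalizes constructed email, endpoint, network and cloud records into one schema with typed pivot entities (host:, user:, sha256:), then chains events that share an entity within a time window using union-find. The event data, hostnames, user names and hash are all hypothetical. Run over the sample, the pooled view stitches a four-silo, multi-hop intrusion spanning roughly three months into one chain, while the endpoint-only view sees an isolated file write; a short correlation window also breaks the chain, which is exactly what a low-and-slow attacker is counting on.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Event:
    """One normalized record from any telemetry silo (hypothetical schema)."""
    ts: datetime
    source: str               # silo that produced it: email, endpoint, network, cloud
    entities: FrozenSet[str]  # typed pivots shared across silos: host:, user:, sha256:
    note: str


# Constructed hash for the delivered attachment; not a real sample.
H = "sha256:" + "ab" * 32

# Constructed sample telemetry (hypothetical, not real data): one slow, multi-hop
# intrusion spread across four silos and ~3 months, plus two unrelated events as noise.
EVENTS: List[Event] = [
    Event(datetime(2020, 1, 6, 9, 3), "email",
          frozenset({"user:alice", H}), "inbound mail with macro attachment to alice"),
    Event(datetime(2020, 1, 6, 9, 15), "endpoint",
          frozenset({"host:wks-042", "user:alice", H}), "winword.exe wrote attachment to disk"),
    Event(datetime(2020, 2, 19, 22, 41), "network",
          frozenset({"host:wks-042", "host:camera-17"}), "SMB session wks-042 -> camera-17 (unmanaged IoT, no agent)"),
    Event(datetime(2020, 2, 19, 22, 42), "network",
          frozenset({"host:camera-17", "host:srv-db01"}), "SMB session camera-17 -> srv-db01"),
    Event(datetime(2020, 4, 3, 10, 12), "cloud",
          frozenset({"host:srv-db01", "user:svc-backup"}), "12 GB object upload from srv-db01 to external bucket"),
    # unrelated noise
    Event(datetime(2020, 1, 20, 11, 0), "endpoint",
          frozenset({"host:wks-007", "user:bob"}), "scheduled patch install"),
    Event(datetime(2020, 3, 2, 8, 30), "email",
          frozenset({"user:carol"}), "newsletter delivered"),
]


def silo_view(events: List[Event], source: str) -> List[Event]:
    """What a single product sees: only the records its own sensor produced."""
    return [e for e in events if e.source == source]


def correlate(events: List[Event], max_gap_days: int = 120) -> List[List[Event]]:
    """Chain events that share an entity within max_gap_days, transitively.

    Linking each event to the most recent earlier event per entity is enough:
    if it is within the window of any earlier mention, it is within the window
    of the latest one, and union-find supplies the transitive closure.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    parent = list(range(len(ordered)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    def union(i: int, j: int) -> None:
        parent[find(i)] = find(j)

    last_seen: Dict[str, int] = {}  # entity -> index of its most recent event
    for i, e in enumerate(ordered):
        for ent in e.entities:
            j = last_seen.get(ent)
            if j is not None and (e.ts - ordered[j].ts).days <= max_gap_days:
                union(i, j)
            last_seen[ent] = i

    groups: Dict[int, List[Event]] = defaultdict(list)
    for i, e in enumerate(ordered):
        groups[find(i)].append(e)
    return sorted(groups.values(), key=len, reverse=True)


def chain_summary(chain: List[Event]) -> dict:
    """Size, silos touched and calendar span of one correlated chain."""
    return {
        "events": len(chain),
        "sources": sorted({e.source for e in chain}),
        "span_days": (chain[-1].ts - chain[0].ts).days,
    }


if __name__ == "__main__":
    for chain in correlate(EVENTS):
        if len(chain) > 1:
            print("pooled view:", chain_summary(chain))
            for e in chain:
                print(f"  {e.ts:%Y-%m-%d %H:%M} {e.source:8} {e.note}")
    print("endpoint-only view:", chain_summary(correlate(silo_view(EVENTS, "endpoint"))[0]))
    print("pooled, 7-day window:", chain_summary(correlate(EVENTS, max_gap_days=7)[0]))
```

The design choice worth noting is the typed entity key: a bare string like `wks-042` from a network sensor and `WKS-042` from an endpoint agent will not join, so the normalization step that feeds the pool has to canonicalize hostnames, user principals and hashes before correlation can do anything. The window is the other knob; a real deployment would keep entity links far longer than a SIEM’s typical hot retention, which is the retention argument behind a data lake.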
In the game of measure and countermeasure that is cybersecurity today and tomorrow, XDR is the next evolutionary step in dealing with more evasive threats.