The cybersecurity discipline entails data collection, analysis, and responding to threats with precision, confidence, and speed. Yet, with threat actors utilizing multiple attack vectors and a range of lateral-movement tactics, a single source of telemetry is insufficient to fully uncover all the tentacles of attack campaigns. Telemetry must be collected and correlated rapidly and reliably from multiple sources—endpoints, email, network routers, gateways, proxies, and authentication systems—to gain an accurate and comprehensive understanding.
Confirming this point, over two-thirds of respondents to IDC's EDR and XDR survey (December 2020) rated nine different telemetry sources as “useful” or “very useful” in detecting threats. But additional telemetry sources raise the very real potential of increasing an already unmanageable volume of false-positive alerts. From this same survey, "too many alerts are false positives" was the most frequently cited reason for not investigating all alerts.
The COVID-19 pandemic made circumstances for security operations worse. In response to the pandemic, organizations are accelerating their cloud migrations, and for many, their workforces shifted from on-site to remote literally overnight. While some employees will eventually return to working on-site, a larger-than-before percentage will work from home either full-time or routinely for a portion of the workweek.
Combined with a steady rise in the internet of things (IoT), organizations' digital footprints have broadened, are more dynamic and diversified, and increasingly exist outside traditional perimeter defenses. Threat actors recognize the fragility these circumstances add to organizations' cyber defenses. Consequently, real-time telemetry from a diversity of sources and rapid analysis has leapt from “nice-to-have” to “must-have”.
New Approach Needed
For organizations with mature security operations centers (SOCs), they have a foundation to build upon. Evolving their toolsets and tweaking their workflows will serve them well. For the many organizations that are SOC-lite or SOC-less, their capability deficits relative to threat actors will only deepen unless they act. And, with perennial shortages in cybersecurity talent and budget constraints, spending their way out of this deficit is not a viable option. They need a new approach.
IDC believes an XDR platform approach can put an SOC-lite or SOC-less enterprise onto a positive trajectory. But what is an XDR platform? Essentially, an extended threat detection and response (XDR) platform is the integration of multiple SOC functions into a single security operations platform.
Rather than cobble together multiple purpose-built tools from an assortment of vendors and surround these tools with home-grown workflows to facilitate data collection, correlation, analysis, and response, these capabilities are out-of-the-box integrated within the platform and actualized through a baseline of automated workflows. The overarching objective of an XDR platform is to up-level rather than build-out security teams to combat an ever-changing threat landscape of attack surface and cyber adversaries.
XDR platform extensibility is critical on five fronts:
- The platform is plug-and-play. Folding in new and existing sources of telemetry without reconfiguration or adjustment by the user.
- The platform is automatically upgraded. Correlation and analysis algorithms advance over time to surface attacks from low-level signals in multiple sources.
- The platform detects, contains, and recovers. Automatically propagating and confirming containment actions at the optimal control points (e.g., endpoints, firewalls, email servers, authentication servers, etc.). And in similar fashion, returns system to their pre-compromised states through an automated process that easily integrates into the organization's existing IT management system.
- The platform is self-learning. Eliminating manual tasks is a key benefit in detecting and responding to threats faster, with greater certainty and completeness, and with less human engagement and potential error. Included workflows place security teams at the starting line of an automation pathway by systematically refining baseline workflows.
- The platform is multi-functional. Respondents to IDC's EDR and XDR survey view the benefits of EDR as extending beyond improving "detect and response" functions. Other benefits are in the preventive side of security and include strengthening the security posture of endpoints and reducing time to administer and manage endpoint security. A truly extensible XDR platform not only improves on its core functions but improves adjacent functions as well.
Threat actors will continue to advance their tradecraft and increase their capacity to target more organizations with greater frequency and potency. To offset this reality, organizations must improve their security operations. An XDR platform approach can be the means.