Adding more people behind data streams to scale won’t keep up with automated attacks
Extended Detection and Response, or XDR, is an emerging technology generating buzz across the cybersecurity community.
Unfortunately for IT leaders, no single definition has yet been widely accepted by the analysts and vendors who present themselves as experts on the subject.
To debunk common myths about XDR, and to help advise on the best ways to take advantage of the technology, Secure Agility hosted an executive luncheon for IT and security leaders, moderated by a leading security practitioner.
Attendees were given practical advice on how XDR can be integrated into an existing enterprise security portfolio. Here is some of that detail:
XDR is here and it’s a thing
XDR should be considered in the enterprise security stack because it extends endpoint detection and response (EDR) with more automation and data analysis.
According to Gartner’s hype cycle, endpoint protection sits right at the end of the curve, and the next five years will be the period in which XDR becomes mainstream.
XDR can be deployed in three ways, which can also be combined:
• natively, by a single vendor
• in a hybrid way, where the organisation integrates other solutions into the core XDR for response and remediation
• in a raw fashion, where the organisation ingests its own data directly
Secure Agility has partnered with SentinelOne to cover cloud and on-premises systems, including integration with tools like Mimecast. This open architecture allows customers to ingest data from any source and make the most of their existing investments.
An XDR capability delivers numerous benefits, including:
1. Better resilience for the organisation as a whole
2. The ability to securely adopt a modern workplace, including remote work and cloud
3. Addressing the security skills shortage with AI and machine learning
XDR, EDR and SIEM: Debunking the myths
Myth #1: organisations don’t need a successful EDR implementation to reap the benefits of XDR.
Speaking at the event, Jason Duerden, Regional Director, ANZ at SentinelOne, said EDR exists because prevention is failing, and it continues to be the best threat detection and prevention tactic.
“A lot of tools can collect data, but XDR adds insights and context to it, and this is proven through adoption and third-party testing programs,” Duerden said.
“A very high percentage of breaches originate at the endpoint and a good XDR strategy starts with an excellent EDR foundation.”
Myth #2 is that XDR is just next-generation SIEM, or security information and event management.
To this Duerden said there are some use cases where XDR and SIEM can be complementary, and it depends on the organisation’s operating model.
“The strengths of SIEM include that it is good at broad data ingestion, but it is expensive, complex and requires a lot of people and tuning. We cannot continue to put humans behind streams to scale as this approach can’t compete with automated attacks.”
That said, SIEM and XDR are coming together and on a collision course.
“In my view 90 per cent of the market will move primarily to an XDR-driven strategy and the remaining, probably top-end enterprises will have an augmented strategy,” Duerden said.
“SIEM does not have EDR which is key to having good response and control. For example, you can’t do remediation with SIEM alone.”
Security data, response, and control
Keeping up with today’s automated attacks requires insights at scale, not just data, and organisations need whatever help they can get to make the right response decisions.
Myth #3 about XDR is that response automation leads to loss of control, but in Duerden’s view, the opposite is true.
“Response automation actually enables control. What happens today is if you are running this as a human process, as with most XDR SIEM products, you are stuck sifting through data,” he said.
“With automation, humans don’t have to make choices about prioritisation and the sifting through data can happen in minutes. As humans we think we need to make the choices because they are better, but humans will always make poorer choices than an ML engine which executes logic in real time. As an industry we won’t end up in a situation where we automatically pull the red cord on incidents, however automation can help reduce having to review repetitive alerts.”
Myth #4 is that simply having more data inherently leads to better decisions.
“Just because you have data that doesn’t make it usable,” Duerden said. “For example, many data lake projects fail as they are expensive and don’t lead to customers knowing how to make it useful.”
“The endpoint story is there in SentinelOne, so any data you put into our XDR is applied with the same storyline technology. This means relevant data is automatically correlated,” he said.
If an organisation has both EDR and SIEM, the priority data should be fed into XDR: email, identity, and access controls such as a web gateway/SSE.
This approach creates automated context, and all other data can be sent to a data store.
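As an added illustration of the routing just described (example code written for this page, not Secure Agility’s or SentinelOne’s software), the following Python sketch splits a mixed telemetry stream so that endpoint, email, identity and web-gateway events go to a correlator while everything else goes to a data store, then groups the priority events per user within a time window so that a chain spanning several sources ranks above a lone alert. The event format, source labels, time window and scoring rule are assumptions, and the sample events are constructed.

```python
"""Route priority telemetry to an XDR-style correlator and the rest to a
data store, then build cross-source context per user or host.

Added example: the event schema, source names, window and scoring rule
are assumptions made for illustration, not any vendor's implementation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sources the text names as priority inputs for XDR (assumed labels).
PRIORITY_SOURCES = {"edr", "email", "identity", "web_gateway"}

# Constructed sample telemetry: one phishing-to-execution chain for user
# "alice", an unrelated endpoint event for "bob", and low-priority noise.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "source": "email", "user": "alice", "host": None,
     "detail": "inbound message with macro attachment"},
    {"ts": "2024-05-01T09:02:10", "source": "edr", "user": "alice", "host": "wks-17",
     "detail": "winword.exe spawned powershell.exe"},
    {"ts": "2024-05-01T09:02:40", "source": "web_gateway", "user": "alice", "host": "wks-17",
     "detail": "download from newly registered domain"},
    {"ts": "2024-05-01T09:05:00", "source": "identity", "user": "alice", "host": None,
     "detail": "MFA push denied by user"},
    {"ts": "2024-05-01T13:30:00", "source": "edr", "user": "bob", "host": "wks-03",
     "detail": "scheduled patch install"},
    {"ts": "2024-05-01T09:03:00", "source": "netflow", "user": None, "host": "wks-17",
     "detail": "flow record"},
    {"ts": "2024-05-01T09:03:05", "source": "dns", "user": None, "host": "wks-17",
     "detail": "query log"},
]


def route_events(events):
    """Split a stream into XDR-bound priority events and data-store events."""
    xdr, store = [], []
    for ev in events:
        (xdr if ev["source"] in PRIORITY_SOURCES else store).append(ev)
    return xdr, store


def _summarise(key, evs):
    """Turn a run of related events into one incident record."""
    sources = sorted({e["source"] for e in evs})
    return {
        "pivot": key,
        "start": evs[0]["ts"],
        "end": evs[-1]["ts"],
        "sources": sources,
        "score": len(sources),  # more distinct sources = richer context
        "timeline": [f'{e["ts"]} {e["source"]}: {e["detail"]}' for e in evs],
    }


def correlate(events, window=timedelta(minutes=10)):
    """Group priority events by user (falling back to host) within a window.

    Consecutive events for the same pivot that are no more than `window`
    apart form one incident; a gap larger than the window starts a new one.
    Incidents are returned highest-context first.
    """
    by_pivot = defaultdict(list)
    for ev in events:
        by_pivot[ev["user"] or ev["host"]].append(ev)

    incidents = []
    for key, evs in by_pivot.items():
        evs.sort(key=lambda e: e["ts"])
        current = [evs[0]]
        for ev in evs[1:]:
            gap = (datetime.fromisoformat(ev["ts"])
                   - datetime.fromisoformat(current[-1]["ts"]))
            if gap <= window:
                current.append(ev)
            else:
                incidents.append(_summarise(key, current))
                current = [ev]
        incidents.append(_summarise(key, current))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def run(events=SAMPLE_EVENTS):
    """Route the stream, correlate the priority half, report what was archived."""
    xdr, store = route_events(events)
    return {"incidents": correlate(xdr), "archived": len(store)}


if __name__ == "__main__":
    result = run()
    print(f"archived to data store: {result['archived']} events")
    for inc in result["incidents"]:
        print(f"\n{inc['pivot']} score={inc['score']} sources={inc['sources']}")
        for line in inc["timeline"]:
            print("  " + line)
```

On the constructed sample, the four alice events from email, endpoint, web gateway and identity fall inside one ten-minute window and become a single incident with a score of 4, bob’s lone endpoint event scores 1, and the netflow and DNS records are counted as archived rather than correlated. In a real deployment the pivot keys, window and scoring would be tuned to the organisation’s data, which is the governance decision the text attributes to MSPs and customers.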
Beginning your XDR journey
XDR can be daunting and leave customers unsure of what is reality and what is hype, but the good news is that good MSPs are at the forefront of enablement: they can help customers integrate and build workflows and provide a fabric for vendors to work together.
A typical XDR engagement involves:
1. EDR enablement
2. Email data integration
3. Web data integration
4. ID data integration
These segments make up the nucleus of XDR. Secure Agility can set up XDR in a controlled environment and customers can then start adding these components.
Modern XDR services are cloud-based and API-driven, so the ingestion points do not require changes to network configurations.
MSPs can also help customers set governance policies for how aggressive they want the controls to be.
“The reality is most organisations have too many security flaws, too much data and no simple way to execute a security program to get ahead of the game,” Duerden said. “The evolution of the threat landscape is moving faster, and adversaries are automating everything. On the defender side it is still very ‘moat and wall’, manual and people heavy, which is losing the battle; we need to embrace XDR to drive resiliency.”
Secure Agility can help stand up a POC quicker and more efficiently than you may think. Contact us to find out more.
“The benefit of the MSP model for XDR is the option for ongoing monitoring, support, and improvement,” Jason Duerden, Regional Director ANZ, SentinelOne