By Vibin Shaju, General Manager, UAE, Trellix
As cyberattacks continue to hit headlines, the siege mentality of business stakeholders persists in parallel. A recent PwC report highlighted this plummeting confidence in the safety of our digital estates. Some 58% of Middle East organisations foresaw an increase in security budgets for this year compared with 43% last year. And around 43% said they expected a “surge in reportable incidents” in 2022.
In such a climate of anxiety, it is inevitable that a thriving market in reassurance will arise. The latest comforting term to do the rounds in the industry is “XDR” (extended detection and response). It promises much — safe estates, relaxed security teams, and a world in which the threat landscape is an irrelevance. But many organisations that have opted for the technology have been left disappointed.
Why? Because XDR is a relatively nascent technology. In trying to capture a new market early, many vendors have mischaracterised it. Technology and business stakeholders must tune out the white noise and understand what XDR is and what it is not.
XDR 101
XDR’s overall message is the hope of taking the complexity out of cybersecurity. In a world where multiple clouds and networks come together with a sea of new personal devices used by remote workers, it is no surprise security teams would jump at the prospect of a unified detection and response platform that takes endpoint detection and response (EDR) to a new level. And XDR does go beyond — beyond the endpoint to network and cloud infrastructure, the very things that are bringing anxiety to security teams.
It is at this point that we can see the origin of the expectation gaps that lead to disappointment in XDR. Oftentimes it is sold as a product. But just as the adoption of, say, AI, involves a culture change, so XDR calls for the development of a new ecosystem of processes, responsibilities, policies, and coordination between different roles and areas of the business. SOC analysts need to liaise with threat hunters. Incident responders need to get together with IT administrators. And so on. We could think of this as “living security”.
So while we can easily define XDR as a cloud-native detection and response tool that integrates multiple solutions into a cohesive whole, we should never forget the human elements that are required for any XDR platform to deliver value. And while centralisation of vendor data, correlation of telemetry and alerts into incidents, and centralisation of response capabilities are all important, the living-security model is critical to ensure organisations reap the optimum value from their XDR investments.
XDR themes
XDR unites security functions, integrates and curates data, and delivers better operational efficiency. Complexity is eliminated, and better detection arises and leads to better response. And just as internal cooperation is vital, many security professionals now recognise the need for cross-vendor partnerships to streamline efforts across domains and vectors.
And so we come full circle to the previously mentioned XDR buyer’s remorse. Many vendors still insist they have a fully unified and integrated XDR ready to deploy. Often, this turns out to be merely a single-console system with an incomplete view of the ecosystem, albeit presented in a single pane. More data sources and more cross-vendor cooperation mean organisations can accelerate their threat investigations through automatic analysis of a range of data sources.
XDR should also be capable of threat prioritisation by assessing factors such as an organisation’s industry and location and weighing them against an attack’s proximity to sensitive data. These three themes — unification of multiple security functions, acceleration of investigations, and threat prioritisation — are the heart of XDR. If a single vendor cannot demonstrate the ability to deliver on all of them, disappointment may lie ahead. The living-security model demands a broader approach.
Cui bono?
Who benefits from XDR? Who is it for? While its abilities to automate and unify mean it has a place in any organisation, XDR’s impact on a business will be determined by that enterprise’s level of cybersecurity maturity and its readiness to embrace the new processes of living security. At the less mature end of the scale, we will find a lack of resources, skills, and data intelligence. These organisations can leverage XDR for telemetry correlation and investigation. At the medium-to-high level of maturity, making sense of data is automated, so actionable intelligence will be the greatest boon.
No matter the maturity, however, all XDR should improve security operations during an attack. Coverage across infrastructure and vectors should eliminate silos and grant comprehensive visibility by unifying tools, data, and business units. Distilled data and correlated alerts should turn raw telemetry into a coherent picture of the infrastructure and remove the need for manual discovery. Centralised management should eliminate the need for stressful dashboard-hopping and lead to faster response times. And automatic data exchange and embedded alert triggers should allow the system, rather than security personnel, to handle detection and response.
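The two mechanisms the article describes, correlating alerts from several sources into one incident and prioritising that incident by its proximity to sensitive data weighed against organisational factors, as an added illustration that is not the author's or any vendor's code. The telemetry, the asset context and the organisation profile are all constructed for the example; the scoring formula is a hypothetical stand-in for whatever a real platform uses.

```python
from collections import defaultdict

# Constructed sample telemetry from three sources an XDR would unify:
# endpoint (EDR), network and cloud. Each record names the host it concerns.
EVENTS = [
    {"source": "edr", "host": "fin-ws-07", "type": "suspicious_process", "detail": "office app spawned powershell"},
    {"source": "network", "host": "fin-ws-07", "type": "dns_beacon", "detail": "periodic queries to rare domain"},
    {"source": "cloud", "host": "fin-ws-07", "type": "bulk_download", "detail": "150 files from finance share"},
    {"source": "edr", "host": "mkt-ws-12", "type": "suspicious_process", "detail": "office app spawned powershell"},
    {"source": "network", "host": "hr-ws-03", "type": "dns_beacon", "detail": "periodic queries to rare domain"},
]

# Hypothetical asset context: how close each host sits to sensitive data (0..1).
ASSET_CONTEXT = {
    "fin-ws-07": {"sensitive_data_proximity": 0.9},
    "mkt-ws-12": {"sensitive_data_proximity": 0.2},
    "hr-ws-03": {"sensitive_data_proximity": 0.7},
}

# Hypothetical organisation profile: the industry and location factors
# the article says prioritisation should weigh (0..1, higher = more exposed).
ORG_PROFILE = {"industry_risk": 0.8, "location_risk": 0.6}


def correlate(events):
    """Group alerts from different sources into one incident per host."""
    incidents = defaultdict(list)
    for event in events:
        incidents[event["host"]].append(event)
    return dict(incidents)


def priority(host, alerts, org=ORG_PROFILE, assets=ASSET_CONTEXT):
    """Hypothetical score: number of distinct sources corroborating the incident
    (cross-vector evidence) scaled by proximity to sensitive data and by the
    average of the organisation-level risk factors."""
    distinct_sources = {alert["source"] for alert in alerts}
    proximity = assets.get(host, {}).get("sensitive_data_proximity", 0.5)
    org_factor = (org["industry_risk"] + org["location_risk"]) / 2
    return round(len(distinct_sources) * (1 + proximity) * org_factor, 2)


def ranked_incidents(events):
    """Return (score, host, sources) tuples, highest priority first."""
    incidents = correlate(events)
    scored = [(priority(host, alerts), host, sorted({a["source"] for a in alerts}))
              for host, alerts in incidents.items()]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for score, host, sources in ranked_incidents(EVENTS):
        print(f"{score:5.2f}  {host:10}  corroborated by {', '.join(sources)}")
```

The single-source alert on the marketing workstation ranks below the single-source alert on the HR host because of asset context, and both sit well below the finance host where three sources agree.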
The better XDR solutions on the market will go further than the core functions and get organisations even closer to the safety they crave. They will harden the environment in preparation for an attack, with actionable intelligence on the latest threats. And advanced use of threat intelligence and insights on organisational impact will allow more effective prioritisation in remediation efforts.
A safer world
More accurate detection means more effective response. Faster detection means faster remediation. Fewer blind spots mean fewer vulnerabilities… and fewer opportunities for bad actors. And better visibility and searchability mean better control across the IT ecosystem. This is the world of XDR, the world of living security. It is a more effective world, a faster world, a more visible world. And it is a safer world.