Friday 20 November 2020

The Whats, Whys, and Hows of XDR

Preventing security incidents is one of the primary goals of any security program. This should come as no surprise, and with today's ever-evolving threat landscape, implementing preventive countermeasures in a multilayered fashion is vital. Right now the so-called Endpoint detection and response (EDR) market is going through its biggest transformation ever, driven by innovation.


Systems are not without faults—risk-free environments simply do not exist. Incidents do occur, and when they do—not if—it is vital to quickly detect and respond to limit the negative effects that the incident has on the classic CIA triad—i.e., no longer being able to guarantee the confidentiality, integrity, or availability of the data. Historically EDR was created to provide this ring of defence for systems, providing coverage of endpoints in cyber attacks.


When EDR first appeared, tracing the root cause of incidents on endpoints suddenly became easier. This new approach to endpoint security gave security professionals a tool that increased their visibility and helped them respond to threats quickly. The telemetry gathered from monitoring the endpoints was recorded in a centralized repository, and detection, correlation, and remediation done in a mostly manual fashion became a thing of the past.


Additionally, given the growing skills gap in the security industry, EDR became critical for advanced protection: the effectiveness and efficiency of threat investigation increased, and we were rewarded with a deeper understanding of the activities and events taking place on the endpoints, all thanks to the machine-driven technology that powers EDR.


EDR lacks full visibility into your environment, but it does give visibility of the actions attackers are taking on your endpoints and offers some control over what can be carried out from there. An obvious evolution of EDR is to extend beyond the endpoint, which is why there is a justifiable reason to declare EDR dead.


By its very definition, EDR focuses only on endpoints, which is necessary but not enough. Take email as an example: it is the number one threat vector, and the data collected from this source (which is effectively a silo) is key to determining the origin of a threat and, subsequently, its scope and impact. There is an argument to be made that detection and response are needed beyond the endpoint and across multiple layers. Collecting and analyzing data in silos with no shared context between them simply does not provide the visibility needed to uncover the root cause of an incident. For starters, there are many endpoints you may not have visibility of or be able to manage. IoT devices are a good example: devices that more often than not are inherently insecure, with security bolted on as an afterthought. Several other threat vectors exist, and by adding the capability to consume data and view contextual alerts from, e.g., email and the network itself, observations across silos are turned into valuable insights. This is where Extended Detection and Response (XDR) comes into play.


The ability to do detection and response across a wider range of threat vectors (email, endpoint, server, cloud workloads, and network), preferably via a single platform, greatly improves the chances of tracing threats back to their source. Other key benefits of XDR include reduced time to detect threats and more effective analysis, which ultimately helps the security team in their threat investigation and mitigation work.
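As an added illustration of the cross-silo correlation described above (example code written for this page, not from the original post or any vendor's product): a minimal correlator that links an email-gateway alert, an EDR process event and a network flow by shared user, attachment hash and host within a time window, producing the origin-to-egress chain that no single silo can show on its own. All events, hashes and addresses are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry from three silos; hashes and addresses are placeholders.
EMAIL_EVENTS = [
    {"ts": "2020-11-20T09:00:00", "user": "alice", "sender": "billing@example.test",
     "attachment_sha256": "PLACEHOLDER_HASH_A"},
    {"ts": "2020-11-20T09:01:00", "user": "bob", "sender": "hr@example.test",
     "attachment_sha256": "PLACEHOLDER_HASH_B"},
]
ENDPOINT_EVENTS = [
    {"ts": "2020-11-20T09:03:20", "user": "alice", "host": "wks-17",
     "parent": "winword.exe", "child": "powershell.exe", "file_sha256": "PLACEHOLDER_HASH_A"},
    {"ts": "2020-11-20T09:40:00", "user": "bob", "host": "wks-22",   # too late to be linked
     "parent": "winword.exe", "child": "powershell.exe", "file_sha256": "PLACEHOLDER_HASH_B"},
]
NETWORK_EVENTS = [
    {"ts": "2020-11-20T09:04:05", "host": "wks-17", "dst": "203.0.113.9", "dst_port": 443},
    {"ts": "2020-11-20T09:04:30", "host": "wks-31", "dst": "203.0.113.9", "dst_port": 443},
]

def _within(earlier, later, window):
    """True if `later` happened at or after `earlier` and no more than `window` later."""
    delta = datetime.fromisoformat(later["ts"]) - datetime.fromisoformat(earlier["ts"])
    return timedelta(0) <= delta <= window

def correlate(email_events, endpoint_events, network_events, window=timedelta(minutes=10)):
    """Link email -> endpoint (same user, same attachment hash) -> network (same host)."""
    chains = []
    for mail in email_events:
        for ep in endpoint_events:
            if ep["user"] != mail["user"] or ep["file_sha256"] != mail["attachment_sha256"]:
                continue
            if not _within(mail, ep, window):
                continue
            for net in network_events:
                if net["host"] == ep["host"] and _within(ep, net, window):
                    chains.append({"root_cause": mail, "execution": ep, "egress": net})
    return chains

def summarize(chain):
    """One-line trace from origin to egress, the view a per-silo alert cannot give."""
    return (f"{chain['root_cause']['sender']} -> {chain['execution']['user']}@"
            f"{chain['execution']['host']} {chain['execution']['parent']}>"
            f"{chain['execution']['child']} -> {chain['egress']['dst']}:{chain['egress']['dst_port']}")

if __name__ == "__main__":
    for chain in correlate(EMAIL_EVENTS, ENDPOINT_EVENTS, NETWORK_EVENTS):
        print(summarize(chain))
```

Only alice's events form a complete chain; bob's process event falls outside the window and the wks-31 flow has no matching endpoint event, so they stay unlinked observations.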


Modern XDR platforms are designed to help security teams be more effective and to efficiently:

  • Identify the more sophisticated cyber security threats that are often shrouded in obscurity

  • Offer a large degree of automation

  • Detect and respond with mitigating actions at a fast pace

  • Track threats across multiple systems


As XDR tools are becoming increasingly available, vendors are continuously working on extending their ability to correlate and analyze data across multiple threat vectors. It is no longer just about the endpoint—the greater the knowledge base, the greater your chances are at keeping the attackers at bay.


In a few joint CapGemini and TrendMicro projects I was recently involved in, it struck me that in order to keep up with the more sophisticated threats organizations are faced with, enterprises clearly need to change their detection and response processes and technologies to mitigate the risk of being compromised. Traditional solutions are limited because they fail to provide the scale and flexibility contemporary organizations require to tackle their adversaries. If you are facing the same type of challenges outlined above, feel free to reach out to me for a deeper discussion on how to address them.


Monday 16 November 2020

How Running IGA Natively on an ITSM Platform Supports a Culture of Compliance

In my previous two posts, I addressed the many challenges of governance for today’s enterprises – but also the opportunities that are available and presented when leveraging cloud-based ITSM platforms to support governance and compliance initiatives. 

The goal of this third post is to describe what’s possible when enterprises take things a step further, not just by putting governance and compliance on these cloud platforms but by embedding governance and compliance into an ITSM strategy.

For today’s enterprises, it just makes sense to bring governance and ITSM together. That’s because there’s a clear relationship between every service that an employee can (and cannot) access and the role of that employee within an organization. 

Approaching this in an ad hoc manner presents a number of problems. First and foremost is inefficiency. It takes time and effort to set up accounts for new hires, especially with the average enterprise using dozens of business systems. This process requires a lot of manual labor, and it’s prone to human error. In a recent customer conversation with a logistics company, I learned that the expected wait time for accounts in AD and a few other downstream business applications to be created, operational, and provided to the new hire was two to three weeks. The client’s assessment pointed to the lack of integration between their ITSM system and the actual provisioning activities. In the background, Excel sheets were shuffled around between the involved parties after tickets had been raised. 

The bigger sets of problems, though, relate to security, compliance, and risk management. Some roles need to be subjected to tighter security controls than others. For executive leadership, the finance team, and others who fit this description, it’s critical to understand not only how they access information but also the status of the various pieces of technology they’re using. Is their laptop up to date on its patches? Are they using a personal smartphone to access enterprise apps? Have they enabled two-factor authentication? How well is their VPN connection performing? 

This challenge, which spans multiple security layers, will be the subject of my next post on XDR, so stay tuned.


When it’s hard to do things the right way

There’s a key factor that often exacerbates these problems, and it’s one that a single piece of technology or a single policy isn’t going to fix. It’s the absence of a corporate culture focused on security and compliance.

When enterprises haven’t established such a culture, it’s easy – if not expected – for employees to cut corners. That’s because, in so many cases, it’s actually harder for employees to do things the proper way.

Let’s unpack the above examples a bit further. 

  • It’s unlikely that the average user maliciously avoids patch updates. But if they aren’t being reminded of the importance of installing patches, or if the install process requires carving a lot of time out of a busy schedule, it probably won’t happen. The same goes for two-factor authentication – if it stands in the way of getting information to key decision-makers when and where they need it, then users will find a way around it.

  • Likewise, users don’t turn to apps on their smartphones to intentionally undermine the IT department. They do it because easy-to-use alternatives haven’t been made readily available, or because existing processes favor a more bureaucratic approach. It’s similar to the BYOD phenomenon enterprises had to deal with about a decade ago.

  • IT departments can repeat as much as they want the message about why the VPN is critical for remote security. But if logging into the VPN hinders the performance of critical enterprise apps, or if the network crashes at inopportune moments, employees will stop using it in order to remain productive.

The advantages of IGA that’s native to ITSM

These scenarios keep IT professionals up at night. One of the most effective ways to end the nightmare is to embed governance in your ITSM strategy by running IGA natively on your ITSM platform.

For IT staff as well as employees, this brings about a number of advantages, including several listed below. Taken together, these advantages show that an enterprise takes governance and compliance seriously – and also takes steps to meet these needs without getting in the way of end users’ everyday work.

Self-service requests. Applying logic to self-service requests could do things like bulk-assign a user to the right Active Directory groups or to a batch of enterprise applications.

Separation of duties. By matching privileges to the systems a user has access to and the level of security those systems require, you can restrict a user's access to certain enterprise systems based on their role. Further, you could restrict access unless users take specific security steps.

Incident management. When information on permissions, software versions, and credentials can be pulled from the ITSM system as the Help Desk is responding to an open ticket, incidents can be closed much more quickly.

Incident prioritization. Linking the ticketing system to the hardware and software asset inventory enables the incident response system to automatically prioritize a ticket based on a business system's impact and urgency, and to detect repeated incidents on a single system or in a single location.

Workflow management. Bringing IGA and ITSM together enables these workflows to converge, which eliminates unnecessary steps. This removal of the traditional IGA silo also brings standardization and transparency to business processes. 

Process automation. One of the main selling points of ITSM platforms is automation, not just for everyday workflows but also for uncommon and time-consuming processes that can be uncovered through the application of predictive intelligence.

Change management. With role and privilege data for all end users available at a glance, you can minimize the disruption of tasks such as software upgrades, hardware updates, or scheduled downtime. 

Mobility and flexibility. ITSM platforms offer SSO and two-factor authentication for multiple mobile solutions. This gives end users the convenience they want and IT teams the security they need, without having to code integrations for individual enterprise apps with an SSO solution. 

Supporting a culture of compliance

Addressing governance can often feel like trying to hit a fast-moving target. Business requirements change frequently. New security risks emerge constantly. Employee roles and privileges evolve. Business systems are added, modified, and sunsetted. Most teams find themselves reacting to things that have already happened, with little or no time for proactive planning.

When IGA runs natively on an ITSM platform, that target slows down and becomes much easier to hit. Teams gain access to insights across the enterprise that directly impact governance but are all too often tucked away in yet another data silo. 

This allows teams to make important decisions quickly and automate straightforward tasks where appropriate, which frees up time and resources to support the ongoing development of a company-wide culture of governance and compliance that reduces risk while improving usability for all end users. When GRC and IGA become seamless processes for end users, and not complex and laborious drains on productivity, the entire enterprise reaps the benefits.

I’m engaging in more and more conversations with our customers, many of whom have deployed ServiceNOW as their ITSM system. These companies want to make the most of their existing ServiceNOW investment; they don’t want to go down the path of yet another iteration of their legacy IDM system. That’s why I bring up products such as Clear Skye, which is IGA running natively on the NOW platform - and that steers the conversation in the right direction. 
