Friday 20 November 2020

The Whats, Whys, and Hows of XDR

Preventing security incidents is one of the primary goals of any security program. This should come as no surprise, and with today's ever-evolving threat landscape, implementing preventive countermeasures in a multilayered fashion is vital. Right now the so-called endpoint detection and response (EDR) market is going through its biggest transformation ever, driven by innovation.


Systems are not without faults—risk-free environments simply do not exist. Incidents do occur, and when they do—not if—it is vital to detect and respond quickly to limit the negative effects the incident has on the classic CIA triad, i.e., no longer being able to guarantee the confidentiality, integrity, or availability of the data. Historically, EDR was created to provide this ring of defence for systems, covering the endpoints involved in cyber attacks.


When EDR first arrived, tracing the root cause of incidents occurring on the endpoints suddenly became easier. This new approach to endpoint security meant security professionals now had a tool that increased their visibility and helped them respond to threats quickly. The information gathered from monitoring the endpoints was recorded in a centralized repository, and mostly manual detection, correlation, and remediation became a thing of the past.


Additionally, given the growing skills gap in the security industry, EDR became critical for advanced protection: the effectiveness and efficiency of threat investigation has increased, and we have been rewarded with a deeper understanding of the activities and events taking place on the endpoints, all thanks to the machine-driven technology that powers EDR.


EDR lacks full visibility into your environment, but it does give visibility into the actions attackers are taking on your endpoints and offers some degree of control over what can be carried out from there. The obvious evolution of EDR is to extend beyond the endpoint, which is why there is a justifiable case for declaring EDR dead.


By its very definition, EDR focuses only on endpoints, which is necessary but not sufficient. Take email as an example: it is the number one threat vector, and the data collected from this source—effectively a silo—is key to determining the origin of a threat, and subsequently its scope and impact. There is an argument to be made that detection and response is needed beyond the endpoint and across multiple layers. Collecting and analyzing data in silos with no shared context between them simply does not provide the visibility needed to uncover the root cause of an incident. For starters, there are many endpoints you may have no visibility of or be unable to manage. IoT devices are a good example: devices that more often than not are inherently insecure, with security bolted on as an afterthought. Several other threat vectors exist, and by adding the capability to consume data and view contextual alerts from, e.g., email and the network itself, observations across silos are turned into valuable insights. This is where Extended Detection and Response (XDR) comes into play.


The ability to do detection and response across a wider range of threat vectors, such as email, endpoint, server, cloud workloads, and network, preferably via a single platform, greatly improves the ability to trace threats back to their source. Other key benefits of XDR include reduced time to detect threats and more effective analysis, which ultimately helps the security team in their threat investigation and mitigation work.
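The following Python sketch is an added illustration of the cross-silo correlation described above; it is not code from the original post, nor from any Capgemini or Trend Micro product. It models three telemetry sources (an email gateway, an EDR agent, and a network proxy) whose events look unremarkable on their own, then joins them on the attributes they share so that an endpoint alert can be traced back to the email that started the chain. All events, host names, hash values and the linking rules are constructed assumptions for the example.

```python
"""Toy cross-silo correlation, the core idea behind XDR.

Three telemetry sources are modelled: an email gateway, an EDR agent and a
network proxy. Seen in isolation, each event is low severity; joined on the
attributes they share (host, file hash, destination) they form one chain that
runs from an email attachment to an outbound connection. All events below are
constructed sample data; the hash values and host names are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str            # "email", "endpoint" or "network" (the silo)
    host: Optional[str]    # None for silos that do not know the endpoint
    user: Optional[str]
    detail: tuple          # sorted (key, value) pairs so the event is hashable


def ev(ts, source, host, user, **detail):
    """Small constructor that keeps Event hashable by freezing the detail dict."""
    return Event(ts, source, host, user, tuple(sorted(detail.items())))


# Constructed sample telemetry from three silos (not real data).
EVENTS = [
    ev(datetime(2020, 11, 20, 8, 2), "email", None, "alice",
       sender="billing@example.invalid", attachment_sha256="HASH-A"),
    ev(datetime(2020, 11, 20, 8, 5), "endpoint", "ws-17", "alice",
       action="file_written", path="invoice.docm", file_sha256="HASH-A"),
    ev(datetime(2020, 11, 20, 8, 6), "endpoint", "ws-17", "alice",
       action="process_start", parent="WINWORD.EXE", child="powershell.exe"),
    ev(datetime(2020, 11, 20, 8, 7), "network", "ws-17", None,
       action="http_connect", dest="203.0.113.10"),
    # Unrelated activity on another workstation; must not be pulled in.
    ev(datetime(2020, 11, 20, 9, 0), "endpoint", "ws-42", "bob",
       action="process_start", parent="explorer.exe", child="notepad.exe"),
]


def link_keys(e: Event) -> set:
    """Attributes on which events from different silos are treated as related.

    The silos name the same thing differently (attachment_sha256 vs
    file_sha256), so keys are normalised before comparison; that mapping is
    exactly the shared context a siloed setup lacks.
    """
    keys = set()
    if e.host:
        keys.add(("host", e.host))
    for k, v in e.detail:
        if k in ("attachment_sha256", "file_sha256"):
            keys.add(("hash", v))
        if k in ("url", "dest"):
            keys.add(("dest", v))
    return keys


def correlate(events, seed: Event, window=timedelta(hours=2)) -> list:
    """Walk from a seed alert to every event that shares a key, within a time window.

    Returns all reachable events, oldest first, so the first element is the origin.
    """
    seen = {seed}
    frontier = [seed]
    while frontier:
        cur = frontier.pop()
        cur_keys = link_keys(cur)
        for other in events:
            if other in seen or abs(other.ts - cur.ts) > window:
                continue
            if cur_keys & link_keys(other):
                seen.add(other)
                frontier.append(other)
    return sorted(seen, key=lambda e: e.ts)


def trace_incident(events, seed: Event) -> dict:
    """Summarise a chain: where it started, which silos and hosts it touched."""
    chain = correlate(events, seed)
    return {
        "origin_source": chain[0].source,
        "sources": sorted({e.source for e in chain}),
        "hosts": sorted({e.host for e in chain if e.host}),
        "chain": chain,
    }


if __name__ == "__main__":
    # The EDR alert an analyst would start from: Word spawning PowerShell.
    seed_alert = EVENTS[2]
    summary = trace_incident(EVENTS, seed_alert)
    print("origin:", summary["origin_source"], "| silos:", summary["sources"],
          "| hosts:", summary["hosts"])
    for e in summary["chain"]:
        print(e.ts.strftime("%H:%M"), e.source.ljust(8), e.host or "-", dict(e.detail))
```

Run stand-alone, it prints the four-event chain from the email attachment to the outbound connection and leaves the unrelated workstation out. The point of the example is the `link_keys` mapping: the EDR alert on its own only says "Word spawned PowerShell"; only because the email gateway's `attachment_sha256` and the agent's `file_sha256` are treated as the same key can the origin be named. A real platform would carry far more link types (user, sender domain, URL, process lineage) and a smarter time window, but the structure is the same.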


Modern XDR platforms are designed to help security teams be more effective and to efficiently:

  • Identify the more sophisticated cyber security threats that often are shrouded in obscurity
  • Offer a large degree of automation
  • Detect and respond with mitigative actions at a fast pace
  • Track threats across multiple systems


As XDR tools become increasingly available, vendors are continuously working on extending their ability to correlate and analyze data across multiple threat vectors. It is no longer just about the endpoint: the greater the knowledge base, the better your chances of keeping the attackers at bay.


In a few Capgemini and Trend Micro joint projects I was recently involved in, it struck me that, in order to keep the more sophisticated threats organizations are faced with at bay, enterprises evidently need to change their detection and response processes and technologies to mitigate the risk of being compromised. Traditional solutions are limited, as they fail to provide the scale and flexibility contemporary organizations require to tackle their adversaries. If you are facing the same type of challenges outlined above, feel free to reach out to me for a deeper discussion on how to address them.

