XDR: Future-Ready Extended Detection and Response

We are in a new world, and over the past year the dynamics of your company network has likely experienced massive changes. Recent surveys estimate that nearly half of employers intend to allow employees to remotely work from home on a permanent basis.

This means employees need anywhere, anytime access while at the same time the quantity and complexity of the cyber attacks we face have ramped up.

If you’re dealing with a single attack on a single asset, today’s endpoint detection and response (EDR) tools are all up to task. But can your endpoint technology or SIEM correlate attacks – and more importantly stop those attacks – across all user identities, devices, and endpoints?

XDR technologies for Extended Detection and Response should allow organizations to be able to readily detect, correlate, and end sophisticated attacks wherever they start on the network. By fusing together endpoint telemetry with behavioral analytics for XDR, security teams can protect users and assets wherever they are in the world.

While traditional solutions provide alerting that may identify various aspects of an attack operation, alerting alone only reveals aspects of the whole attack sequence. This alert-centric, siloed approach to securing complicated network infrastructure across on-prem, hybrid, cloud and mobile assets gives attackers ample opportunity to hide in the seams, which makes hunting and eliminating attackers all but impossible.

The focus for XDR technologies are to detect, expose, and end persistent malicious operations (Malops™) while eliminating false positives, to enable security teams to investigate threat indicators faster, and affect complete eradication of any Malop with a lower mean time to remediate.

Key to the proficiency of an XDR solution is that it needs to be operation-centric instead of alert-centric. This means the solution can correlate disparate attack indicators from across the whole of the network as opposed to simply generating alerts or alarms that lack the necessary context to uncover a Malop.

Important characteristics organizations should look for in an XDR solution include:

Understanding Threats Beyond the Endpoint: Security begins with knowing what to protect. An XDR solution should empower analysts of all skill levels to quickly dig into the details of an attack without the need to craft complicated queries. XDR is intended to extend traditional detection and response capabilities from the endpoint out to critical SaaS services, email, and cloud infrastructure.

Detections Extensible to Tomorrow’s Threats: XDR solutions should deliver superior visibility and enhanced correlations across both Indicators of Compromise (IOCs) and key Indicators of Behavior (IOBs), the more subtle signs of network compromise. XDR detections also need to identify suspicious user access and insider threats.

Automated and Guided Response Options: XDR solutions should make it simple for analysts to understand the full attack story immediately, and remediation actions such as kill process, quarantine asset and remote shell should be automated or accomplished remotely with a simple click. A solution should also offer automation options for immediate remediation of threats and continuous threat hunting.

XDR is a promising approach that can reverse the attacker advantage and return the high ground to the defenders by extending detection and response capabilities across the broader IT ecosystem that makes up modern enterprise environments. This unified detection and response capability can automatically surface Malops across the entire IT stack including endpoint, network and cloud deployments.