As cybersecurity professionals we’re accustomed to change. We know that as soon as new attack vectors emerge, threat actors change their approaches to achieve their goals. So, we change accordingly – adding a new security tool or new process as needed. But over the last couple of years, the acceleration of digital transformation, remote work and moving to the cloud have forced security practitioners to take a more holistic approach to detection and response.
Security practitioners have had to rethink detection to include a breadth and depth of information from disparate systems and sources across the infrastructure in order to better understand and defend against threats. Similarly, they have had to update their approach to response to include all the enforcement points across the infrastructure impacted by an attack. And to support these new detection and response requirements, they’ve had to prioritize and improve how systems and tools work together. As a result, Extended Detection and Response (XDR) is gaining a lot of traction.
But even more change is afoot. Couple this evolution with the global cybersecurity talent shortage of over three million professionals, and organizations are also rethinking their overall approach to security operations. The promise of XDR is predicated on enabling integration and data flow across the infrastructure for prevention, detection and response. However, many organizations struggle to implement and manage XDR solutions. Even if the XDR solution vendor has great APIs that are “easy” to write to, getting data from on-premises, legacy applications to a cloud platform is a considerable undertaking. An XDR implementation can quickly turn into a very large consulting project requiring significant time and budget.
So, some organizations choose to outsource a portion or the entire function to a managed detection and response (MDR) service provider that offers XDR as a service. An offshoot of the traditional Managed Security Service Providers (MSSPs) market, MDR is a burgeoning category in cybersecurity services and is forecasted to grow from $975 million in 2020 to nearly $7.3 billion in 2028. Gartner defines MDR providers as delivering 24/7 threat monitoring, detection and response services using a combination of technologies and human expertise. Sounds like XDR is in their sweet spot, right? Ideally, yes. But if you’re considering outsourcing XDR to an MDR company, make sure they have solid answers to the following three questions:
1. How can you cover more attack vectors for companies? Like the XDR solutions themselves, many MDR companies initially focused on Endpoint Detection and Response (EDR). But now the writing is on the wall: EDR is important, but so is telemetry from the network, the cloud and the dozens of security tools companies already run, many of them on-premises and legacy. Data from every tool the enterprise uses is foundational for extended detection and response.
2. Are you able to bring in and use the right external data sources for companies? As part of any detection and response strategy, third-party data and intelligence feeds are critical to getting a complete picture of what is going on and adding context to internal threat and event data. These can include commercial sources, open source, government, industry and existing security vendors, as well as frameworks like MITRE ATT&CK for describing adversary techniques. Using information about attackers, their methods and campaigns, an MDR company can look for associated artifacts in other tools across the enterprise, confirm the scope of malicious activity and identify all impacted systems.
3. Can you get all tools and all teams to work in concert? Whether the entirety or just a portion of XDR services is being outsourced, the ability to actively collaborate with internal SecOps teams to address the proper use cases and workflows is paramount. Additionally, bi-directional integration with all tools ensures actions are performed across multiple systems, the defensive grid is strengthened immediately, and data can be retrieved for continuous learning and improvement. If this isn’t possible in all instances then, at a minimum, processes must be in place from the MDR provider to the internal SOC and vice versa to ensure a comprehensive and coordinated response.
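Questions 2 and 3 above describe one workflow: take external intelligence (indicators tagged with the campaign and ATT&CK technique they belong to), look for matching artifacts in telemetry from several internal tools, establish scope, and then push actions to each enforcement point. The following Python is an added illustration of that workflow written for this page; it is not code from the original article or from any MDR or XDR vendor. The intel feed, the EDR, proxy and firewall records, the asset inventory and the action names (`isolate_host`, `block_domain`, `block_ip`, `quarantine_hash`) are all constructed placeholders, and the "actions" are returned as a plan rather than sent to any real API.

```python
from collections import defaultdict

# --- Constructed sample data (placeholders, not real indicators or telemetry) ---
MALICIOUS_SHA256 = "deadbeef" * 8  # placeholder 64-hex-char digest

# External feed: each indicator carries the campaign and ATT&CK technique it is tied to.
INTEL_FEED = [
    {"type": "domain", "value": "update-cdn.example", "technique": "T1071.001", "campaign": "CAMPAIGN-X"},
    {"type": "sha256", "value": MALICIOUS_SHA256,     "technique": "T1059.001", "campaign": "CAMPAIGN-X"},
    {"type": "ip",     "value": "203.0.113.77",       "technique": "T1071.001", "campaign": "CAMPAIGN-Y"},
]

# Telemetry from three different tools, each with its own schema.
EDR_EVENTS = [
    {"ts": "2024-03-01T09:02:11Z", "host": "ws-01", "image": "powershell.exe", "sha256": MALICIOUS_SHA256},
    {"ts": "2024-03-01T09:05:40Z", "host": "ws-02", "image": "notepad.exe",    "sha256": "0" * 64},
]
PROXY_LOGS = [
    {"ts": "2024-03-01T09:02:30Z", "host": "ws-01", "dest": "update-cdn.example"},
    {"ts": "2024-03-01T09:41:02Z", "host": "ws-07", "dest": "UPDATE-CDN.example"},  # mixed case on purpose
    {"ts": "2024-03-01T09:44:10Z", "host": "ws-02", "dest": "intranet.corp.example"},
]
FIREWALL_LOGS = [  # the firewall only knows IPs; hostnames come from the asset inventory
    {"ts": "2024-03-01T10:12:55Z", "src_ip": "10.0.20.3", "dst_ip": "203.0.113.77", "dport": 443},
    {"ts": "2024-03-01T10:13:01Z", "src_ip": "10.0.10.2", "dst_ip": "198.51.100.5", "dport": 443},
]
ASSET_INVENTORY = {"10.0.20.3": "srv-db-03", "10.0.10.2": "ws-02"}


def normalize(edr, proxy, firewall, inventory):
    """Flatten every source into one observation schema: host, indicator type, value, source, ts."""
    obs = []
    for e in edr:
        obs.append({"host": e["host"], "type": "sha256", "value": e["sha256"].lower(), "source": "edr", "ts": e["ts"]})
    for p in proxy:
        obs.append({"host": p["host"], "type": "domain", "value": p["dest"].lower(), "source": "proxy", "ts": p["ts"]})
    for f in firewall:
        host = inventory.get(f["src_ip"], f["src_ip"])  # fall back to the raw IP for unknown assets
        obs.append({"host": host, "type": "ip", "value": f["dst_ip"].lower(), "source": "firewall", "ts": f["ts"]})
    return obs


def index_feed(feed):
    """Key the feed by (type, value) so each observation is a single dictionary lookup."""
    return {(i["type"], i["value"].lower()): i for i in feed}


def correlate(observations, feed):
    """Group matched observations by campaign: impacted hosts, techniques seen, and the evidence."""
    idx = index_feed(feed)
    findings = defaultdict(lambda: {"hosts": set(), "techniques": set(), "evidence": []})
    for o in observations:
        hit = idx.get((o["type"], o["value"]))
        if hit is None:
            continue
        f = findings[hit["campaign"]]
        f["hosts"].add(o["host"])
        f["techniques"].add(hit["technique"])
        f["evidence"].append((o["ts"], o["source"], o["host"], o["type"], o["value"]))
    return dict(findings)


# Which enforcement point handles which indicator type (hypothetical action names).
ENFORCEMENT = {
    "sha256": ("edr", "quarantine_hash"),
    "domain": ("proxy", "block_domain"),
    "ip": ("firewall", "block_ip"),
}


def response_plan(findings):
    """Turn findings into de-duplicated (tool, action, target) tuples spanning every enforcement point."""
    actions = set()
    for f in findings.values():
        for host in f["hosts"]:
            actions.add(("edr", "isolate_host", host))
        for _ts, _src, _host, itype, value in f["evidence"]:
            tool, verb = ENFORCEMENT[itype]
            actions.add((tool, verb, value))  # only indicators actually observed, not the whole feed
    return sorted(actions)


if __name__ == "__main__":
    observations = normalize(EDR_EVENTS, PROXY_LOGS, FIREWALL_LOGS, ASSET_INVENTORY)
    findings = correlate(observations, INTEL_FEED)
    for campaign, f in findings.items():
        print(campaign, "hosts:", sorted(f["hosts"]), "techniques:", sorted(f["techniques"]))
    for action in response_plan(findings):
        print("plan:", action)
```

Two things worth noting in the design: normalisation happens before matching, so a new tool only needs a short adapter rather than changes to the correlation logic, and the plan is derived from observed evidence, so the proxy and firewall receive blocks only for indicators that actually appeared in their own telemetry rather than for every entry in the feed. With the constructed data, ws-01 and ws-07 are tied to CAMPAIGN-X through two different tools, srv-db-03 surfaces only through the firewall after inventory lookup, and ws-02 never appears in the plan.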
If you are among the growing group of organizations looking to an MDR provider to supplement your security operations with XDR, make sure you consider these three factors. Only when an MDR provider has a deep understanding of how detection and response are evolving and the implications for their services, can they deliver on the promise of XDR.