Every discipline has its acronyms, but I’d venture to say cybersecurity has more than its share. We use them to describe threat actors and how they operate, as well as different security teams, their certifications and the tools they use. There’s nothing wrong with acronyms, but when they are used to describe emerging solutions, an interesting phenomenon occurs…that new acronym becomes the next silver bullet technology that will solve all our security problems. Unfortunately, that never turns out to be true.
Acronyms and Promises
Let’s go back a decade to unified threat management (UTM), which Gartner defines as a converged platform of point security products, particularly suited to small and midsize businesses, with feature sets that fall into three main subsets: firewall/intrusion prevention system (IPS)/virtual private network, secure Web gateway security and messaging security. UTMs were supposed to address everything the network needed to stay secure, only they did not. So, next-generation firewalls (NGFWs) emerged to provide more customization for the unique needs of enterprises, and even then they did not become an end-all, be-all.
UTMs and NGFWs focused on defending the network. However, as endpoints proliferated and the spotlight shifted to this expanded attack surface, like moths to a flame the industry shifted to Endpoint Protection Platforms (EPP). But what about threats that evaded these solutions? Enter Endpoint Detection and Response (EDR) tools.
One of the more recent acronyms being thrown around is XDR, which stands for Extended Detection and Response. Initial definitions of XDR describe it as a solution built from EDR solutions, where “X” is simply an “extension” or “next generation” of EDR. But what about the other “DR” variations that we haven’t even touched on yet, specifically Network Detection and Response (NDR) and Cloud Detection and Response (CDR)? XDR must include those too, plus the dozens of existing security tools organizations have already deployed across their infrastructure. And the cycle continues with emerging Threat Detection, Investigation and Response (TDIR) platforms, aimed at addressing the fact that Security Operations Centers (SOCs) also need investigation tools within a “DR” solution. And there’s a cockpit concept for security operations that also should be included in any SOC platform worth its salt.
The goal of XDR and subsequent variations is detection and response across the infrastructure, across all attack vectors, across different vendors, and across security technologies that are cloud based and on premises. So, how do we get there? XDR is a destination, not a solution, and it can only be reached with a holistic, architectural approach. Viewing it as another silver bullet technology, another acronym with another promise, is history repeating itself. It is not a path forward to SOC efficiency and effectiveness.
Shift from Acronyms to Use Cases
The only thing more relentless than this constant wave of acronyms is the wave of attacks that we need to combat. So, let’s put acronyms aside. Instead, let’s focus on what it is going to take to address the use cases of the SOC as it modernizes and transitions to become a detection and response organization. These include alert triage, spear phishing, incident response, threat hunting and threat intelligence management.
To be efficient and effective, the SOC of the future needs to be able to:
1. Focus on data. Data is the lifeblood of security because it provides context from a wide range of internal and external sources, including systems, threats, vulnerabilities, identities and more. When security is data-driven, teams have the context to focus on relevant, high-priority issues, make the best decisions and take the right action. Data-driven security also provides a continuous feedback loop that enables teams to store and use data to improve future analysis.
2. Ensure systems and tools can work together. Since the data that teams need for analysis is spread throughout the typical organization, bi-directional integrations enable teams to bring that data together in a common work surface. An open integration architecture provides the greatest access to data from technologies, threat feeds and other third-party sources. It also enables teams to drive action back to those technologies once a decision is made.
3. Balance automation with human response. The most effective way to empower teams is to apply automation to repetitive, low-risk, time-consuming tasks, while recognizing that the need for human analysis remains. Irregular, high-impact, time-sensitive investigations are best led by a human analyst, with automation simply augmenting the work. Automation, when there is a balance between human and machine, ensures that teams always have the best tool for the job.
Security Operations Centers do not need another acronym. What they need are capabilities that enable them to address their top use cases faster and more thoroughly in the face of evolving attacks. That’s the promise the security industry needs to make and can only deliver with the right architectural approach. We’ll take a deeper dive into each of these three areas in the future.