XDR must be approached as an open architecture where integration is the linchpin
Over the past couple of months, I’ve talked about how adversaries are evolving their approaches to attacks and the ripple effect that is having on our approach to detection and response.
Detection now requires a breadth and depth of information from disparate systems and sources across the infrastructure, with data and actions brought into a single view, so you can gain a comprehensive understanding of the threat you are facing and know what you must defend.
Response is changing in parallel. Because multiple systems are now involved in attacks, we need to be able to put the pieces together to get a complete picture of what is happening. Response is predicated on the capability to look beyond one file or system to find all related events and data across the organization, connecting the dots and contextualizing with additional intelligence so you can remediate and respond to an incident across the infrastructure.
Enter Extended Detection and Response (XDR). There has been a lot of confusion with respect to what XDR is. Much of this stems from initial definitions of XDR as a solution built off of Endpoint Detection and Response (EDR) solutions, where “X” is simply an “extension” or “next-generation” of EDR. But if you consider how detection and response are evolving, we need to rethink how we view “X”.
John Oltsik of ESG captured the need to clarify X when he tweeted: “I for one am sick of hearing that XDR is really an extension of EDR. Wrong! XDR assumes the whole is greater than the sum of its parts. EDR is a part.” His commentary that XDR is more than EDR means integration with additional security tools is critical.
The goal of XDR is detection and response across the infrastructure, across all attack vectors, across different vendors, and across security technologies that are cloud based and on premises. This cannot be achieved if you simply think of XDR as a souped-up solution. To get there, XDR must be approached as an open architecture where integration is the linchpin, the X in XDR. What’s more, integration capabilities must be broad and deep to bring data together and drive action.
Integrated to support new detection requirements
Let’s start with the data requirements. Integration must be broad to cover any tool the enterprise has, including all internal data sources – the SIEM system, log management repository, case management system and security infrastructure – on premise and in the cloud. It must also integrate with the multiple external data sources organizations subscribe to – commercial, open source, government, industry and existing security vendors. Internal and external data aggregation, normalization and correlation allows you to tap into the richness of all available data to get a complete picture of what is going on. This includes contextualizing data with additional intelligence, including internal observations of network activity and file behavior. Pivoting to external data sources to learn more about campaigns, adversaries and their tactics, techniques and procedures (TTPs), allows you to look for associated artifacts in other tools across the enterprise to confirm the scope of malicious activity and identify all impacted systems.
Integrated to support new response requirements
Integration must also be deep to facilitate the exchange of information for action. With the dots connected to reveal a bigger picture of an attack, you can execute a comprehensive and coordinated response, performing actions across multiple systems and sending associated data back to the right tools across your defensive grid immediately and automatically to accelerate response. Blocking threats, updating policies and addressing vulnerabilities happens faster. Deep integration is also bi-directional to include the ability to send data from the response back to a central repository for learning and improvement.
With an open architecture where integration is broad and deep, you can have a data flow across the infrastructure to support the business needs for truly integrated defense. You can act immediately and automatically for comprehensive response. And you can automatically capture and share results to improve over time. That’s the ultimate goal of XDR, and it can only be achieved when the “X factor” is integration.